By Steve Shoaff
With the explosion of digital business, mobile app adoption, and the Internet of Things, the volume of data we’re creating is expanding dramatically. In fact, the amount of data about a person is growing exponentially, far faster than the number of people.
Every day, we and our devices generate billions of data points, ranging from purchasing histories to the temperature in our homes. But the data at the center of our connected world is identity data. A highly valuable asset enabling a growing number of digital interactions and business initiatives, identity data is driving a new paradigm for data security for three main reasons.
- Identity Data Requires Stronger Security
One of the most important facts to consider in securing identity data is that not all data is equal. Not all data holds the same business value or carries the same risk profile. This is particularly true for identity data. Identity data is just not the same as other data types, such as inventory or sales information; it is highly targeted and valued by cyber criminals. I would argue that the vast majority, better than ninety percent, of security risks involve less than five percent of data, mainly personally identifiable information (PII) that can give thieves access to lucrative data such as bank accounts and health records. The importance of protecting this information from theft and misuse can’t be overstated.
However, identity data security is not a simple matter of tightly locking down your data stores. Identity data is a dynamic asset that has to be continuously updated and leveraged by apps and services to enable customer engagement. It’s frequently accessed across an entire organization, and that needs to continue. Balancing this access with security is a good reason to encrypt this data end to end: as it enters your organization, during transit in both directions between apps, systems and the data store, and when it’s at rest. There should never be a point at which identity data exists as plain text that could potentially be exposed or fall into the wrong hands.
While encryption goes a long way in protecting data, you must also specify the types of data that can be used at interaction points, such as customer data available to mobile apps or third-party marketing services. A marketing email service, for example, only needs names and email addresses, not physical address, phone number, passwords or financial data. Assigning the types of data that can be accessed based on duties or job function creates a crucial layer of security. Today too many applications have access to the entire customer record. We need to stop being so trusting with our application teams and scope their access to identity data.
How companies manage identity information is under increased scrutiny by security organizations and regulatory entities. Identity data must also be easily auditable. IT needs to be able to show internal stakeholders and external auditors how they are using the data, how it is secured, and who has access to it – all part of a data governance strategy.
- Managing Identity Data Requires Customer Involvement
Identity data demands the highest possible levels of security, but that’s not the only thing that makes protecting it different. In addition to enforcing corporate and regulatory policies that satisfy security mandates, administrators must also consider the customer’s perspective.
What may be acceptable from a regulatory standpoint may not be sufficient for an individual customer, and each customer will have different sensitivities regarding how his or her data is used. When consumers feel a brand is not responsibly using their data or is violating what they deem acceptable, companies can swiftly suffer brand damage and a loss of loyalty.
As a result, user-directed choice and preference is a growing component of identity data security and will continue to become even more important as digital business evolves. Organizations need a way to capture customer preference and privacy choices as well as a way to enforce user directives across all interaction points. This is best achieved through centralized data governance and fine-grained control over data delivered to applications. Data use controlled by customer-directed choice and preference is a critical but missing part of most data governance strategies.
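One way to combine per-application scoping with customer-directed preferences at a single, central release point, with an audit entry for every release. This is an added example, not code from the article or from any product; the application names, attribute names, consent fields and the `release_attributes` function are all assumptions made for illustration.

```python
from datetime import datetime, timezone

# Hypothetical application scopes: the only attributes each consumer may ever receive.
APP_SCOPES = {
    "marketing-email": {"first_name", "last_name", "email"},
    "billing-service": {"first_name", "last_name", "postal_address", "card_token"},
}
AUDIT_LOG = []  # stand-in for an append-only audit store


def release_attributes(app_id, record, purpose):
    """Return only the attributes allowed by BOTH the app scope and the customer."""
    allowed = APP_SCOPES.get(app_id, set())        # unknown application: default deny
    consent = record.get("consent", {})
    if not consent.get(purpose, False):            # customer has not agreed to this use
        allowed = set()
    withheld = set(consent.get("withhold", []))    # attributes the customer refuses to share
    granted = sorted((allowed - withheld) & set(record["attributes"]))
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "app": app_id,
        "subject": record["id"],
        "purpose": purpose,
        "released": granted,                       # attribute names only, never values
    })
    return {name: record["attributes"][name] for name in granted}


# Constructed sample record (not real data).
CUSTOMER = {
    "id": "cust-1001",
    "attributes": {
        "first_name": "Ana", "last_name": "Ruiz", "email": "ana@example.com",
        "phone": "+1-555-0100", "postal_address": "1 Example Way",
        "card_token": "tok_constructed", "password_hash": "<constructed>",
    },
    "consent": {"marketing": True, "billing": True, "withhold": ["last_name"]},
}
```

Because the filter intersects the application scope with the customer's choices, neither side can widen what the other allows, and the audit log shows who received which attribute names without duplicating the values.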
- Securing Identity Data Requires Real-Time Customer Notifications
In the past, businesses managed data quietly behind the scenes with little to no visibility to the end user. That’s now changing. In the digital world, customers can and should be active participants in protecting their data, adding a powerfully effective line of defense in preventing and responding quickly to suspicious activity.
You can dramatically strengthen security efforts by implementing a notification system that alerts users to significant or abnormal events, such as repeated attempts to access billing information or password changes. Customers can take immediate steps to lock down their accounts and reduce the amount of damage. At the same time, early detection helps IT teams respond quickly to prevent or reduce the impact to the business.
Alerts can also work hand-in-hand with preference capture capabilities. Enabling customers to specify limits for purchase amounts or frequency and then allowing them to approve the transaction if those thresholds are surpassed can prevent misuse or theft in real time.
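The notification and approval flow described in this section, sketched as an added example that is not part of the original article. The event types, field names, window and limit values, and the `AccountMonitor` and `replay` names are assumptions; the sample events are constructed.

```python
from collections import defaultdict, deque

FAILED_LIMIT = 3        # assumed: failed billing accesses that trigger an alert
WINDOW_SECONDS = 600    # assumed: sliding window for counting those failures

class AccountMonitor:
    def __init__(self, preferences):
        self.preferences = preferences        # customer-set limits, keyed by account
        self.failures = defaultdict(deque)    # account -> recent failure timestamps
        self.outbox = []                      # (account, audience, message) to deliver

    def handle(self, event):
        """Return 'allow', 'alert' or 'hold' and queue any notifications."""
        account, kind, ts = event["account"], event["type"], event["ts"]
        if kind == "password_change":
            self.outbox.append((account, "customer", "Your password was changed"))
            return "alert"
        if kind == "billing_access_failed":
            recent = self.failures[account]
            recent.append(ts)
            while ts - recent[0] > WINDOW_SECONDS:   # drop failures outside the window
                recent.popleft()
            if len(recent) < FAILED_LIMIT:
                return "allow"
            self.outbox.append((account, "customer", "Repeated attempts to access billing"))
            self.outbox.append((account, "security", f"{len(recent)} failed billing accesses"))
            recent.clear()                           # one alert per burst, not per attempt
            return "alert"
        if kind == "purchase":
            limit = self.preferences.get(account, {}).get("max_purchase")
            if limit is not None and event["amount"] > limit:
                self.outbox.append((account, "customer", "Approve purchase over your limit?"))
                return "hold"                        # waits for the customer's approval
        return "allow"

# Constructed sample events (timestamps in seconds), not real log data.
SAMPLE_EVENTS = [
    {"account": "cust-1001", "type": "billing_access_failed", "ts": 0},
    {"account": "cust-1001", "type": "billing_access_failed", "ts": 1000},
    {"account": "cust-1001", "type": "billing_access_failed", "ts": 1100},
    {"account": "cust-1001", "type": "billing_access_failed", "ts": 1200},
    {"account": "cust-1001", "type": "purchase", "ts": 1300, "amount": 40.0},
    {"account": "cust-1001", "type": "purchase", "ts": 1400, "amount": 900.0},
    {"account": "cust-1001", "type": "password_change", "ts": 1500},
]

def replay(events, preferences):
    monitor = AccountMonitor(preferences)
    return [monitor.handle(e) for e in events], monitor.outbox
```

The first failure at `ts=0` ages out of the window before the burst at 1000 to 1200 seconds, so only that burst raises an alert, and the 900.00 purchase is held only when the customer has set a `max_purchase` below it.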
In summary, balancing access to customer data with the security of that data can be done successfully by remembering these three things: identity data is different in both value and risk, so make the investment to protect it; customer choice and preference are a great way to further scope down data access while building brand trust; and real-time notifications to the customer, administrators and security teams can greatly limit damage and reduce fraud.
About the Author
As CEO, Steve leads the business strategy and product vision for UnboundID. He is an internationally recognized adviser on identity and security issues for Fortune 500 companies and the U.S. Federal Government. Previously at Sun Microsystems, Steve served as Technical Director and Chief of Staff for the Identity Management product division, as well as Director of Global Engineering and Support for the Directory Server Product Line. At Netscape Communications, Steve led Product Management for the Directory and Security product lines. He co-founded the OpenDS and SLAMD open source projects for next-generation identity services. Steve has also been a key technical adviser to the U.S. Department of Justice and performs technical due diligence for venture capital firms. Steve has a BS in Computer Science from George Mason University.