The digital expression of identity grows increasingly complex every day. Not long ago, an employee’s entire digital presence belonged almost exclusively to the employer, a practice that culminated in the mainframe ID. As enterprise technology expanded to include new tools and platforms, the number of digital identities grew. Does this trend lead to a universal digital identity, seamlessly crossing between professional, private and social lives? Enterprises today have a mandate to more seamlessly manage and enable digital identities for the personas of their employees, customers and partners, within and across enterprises, all of which lays the groundwork for shaping and creating a truly universal digital identity.
Harry D. Raduege, Jr.
Deloitte Consulting LLP
Deloitte Center for Cyber Innovation
Leaders today, both in government and industry, have a growing recognition that managing security is about managing risk. Every month, their digital-age organizations face billions of attacks from infiltrators seeking to manipulate, steal, deface or shut down networks. The threats are increasing exponentially, as are the vulnerabilities. Every organization should assume that its network has or will be compromised.
The rapid evolution and adoption of new technologies, including the emergence of cloud computing and mobility, pose advanced security risks. As the number of digital identities that must be managed continues to grow, security awareness, education and training will become increasingly critical for achieving an effective cybersecurity posture. The top three priorities I see for organizations that want to manage and secure digital identities in the coming year are:
Trust – but dynamically monitor. With pervasive cyber threats targeting networks and systems, cybersecurity should not be limited to building static defenses. Organizations should also add strength through dynamic monitoring and situational awareness. This requires a focus on forensics (analyzing an attack after it happens) and predictive analytics (using insights to take action in reducing future risk). A goal in 2012 should be to establish policies and procedures to achieve digital identification of everyone entering and exiting your networks.
Share vulnerability. Leaders should manage cyber security risk by broadening the scope of the security and identity management mission across the organization and moving it permanently from back rooms into board rooms and situation rooms. “Just as security is built on trust, trust is built on sharing vulnerability,” explains John Hagel III, Deloitte Consulting LLP, co-chairman, Deloitte LLP Center for the Edge. That means cyber security isn’t limited to technical and policy considerations, but also includes positive identity recognition, patch maintenance and building a cyber mindset throughout the workforce. Awareness, education and training will become more important than ever, as organizations work to keep employees and service providers equipped with the knowledge, policies and culture to operate responsibly in a cyber environment.
Address expectations. In days gone by, employees went to work and logged onto a network at a computer terminal. Today, that terminal is in their pockets and purses. These mobile users are looking for ease of access and speed of use – and are assuming security and privacy. This environment requires a different security approach. As organizations integrate new technologies and IT systems expand into the cloud, cybersecurity must adapt to address the expectations of users – recognizing that, empowered with these technical evolutions, individuals can deliver both mission and business objectives.
Where do you start?
Digital identities should be an integral part of an organization’s broader cyber intelligence pursuit, with identity, access and credential management forming the core of cyber protection¹. Moving beyond isolated, self-contained identity silos to cross-enterprise services can open many doors – both to better security and control management, and as an enabler of innovation in cloud, mobile, social and analytics. Without a unique, verifiable, non-repudiable identity, these emerging technologies may have difficulty integrating with enterprise systems and may lack context even if they do.
- Take inventory of identities. Start taking stock of personas and identities. Determine where digital identities live, what user groups they map to, what they have access to and what job functions and processes they correspond to. Work to understand which external personas users are interacting with for their professional lives, and if they’re willing to share those in their personal lives as well. Note the places where users depend on multiple IDs in their day-to-day activities. Identify new services or process improvements that would be made possible if silos were removed.
- Know your ambition. What is the desired scope for your digital identity effort? Should it extend across a geography? Across business units? To business partners? To other industry players or groups? To the government? To social or consumer platforms? Know your identity roadmap, balancing the potential benefits of greater visibility and information sharing with risk and technical complexity.
- Create boundaries around federation. If your digital identity roadmap extends beyond your organization, clear expectations, service levels and warrants must be put in place. Build trust with your most crucial partners. Spend time on legal contracts and agreements. Establish clear liability and responsibility.
- Execute. After taking the steps outlined above, it’s all about executing the roadmap. Organizations have benefited from launching cross-functional teams led by the business and joined by technology, vendors, outside experts and business partners. Making the digital identity journey an explicit priority can improve its chances of delivering the expected value.
The number of credentials that define an individual has grown exponentially in recent years, and the majority has some form of digital footprint. This is especially true within large enterprises, where digital footprints have spiked due to the growth in personal or consumer-facing identities. As a result, there are an overwhelming number of personas, attributes and relationships that could potentially be managed under a single digital identity. In light of the tenets of outside-in architecture, and the onset of enterprise-dependent cloud, mobile and social forces, businesses have ample motivation to understand and capitalize on these external personas and attributes, as well as link to their corporate credentials. In the end, whoever understands employee, customer and prospect identity data will likely control the currency upon which postdigital innovation is traded – and on which new business models are likely to be defined.
As used in this document, “Deloitte” means Deloitte LLP and its subsidiaries. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
1 Additional information is available in Deloitte Consulting LLP (2011), "Tech Trends 2011: The natural convergence of business and IT", http://www.deloitte.com/us/2011techtrends, Chapter 3.