With traditional digital walls gone and consumer expectations rising, companies are struggling to find effective digital identity management solutions. It is critical to approach enterprise and consumer identity with equal vigour, explore managed services and integrate new technologies.
FROM wax seals and stamps to passports and fingerprints to biometrics and behavioural analysis—humans have always looked for foolproof ways to validate that those they deal with are who they claim to be and can be trusted. In these times of increased concern over data breaches, fraud and privacy, trust is paramount. And in our digital society, trust is determined through digital identity—the corpus of data about an individual, an object, or an organisation that helps identify them through unique qualities and use patterns.
Effective digital identity practices are more important to business success than ever. They are vital for presenting a compelling first contact point to customers, protecting sensitive data, enabling secure transactions and transforming business processes. They can enable new ways to engage with consumers via social media, improve collaboration within the enterprise and automate and simplify cybersecurity practices.
However, companies are having to deal with increasing challenges in enterprise and consumer identity management. One of the reasons for this is the breakdown of traditional digital walls, which has blurred the distinction between the inside and outside of an organisation. This shift, along with changing user expectations, emerging technologies, a shift to cloud-based services, growing business needs and evolving privacy regulations, is giving rise to a digital identity crisis of sorts.
Breakdown of digital walls, changing user expectations and emerging technologies are giving rise to a digital identity crisis of sorts.
Companies should re-examine and rapidly evolve, their digital identity strategies—internally, for their enterprise and externally, for consumers. Only by looking at digital identity management holistically and approaching both enterprise and consumer identities with a similar philosophy can organisations get the outcomes they desire. In this article, we take you through a unified strategy to help improve digital identity practices across the organisation.
There are many emerging trends and challenges shaping the evolution and management of digital identity—both enterprise and consumer. Our research revealed some of the top ones:
Digital identity management can be overshadowed by more urgent concerns. It is not that companies don’t think it is important—they may be dealing with other pressing cybersecurity issues. They also may need to show immediate progress and return on investment on cybersecurity initiatives. However, it takes some patience to implement digital identity projects as they tend to be more of a marathon than a sprint. This challenge shows up in how much time and money companies are spending on the problem. In Deloitte’s 2019 Future of cyber survey, which surveyed 500 C-level executives responsible for cybersecurity, more than half of the respondents (54 per cent) said they dedicated 10 per cent or less of their cyber budget to identity solutions, with 95 per cent committing 20 per cent or less. Additionally, 88 per cent of all respondents spend 10 per cent or less of their time on identity and access management.1
Companies are wary of outsourcing identity management. Most cybersecurity leaders are protective of their systems and hesitant to let others manage them. According to Deloitte’s 2019 Future of cyber survey, the top preferred way to procure, implement and provide ongoing delivery of identity capabilities is on-premise implementations, with 36 per cent of respondents selecting this option. This is especially true of chief information security officers (CISOs), with 60 per cent preferring on-premise solutions. Cloud-based identity-as-a-service (IDaaS) implementations were selected by just 24 per cent of all respondents and only 32 per cent outsource their identity and access management to third parties.
Why this reluctance? The CISO of a major telecommunications company explains, “I have had applications that are many years—if not decades—old; a lot of in-house, homegrown applications that none of the cloud providers could easily integrate without making changes to their cloud infrastructure.”2 Such worries about integration, flexibility, getting specialised support, and a lack of faith in available capabilities are quite reasonable and likely hold back companies from opting for IDaaS.
Rising global data privacy regulations pose compliance challenges. Governments across the world are exploring—and implementing—new legislation and regulations to protect personal data privacy and digital identity. Executives and cybersecurity leaders have to address mandates such as the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and Canada’s updated Personal Information Protection and Electronic Documents Act (PIPEDA). They also are expected to follow many other guidelines including the Cybersecurity Framework from the National Institute of Standards and Technology (NIST).3 This increases the burden on cybersecurity leaders and executives as they’re required to develop a more comprehensive view of their consumers to comply with legal and audit-related mandates.
Challenges aside, approaches to digital identity management are starting to change quickly. Organisations are increasingly living in cloud-centric environments and there is a general shift to managed services and consumption-based models. Deloitte’s 2018 study, Accelerating agility with everything-as-a-service, found evidence of this shift.4 Seventy-one per cent of companies report that as-a-service (XaaS) now makes up more than half of their organisation’s enterprise IT (with the remainder being traditional, nonservice-based IT).
As part of this shift, some companies have moved their identity stacks to the cloud and others are consuming identity-as-a service. Gartner says that by 2022, “Forty per cent of global midsize and larger enterprises will use identity and access management as a service (IDaaS) capabilities to fulfil most of their identity and access management (IAM) needs, which is up from 5 per cent today.”5 One of the reasons for this is that cloud providers and third-party cloud operators are likely to have much more sophisticated capabilities than what a company may have in-house, which eliminates the need for updates and upgrades to both software and infrastructure. Also, with many companies facing a shortage of skilled cybersecurity professionals, using managed services helps eliminate the need to attract, train and/or retain this hard-to-find talent.
Many organisations are also experimenting with and integrating a number of new technologies to improve their digital identity capabilities. Moving beyond simple logins and passwords, they’re increasingly using advanced authentication methods such as physical biometrics and behavioural monitoring as standard practices in digital identity management. In today’s “zero trust” environment, companies continuously monitor and authenticate users—constantly determining their level of risk based on who they are, what they access, and when and where they do it. To facilitate this, they are increasingly turning to AI technologies that help them automatically detect anomalies and identify behaviour that doesn’t fit a particular pattern. Twenty per cent of respondents from Deloitte’s 2019 Future of cyber survey are prioritising AI-driven threat identification and assessment as a transformational capability in digital identity management.
However, there are mixed opinions on the use and maturity of AI in identity management. A CEO of a US-based cybersecurity and risk advisory company is optimistic about AI and says, “AI or machine learning is going to be a capability that’s associated with risk assessment—not just identifying the user but also identifying the device and the health of that device, whether that’s been compromised or not. It has to be more than just ID and authentication.”6 On the more pragmatic side, Alex Beigelman, chairman of the National Cybersecurity Society, says, “The authentic stuff is very much in its infancy. It is being used, but in limited ways and only by a limited number of companies that have the resources to do some experimentation and take some risks.”7
While reexamining their digital identity management strategies, organisations should think about challenges related to both consumer and enterprise identity management to understand what they can do to create a holistic approach. There are different business requirements, technical approaches and challenges for each, but there are sound fundamental practices that can be applied to both. Let’s look at some of the unique challenges:
With the increasing depth and complexity of digital interactions between consumers and businesses, attention to consumer identity management has increased commensurately. Companies want to ensure that those logging in are who they say they are and that they are having a good experience. The reasons for this are many, including:
Within organisations, the complexity around consumer identity management has increased as well. Responsibility and ownership are often distributed among multiple executives, teams (marketing, sales, cybersecurity, etc.) and IT systems, making co-ordination of large-scale projects challenging. According to Deloitte’s 2019 Future of cyber survey, companies are focussed on many different client- and vendor-facing identity initiatives. The top areas are consumer identity and access management at 28 per cent, advanced authentication including MFA at 27 per cent and GDPR enablement/privacy compliance at 25 per cent.
As the pace of business increases and the demands of transformational initiatives multiply, companies shouldn’t neglect enterprise identity management either. One of the biggest identity-related problems faced by companies is privilege misuse and compromised credentials, which are used by bad actors and cybercriminals to breach networks. A recent survey commissioned by Centrify covering 1,000 IT decision-makers in the United States and the United Kingdom found that 74 per cent of respondents whose organisations have been breached acknowledge it involved access to a privileged account.8
Apart from external threats, companies face a host of internal enterprise identity management problems as well, including the following:
The top enterprise identity cybersecurity initiatives, as revealed in Deloitte’s 2019 Future of cyber survey, were advanced authentication (including MFA and risk-based authentication) and privileged access management (PAM)—each selected by 19 per cent of respondents.
To fully address these issues, organisations should strive for digital identity management systems that embody a set of common qualities for both enterprise and consumer users (see the sidebar, “A proper digital identity management system should be”).
Considering how deeply enterprise and consumer identities are interlinked, companies should approach both in a similar and co-ordinated manner to unlock benefits for the enterprise as well as consumers. It is not a question of either/or anymore—a strong, holistic approach to digital identity management can help drive the business, make life easier for cybersecurity teams and provide superior experiences for both consumers and employees (see the sidebar, “How a holistic approach to digital identity helps”).
In the era of cyber everywhere, the operating environment for identity management will likely become increasingly complex—with greater business expectations to meet, new technologies to integrate, multiple data privacy regulations to adhere to, and increasing numbers of people and devices to manage. To navigate this complex environment, there are five things cybersecurity leaders can do to better integrate their digital identity management strategies, processes and systems into the business:
A 360-degree digital identity strategy, built with the above practices in mind, can unlock significant benefits for consumers and employees, cybersecurity teams and business leaders. Most of all, a unified approach can help build trust and ensure privacy and security, thereby preventing a digital identity crisis. Digital identity systems used to require a choice between security or convenience—but now you can have both. Be thoughtful about how you design your systems in order to protect assets and avoid being too onerous for employees and consumers. Keep sight of this and the recommendations above as you walk the path of digital identity transformation.
Every company has a different set of digital identity challenges and a unique approach to identity management. Technology companies, for instance, should be very flexible with their digital identity strategies and systems so they can navigate a fast-moving market. Media and entertainment companies often deal with large numbers of transient customers. Telco companies may have very old systems that are difficult to update or replace and can’t integrate easily with modern identity management solutions. However, there are some common factors they should keep in mind while enhancing their digital identity management capabilities. Here are some of them:
As a recognised leader in cybersecurity consulting, Deloitte Cyber includes thousands of dedicated cyber professionals, across 20 industry sectors, who help clients better align cyber risk strategy and investments with strategic business priorities, improve threat awareness and visibility, and strengthen their ability to thrive in the face of cyber incidents. The ubiquity of cyber drives the scope of our services. Deloitte Cyber advises, implements and manages solutions in strategy, defence and response; data security; application security; infrastructure security; and identity management. In 2019, Deloitte Cyber opened the Cybersphere, a state-of-the-art destination to help clients address their most pressing cyber challenges. The Cybersphere offers a Watch Floor for 24/7 threat monitoring and reconnaissance to help clients detect and respond to threats in real time; a Cyber IoT Studio, where next-generation security is developed and tested; and a client-centred Core, featuring labs that provide disruptive, interactive experiences customised to increases capability and confidence in the face of ever-evolving cyber threats.