Changing Your Approach to Protecting Digital Identity

By Richard Brechwald • September 20, 2017

Security breaches make headline news. Even the most seemingly secure and untouchable organizations are vulnerable as security measures are only as effective as the weakest link. Most recently, Equifax was compromised, potentially exposing vital information of half of all adult Americans.

When it comes to protecting digital identity, there needs to be a more sophisticated way to identify, authenticate, and trust identity information. How does your organization need to change the way it thinks about digital identity? And what measures should you take to better protect your systems and information?

Evolving Threat Landscape Makes Identity Management a Challenge

As attackers employ more sophisticated means to infiltrate an enterprise, organizations need to change the way they prove identity, including moving beyond password security alone. Verizon's 2016 Data Breach Investigations Report found that 63% of confirmed data breaches involved weak, default or stolen passwords, many of them harvested through phishing or other credential-theft techniques.

Once the initial breach happens, more damage occurs as the hackers harvest additional passwords to explore the enterprise from the inside, working to compromise more systems and access more information.

How this Impacts Your Business

Passwords are not enough to protect important data. The more valuable the data, the more important it is that only the right people have access to it. To keep up with changing technologies, market conditions, and attack methods, NIST updated their Digital Identity Guidelines to provide a more robust way to approach safeguarding identity.

Version 3 of NIST Special Publication 800-63 (NIST 800-63-3) was released in June 2017. The revised guideline helps organizations evaluate their requirements for authenticating users and for selecting identity management tools. The previous version, NIST 800-63-2, had a single measure of identity effectiveness, the Level of Assurance (LOA 1 through 4), that bundled identity proofing, authentication strength and federation into one number. The revision splits that into three separately assessed measures, giving more clarity on how to measure the trust placed in a digital identity:

  • Identity Assurance Level (IAL): How well do you know that the person creating this account is the real person he or she claims to be?
  • Authenticator Assurance Level (AAL): How well do you know that the person accessing this service is the same person that created the account?
  • Federation Assurance Level (FAL): How well do you trust the identity provided to you by a third party Identity Service?

Creating Your Identity Management Approach

  1. Determine what types of users interact with your various systems. Typically an enterprise will have employees, customers, vendors, partners, and perhaps other user types.
  2. Map business case and levels of access for each user type. Define what information each role needs to have access to as well as the level of trust that the person accessing it is the person that should be accessing it. If you are not going to require a user to have a high level of assurance, then you are going to restrict the data he or she has access to.
    • For instance, you trust your employees more than you trust your partners, perhaps your partners more than vendors, and vendors more than customers. A market system would require a different level of trust than your internal development system with all of your intellectual property.
  3. Determine how you manage access, and how you verify and protect digital identity. Some questions to ask include:
    • Do you need to look at someone’s driver’s license in person before authorizing access to high-value information (a higher IAL), or is a verified email address sufficient for accessing lower-value information?
    • Do you need Multi-Factor Authentication (MFA) before allowing access to critical assets (AAL2 or higher), or is password-only security (AAL1) sufficient for routine access?
      • Important note on MFA: When evaluating MFA vendors, NIST 800-63B defines the authenticator types and the AAL each can reach, which puts a vendor’s capabilities into context. Some methods in common use today are no longer considered adequate: one-time passwords delivered by SMS or voice call (out-of-band authentication over the public telephone network) are classed as RESTRICTED authenticators, and email is not accepted as an out-of-band authenticator at all because it does not prove possession of a specific device. If you currently send one-time passwords by SMS or email, plan a transition to push-based or software/hardware token authenticators.
    • Do you need a dedicated on-premises identity management system, can you rely on a third-party Identity as a Service (IDaaS) provider, or can you federate with an external identity provider such as Google, Facebook, or Microsoft? The trust you place in a federated identity is what the FAL measures.
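The three steps above can be made concrete as an access-control check that carries the IAL and AAL vocabulary into code. The following is an added example, not code from the original post or from NIST: it classifies a login by the authenticator types used, following the AAL rules of SP 800-63B (AAL3 is reduced to two of its permitted combinations), flags SMS one-time passwords as restricted, and compares the result against per-resource minimums. The resource names, user types, and the sample sessions are constructed for illustration.

```python
"""Assurance-level access check modelled on NIST SP 800-63-3 (added example).

Assumptions: a session records the IAL the account was proofed at and the
authenticator types used to log in; each resource states the minimum IAL and
AAL it needs. Authenticator classes and the AAL rules follow SP 800-63B;
AAL3 is reduced to two of its permitted combinations. Sample data below is
constructed, not taken from any real deployment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Authenticator:
    possession: bool       # proves "something you have"
    multi_factor: bool     # device activated by a PIN or biometric (two factors in one)
    hardware_crypto: bool  # hardware-based cryptographic authenticator (used at AAL3)
    restricted: bool       # SP 800-63B 5.2.10 RESTRICTED (out-of-band over the PSTN)


# Authenticator types from SP 800-63B section 5.1. "oob_email" is listed only to
# show that email delivery does not prove possession of a device and therefore
# contributes no factor (800-63B 5.1.3.1).
AUTHENTICATORS = {
    "memorized_secret": Authenticator(False, False, False, False),
    "lookup_secret":    Authenticator(True,  False, False, False),
    "oob_push":         Authenticator(True,  False, False, False),
    "oob_sms":          Authenticator(True,  False, False, True),
    "oob_email":        Authenticator(False, False, False, False),
    "sf_otp_device":    Authenticator(True,  False, False, False),
    "mf_otp_device":    Authenticator(True,  True,  False, False),
    "sf_crypto_device": Authenticator(True,  False, True,  False),
    "mf_crypto_device": Authenticator(True,  True,  True,  False),
}


def achieved_aal(used: frozenset) -> int:
    """AAL reached by a login that used the given authenticator types."""
    if not used:
        return 0
    info = {name: AUTHENTICATORS[name] for name in used}
    has_secret = "memorized_secret" in info
    has_possession = any(a.possession for a in info.values())
    has_multi_factor = any(a.multi_factor for a in info.values())
    # AAL3 subset: a multi-factor crypto device, or a single-factor hardware
    # crypto device combined with a memorized secret (800-63B 4.3.1).
    if "mf_crypto_device" in info or ("sf_crypto_device" in info and has_secret):
        return 3
    # AAL2: a multi-factor authenticator, or a memorized secret plus one
    # possession-based authenticator (800-63B 4.2.1). Two possession
    # authenticators without a memorized secret do NOT reach AAL2.
    if has_multi_factor or (has_secret and has_possession):
        return 2
    return 1


def uses_restricted(used: frozenset) -> bool:
    """True if any authenticator in the login is RESTRICTED (SMS/voice OTP)."""
    return any(AUTHENTICATORS[name].restricted for name in used)


@dataclass(frozen=True)
class Session:
    user_type: str
    ial: int                 # IAL at which the account was identity-proofed
    authenticators: frozenset


@dataclass(frozen=True)
class Resource:
    name: str
    min_ial: int
    min_aal: int
    allow_restricted: bool = True


def decide(session: Session, resource: Resource) -> tuple:
    """Return (allowed, reason) for an access request against a resource."""
    if session.ial < resource.min_ial:
        return False, f"{resource.name}: IAL{session.ial} below required IAL{resource.min_ial}"
    aal = achieved_aal(session.authenticators)
    if aal < resource.min_aal:
        return False, f"{resource.name}: AAL{aal} below required AAL{resource.min_aal}"
    if not resource.allow_restricted and uses_restricted(session.authenticators):
        return False, f"{resource.name}: restricted authenticator (SMS/voice OTP) not accepted"
    return True, f"{resource.name}: IAL{session.ial}/AAL{aal} accepted for {session.user_type}"


# Constructed sample policy: the internal source repository needs proofed
# identities (IAL2) and real MFA without SMS; the customer portal needs neither.
SOURCE_REPO = Resource("source_repo", min_ial=2, min_aal=2, allow_restricted=False)
CUSTOMER_PORTAL = Resource("customer_portal", min_ial=1, min_aal=1)

# Constructed sample sessions, one per user type from the list above.
SAMPLE_SESSIONS = [
    Session("employee", 2, frozenset({"memorized_secret", "oob_push"})),
    Session("employee", 2, frozenset({"memorized_secret", "oob_sms"})),
    Session("vendor",   1, frozenset({"memorized_secret", "oob_email"})),
    Session("customer", 1, frozenset({"memorized_secret"})),
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        for r in (SOURCE_REPO, CUSTOMER_PORTAL):
            print(decide(s, r))
```

Two outcomes are worth noticing when running it: a password plus an emailed code still evaluates to AAL1, because email adds no possession factor, and the employee who logged in with password plus SMS code reaches AAL2 but is still refused the source repository, because that resource does not accept restricted authenticators. That is exactly the distinction the guidance asks you to make per resource rather than per user type.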

Identity Management is a Balancing Act

The onus is on your company to keep information secure – and to make sure those that interact with your systems are protected. It’s also important for identity management systems to enhance – not limit – your enterprise’s productivity. We can help you understand your needs for identity management. Contact us to learn more.

Cybersheath Blog
