Changing Your Approach to Protecting Digital Identity

By Richard Brechwald • September 20, 2017

Security breaches make headline news. Even the most seemingly secure and untouchable organizations are vulnerable as security measures are only as effective as the weakest link. Most recently, Equifax was compromised, potentially exposing vital information of half of all adult Americans.

When it comes to protecting digital identity, there needs to be a more sophisticated way to identify, authenticate, and trust identity information. How does your organization need to change the way it thinks about digital identity? And what measures should you take to better protect your systems and information?

Evolving Threat Landscape Makes Identity Management a Challenge

As hackers employ more sophisticated means to infiltrate an enterprise, organizations need to change the way they prove identity – including moving beyond password security. Verizon’s 2016 Data Breach Investigations Report found that 63% of confirmed data breaches involved password attacks, including phishing or some other kind of password harvesting technique.

Once the initial breach happens, more damage occurs as the hackers harvest additional passwords to explore the enterprise from the inside, working to compromise more systems and access more information.

How this Impacts Your Business

Passwords are not enough to protect important data. The more valuable the data, the more important it is that only the right people have access to it. To keep up with changing technologies, market conditions, and attack methods, NIST updated their Digital Identity Guidelines to provide a more robust way to approach safeguarding identity.

Version 3 of NIST 800-63 was released in June. The revised guideline helps organizations evaluate their requirements for authenticating users and assess identity management tools against those requirements. The previous version, NIST 800-63-2, had a single measure of identity effectiveness, the Level of Assurance. The revised guideline replaces it with three individual measures, providing more clarity on how to measure the trust of digital identities. They are:

  • Identity Assurance Level (IAL): How well do you know that the person creating this account is the real person he or she claims to be?
  • Authenticator Assurance Level (AAL): How well do you know that the person accessing this service is the same person that created the account?
  • Federation Assurance Level (FAL): How well do you trust the identity provided to you by a third party Identity Service?

Creating Your Identity Management Approach

  1. Determine what types of users interact with your various systems. Typically an enterprise will have employees, customers, vendors, partners, and perhaps other user types.
  2. Map business case and levels of access for each user type. Define what information each role needs to have access to as well as the level of trust that the person accessing it is the person that should be accessing it. If you are not going to require a user to have a high level of assurance, then you are going to restrict the data he or she has access to.
    • For instance, you trust your employees more than you trust your partners, perhaps your partners more than vendors, and vendors more than customers. A market system would require a different level of trust than your internal development system with all of your intellectual property.
  3. Determine how you manage access, and verify and protect digital identity. Some questions to ask include:
    • Do you need to look at someone’s Driver’s License in person before authorizing access to high-value information, or is an email address sufficient for accessing lower value information?
    • Do you need Multi-Factor Authentication (MFA) before allowing access to critical assets, or is password security sufficient for routine access?
      • Important note on MFA: When evaluating MFA vendors, NIST 800-63-3 defines and puts into context the capabilities they need to provide. Some methods of authentication that are in common use today are no longer considered safe – specifically, SMS one-time passwords. If you are currently using SMS or email to send one-time passwords to verify authentication, consider transitioning to push or soft token technologies.
    • Do you need a dedicated on-premises identity management system, or can you rely on a third-party Identity as a Service (IDaaS) provider such as Google, Facebook, or Microsoft?
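The three steps above can be expressed as a small policy check. The following is an added example, not code from the original post or from NIST: it maps assumed data tiers to NIST 800-63-3 Authenticator Assurance Levels (AALs), computes the AAL a session's authenticators actually reach, and refuses to count SMS or email one-time passwords toward it. The tier names, authenticator names and the "restricted counts for nothing" rule are assumptions made for illustration.

```python
# Added example (not the post's or NIST's own code): a policy check that maps
# assumed data tiers to NIST SP 800-63-3 AALs and tests a session against them.

# Factor category of each authenticator type (simplified from SP 800-63B).
FACTOR = {
    "password": "knowledge",
    "sms_otp": "possession",    # out-of-band via SMS: RESTRICTED in 800-63B
    "email_otp": "possession",  # email is not an accepted out-of-band channel
    "push_app": "possession",   # out-of-band via authenticator app
    "totp_app": "possession",   # soft token (single-factor OTP device)
    "hw_key": "possession",     # hardware cryptographic authenticator
}
# Authenticators that, by this assumed policy, never count toward an AAL.
RESTRICTED = {"sms_otp", "email_otp"}
HARDWARE_CRYPTO = {"hw_key"}

# Required AAL by data tier: an assumed policy for the "balancing act" step.
REQUIRED_AAL = {"marketing": 1, "internal": 2, "source_code": 3}


def effective_aal(authenticators, allow_restricted=False):
    """Highest AAL a session satisfies (simplified 800-63B rules).
    AAL1: any one authenticator.  AAL2: two different factor categories.
    AAL3: AAL2 where the possession factor is a hardware cryptographic key.
    Restricted authenticators are ignored unless explicitly allowed."""
    used = [a for a in authenticators
            if a in FACTOR and (allow_restricted or a not in RESTRICTED)]
    if not used:
        return 0
    if len({FACTOR[a] for a in used}) < 2:
        return 1
    return 3 if any(a in HARDWARE_CRYPTO for a in used) else 2


def authorize(tier, authenticators, allow_restricted=False):
    """Return (allowed, reason). Unknown tiers fail closed at AAL3."""
    need = REQUIRED_AAL.get(tier, 3)
    have = effective_aal(authenticators, allow_restricted)
    dropped = [] if allow_restricted else sorted(set(authenticators) & RESTRICTED)
    if have >= need:
        return True, f"AAL{have} meets AAL{need} for '{tier}'"
    why = f"AAL{have} below required AAL{need} for '{tier}'"
    if dropped:
        why += f"; restricted authenticators not counted: {', '.join(dropped)}"
    return False, why


if __name__ == "__main__":
    print(authorize("internal", ["password", "sms_otp"]))    # denied
    print(authorize("internal", ["password", "push_app"]))   # allowed
    print(authorize("source_code", ["password", "hw_key"]))  # allowed
```

Setting `allow_restricted=True` reproduces the legacy behaviour where an SMS code counts as a second factor, which makes the gap the guideline is closing visible in the returned reason.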

Identity Management is a Balancing Act

The onus is on your company to keep information secure – and to make sure those that interact with your systems are protected. It’s also important for identity management systems to enhance – not limit – your enterprise’s productivity. We can help you understand your needs for identity management. Contact us to learn more.

CyberSheath Blog
