CIAM and the Changing Fate of Identity (Part 2)
Digital identity’s center of gravity has shifted to customer-facing identity (CIAM). As we learned in the changing face of identity (part 1 of this post), effective CIAM is crucial.
Ian Glazer, who inspired my last two posts with a great talk at RSA Conference, actually titled it “The Changing Face/Fate of Identity.” Face or fate: What a difference a single word can make! But why did Glazer dual-title that talk?
Answer: The talk pivots from IAM’s business imperatives and technical architectures to IAM and CIAM threat models. Glazer sees the industry at risk of a failed fate if we fall behind the curve of creating architectures and professional disciplines equal to the risks. The risk is not just from regulations, but from real threats that grow more serious as we look at identity from the CIAM ecosystem perspective. Take a look at my rendition of the threat model.
We are all too familiar with the first two categories of threat actors.
- Bulk Attackers: Anonymous hacktivists and financially motivated criminals swarm with their botnets and exploit kits. They incessantly attack identity databases to obtain data in bulk, then dump the ill-gotten info to the likes of WikiLeaks or sell it on underground darknet markets.
- Single Row Attackers: Target an individual identity for nefarious purposes, gathering intelligence through social networks, conducting spear-phishing attacks and account takeover, and exploiting compromised accounts to the detriment of the individual or his/her organization.
We’re not so familiar with the next two…
- Individual Competitors: Glazer called this “the person who wants your job.” In the increasingly digital social and economic arena, how might the competitor of an organization’s officer, employee, or customer obtain “too much information” and exploit it? How might this be detrimental? (I don’t have the space to write all the ways…Please comment!)
- Successor Attackers: Glazer called this “the person who takes your job.” May have access to a lot of predecessor information, maybe even a whole “private” email server. If the successor seeks to access and use that information, is it ok for the organization to be a passive bystander, or must it put guard rails in place to avoid liability?
We have barely begun to consider the motivations and tactics of, and counter-measures against, individual competitors and successor attackers. In the recorded presentation, Glazer suggested that we need to consider accountability and transparency mechanisms in addition to arsenals of preventative and detective protections. He also proposed a new IAM maturity model.
I caught up with Ian for a short interview after the show. I asked him: “What about customers and regulators as a threat category?” He responded with a politically-correct “I would never consider customers a threat.”
But we did agree that counter-measures based on transparency and accountability for more subtle threats will run into some challenges in the era of massive regulatory expansion. For example, the GDPR right of access requires companies to release a lot of private information upon customer request.
But what if a hacker exploits that “right of access” to get the very information GDPR also requires the company to protect? There’s probably a reason most companies have, until now, kept user account management interfaces brain-dead simple: anything else requires well-thought-out authentication, credential recovery, consent, and authorization strategies.
What if, through right of access, the customer obtains information that is interwoven with information about other customers or employees of the company? Those persons have privacy rights too. Identity professionals responsible for applications where this could happen need to think outside the box of core identity services architecture, and get deep into application data models, legal guidance, and customer service process design.
Challenges abound, but this isn’t ALL pain. There can be gain too! Liz Brandt from Ctrl-Shift writes: “...It will cost large companies between £25m-50m to merely become GDPR compliant; but for an incremental spend of between £2m – £5m GDPR can be transformed into a revenue generating activity. By using GDPR as a strategic driver for growth, businesses will be able to generate new revenue by building new innovative consumer services; digital experiences which…will be a positive impact on customer loyalty and retention…underpinned by new-age marketing capabilities…to build trusted relationships with customers.”
Meanwhile at the architect’s white board, Ian and I will collaborate further on developing the model. And we may have help.
The Kantara Initiative ID PRO Organization
Security, privacy, and identity are each vast and complex problems. They are also highly inter-related. Glazer issued a final call to action at RSA: The industry needs a well-established professional organization, certification program, and career track for identity professionals.
Sources: Glazer’s RSA presentation
Ian has taken on the mission of leading the Kantara Initiative’s Identity Professional Association (ID PRO). I joined and attended my first meeting with them this week. And Thorsten Niebuhr from WedaCon will be doing a session on the association’s emerging Body of Knowledge (BoK) at KuppingerCole’s European Identity Conference (EIC) in a couple of weeks.