Defend Digital Identities

Learning Objectives

After completing this unit, you’ll be able to:

Describe the different approaches to securing digital identities (IDs).
Explain the threats to the digital ID ecosystem.
Identify the risks to the confidentiality, integrity, and availability of emerging digital ID systems.
List actions to address the challenges associated with securing digital IDs.

Different Approaches Across the Globe

The definition of a secure digital ID is evolving as organizations explore the best way to enable both online and offline transactions. Establishing a robust and globally interoperable approach to digital ID management is critical to realizing the potential economic and societal value of the digital ecosystem in the next 5 to 10 years. By getting digital ID right, organizations have the potential to:

Solve existing security and privacy challenges.
Facilitate a low-friction global market.
Support the digital transformation of existing services.
Unlock new value by offering emergent types of trusted services (for example, in transport, commerce, and finance).

Emerging technology organizations are reimagining digital ID. There have been efforts by various national governments and regional bodies, as well as industry-led efforts, to implement digital ID management approaches. The information security community has established principles; the supporting technologies exist; and digital ID solutions are being implemented in new use cases.

Threats to the ID Ecosystem

As next-generation digital ID systems emerge, society will build up an increasing dependence on their use in critical applications. And attackers will likely target the high-value ID ecosystem. Sophisticated threat actors will capitalize on the opportunity to exploit vulnerabilities in its component parts (for example, authentication devices and authorization mechanisms, access management, communications, and databases) and the actions of users in order to take over accounts, subvert transactions, and more. Let’s take a closer look at some of the threat groups and their motivations for attacking the ID ecosystem.

The Insider

An insider is anyone who has authorized access to resources and who could, wittingly or unwittingly, use access to do harm to your organization. Without strong security measures in place, these users can cause catastrophic and costly harm.

Competitors

Competitors are your rivals in the industry, and are usually motivated by gaining competitive advantage. A competitor may engage a third party to undertake attacks on their behalf. They also may use insiders, either by recruiting a turncloak insider (one who is malicious and may be acting as a knowing agent for another threat group) at your organization, or placing an insider from their organization in a trusted position within your organization.

An employee reaching into a secret filing cabinet and then giving the secret file to a competitor outside.

Organized Crime

Organized criminals often operate globally, and are therefore difficult to trace and prosecute. They are typically motivated by financial advantage, or just by opportunity. Organized criminals may perpetrate digital ID theft at a large scale, using stolen personal data. They may also take over accounts or reuse credentials available on the dark web from other breaches to target new systems and organizations. They can also use ID theft to create fake ID documents.

Hacktivists

Hacktivists are usually seeking attention or pursuing popular causes. Their motivations are dynamic and unpredictable, or potentially related to a political or social issue. Hacktivists may impersonate someone by taking over their account and publishing a statement in their name.

Nation States

Nation states usually target digital ID ecosystems to perform espionage and sabotage. They are motivated by political and economic advantage. Nation states sponsor attackers who engage in large-scale espionage, including account takeover. They may attack rival countries’ infrastructure, track and surveil foreign diplomats, or impersonate a government official online.

Risks to Emerging Digital ID Systems

You can consider risks to the security of emerging digital ID systems in terms of their confidentiality, integrity, and availability.

Confidentiality

Organizations face a major unauthorized disclosure risk to the large amounts of personal information managed by digital ID systems (including personally identifiable information [PII] and biometric, behavioural, and locational data). Minimizing the risk to this data is critical.

Integrity

Detecting fake digital IDs is a major issue in security. Attackers can create fake accounts and perpetrate ID fraud for social and economic gain. Organizations face a risk that the integrity of the ID ecosystem may be subverted, which would reduce the confidence of participants in it. For participating actors, there are challenges in establishing the integrity of the components they depend on (particularly in cases where there is a trust deficit), and demonstrating their competence in protecting their part of the ecosystem against abuse.

Availability

There is an availability risk that attackers will attempt to prevent access to, or use of, digital ID infrastructure. If the infrastructure does not have the necessary resilience and failover modes, then attacks on the availability of systems which services critically depend upon could have grave consequences. Achieving resilience will be particularly challenging in those elements of society where infrastructure (both technical and governance) is weak.

Managing the Risks of Digital ID

Managing the risks associated with digital ID is crucial, in order for users to have confidence in how the system as a whole operates, and to trust the infrastructure behind it. Let’s take a look at some ways your organization can manage the risks associated with digital ID.

Assurance, Trust, and Transparency

To enable trust in and adoption of digital ID solutions, organizations need to verify the security and resilience of the digital ID ecosystem’s components. Users participating in ID transactions need to accurately understand the extent to which the end-to-end process is trustworthy. They also must make informed decisions on whether to implement additional assurance mechanisms to make up for trust deficits (where their confidence in the integrity of the process is limited).

Shared and Interoperable Governance Frameworks

Organizations need a governance framework (standards and certifications) that is globally defined, or at least mutually recognized and interoperable, which creates a common understanding of assurance levels. To promote trust between the various components of globally distributed ID ecosystems, industries may need to define base levels of cybersecurity for those managing ID systems and processes in order for them to participate.

Convening Actors

Nations and organizations have divergent approaches to digital IDs. There is a need to examine the interoperability issue and drive the development of the requisite governance frameworks and incentive models to secure the ID ecosystem. It is a shared responsibility of government, private sector, civil society, and important industry players (for example, banks, telecommunications providers, technology companies).

Sum It Up

In this module, you’ve been introduced to a sustainable approach for managing cybersecurity risks. You've learned about the four technologies that will transform the global digital landscape in the near future: ubiquitous connectivity, artificial intelligence, quantum computing, and digital IDs. In addition, you’ve been introduced to the challenges to improving cybersecurity defenses impacted by these technologies.

You now have a better understanding of what it takes to maintain the integrity of, and trust in, the emerging technologies that future global growth depends on. Interested in learning more about cybersecurity topics? Head on over to the Cybersecurity Learning Hub to explore more and hear from real security practitioners.