Identity management 101: How digital identity works in 2020
10 Mar
In a person-to-person business transaction, when the other person doesn’t know you or know who you are, she may accept credentials that vouch for your identity. Identity management in computer networks is about the following:
- Whether a set of digital credentials under examination by a service or application can vouch for your identity, and can attest to your authorization to conduct the transaction you request;
- Whether an access management system can trust the results of that examination enough to grant you access to documents, protected services, or information;
- Whether you personally can trust credentials presented by a website or web app, to represent the business, institution, or agency with which you intend to conduct a transaction.
Data is being collected about you — that much is undeniable. (Just today, you’ve probably thwarted a phishing attempt.) The common misconception is that your personally identifiable information (PII) resides natively in some single, centralized database. Clearly, Facebook is one of the most aggressive collectors of behavioral data and of aggregated inferences drawn from the personal information people post — although it accuses others of “harvesting” this data. Indeed, social media’s ability to influence public perceptions and opinion may have already changed the course of world history.
But not even the autonomously collected metadata about everyone’s online behavior — despite efforts to protect everyone’s privacy — constitutes a collective database of digital identities. Many people who claim to have had their digital identities stolen are actually among thousands of victims of the theft of a database which includes some element of personal data, such as a credit card number. What makes the collection of this data most dangerous to you as a person is the possibility that a system with access to data that authenticates you (credentials) can pair it with data that describes you (metadata). This way, conceivably, a malicious actor can gather this data together from multiple sources to impersonate you, and conduct financial and business transactions in your name.
So when we talk about “digital identity,” what are we really saying?
- Digital identity consists of the credentials necessary to gain access to resources in a network or online, in your name.
- In the most weakly secured system, a password alone may suffice to assume some form of digital identity.
- In an unsecured system — for instance, using a web browser to read a technology news site somewhere — public servers may require only anonymous credentials, but even then there is a kind of temporary digital identity representing the browser, which is assumed to represent you because you gained access to the client where the browser was installed.
- An enterprise network typically requires some form of authentication for you to attain access — perhaps two-factor authentication, or even more. Those credentials are your digital identity in the context of that network, but not outside that network.
- On the internet, which is a patchwork of networks linked together through gateways, the sharing of services requires digital identity to be exchanged in some form. This is the trickiest and most volatile part of the entire digital identity scheme.
- Personal identity is the amalgam of information necessary for you, or anyone seeking to impersonate you, to be recognized as valid and to be authenticated. Someone stealing a password to a DMV database might be able to attain information about your driver’s license or the make and model of car you drive. If that’s enough information for someone else, in some other transaction, to pass this person off as you, then that malicious actor may have effectively “stolen your identity.”
Identity management, therefore, consists of the practices and principles to which everyone in the transaction process adheres, including yourself, to protect those elements of digital identity that a malicious actor could combine to make use of your personal identity. Identity and access management (IAM) is the class of software and services on the computer networks’ side of the transaction, dedicated to fulfilling their responsibilities to you in that regard.
Digital identity and personal identity
You know who you are. However, digital identity in a computing system, as you’ve just seen, is a fuzzy topic.
Digital identity is asserted through credentials
The weakest form of access management in a computer system involves a single username paired with a single password. Password management is not identity management.
At any one time, your digital identity consists of credentials, which are essentially tokens of data and metadata that represent you. They’re not your personal papers, or anything such papers would contain. Whenever you enter a secured building, even if you work there, you present your credentials, probably a card, and perhaps just to operate the elevator. That card is a token testifying that someone has already cleared you for entry. In most cases, digital identity is likewise a token comprised of data.
But it’s more complicated than that:
- Services and software — which are clearly not people — may have some form of digital identity, because they too must access databases and resources as though they were “users.”
- Browsing the web does not require you, or any other user, to have enough identity for a person or system to identify you personally. You can read this ZDNet article without signing into some central internet service provider first. A browser may be assigned a kind of temporary “visitor’s credentials,” if you will, to establish a session with servers; those session credentials do not carry your own credentials, which may be exchanged as part of a separate transaction.
- There is no universally recognized, converged, single set of credentials that identify “you” exclusively for the Internet. In many regards, that’s not good news. It means, if a malicious actor (a person) truly wants to impersonate you — maybe to post text in your name on social media, or to transfer your cash into this…
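The distinction drawn above between a browser’s temporary “visitor’s credentials” and a credential that actually vouches for a person can be made concrete in code. The following is an added example, not code from the article or from any product it mentions. It assumes a single issuing service holding an HMAC key, credentials expressed as JSON claims bound to the issuer by an HMAC-SHA256 tag, and constructed subject names and timestamps; the claim names (`sub`, `sid`, `amr`, `exp`) are borrowed from common token conventions but the scheme itself is hypothetical.

```python
"""
Added example (not from the article): a minimal signed-credential scheme that
separates an anonymous browsing session from an authenticated identity.

Assumptions, all constructed for this illustration:
- one shared HMAC key held by the issuing service,
- credentials are JSON claims plus an HMAC-SHA256 tag, base64url-encoded,
- the current time is passed in explicitly so the example runs deterministically.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed issuer key; a real service would keep this in a secret store or HSM.
ISSUER_KEY = b"example-issuer-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Serialise the claims and bind them to the issuer with an HMAC tag."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def verify(token: str, now: int, key: bytes = ISSUER_KEY) -> Optional[dict]:
    """Return the claims if the tag matches and the credential is unexpired, else None."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # forged or tampered
    claims = json.loads(body)
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims


def anonymous_session(now: int, ttl: int = 1800) -> str:
    """'Visitor's credentials': a session id with no subject, so it identifies the browser, not a person."""
    return issue({"sid": secrets.token_hex(8), "sub": None, "iat": now, "exp": now + ttl})


def identity_credential(subject: str, factors: list, now: int, ttl: int = 3600) -> str:
    """A credential issued only after authentication; 'amr' records which factors were checked."""
    return issue({"sub": subject, "amr": list(factors), "iat": now, "exp": now + ttl})


def identifies_person(token: str, now: int) -> bool:
    """Access decision: only a valid, unexpired credential that names a subject vouches for a person."""
    claims = verify(token, now)
    return claims is not None and claims.get("sub") is not None


def tamper(token: str, new_claims: dict) -> str:
    """Rewrite the claims without the issuer key; the old tag no longer matches the new body."""
    body = json.dumps(new_claims, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(body)}.{token.split('.')[1]}"


if __name__ == "__main__":
    now = 1_600_000_000  # constructed clock value
    session = anonymous_session(now)
    person = identity_credential("alice@example.com", ["pwd", "otp"], now)
    print("session vouches for a person:", identifies_person(session, now))   # False
    print("credential vouches for a person:", identifies_person(person, now))  # True
    forged = tamper(session, {"sub": "alice@example.com", "iat": now, "exp": now + 3600})
    print("forged session accepted:", verify(forged, now) is not None)        # False
```

The point the code makes is the one the list makes: the session token is a perfectly valid credential for establishing a session, yet `identifies_person` rejects it because it carries no subject, while the identity credential is accepted only while its tag verifies and it has not expired. Adding a `sub` claim to the session token without the issuer key produces a tag mismatch, which is why the credential, and not the data inside it, is what vouches for identity.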