While blockchain data privacy features can be leveraged to protect consumers, for example by enabling self-sovereign identity, blockchain technology also poses serious security and privacy risks to users who are unaware of them. If designed and executed well, blockchain can support a private, distributed network of computers around the world. Blockchain currently faces problems with consumer privacy and safety that have to be worked out before it can become the computational norm. Some of these issues include:


Public Ledgers and Blockchain Data Privacy

While the public ledger was a core aspect of Bitcoin’s success (anyone could verify the transaction record through the self-perpetuating blockchain), the feature posed and continues to pose problems for Bitcoin (BTC) and all coins that use this model. The ability of any user to inspect every transaction on the chain is good for verification, but it quickly became a tool for tracking people and their spending habits: addresses are only pseudonymous, and once a single address is tied to a person, every transaction linked to that address is exposed. Police and criminals alike can use the blockchain to find people through their digital assets. This is where consumer data can get breached.
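The tracking described above does not need any special access; it is a graph walk over data anyone can download. The following script is an added illustration (not code from the original article) of the common-input-ownership heuristic that chain-analysis tools start from: addresses spent together as inputs of one transaction are presumed to belong to the same wallet, because spending them required all of their private keys. The ledger, the transaction layout (inputs and outputs only, no amounts) and the address names are constructed for the example.

```python
"""Common-input-ownership clustering over a toy public ledger.

Added example for this article (not code from the original page). It assumes a
simplified transaction format: each transaction lists the addresses that funded
it ("inputs") and the addresses it paid ("outputs"). The heuristic: addresses
spent together as inputs of one transaction are presumed to belong to the same
wallet, because spending them all required all of their private keys.
"""
from collections import defaultdict

# Constructed sample ledger; address strings are placeholders, not real addresses.
LEDGER = [
    {"txid": "t1", "inputs": ["A1", "A2"], "outputs": ["M1", "A3"]},
    {"txid": "t2", "inputs": ["A3"],       "outputs": ["S1"]},
    {"txid": "t3", "inputs": ["A2", "A5"], "outputs": ["M2"]},
    {"txid": "t4", "inputs": ["B1"],       "outputs": ["A1"]},
]


def cluster_addresses(ledger):
    """Return a set of frozensets; each frozenset is one presumed wallet."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path compression
            addr = parent[addr]
        return addr

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_a] = root_b

    for tx in ledger:
        for addr in tx["inputs"] + tx["outputs"]:
            find(addr)                      # register every address seen
        first, *rest = tx["inputs"]         # every sample tx has >= 1 input
        for other in rest:
            union(first, other)             # co-spent inputs -> same owner

    clusters = defaultdict(set)
    for addr in parent:
        clusters[find(addr)].add(addr)
    return {frozenset(members) for members in clusters.values()}


def cluster_of(clusters, addr):
    """Look up the presumed wallet containing one known address."""
    for members in clusters:
        if addr in members:
            return members
    raise KeyError(addr)


def counterparties(ledger, cluster):
    """Who the wallet paid and who paid it: the 'spending habits' view."""
    paid_to, paid_by = set(), set()
    for tx in ledger:
        inputs, outputs = set(tx["inputs"]), set(tx["outputs"])
        if inputs & cluster:
            paid_to |= outputs - cluster
        if outputs & cluster:
            paid_by |= inputs - cluster
    return paid_to, paid_by


if __name__ == "__main__":
    clusters = cluster_addresses(LEDGER)
    wallet = cluster_of(clusters, "A1")       # one address tied to a person...
    print("same wallet as A1:", sorted(wallet))
    print("paid to / paid by:", counterparties(LEDGER, wallet))
```

Tying one address (A1) to a person is enough to expose the whole cluster and everyone it transacted with; real tools add change-address and timing heuristics on top, which is why the "pseudonymity" of a public ledger is so thin.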

Centralized Blockchains

Consumer data isn’t only accessed and used by outside individuals, however. A fully centralized blockchain would give its owner or creator full control over users’ data. Blockchains like Cardano (ADA) are designed to be decentralized, meaning the community controls the project and no single individual or group controls the blockchain. On the other hand, a nationally centralized blockchain would be a dystopian prospect for the citizens living under it. The first country to implement something like this will most likely be China: the Chinese Communist Party has already built a heavily monitored, China-exclusive internet and now its own national digital currency, so such a step would not be surprising. If Chinese citizens were forced to use such a blockchain, it would undermine the self-sovereign identity that other blockchains could offer.

However, blockchain and the technology built on top of it have changed what privacy means in the field of economics. Bitcoin proved its concept when the coin was used as a P2P (peer-to-peer) cash-sending system, like PayPal or Venmo, and in online marketplaces. Sellers of illicit goods on dark web marketplaces like the Silk Road quickly took up BTC for its decentralization and its pseudonymity from authorities, even though, as noted above, the public ledger later made that pseudonymity easy to pierce. Monero (XMR) takes the technology further with stealth addresses: each payment goes to a one-time address derived from the recipient’s public keys, so the recipient’s published address never appears on the ledger and outside onlookers cannot link outputs to it. Together with Monero’s other protocol-level protections (ring signatures and confidential amounts), this hides the link between sender, recipient and amount from other users and outside observers. It is still not “complete” privacy: network-level metadata and exchange records sit outside the protocol’s protection.

One typical area of concern with blockchain data privacy is digital currency wallets and users’ lack of awareness of the risks. A common mistake is renaming a wallet or address to something personal, such as a password, when that label can be visible to everyone on the public blockchain; anything written to a public ledger is permanent and readable by all.

Finally, knowledge of and control over personal data is the most important blockchain feature for implementing consumer privacy and security. As big tech companies continue to monopolize the personal data of internet users, alternatives are invented to protect user data. Where blockchain technology protects the integrity of a network’s transactions by writing them to an immutable ledger, the Tor project serves as a complementary browser that protects the privacy of the connection. It does this by routing the user’s traffic through several relays before it reaches the website, so that no single relay sees both the user and the destination. It is significantly slower than most other browsers because of this multi-hop routing. If Tor worked with blockchain tech, users could comfortably leave mainstream browsers that sell their data and censor their search results. Tor could also connect to blockchain-powered ecosystems like digital supply chains to create a safe and well-informed shopping experience on the web. This combination of integrity and privacy would give consumers a space to interact safely: free from centralization, users can achieve private and verifiable transactions.


This article explores important considerations for implementing IdM systems such as implementation processes, role-based access management model, and existing IAM services for processing and managing user access.

Important considerations for identity management IdM system implementation

How to form the concept of the project

Let us start with the basic questions that arise at the initial stage of cooperation between the IdM vendor and the customer.

What is the scope of the IdM system implementation project? Should it be as extensive as possible and deliver more value but require a long implementation timeline, or should we focus on the most important tasks that allow rapid implementation?

The scope should demonstrate to the customer the future value of the IdM system implementation. We are talking not only about the top management of the company and employees of the department who are direct recipients of the final solution but also about other departments. Implementation costs are borne by the entire company, so the effect should be clearly visible to all people; otherwise, full personnel involvement can hardly be achieved.

To participate in the implementation, employees of the customer who are not part of IT or information security need to be interested and motivated. The vendor should show them the benefits they will receive after the project is implemented. For example, it is advisable to include in the project the automation of routine operations that are currently performed manually. This way, the effect of IdM implementation will be more noticeable.

Also, we must not forget that a user-friendly web portal, the ability to build clear reports, and other visual aspects are important parts of the implementation. When defining the scope, it is not enough to consider only the technical parts of the project.

The first stage of implementation should include a small number of systems that provide maximum value for the customer. Initial small coverage of the core systems will bring enough benefits to users and administrators.

What IdM implementation approaches are the most promising

How much should the customer and the vendor formalize the implementation parameters? Do you need a strict technical assignment, or is a flexible approach acceptable? How to reconcile the need for changes discovered in the process of project implementation with the initially defined financial and technical parameters?

A flexible approach to implementation requires a high level of trust between the vendor and the customer. It is very important to clearly define the project’s boundaries so that it does not turn into an uncontrollable and endless process. You need to clearly define and fix the final goal for the customer and the labor costs for the vendor. One option is to hold an agile session before finalizing the contract in order to determine all technical parameters more accurately.

The implementation process should not be vague for the customer; regular meetings are needed where the parties can discuss the status of the project. Such involvement of the customer’s representatives allows them to influence the course of work and allows the vendor to adjust, to a certain extent, the expectations of the other party.

When working on the technical requirements and specifications, the vendor must constantly keep the dialogue with the customer and be ready for changes. Usually, it is good to break the implementation process into stages to provide the project with the necessary flexibility without losing sight of the ultimate goal.

A clear technical assignment is needed at the first stage. It is required to participate in the competitive bidding process and to form an initial scope that shows the customer the key benefits of your solution. Later, as trust between the parties grows and customer engagement increases, you can try to use a less formal mode of cooperation.

Method of work can also be determined through a pilot project, during which the customer and the vendor can get to know each other better.

Once again, it is important to emphasize the importance of customer involvement. The client’s team should not remain an outside observer of the implementation process, since they will have to manage the ongoing maintenance of the system.

Is it possible to implement an IdM system without a ready-made role model?

Are there any chances of successful IdM implementation if the customer does not have a developed role model? Is it possible to automate chaos? Is it possible to build the role model during implementation?

A practical starting point is a description of the main HR functions: hiring, firing, and internal transfers. This ensures a good and speedy start for IdM implementation. Further development of the role model and the description of all the business processes can be performed as the project progresses.

Creating a complete role model requires a lot of resources and can significantly increase the time and cost of a project. In addition, the role model often becomes outdated the day after it is agreed upon, so there is little point in freezing it at the beginning of implementation. It is often more convenient to build and maintain the role model with the IdM toolkit itself, which keeps the role model up to date as the organization changes.

How to build a role model

How should the process for defining roles be structured? Should this process be based on historical data and analysis (Role Mining) or business insights obtained through executive surveys, job descriptions, and other tools?

In practice, the best results are obtained by combining several methods. Historical data provides insight into the current access matrix, while executive surveys show how well it fits the company’s rights management goals and objectives. Existing permissions at the level of departments and individual employees should be discussed with the owners of the business processes in order to cut off unnecessary privileges and, possibly, add new roles.

In order to avoid misunderstandings between the vendor and the customer, it is recommended to negotiate in advance at what stage, by whom, and at whose expense the role model will be created. Role Mining is not a magic button that will help eliminate all the problems, but only a starting point for building a role model.
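To make the "starting point" concrete, the following script is an added example (not code from the original article or from any IdM product) of the simplest role-mining pass over historical data: a constructed user-to-entitlement matrix, a threshold rule that turns the entitlements most department members already hold into a candidate role, and an exception report listing what falls outside that role. The exceptions, not the roles, are what you take to the business-process owners.

```python
"""Role mining from a user-to-entitlement matrix.

Added example for this article, not the page's own code. It assumes a
constructed access matrix and uses one simple method: an entitlement becomes
part of a department's candidate role when at least `threshold` of the
department's members already hold it. Everything outside the candidate role is
reported as an exception for business owners to justify or remove.
"""
from collections import Counter, defaultdict

# Constructed sample: user -> (department, entitlements currently held).
ACCESS_MATRIX = {
    "alice": ("finance", {"erp.view", "erp.post", "mail"}),
    "bob":   ("finance", {"erp.view", "erp.post", "mail"}),
    "carol": ("finance", {"erp.view", "erp.post", "mail", "erp.admin"}),
    "dave":  ("finance", {"erp.view", "mail"}),
    "erin":  ("sales",   {"crm.view", "crm.edit", "mail"}),
    "frank": ("sales",   {"crm.view", "crm.edit", "mail", "erp.post"}),
    "grace": ("sales",   {"crm.view", "mail"}),
}


def mine_roles(matrix, threshold=0.6):
    """Return {department: frozenset of entitlements forming the candidate role}."""
    by_dept = defaultdict(list)
    for dept, perms in matrix.values():
        by_dept[dept].append(perms)
    roles = {}
    for dept, perm_sets in by_dept.items():
        counts = Counter(p for perms in perm_sets for p in perms)
        members = len(perm_sets)
        roles[dept] = frozenset(p for p, c in counts.items() if c / members >= threshold)
    return roles


def exceptions(matrix, roles):
    """Per user: 'extra' entitlements beyond the role (review for removal or
    separation-of-duty conflicts) and role entitlements the user lacks ('missing')."""
    report = {}
    for user, (dept, perms) in matrix.items():
        extra = perms - roles[dept]
        missing = roles[dept] - perms
        if extra or missing:
            # Note which other department's role an extra entitlement belongs to;
            # cross-department rights are the usual sign of stale access.
            belongs_to = {p: sorted(d for d, r in roles.items() if p in r and d != dept)
                          for p in extra}
            report[user] = {"extra": extra, "missing": missing, "belongs_to": belongs_to}
    return report


if __name__ == "__main__":
    roles = mine_roles(ACCESS_MATRIX)
    for dept, role in roles.items():
        print(f"{dept}: {sorted(role)}")
    for user, finding in exceptions(ACCESS_MATRIX, roles).items():
        print(f"{user}: {finding}")
```

On the sample data, carol’s erp.admin and frank’s erp.post (a finance right held by a sales user) come out as extras, while dave and grace are under-provisioned relative to their peers. The threshold is the judgment call: raising it to 0.75 drops crm.edit from the sales role, which is why the output is a conversation starter with the business, not a finished role model.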

It is also important to understand how deep the vendor can dive into role management and where the project boundaries lie. For example, should its scope include setting up roles in SAP or another system used by the customer?

The success of the project depends on how well the customer’s employees are trained to create a role model. It is also important to understand that there is no universal method for building a role model. What works for a bank will not work for a manufacturing company. The size of the organization also plays an important role – the smaller the business is, the easier it is to build a role model.

Client side

How are the portals for processing requests organized? Which toolkit is better to use for this: the built-in IdM tool (such as the IT Shop module) or an IT service management (ITSM) portal that the customer has already implemented to process user requests?

These questions can be approached from the point of view of user convenience. If the company has a well-developed service desk (toolkit for working with user requests), which receives requests from disparate systems, then it may be better to integrate the functions of the IdM portal there. When there is no such tool, it makes more sense to use a separate IdM web interface. The process of access granting in Identity Manager can go in two ways:

  • Built-in IdM system algorithms.
  • Built-in algorithms of the external system (not necessarily of the service desk level) with the transfer of the final result to IdM.

It often happens that it is more convenient for the vendor to use the IT Shop that is part of Identity Manager, since the vendor can develop this portal independently and be confident in its functions. On the other hand, if the customer has already built its business processes around a specific service desk, it is hard to move them to the portal of the IdM system.

Of course, it is more convenient for users to have a single service for processing requests; therefore, if you implement it through IdM, you may have to duplicate some of the ITSM functions.

The implementation of the portal for processing requests using the IdM system allows you to link the processes associated with access to the events of the HR system, for example, the reassignment of the responsible person in case of dismissal.

Publishing an IT Shop on the Internet makes sense only if business executives regularly need to access these approval tools. Ordinary users do not need such access. The only thing an employee may need from outside is a password reset; other access needs when working remotely are handled over a VPN. Another aspect of this problem is the external user registration portal. Make sure to protect it from attackers, as phishing, web injection, redirects and similar attacks are on the rise. It makes sense to deploy it as a separate, hardened replica of the general interface with limited functions.


What are the nuances of connecting IdM systems with other solutions used by the customer? Should synchronization with the HR system be event-driven or done with regular intervals or in real-time?

Often, regular synchronization is not much different from event-based synchronization, since events are also pushed onto a queue that is processed at a specified frequency. It is technically possible to implement event-based synchronization in real time. Still, a queue makes it more convenient to handle large volumes of changes, which is common in large organizations. The less often HR events are processed, the lower the risk of transferring an unfinished HR operation to the IdM system.

Of course, there may be some urgent events (for example, an unplanned dismissal of an employee) that need to be communicated to IdM promptly. For this purpose, there is a specific user blocking option that bypasses the regular schedule. Customers often want everything to be in real time; it is usually possible to explain that they do not need it.

The frequency of contacting the HR system by the IdM system should be set for each organization separately. One of the factors is the load on the HR system. In practice, there are examples of using an intermediate database, which collects information from several systems, for later uploading to IdM.
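The connector below is an added example (not code from the original article or from any IdM product) of the arrangement the last three paragraphs describe: HR events accumulate in a queue that a scheduled sync drains, terminations take an immediate blocking path, events HR has not finished are deferred to the next run, and a stale queued event can never undo a blocking that already went through. It assumes a constructed HR event format with a monotonically increasing change number and a completion flag; the account store is an in-memory dictionary standing in for the IdM system.

```python
"""Queued HR-to-IdM synchronisation with an immediate path for terminations.

Added example for this article, not the page's own code. Assumptions (all
constructed): HR emits events carrying a monotonically increasing change
number `seq` and a `complete` flag that is False while the HR record is still
being edited; the IdM side is modelled as an in-memory dict of accounts.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass
class HREvent:
    employee_id: str
    kind: str                    # "hire", "transfer" or "terminate"
    seq: int                     # HR system's change number
    dept: Optional[str] = None
    complete: bool = True        # False while HR still has the operation open


@dataclass
class Account:
    enabled: bool = False
    dept: Optional[str] = None
    last_seq: int = -1           # highest HR change already applied


URGENT_KINDS = {"terminate"}


class HrSyncConnector:
    def __init__(self):
        self.accounts = {}       # employee_id -> Account
        self.queue = deque()     # events waiting for the scheduled sync
        self.audit = []          # (employee_id, kind, outcome)

    def receive(self, event):
        """Entry point for every HR event. Urgent events bypass the queue."""
        if event.kind in URGENT_KINDS:
            self._apply(event)   # block now, do not wait for the schedule
        else:
            self.queue.append(event)

    def run_scheduled_sync(self):
        """Drain the queue in HR order; defer events HR has not finished."""
        applied = skipped = 0
        deferred = deque()
        batch = sorted(self.queue, key=lambda e: e.seq)
        self.queue.clear()
        for ev in batch:
            if not ev.complete:
                deferred.append(ev)          # unfinished in HR; try next run
                continue
            if self._apply(ev):
                applied += 1
            else:
                skipped += 1
        self.queue = deferred
        return {"applied": applied, "skipped": skipped, "deferred": len(deferred)}

    def _apply(self, ev):
        acct = self.accounts.setdefault(ev.employee_id, Account())
        if ev.seq <= acct.last_seq:
            # Stale: a newer change (possibly a termination) already went through,
            # so this event must not reopen or re-enable anything.
            self.audit.append((ev.employee_id, ev.kind, "skipped-stale"))
            return False
        if ev.kind == "hire":
            acct.enabled, acct.dept = True, ev.dept
        elif ev.kind == "transfer":
            acct.dept = ev.dept
        elif ev.kind == "terminate":
            acct.enabled = False
        else:
            raise ValueError(f"unknown HR event kind {ev.kind!r}")
        acct.last_seq = ev.seq
        self.audit.append((ev.employee_id, ev.kind, "applied"))
        return True


if __name__ == "__main__":
    c = HrSyncConnector()
    c.receive(HREvent("e2", "hire", 2, dept="sales"))
    c.receive(HREvent("e2", "terminate", 5))        # disabled immediately
    print(c.accounts["e2"].enabled, c.run_scheduled_sync())
```

The `last_seq` guard is the part worth copying: without it, a hire or transfer that was queued before an out-of-band termination would be applied afterwards and could silently re-enable a dismissed employee’s account.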

Continuing the topic of linking IdM with other systems, it is necessary to touch upon the implementation of risk and compliance management functions. Such projects are rare. If the customer has already implemented a GRC system, it will most likely decline to transfer its functions to IdM.

When it comes to integration with other solutions, such as SSO or PAM systems, a properly designed IdM can facilitate the implementation of such solutions. If the customer has not yet implemented SSO or PAM, then it is reasonable to build an architecture for two solutions together and implement them one at a time.


Here are three main advantages of implementing an IdM system. They can be used as a justification for the need for such a solution for the customer.

  1. Reducing the cost of administering access rights by automating routine operations.
  2. Quick employee onboarding, reduction of downtime associated with registration of a new employee.
  3. Increased security by reducing risks (unnecessary rights, access rights left after employee dismissal, etc.).

Identity and access management architects can benefit from the following identity management use cases to improve Identity, Credential, and Access Management (ICAM) practices within their organizations.

The identity management use cases listed here for ICAM best practices are drawn from the Federal ICAM (FICAM) architecture used as IAM guidance by US government agencies. Each case describes the personnel who take part in the ICAM cycle and the systems involved, with a high-level summary of the possible actions. The use cases tend to be interrelated, even across distinct ICAM business processes. The technologies and activities are generalized so that the cases can be applied across many organizations. It is important to note that the detailed processes in these identity management use cases are not specific to any one organization or department; every entity should analyze its own systems and processes for alignment with them. Below is an overview of what the use cases entail and how you can use them to your enterprise’s advantage.

Identity Creation and Maintenance

When organizations onboard an employee or a contractor, they collect identity related data from the person, and store pieces of the information as identity attributes which serve as a digital proxy to identify the person within the organization. The attributes will be aggregated into a single identity format to keep individual identities unified.

Federal Identity, Credential, and Access Management Architecture v3.1

The administrator is mainly involved in collecting and managing employees’ identity data throughout the IAM life cycle. The identity information collected doesn’t necessarily have to come directly from the individual; it can also be collected from HR systems or onboarding documents.

Creating an enterprise identity comes next, with the administrator adding the identity information into the pre-determined data repository. The result is an authoritative source for the individual’s enterprise identity. Maintaining the enterprise identity data is essential to keep up with any changes that may affect your organization, and maintenance should be treated as a continuous process rather than a periodic task, so that changes to an individual’s personal information are not missed. The final step of identity maintenance is updating the enterprise identity system. There are two ways to make the updates: an administrator can directly update the designated authoritative sources, or the individual can use a self-service function to update the information that is changing. Identity attributes in the enterprise identity are then updated automatically from the authoritative source.

Prove an Identity

The creation and assignment of a credential to an individual requires proof of the person’s claimed identity. Known as identity proofing, this is the process through which an organization collects and verifies information about an individual so that it can be used to establish an enterprise identity. The Identity Assurance Levels (IALs) defined in NIST SP 800-63A set the rigor of evidence collection and verification you must apply when proofing the individual.

There are three IALs (IAL1 through IAL3). For federal agencies, IAL2 is the minimum for contractors or employees who have recurring access to government resources, so IAL1 is not covered in these use cases.

These use cases describe the high-level steps for proofing an identity at IAL2 and IAL3. Higher IALs require more information about the employee and additional verification steps. Which IAL is required depends on the organization’s own processes and its risk assessment of the access being granted, so it should be decided before proofing begins.

Having sufficient information about the individual up front avoids delays in the identity management process. The information an employee or contractor presents is referred to as identity evidence. It may be physical, such as a driver’s license, birth certificate or passport, or any other valid credential that can be validated for the target IAL.

For the IAL2, the following information may be required:

  • Last name
  • First name
  • Address of record
  • Email address

For IAL2, all the information must be supported by valid identity documents, and the evidence must be validated to a high degree of confidence. The identity information can be collected remotely or in person; the administrator then confirms that the information is valid and current. Comparison against photo identification may be necessary, and the address must match the information in the documents presented.

For the IAL3, the following are some information you will need:

  • Fingerprints
  • Address of record
  • Email Address
  • First name
  • Last name

For IAL3, all the information must be supported by valid identity documents, and the evidence must be validated to the highest (“superior”) strength, which requires in-person (or supervised remote) proofing and collection of a biometric such as fingerprints. The administrator may verify the evidence directly with the issuing organization. Successful verification results in an identity proofed at IAL2 or IAL3.

Entitlement Lifecycle Management

Entitlements are assigned to individuals, roles, or groups. They determine which agency services employees and contractors may access; without an assigned entitlement, an employee has no authorized access to the entity’s services. The process is straightforward.

The first step is to initiate the request from the individual. The individual will have to request access to the entity’s services and wait for the administrators’ feedback. The individuals can also join specific groups with access to parts of the entity’s services and directly access what they need. The requestor may be anyone within the firm, such as the supervisor, employee, security personnel, or even a general contractor.

The next step is a review of the request. At this stage, the administrator compares the individual’s request with the access requirements of their position. If the requestor qualifies for the entitlements and there is a genuine need, the administrator can approve the request.

Once the administrator assigns the entitlements, the individual can use them. However, the individual’s role in the organization may change; the administrator then modifies the entitlements as necessary or terminates them.

Create and Issue a Credential

Creating credentials for an individual is only possible after the individual’s identity proofing is complete. Think of the credential as a physical card that gives access to the entity’s services: it is the means of authenticating the individual’s identity to gain access to the system. For federal contractors and employees, the preferred credential is the Personal Identity Verification (PIV) card.

If the administrator cannot issue a PIV card to the employee, a combination of authentication factors can be used to issue a credential at Authenticator Assurance Level 2 (AAL2).

This use case is a three-step process. The first one is to initiate the request. The individual who needs the credentials for access has to provide an identification card issued by the government.

The review step verifies the government-issued identification card. The final step generates authentication credentials for the employee or contractor. The credential can serve individuals who need access to buildings as well as to protected resources for specifically authorized work.

Issue a Derived Credential

A derived credential comes directly from an existing credential but has a different form factor, such as a mobile device or another portable device that can present the credential. The derived credential relies on the identity proofing (IAL) already performed for the existing credential, so no new proofing is needed.

It can have the same AAL as the original credential or a lower one, depending on the individual’s access needs. A derived credential applies where the individual must authenticate but cannot use the primary credential, for example a PIV card on a mobile device without a card reader. It provides the same access without repeating identity proofing, but it does not relax the authentication requirements of the resource.

The derived credential must meet AAL2 or AAL3 to be used when the situation arises. Obtaining it is relatively easy as long as all parties are involved. Initiating the request is the first step: the individual’s request, with their identity data, is sent to the identity manager for processing.

The identity manager could be a system or a person, depending on how the organization operates and its resources. After the request, the identity manager authenticates the individual with, and verifies, the existing credential. The authoritative sources consulted can vary, including personnel databases, HR systems, and security data.

The final stage is generating the derived credential for the individual to use, and recording it in the user’s enterprise identity record. The derived credential applies in several scenarios, such as an employee who already holds an enterprise credential needing to authenticate to an enterprise application from a mobile device.

Accessing secure websites through a VPN from a remote location is another example where a derived credential may be necessary.

Managing the Credential Lifecycle in Identity Management Use Cases

Like any other identity management use case, active credentials need regular maintenance to keep them functioning. This use case covers the most common credential maintenance activities:

  • Resetting a credential – Resetting applies when a contractor forgets the PIN or password needed for authentication. The individual requests a reset to continue using the credential.
  • Renewing a credential – Renewal is necessary when a credential is about to expire and is still needed. A replacement credential is also required when the individual’s identity information has changed. Renew before expiry to avoid the wait time for creating a new credential.
  • Revoking a credential – When an individual is no longer working with the entity, the administrator requests revocation of the individual’s credentials and of any other enterprise accounts they may still have access to. The administrator in this case can be the supervisor, sponsor, or any other personnel with the required level of access.

All administrators should periodically review their employees’ or contractors’ credentials and eligibility to identify orphaned credentials and accounts left in the system.

Granting Access in Identity Management Use Cases

The grant access use case covers authenticating individuals and authorizing their access to agency services. The agency services can range from files and physical facilities to specific applications and any other protected resource.

It involves an Access Control System (ACS) administrator, whose main function is granting access to an employee who has both an active credential and an enterprise identity. The individual must also have a specific need to access the enterprise’s resources. The following are the steps the individual goes through to get the access they need.

  • Authentication – Authentication is the first step to getting through the Access Control System. The individual’s identity is verified to validate the person who needs to access the entity’s service.
  • Authorization – Through authorization, any employee or contractor who meets the criteria can be granted access, which limits access to a specific set of people. The process is not complicated but has a few steps.

The first step is the access attempt: an employee or contractor tries to reach the entity’s services. In the second step, authentication determines who the individual is. The authenticator used must meet the minimum assurance requirements for the resource; in these use cases that is AAL2 or AAL3.

AAL2 requires two-factor authentication, while AAL3 requires two-factor authentication with a hardware-based cryptographic authenticator. As soon as authentication succeeds, the ACS looks up the individual’s access entitlements and the protected resource’s requirements, compares them, and decides to either authorize or reject the request.

If the details match the requirements, the ACS grants access to the agency’s resources. The ACS records the request and the decision for auditing, whether access was granted or denied.
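The decision sequence just described (active enterprise identity, valid credential, AAL at or above the resource’s minimum, matching entitlement, audit record either way) is shown below as an added example; it is not code from the original article or from any ACS product. The identity records, credentials and resources are constructed, and the AAL is carried as a number on the credential rather than derived from a real authenticator.

```python
"""Access Control System decision flow: authenticate, then authorize, then audit.

Added example for this article, not the page's own code. Assumptions (all
constructed): identities, credentials and resources are plain records; a
credential carries the AAL it achieves (2 = two-factor, 3 = two-factor with a
hardware-based authenticator); entitlements are strings per subject.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Identity:
    subject: str
    active: bool = True          # False once the person has left


@dataclass
class Credential:
    subject: str
    aal: int
    expires: date
    revoked: bool = False


@dataclass
class Resource:
    name: str
    min_aal: int                 # minimum assurance the resource demands
    entitlement: str             # entitlement a subject must hold to be authorized


class AccessControlSystem:
    def __init__(self, identities, entitlements):
        self.identities = {i.subject: i for i in identities}  # authoritative records
        self.entitlements = entitlements                      # subject -> set of strings
        self.audit = []                                       # every decision, granted or denied

    def authenticate(self, cred, today):
        """Return None on success, otherwise the reason authentication failed."""
        ident = self.identities.get(cred.subject)
        if ident is None or not ident.active:
            return "no active enterprise identity"
        if cred.revoked:
            return "credential revoked"
        if cred.expires < today:
            return "credential expired"
        return None

    def authorize(self, cred, resource):
        """Return None on success, otherwise the reason authorization failed."""
        if cred.aal < resource.min_aal:
            return f"AAL{cred.aal} below required AAL{resource.min_aal}"
        if resource.entitlement not in self.entitlements.get(cred.subject, set()):
            return f"missing entitlement {resource.entitlement}"
        return None

    def request_access(self, cred, resource, today=None):
        """Full flow for one access attempt; always leaves an audit record."""
        today = today or date.today()
        reason = self.authenticate(cred, today) or self.authorize(cred, resource)
        decision = "granted" if reason is None else "denied"
        self.audit.append({"subject": cred.subject, "resource": resource.name,
                           "decision": decision, "reason": reason or "ok"})
        return decision, reason


if __name__ == "__main__":
    acs = AccessControlSystem([Identity("jdoe")], {"jdoe": {"hr.read"}})
    piv = Credential("jdoe", aal=3, expires=date(2026, 1, 1))
    print(acs.request_access(piv, Resource("hr-files", 2, "hr.read"), date(2024, 1, 15)))
    print(acs.audit)
```

Authentication failures are checked before any entitlement lookup, so a revoked or expired credential never gets as far as authorization, and the audit entry records which check failed rather than just "denied".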

Accepting Federation Assertions

Federation lets an organization accept authentication assertions and identity attributes from a trusted external identity provider, so that access is limited and used only for the right purposes. Assertions can be exchanged between inter-connected agencies or business units to share individual or contractor attributes for easier access and functionality.

Government Identity Management Use Cases

For government identity, complex identity governance use cases are essential for identity management systems that serve parts of government with special needs, such as national security and law enforcement. Every service-oriented part of government touches citizens’ lives in proportion to its role, and the identity governance use cases can support many responsibilities and accountabilities across the country’s agencies.

Access Management Use Cases

Access management use cases reduce bureaucracy, making resources more efficient to access and use, which benefits citizens and improves their overall living standards. Authentication of enterprise identities and access control over protected services are vital to keep government systems functioning. With supporting elements such as federation and governance, ICAM technologies can keep systems running smoothly and securely.


Supporting business objectives is essential for moving towards success. Applying identity management use cases in business processes is the best path forward for government agencies and organizations to offer uninterrupted services while ensuring system security and data protection.

In a rapidly evolving digital world where blockchain technology is being adopted to redefine identity and access management, self-sovereign identity is no longer a distant dream to ensure privacy and consumer protection.

From banking and employment to shopping and social media accounts, we have left pieces of our identities, like DNA, scattered across digital and analog systems to an extent that is difficult to manage, monitor, and protect, leaving us vulnerable to identity theft and fraud and giving bad actors a treasure trove of data to use for nefarious purposes. At the same time, financial institutions and other organizations that use our data pour a huge amount of operational and financial resources into risk management and regulatory compliance, and that overhead results in inefficient transactions and long processing times.

Self-Sovereign Identity (SSI), managed by the individual and verifiable on a decentralized ledger, has been touted for some ten years as a viable solution to some of the biggest privacy and efficiency challenges related to digital identities. More providers enter the space every day, and according to Infopulse, Goode Intelligence Research indicates that 5% of all digital IDs were based on blockchain technology in 2020, and predicts an increase up to 20% in 2025.

What is Self-Sovereign Identity (SSI)?

In the context of digital identity systems, SSI for humans is, in theory, a persistent, portable, interoperable digital identity that belongs to the individual (rather than to a third party such as a bank, a government, or a social login service like Google), that can be used to interact with those third parties, and that is used only at the discretion of the individual. The digital identity consists of encrypted and digitally signed, verified credentials or decentralized identifiers (DIDs) that represent bits of identifying and personal information. The individual chooses which credentials to share and with whom. Commonly, the individual manages their digital identities through browser wallets and mobile apps which they then use to conduct transactions online or by touching their phone to an NFC sensor.

In his 2016 blog post, The Path to Self-Sovereign Identity, Christopher Allen, a blockchain technology speaker and advisor, identified ten principles of SSI to remain focused on as the technology grows and evolves:

  • Users must have an independent existence.
  • Users must control their identities.
  • Users must have access to their personal data.
  • Systems and algorithms must be transparent.
  • Identities must have persistence.
  • Identities must be portable and go with the user.
  • Digital identities should be interoperable and global.
  • Users must consent to the use of their identity data.
  • The amount of data shared should be minimized, meaning that no more information than is needed should be required.
  • The rights of users should be protected.

What is Blockchain?

Blockchain is a linear form of distributed ledger technology (DLT). It is characterized by cryptographic hashes assigned to each block in the chain, which serve as reference points for subsequent blocks in the chain. The most familiar use of blockchain is cryptocurrencies, but there are many other potential applications, including SSI.

How does Blockchain enable SSI?

As a distributed ledger technology (DLT), the decentralized nature of blockchain technology makes it one of the primary technologies enabling SSI today. In some implementations, smart contracts are used to execute agreement provisions such as fund transfers when a new block is added to the chain.

Whether in a public or private blockchain or a blockchain consortium, blockchain’s decentralization and cryptography serve as a strong defense against data tampering and hacking. Through a linear structure and a hashing system in which each block references the previous block’s hash, the validity of the chain is maintained: a change to a block alters that block’s hash, so the reference stored in the next block no longer matches and every subsequent block is invalidated. Like a series of auto-locking security gates, this framework acts as a fail-safe against planned and unplanned modifications to the chain.
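The hash-chain property described above, as an added example that is not code from the original article or from any of the products it names. It builds a small chain in which each block stores the previous block’s SHA-256 hash, then shows two tampering cases: editing a block without rehashing (caught at that block) and editing a block and recomputing its own hash (caught at the next block, whose stored reference no longer matches). The record strings are constructed sample data.

```python
import hashlib
import json


def compute_hash(index: int, data: str, prev_hash: str) -> str:
    """SHA-256 over a canonical encoding of the block's contents plus the previous hash."""
    payload = json.dumps({"index": index, "data": data, "prev": prev_hash}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Block:
    def __init__(self, index: int, data: str, prev_hash: str) -> None:
        self.index = index
        self.data = data
        self.prev_hash = prev_hash
        self.block_hash = compute_hash(index, data, prev_hash)


GENESIS_PREV = "0" * 64  # the first block references an all-zero "previous" hash


def build_chain(records: list) -> list:
    """Append one block per record; each block stores the hash of the block before it."""
    chain = []
    prev = GENESIS_PREV
    for i, record in enumerate(records):
        block = Block(i, record, prev)
        chain.append(block)
        prev = block.block_hash
    return chain


def verify_chain(chain: list) -> int:
    """Return the index of the first block that fails validation, or -1 if the chain is intact.

    Two checks per block: its prev_hash must equal the (already validated) hash of the
    block before it, and its stored hash must match a recomputation of its contents.
    """
    prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != prev:
            return block.index
        if block.block_hash != compute_hash(block.index, block.data, block.prev_hash):
            return block.index
        prev = block.block_hash
    return -1


def tamper_and_recompute(chain: list, index: int, new_data: str) -> None:
    """Model an editor who changes one block and recomputes only that block's hash.

    The edited block becomes self-consistent again, but the next block still stores
    the old hash, so verification fails at index + 1 rather than at the edited block.
    """
    block = chain[index]
    block.data = new_data
    block.block_hash = compute_hash(block.index, block.data, block.prev_hash)


if __name__ == "__main__":
    # Constructed sample records; in a real ledger these would be transactions or credential events.
    records = ["alice -> bob: 5", "bob -> carol: 2", "carol -> dave: 1"]
    chain = build_chain(records)
    print("intact chain:", verify_chain(chain))
    chain[1].data = "bob -> carol: 200"  # edit without recomputing the hash
    print("edited, hash stale:", verify_chain(chain))
    chain = build_chain(records)
    tamper_and_recompute(chain, 1, "bob -> carol: 200")
    print("edited and rehashed:", verify_chain(chain))
```

In a real network the rehashed-block case is what decentralization guards against: a lone editor would also have to rewrite every later block and get the other peers to accept the rewritten chain.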

How does SSI solve today’s privacy issues?

SSI puts the individual in control of how much information to share, reducing over-sharing as suggested by the KAOS framework in the Identity Diet book and CIPA certification program. Because individuals share digital credentials with verifying institutions instead of their actual personal data, institutions don’t need to collect or store personal data, greatly reducing institutional liability for data privacy protections.

SSI’s distributed ledger keeps data in sync across a transparent, decentralized, peer-to-peer network, leaving no inconsistencies to exploit and making tampering evident.
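The minimal-disclosure idea from the two paragraphs above, as an added example that is not code from the article or from any SSI product it mentions. It follows the salted-digest pattern used by selective-disclosure credential formats: the issuer signs only a list of salted claim hashes plus an expiry, the holder reveals the salt and value of just the claims a verifier needs, and the verifier checks the signature, the expiry and each revealed claim against the signed digests. The HMAC signature is a stand-in (assumption) for the issuer’s public-key signature, and the claim values and key are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets


def _canonical(obj) -> bytes:
    """Deterministic JSON encoding so issuer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _claim_digest(salt: str, name: str, value) -> str:
    """Salted SHA-256 over one claim; the salt stops low-entropy values (a boolean, a
    date of birth) from being recovered by guessing against the published digest."""
    return hashlib.sha256(_canonical([salt, name, value])).hexdigest()


def issue_credential(issuer_key: bytes, claims: dict, expires_at: int):
    """Issuer side: sign the salted digests and an expiry, never the claim values themselves."""
    disclosures = {name: (secrets.token_hex(16), value) for name, value in claims.items()}
    digests = sorted(_claim_digest(salt, name, value) for name, (salt, value) in disclosures.items())
    envelope = {"digests": digests, "exp": expires_at}
    # HMAC stands in for a public-key signature (assumption for this example).
    signature = hmac.new(issuer_key, _canonical(envelope), hashlib.sha256).hexdigest()
    credential = {"envelope": envelope, "signature": signature}
    return credential, disclosures


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder side: attach only the (salt, value) pairs the holder chooses to reveal."""
    return {"credential": credential, "disclosed": {name: disclosures[name] for name in reveal}}


def verify_presentation(issuer_key: bytes, presentation: dict, now: int):
    """Verifier side: return the disclosed claims, or None if anything fails to check out."""
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, _canonical(cred["envelope"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["signature"]):
        return None  # envelope altered, or not issued by this issuer
    if now >= cred["envelope"]["exp"]:
        return None  # time-limited credential has expired
    signed_digests = set(cred["envelope"]["digests"])
    revealed = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _claim_digest(salt, name, value) not in signed_digests:
            return None  # revealed value does not match what the issuer signed
        revealed[name] = value
    return revealed


if __name__ == "__main__":
    ISSUER_KEY = b"constructed-issuer-key"
    claims = {"name": "Alice Example", "over_18": True, "address": "1 Sample St"}  # constructed
    cred, disclosures = issue_credential(ISSUER_KEY, claims, expires_at=1_000_000)
    # An age check needs only one claim; name and address stay with the holder.
    presentation = present(cred, disclosures, ["over_18"])
    print(verify_presentation(ISSUER_KEY, presentation, now=999_000))  # {'over_18': True}
```

The verifier never sees the undisclosed claims, and because each digest is salted it cannot brute-force them from the signed list either; the expiry field is what a time-limited credential relies on so that a verifier rejects it once the validity window has passed.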

However, as Sheila Warren and Sumedha Deshmukh of the World Economic Forum explain, standardization and regulation are needed to safeguard and promote privacy, inclusivity, interoperability, and portability, the essential principles of digital identity systems.

How does SSI benefit consumers and businesses?

Buoyed by supporting technology, consumer relationships become more trusted. The institutions that issue credentials, the credential holder (i.e., the individual), and the verifying institution can have confidence that the technology and the framework are inherently trustworthy, removing much of the friction from customer experiences.

Some of the benefits of SSI include:

  • Increased data security
  • Speedier transactions
  • Immutable audit trail
  • Reduced compliance cost for Customer Identification Program (CIP), Know Your Customer (KYC), anti-money laundering (AML) and other regulatory requirements
  • Increased business confidence in the customer’s identity/data
  • Effective Identity and Access Management (IAM)
  • Reduced friction in the customer experience and time it takes to process things like applications for mortgage loans
  • Faster employee onboarding

Where is SSI applicable?

There are seemingly innumerable possible applications for SSI in identity and access management, due in part to the interoperability of SSI solutions. Some common applications for individuals include:

  • Address validation and age verification
  • Licenses
  • Qualifications and diplomas
  • Proof of employment
  • Credit reports
  • Account details
  • Account access
  • Asset ownership
  • Vaccination and testing records
  • Prescriptions
  • Boarding passes

Other applications for Self-Sovereign Identity involve the Identity of Things (IDoT), where supply chain management in areas such as the COVID-19 vaccines can benefit.

Self-Sovereign Identity and Blockchain

There are many blockchain solutions in the market which are capable of solving the pressing privacy issues. Below are some examples of blockchain solutions for self-sovereign identity:

Atala PRISM is an open-source, linear blockchain solution built on the Cardano system, an IOHK technology. Its implementation includes a mobile app, a browser wallet, a management console, and SDKs and APIs. Atala’s use cases include education, health, government, enterprise, finance, travel and social.

IOTA’s non-linear distributed ledger solution, The Tangle, is a blockchain alternative that allows for zero-fee transactions (versus Bitcoin and Ethereum, which require purchase of a cryptocurrency token). The IOTA Tangle is designed to function on low-tech devices and in areas of low connectivity, making it an option for identity-less and bank-less people around the world.

Other Self-Sovereign Identity Technology Solutions

Amazon, Microsoft, Oracle and IBM offer blockchain-as-a-service (BaaS) by providing the infrastructure and management of the blockchain for companies who are then free to build their own apps and functions on the blockchain.

Some other SSI options available in early 2021 include:

  • Evernym’s Verity solution for issuing and verifying digital credentials, its Connect.Me digital wallet, and its mobile SDK
  • Indicio.tech’s IDRamp solutions
  • Sovrin’s SSI network and digital wallet

The future of Self-Sovereign Identity

The ways companies do business may change significantly as SSI is adopted, and among other things the legal implications will have to be sorted out. One of the questions before the U.S. legal community is whether digital smart contracts are enforceable legal agreements. A Harvard Law School Forum on Corporate Governance article, An Introduction to Smart Contracts and Their Potential and Inherent Limitations, explains that contract law is at the state level, meaning that treatment may vary by state, and points out that some states such as Arizona and Nevada have amended laws to account for blockchain and smart contracts.

As SSI technology evolves and use increases, so will the need for standardization and regulation. Likewise, digital literacy among citizens, consumers, and policy makers will be key to large-scale adoption.

In their 2021 report, New Directions for Government in the Second Era of the Digital Age, Blockchain Research Institute and the Chamber of Digital Commerce encourage the U.S. government to focus on five digital priorities:

  • Ensuring security, privacy, autonomy, and citizen-owned identities
  • Embracing cryptocurrencies and the digital dollar
  • Retooling services and service delivery to meet world-class digital standards
  • Building trust by engaging citizens and holding elected officials accountable
  • Rebooting America’s innovation economy to include a diversity of entrepreneurs

Around the world, many are looking to SSI technology to bring new opportunities to underserved populations. According to the World Bank there are one billion people in the world without an official proof of identity, and one in two women in low income countries lack an ID, which inhibits their ability to do things like obtain government services, enroll in school, and open bank accounts. In his blog, Bill Gates notes that giving everyone access to a legal identity is one of the targets of the UN’s Global Goals for 2030. Because SSI systems are decentralized and all participants are treated equally, SSI is thought to be a more democratic option than third-party systems that give some consumers preferential treatment. More and more countries are adopting digital identity systems. India has launched a biometric ID system, and in what is being called the world’s largest blockchain deployment, Ethiopia was reported in February 2021 to be launching a blockchain-based national identity system using the Atala PRISM decentralized identity platform.

Digital identities can also transform the supply chain by bringing transparency to track-and-trace initiatives and to compliance, including supplier due diligence and onboarding. In a recent Forbes article, Lora Cecere, CEO of Supply Chain Insights LLC, promotes the development of digital identities for manufacturing and distribution locations and for ocean freight, entities that don’t currently have their own Employer Identification Number (EIN). The possibilities for cost reduction in supply chains are enormous.

Also being explored is the concept of disposable self-sovereign identities (DSSID) which are valid for a limited time after which they expire. Such a solution could give individuals even greater control over their privacy by allowing them to revoke shared credentials when they are no longer needed by the verifying entity. A use case proposed by the Disposable ID citizen-community in the EU is COVID-19 test results which are only relevant for a time period of weeks or less, after which a new test is needed. In January 2021, international technology standards organization Object Management Group® (OMG®) issued a request for information for a Disposable Self-Sovereign Identity (DSSID) standard.


In conclusion, the opportunities for improving individuals’ privacy and data autonomy and reducing corporate operational costs are great, but an SSI revolution is no light undertaking. To become ubiquitous, SSI technologies will need to be standardized and affordable to the organizations that support and use them, data privacy and other regulations will need to be proposed and passed, and even more critically, consumers must be able to access, afford and trust the technology.

Identity and access management certifications by Identity Management Institute
Learn about leading identity and access management certifications

IAM courses are among the most popular courses in cybersecurity due to heightened awareness about the importance of identity and access management in enterprise security. Identity Management Institute offers the most comprehensive set of IAM courses in the industry which include a study guide, examination, and digital certificates of registered trademarks.

Identity and access management courses by IMI are designed to educate IAM training candidates about IAM risks and how to effectively manage user identities and their access to enterprise systems.

Benefits of IAM Courses

Managing user identity and access is extremely important when considering that most data breach incidents are caused by flawed IAM processes and systems or employee errors. Risk awareness, IAM controls, and professional certification are among the benefits of IAM courses by Identity Management Institute.

Which IAM Courses to Select

Identity and access management is a vast field, and IAM experts may be engaged in any of the technical or operational roles within their organizations. When selecting an IAM certification course, candidates must select a vertical within the IAM field and dive deep to become a specialized expert. For example, if your focus is onboarding and offboarding users, you must be aware of the organizational policies and be able to recommend improvements to ensure access is appropriate at all times. Or, if you are engaged with an authentication project, you must have knowledge of your business requirements, risk assessment process, authentication systems available in the market, and implementation protocols.

IAM Course Scope

From identity governance and digital identity transformation, to access management, program implementation, system deployment, fraud prevention, compliance, and data protection, IAM experts must specialize and take the appropriate IAM courses to meet their career needs.

Security and IAM professionals are often concerned with onboarding and offboarding users as well as access management when users change roles within their organizations. However, IAM experts who may be engaged in technical and non-technical roles are also concerned with IAM process reengineering, risk management, identity directory systems, as well as authentication including single-sign-on and multifactor authentication.


When selecting IAM courses, professionals must decide which IAM training will benefit them the most and help them become more aware of the pitfalls to avoid, and which IAM certification can improve their career growth and advancement. While IMI periodically updates its IAM certification courses to meet industry demands and standards, IAM experts must decide for themselves which identity and access management course with certification will benefit them the most.

Identity Management Institute on LinkedIn

The internet isn’t always a safe place, as you will recognize from the 10 popular email and phishing scams listed in this article. While antivirus and anti-malware programs can do quite a bit to keep consumers safe, nothing’s quite as effective as knowing when you’re being scammed. Though the sophistication of phishing scams has increased over the years, the truth is that most scams are fairly easy to identify once you know what you are looking for. The following ten scams have all caused quite a bit of damage but can be avoided by those who look out for them.

List of 10 Popular Email and Phishing Scams

Below, we identify the top 10 popular email and phishing scams and how you can protect yourself from becoming the next victim of one of them.


This is a tricky one because it does skirt right by the edge of legitimacy. Though there are some companies that will pay you to take surveys, there are also plenty of cyber-criminals who are more than happy to use such services to take your information. These scams are fairly easy to identify because they offer big prizes for filling out surveys, especially when you compare them to what the legitimate surveys offer. You’ll also notice that most of these scams ask for a great deal of personal information that wouldn’t be relevant to a real product survey.


This is a scam so old that it predates the internet. The layout of this scam is fairly simple – you’ll get an email that asks you to sign up as a ‘mystery shopper’, usually for a major chain or an upscale restaurant. You’ll usually be asked to make purchases that will be reimbursed later as long as you’re willing to send the items back in order to get a refund. Another twist on this scam usually involves getting reimbursed for buying gift cards, a process that will always end up with a gift card in the mail and no money left in your pocket.


Again, this one tends to hit hard because it can often feel real. A big scam during any time of economic uncertainty, these scams tend to target stay-at-home moms, the elderly, and anyone who can’t get out of their homes to work. It’s one of the more predatory scams out there, and it really does prey on desperation.

Again, there are a few different versions of this scam. One of them requires you to click on a link that will either lead you to downloading malware or to a form that will ask you to give up your most sensitive personal information. The other version of this scam will have you work as a ‘processor’ of some sort for the scammer, buying items for which you are supposed to be reimbursed and then shipping them to the next link in the chain.


This is a relatively recent scam, one that’s become popular during the COVID-19 pandemic. You’ll get an email or text message link to what looks like a video call – you’ll usually note that it claims to be from Zoom, for example. If you click on the link, though, you’ll be taken to a site that will hit your computer with any number of nasty surprises.


This is one of the true classics, dating back to the earliest days of the internet. It typically involves a person from a foreign country (usually Nigeria) who claims to need your help transferring money out of the country. If you are willing to front him or her a portion of that money, the scammer claims that he or she will reward you handsomely for your service. In truth, the other party is just trying to get your bank information so that he or she can drain your accounts.


This one is a frightening scam with a few variations. The key to all of them, though, is that you’re being emailed by someone claiming to be a hitman and that he or she will kill you if you don’t send money (or, more commonly transfer over Bitcoin). This is one of the few scams that preys on fear rather than greed or naivety.


This scam usually involves grandparents, but can come from a long-lost uncle or even your parents. In this case, you’ll get an email from someone who claims to need monetary help because he or she has been in a terrible accident or has even been put in jail. This one usually has a fairly significant time pressure behind it, as the scammer doesn’t want you to actually check up on your family member.


This scam comes from someone who claims to be a contact at a government entity – the World Bank or United Nations is typical during most of the year, but the IRS tends to be the big name during tax season. They’ll say that you need to provide them with your Social Security Number so they can give you important information, which is of course just a trick to get access to your identification data.


Congratulations, you’ve won a contest for which you’ve never signed up! The prizes are usually big and the language is usually congratulatory, but the real goal is to get you to send over some kind of ‘deposit’ so that you can get your prize. In other versions of this scam, you need to verify quite a bit of confidential personal information to get your winnings. In either case, you’ll never see a prize.


The CEO of your company needs important information and he or she needs it now. It doesn’t come from a company email address, of course, but the language is very formal and the screen name is just close enough to that of the CEO that someone could be fooled. The goals here range from getting you to send money to the scammer to revealing your business’ trade secrets.

How to Protect Yourself from Popular Email and Phishing Scams

Since there are so many scams, it does make sense to think about how you can protect yourself from all of them. Luckily, most of the steps you can take are fairly straightforward. These include:

  • Always double-check the information of the sender
  • Use an email lookup tool to get the sender’s real name
  • Delete any unsolicited emails from unknown addresses


While the basic steps above will help to protect you from many scams, they won’t catch everything. If you’re not sure if an email is legitimate, you’ll want to look at some basic warning signs. Scam emails often:

  • Come from unknown senders
  • Ask for money
  • Want your personal information
  • Ask you to deposit money into your own account
  • Come from a generic email account
  • Are incredibly generic about the subject
  • Tend to ask you to verify account information
  • Make claims that seem outrageous or too good to be true
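The sender checks and warning signs listed above, turned into a small triage script, as an added example that is not code from the article. It parses a raw message with Python’s standard email module and reports which signs are present: a familiar display name on an address that person does not use (the CEO scam described earlier), a Reply-To that differs from the sender, a generic webmail domain, and subject or body text that pressures for urgency, asks for money, or asks you to verify account details. The webmail domain list, keyword patterns, the known-people directory and both sample messages are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions: webmail domains an organisation's executives would not send from,
# and simple keyword patterns for the warning signs listed above.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY = re.compile(r"\b(urgent|immediately|right now|asap|within 24 hours)\b", re.I)
MONEY = re.compile(r"\b(wire|gift cards?|bitcoin|transfer|deposit|payment)\b", re.I)
VERIFY = re.compile(r"\b(verify|confirm|update)\s+(your\s+)?(account|password|details|information)\b", re.I)


def _body_text(msg) -> str:
    """Collect the text/plain parts of a parsed message (works for single-part and multipart)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def scan_email(raw_message: str, known_people: dict) -> list:
    """Return the warning signs found in one raw RFC 822 message, in check order.

    known_people maps a lower-cased display name to the address that person really uses,
    so a familiar name on an unfamiliar address is flagged as impersonation.
    """
    msg = message_from_string(raw_message)
    flags = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    domain = from_addr.rsplit("@", 1)[-1] if "@" in from_addr else ""

    expected = known_people.get(display_name.strip().lower())
    if expected and from_addr != expected.lower():
        flags.append("display-name impersonation")

    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr:
        flags.append("reply-to differs from sender")

    if domain in FREEMAIL_DOMAINS:
        flags.append("generic webmail sender")

    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    if URGENCY.search(text):
        flags.append("urgency pressure")
    if MONEY.search(text):
        flags.append("asks for money")
    if VERIFY.search(text):
        flags.append("asks to verify account information")
    return flags


# Constructed sample messages and directory (not real mail or real people).
KNOWN_PEOPLE = {"jane doe": "jane.doe@example.com"}

CEO_FRAUD = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: staff@example.com
Subject: Urgent request

I need you to buy gift cards right now and send me the codes. Keep this confidential.
"""

ROUTINE = """From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Agenda for Thursday

Attaching the agenda for Thursday's planning meeting.
"""

if __name__ == "__main__":
    print("CEO fraud sample:", scan_email(CEO_FRAUD, KNOWN_PEOPLE))
    print("routine sample:", scan_email(ROUTINE, KNOWN_PEOPLE))
```

Keyword heuristics like these produce false positives on their own; the useful signal is several flags together, and the display-name check in particular depends on keeping the directory of real addresses current.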


Even if the email that you get seems to pass all the tests above, there are a few things that you should never share over email. If it’s necessary to share this information, doing so via official mail or in-person is usually for the best. As it stands, you should never share your:

  • Social security number
  • Full legal name
  • Date or place of birth
  • Bank account number
  • Account passwords
  • Physical address
  • Phone number


Finally, try to make sure that you pay attention to some basic safety protocols while you are online. Never agree to send anyone money online, for example, and never assume that a stranger who sends you a message is actually telling the truth. If you don’t feel like the email is valid, trust your gut and try to find another way to get in contact with the person who sent you the message.

What if You Are a Victim of these Popular Email and Phishing Scams?

The most frightening thing about these popular email and phishing scams is that you can practice fairly good internet safety and still get scammed. If that happens, there are a few steps to take.

First, contact your bank or credit card company to find out if there has been any unusual activity. If there are suspicious activities, you’ll need to get new account numbers and/or cards. Next, change any account passwords that might have been compromised and remove any unnecessary identifying information that might be in those accounts.

Next, you’ll start filing reports. If you used a company account, let your employer know. If not, contact the police, the FTC, and your state’s cybercrimes division. You’ll also want to do any kind of damage control involved with the data breach that may occur, so make sure that you follow any data security protocols required by your business if you think that company data may have been breached.

Remember, your response to these scams matters. While it’s always best to avoid them, you still have the ability to fight back. If you’re a victim of one of these 10 popular email and phishing scams, you have a responsibility to help ensure that the scammers can’t do more harm with the data that they have gathered from you.

Become a Certified Identity Protection Advisor (CIPA)


There are many lessons learned from the SolarWinds hack, a meticulously planned and insidious attack carried out over the months from March to December of 2020. The cybercriminals left such a faint malware footprint that, as of January 2021, even the experts aren’t sure how much damage they did.

The full impact of the crime: how it happened, what the hackers got, and how they intend to use it, could take years to absorb.

Lessons Learned from the SolarWinds Hack

The Target

It is no secret why the hackers targeted SolarWinds, an information technology management firm based in Austin, Texas. Its products, which are well regarded in a highly competitive industry, help businesses manage their systems, networks and infrastructures. Revenue topped $938 million in 2019. SolarWinds led in market share in 2017, 2018 and 2019. It is still leading as of now at 12.32 percent. At the time of the attack, the 21-year-old firm boasted around 300,000 customers.

SolarWinds develops network management system software, or NMS software, which monitors and analyzes operations. It’s popular with companies that want to see what’s happening across all their computer networks.

It turned out to be popular with the hackers too. There’s greater value in compromising that software than in targeting a single server, machine or individual. Who needs a phishing campaign when you can infiltrate entire networks? It’s a little like robbing a bank rather than mugging a handful of people on the street.

The Victims

About 33,000 public and private entities used Orion, SolarWinds’ NMS software, during the months that the breach occurred. However, SolarWinds told the Securities and Exchange Commission that only around 18,000 users had downloaded the March update that was compromised by the hackers.

Of Fortune 500 companies, 425 used Orion. Microsoft, Cisco and Intel were among the private companies affected. Leading U.S. telecoms and elite accounting firms were clients. AT&T, McDonald’s, and Procter & Gamble are also SolarWinds customers, but it’s not yet known if they were infected. At least one university system, Kent State, and one hospital system were victimized.

Most disturbing of all, the hackers managed to breach the upper echelons of the U.S. government. At last count, the State Department, Energy Department, Treasury Department, Commerce Department, Department of Homeland Security, National Nuclear Security Administration, National Institutes of Health, and some systems within the Pentagon were hacked.

Given its scale, the attack calls into question the safety and integrity of the cyberinfrastructure.

How It Happened

First, the hackers somehow got into SolarWinds’ development operations while the software update was being assembled. This tactic is known as a supply chain attack.

The hackers inserted malicious code that created access to clients’ IT systems. Anybody who downloaded the patch, which was digitally signed by SolarWinds and highly trusted, also downloaded the malicious code. Once it’s downloaded, it sometimes installs even more malware.

In early December, a private security firm called FireEye announced that its servers had been compromised and that security testing tools had been stolen. FireEye had traced the breach to the SolarWinds update and let the company know that their software had been corrupted. It identified the trojan component as SUNBURST. FireEye explained that the malware had actually mimicked Orion activities and stored data inside legitimate SolarWinds files.

That’s how it was able to lurk undetected for months. Since the credentials appeared to check out, it could perform all the actions that one would expect only from an extremely privileged system administrator. It operated as SolarWinds software but had a mind of its own.
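The supply chain mechanism described in this section, as an added example that is not code from the article, from SolarWinds or from FireEye. It models a vendor pipeline in which the build step is tampered with before signing, so the vendor’s signature on the shipped artifact is perfectly valid and tells the customer nothing, and then shows the defender’s check that does catch it: rebuilding from the published source on independent infrastructure and comparing digests (reproducible builds). The toy build function, the HMAC stand-in for the vendor’s code-signing signature, the key and the sample source are all constructed assumptions; the appended line is a placeholder, not real injected code.

```python
import hashlib
import hmac


def build(source: str) -> bytes:
    """Toy deterministic build: the artifact is a canonical encoding of the source.

    A real compiler is far more complex, but the property that matters here is the same:
    identical source must always yield identical bytes (a reproducible build).
    """
    return b"ARTIFACT v1\n" + source.strip().encode("utf-8") + b"\n"


def compromised_build(source: str) -> bytes:
    """Models a build step that was tampered with before signing: the output no longer
    corresponds to the source. The appended line is a constructed placeholder."""
    return build(source) + b"# <placeholder for code injected during the build>\n"


def sign(vendor_key: bytes, artifact: bytes) -> str:
    # HMAC stands in for the vendor's code-signing signature (assumption for this example;
    # a real vendor uses a public-key signature and customers hold the certificate).
    return hmac.new(vendor_key, artifact, hashlib.sha256).hexdigest()


def signature_valid(vendor_key: bytes, artifact: bytes, signature: str) -> bool:
    """The check most customers perform: was this artifact signed by the vendor?"""
    return hmac.compare_digest(sign(vendor_key, artifact), signature)


def release(vendor_key: bytes, source: str, build_fn) -> tuple:
    """The vendor's pipeline: build, then sign whatever the build step produced."""
    artifact = build_fn(source)
    return artifact, sign(vendor_key, artifact)


def matches_independent_rebuild(source: str, artifact: bytes) -> bool:
    """Defender check: rebuild from the published source on separate infrastructure and
    compare digests. A mismatch means the shipped bytes are not what the source says."""
    return hashlib.sha256(build(source)).hexdigest() == hashlib.sha256(artifact).hexdigest()


def assess_release(vendor_key: bytes, source: str, artifact: bytes, signature: str) -> dict:
    """Both checks side by side; only the second one sees through a pre-signing compromise."""
    return {
        "signature_valid": signature_valid(vendor_key, artifact, signature),
        "reproducible": matches_independent_rebuild(source, artifact),
    }


if __name__ == "__main__":
    KEY = b"constructed-vendor-signing-key"
    SOURCE = "print('network monitor update')"  # constructed sample source
    clean, clean_sig = release(KEY, SOURCE, build)
    tainted, tainted_sig = release(KEY, SOURCE, compromised_build)
    print("clean release:  ", assess_release(KEY, SOURCE, clean, clean_sig))
    print("tainted release:", assess_release(KEY, SOURCE, tainted, tainted_sig))
```

The point the two result dictionaries make is the one this section draws: a valid vendor signature proves only that the vendor signed those bytes, not that those bytes came from the vendor’s source. Catching a compromise inside the build requires evidence that is independent of the pipeline, such as a reproducible second build or a signed attestation of the build inputs.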

The Perpetrators

According to U.S. officials, all fingers point to organized hackers within Russia’s foreign intelligence service. The U.S. government calls the group Advanced Persistent Threat 29, or APT29. The hackers themselves prefer Cozy Bear. During the Obama administration, Cozy Bear was blamed for abusing email systems in the White House and State Department.

The Russian embassy in America coolly denied responsibility on Facebook in December: “Malicious activities in the information space contradict the principles of the Russian foreign policy … Russia does not conduct offensive operations in the cyber domain.”

The Purpose of the Hack and the Risks for Victims

The malware spied out sensitive data and reported its findings to third-party servers in a remote command center. To evade security analysts, it waited patiently for around two weeks before “phoning home.”

It now appears that the hack penetrated multiple networks. What were the hackers after? How will they use the sensitive information that was exposed?

Again, that remains to be seen. Spying appears to have been the chief objective. However, in some cases, the malware installed additional malware that keeps the backdoor propped open for long-term remote access. The hackers could potentially disable systems, modify configurations, alter or destroy data, steal data and demand a ransom, interfere with cloud-based resources, swipe credentials to impersonate real people, or go after victims’ business partners. Several U.S. security agencies view the attack as significant and ongoing.

There’s one silver lining. Not every SolarWinds customer was hacked. Only the 18,000 that downloaded the patch released in March seem to be affected. Not only that, but the hackers most likely started with the heavy hitters and worked their way down the list; smaller organizations of less value could come through unscathed.

Lessons Learned from the SolarWinds Hack that Companies can Use to Protect Themselves

Once hackers like Cozy Bear are exposed, they start covering their tracks and plotting new schemes. There is strong evidence that Cozy Bear left backdoors open for a future return.

Unfortunately, hackers get savvier all the time and system security breaches have become commonplace. That’s probably why nobody has accused SolarWinds of negligence.

SolarWinds’ customers and other companies should assume that they have been or eventually will be hacked and should implement layered security to compensate for the inevitable security gaps, suggests Henry Bagdasarian, Founder and President of Identity Management Institute. There’s no time to waste.

Even companies that don’t see obvious indications of compromise should do all they can to limit their exposure. It might be prudent to decommission the SolarWinds software and complete a security scan and risk assessment of the most critical systems and infrastructure until the entire incident is sorted out, suggests Mr. Bagdasarian.

Going forward, companies should ramp up cybersecurity training and awareness. They should regularly conduct emergency response drills. All the experts encourage collaboration between government and private entities. Suspicions, threats and unusual activity must be reported.

Improving Supply Chain Management to Prevent Future Attacks

Third-party vendors are the weakness in supply chains. The more there are, the more vulnerable the system is.

Companies can better manage their supply chains and fortify against attacks by following these lessons learned from the SolarWinds hack and best practices:

Tell what they know

Cybersecurity experts can’t mitigate potential threats without detailed information about hacks that have already happened. SolarWinds, FireEye and Microsoft have been very forthcoming about the recent hack and how vulnerabilities in their systems could have allowed it.

Embrace artificial intelligence

Companies have to know where classified data is stored and who has access to it all along the chain. Humans just aren’t up to the task of constant monitoring for threats. Companies can leverage AI to do it for them and flag odd behaviors in real time.

Ensure that Nth parties play by the rules

Even an organization with strict protocols in place is only as secure as the least secure link in its supply chain. That’s rather depressing, but it should motivate companies to insist on greater oversight all the way from first-tier vendors down to Nth parties.

Nth parties are third-party vendors’ third-party vendors. Everyone at every level should have the tightest security controls in place.

Stay current on best practices

The bad guys’ tactics and methods evolve right along with cybersecurity improvements, and staying a step ahead calls for expert advice. The National Institute of Standards and Technology publishes an up-to-date, detailed list of countermeasures to protect companies.

As we accumulate more lessons learned from the SolarWinds hack, there’s no magic bullet for preventing a repeat. Awareness, hypervigilance and ongoing education are the best weapons for now.

Identity and access management certifications by Identity Management Institute
Learn about leading identity and access management certifications

Identity and access management threats have been growing rapidly in the last few years as digital transformation has revolutionized almost every area of business and daily life. Modern businesses are spending more money than ever before on automation and digital technologies, and this shift is increasing incentives for hacking and the theft of intellectual property.

Identity and Access Management Threat Predictions for 2021

Businesses have, therefore, significantly expanded their IAM investments. Nevertheless, IAM spending is projected to continue growing in the years ahead. As a result, 2021 will be a monumental year in the IAM space. To stay ahead of the market, both businesses and IAM professionals need to understand the changes that will occur in 2021.

New Identity and Access Management Threats in 2021

Historically, nefarious actors have always been able to adapt to technological changes in ways that have introduced significant security challenges for cybersecurity specialists. For instance, security was initially seen as one of the main benefits of transitioning to the cloud. To obtain access to sensitive data in the cloud environment, nefarious actors were able to shift to phishing attacks and man-in-the-middle strategies to steal accounts. Likewise, new technologies will be introduced in 2021 that will help to improve security but also offer a new dynamic range of challenges that IAM organizations will need to respond to adequately. Some of the main challenges that are expected to characterize 2021 include:

More Sophisticated Social Engineering

Modern technologies are enabling people to interact directly without having to leave their homes. In the aftermath of the COVID-19 pandemic that became widespread in 2020, an unprecedented number of workers began working from home. Recent research has shown that 99 percent of remote workers would prefer to continue working from home for at least some portion of their workweek. This trend will lead to a surge of spending on devices that enable close communications in a remote setting.

In response to the need for working from home, many employers have asked their personnel to install cameras that allow for easy collaboration. Some employers have even chosen to use always-on teleconferencing to encourage employees to stay engaged while working alone.

The problem, however, is that adversaries can gain access to these communications in ways that can introduce significant security threats. Always-on teleconferencing is particularly problematic because cameras are generally mounted in a fixed position, so adversaries can easily use recorded footage to create fraudulent communications. Adversaries could also potentially spy on members of an organization to acquire proprietary information. Since 87 percent of smartphones are exposed to at least one vulnerability, IAM professionals will need to adapt to these new threats quickly to protect their organizations.

5G Identity and Access Management Threats

5G will transform the fundamentals of the digital space by providing very fast connection speeds without tethering users to a wall or a Wi-Fi network. It will take a few years to fully roll out 5G, but 2021 is expected to be the year when 5G first becomes common for both businesses and consumers.

One of the most significant security challenges associated with 5G is that many 5G connections will be provided by a third party. Some very large corporations may have their own 5G connections on their campuses, but the vast majority of users will have to rely on public connections. Highly motivated and sophisticated adversaries could attempt to intercept 5G communications. The ordinary range of threats on the hardware and software levels could also present a significant challenge.

Finally, 5G disrupts some of the long-standing assumptions in networking. If all users on a network have access to 5G connections, they could all theoretically send gigabytes worth of requests at the same time. Therefore, adversaries may find new ways to overwhelm a network or server by taking advantage of the more substantial bandwidth that 5G networks provide.

Internet of Things Creates New Weak Points

Digital devices continue to get smaller as hardware technology advances. With more devices connected to a network, attackers enjoy more points from which to gain unauthorized access.

Unfortunately, many IoT devices will have limited processing capabilities. Some devices may be produced by engineers with a limited background in cybersecurity. It is even possible for some devices to be intentionally compromised by manufacturers or adversaries in the supply chain. IoT professionals will, therefore, need to effectively control the growing range of new devices connecting to networks.

Satellite-Based Identity and Access Management Threats

In 2020, Elon Musk’s SpaceX succeeded in launching a sophisticated constellation of almost 900 satellites that promise to provide almost universal access to internet speeds of up to 150 megabits per second. SpaceX plans to grow aggressively, and it already expects to expand initial access to its technology as early as January 2021. Additionally, competing providers plan to launch their own satellite constellations that could help to widen access even further.

With the growth of satellite internet, new security threats will emerge. In theory, all devices capable of picking up a Starlink internet signal could be vulnerable to attacks. As this new technology is rolled out, attackers are expected to find many ways to exploit it to gain unauthorized network access.

New Types of Ransomware Attacks

2018 and 2019 were years when ransomware attacks grew sharply in the wake of the growing acceptance of cryptocurrencies. These types of ransomware attacks are still evolving and becoming more sophisticated.

Businesses are also increasingly using operational technology platforms that are improving a broad range of business processes. However, critical infrastructure is becoming more dependent on using these platforms. When adversaries gain control over operational technology platforms, they can often shut down critical infrastructure or threaten to do so. In 2021, IAM professionals will need to find new ways to defend these systems while providing alternative modes of access in the event of an attack.

Specialized Computing

Specialized computing has been around since the early days of digital technology, but it has grown in importance in recent years as resource-intensive processes become more common. Quantum computing is particularly powerful because it holds the potential to compute in novel ways that could have serious implications in IAM. For instance, some experts believe that 256-bit encryption may soon become crackable by adversaries with access to advanced quantum computing systems.

Additionally, specialized computing has the potential to enable threats to emerge in novel ways that even IAM specialists may not be able to plan for. Artificial intelligence, for instance, could be used to develop complex hacking tools that could easily break into a network. Large networks of leading-edge ASIC servers designed for cryptocurrency mining or other specialized applications could also be misused in ways that could have unforeseen security implications. The bottom line is that IAM professionals need to remain vigilant to discover and defend against threats that emerge in today’s evolving landscape.

Expanding Regulations Among Identity and Access Management Threats

Of course, regulations are constantly changing as the digital space increasingly finds itself in the crosshairs of regulators. In particular, new versions of the California Consumer Privacy Act of 2018 and its addendum California Privacy Rights Act (CPRA) are expected to be passed into law across the country. Therefore, IAM strategies will increasingly need to be tailored to local markets.

Budget Priorities in the IAM Space

As the digital space matures, businesses will need to improve how they allocate their technology budgets. In this environment, the technology stack that businesses utilize will need to be highly focused on achieving specific objectives. The days when businesses could invest in a wide range of platforms are over because competitors are increasingly improving how they make use of technology. To remain competitive, businesses will need to use comprehensive research and assessment processes to determine what products are the best match for their needs.

Budgeting will become increasingly important in IAM. The necessity of staying ahead of security threats will need to be balanced against financial constraints. Failing to budget properly could lead to catastrophic mistakes that have the possibility of leading to business failure.

Dominant IAM Product Categories

All of the key IAM product categories that have long been used by businesses will continue to remain relevant in 2021. Some of these categories include:

  • multi-factor authentication,
  • identity governance,
  • user activity compliance, and
  • user provisioning.

The area of risk analytics is projected to grow rapidly as AI becomes more advanced in 2021. Centralized access management will also expand since demand for data continues to grow exponentially.

IAM Employment Demand

As with all industries, demand for employment in IAM will grow in alignment with growth in demand for IAM services. Researchers project that the IAM industry will account for $29.79 billion in revenue by 2027. Overall, the industry will grow at a compounded annual growth rate of 13.2 percent. As a result, it is inevitable that demand for IAM professionals will surge in 2021.

Demand for Identity Management Institute Certifications

The field of IAM continues to grow, but it is arguably beginning to mature. As a result, employers will increasingly demand that employees have credentials to verify their qualifications to act as IAM professionals. After all, IAM professionals are tasked with securing systems that businesses depend on for their survival.

Identity Management Institute is the leading provider of certifications for IAM professionals. Certifications are available for a wide range of IAM professionals, including analysts, managers, technologists, and advisors. Getting certified is strongly recommended for candidates who wish to compete in the challenging job market that 2021 will offer.


A stunning cybersecurity attack on FireEye allowed hackers to impact consulting, government, technology and telecom entities worldwide. The hardware and software company that protects clients in Asia, Europe, the Middle East and North America experienced an attack that may include other victims as well. Services by the company include preventing large-scale cyberattacks, deterring malicious software, investigating causes and analyzing cybersecurity risks.

Impact and risks of FireEye hacked cybersecurity systems and stolen security data

What was the FireEye attack or hack about?

The attack on FireEye targeted its specialized security assessment capability, the Red Team hacking tools that make the company a leader in cybersecurity. Fortune 500 companies, numerous agencies of the federal government and thousands of worldwide organizations use the security systems that the attackers targeted successfully. FireEye attributes the attack to hackers backed by a nation-state motivated more by obtaining secret information or controlling critical systems than by financial gain.

Was cybersecurity system data about other companies stolen?

FireEye has not found any indication that the attack obtained information from the company’s consulting arm, incident-response business or intelligence data. Instead, the attack focused on the tools that FireEye uses to replicate potential hacking activities and identify weaknesses in clients’ computer networks. The U.K.’s Daily Mail reported that no evidence exists that the attack succeeded in removing client data, although when this occurs “stolen security related data about the state of an organization’s systems may prove to be extremely valuable to hackers who plan to penetrate systems” according to Henry Bagdasarian, Founder of Identity Management Institute.

What are the consequences of the hack for FireEye?

FireEye anticipates minimal impact from the hack. Still, it must replace the stolen tools and sustain a financial loss on professional services which account for more than 20 percent of company revenue. A lack of client credibility may impinge on the company’s claim of superiority over competitors in cybersecurity, leading to long-term damage to its reputation. Some business activity may slow down until clients can resume using FireEye’s consultant services without fear of a potential risk of exposure to insecure systems.

What consequences do FireEye users experience?

The theft of FireEye’s Red Team tools deprives clients of the cybersecurity capability to detect and deter system vulnerabilities. With tactics that the company had not seen previously, the attack limits clients’ ability to protect system integrity. FireEye’s tools allow clients to simulate actual attacks by cybercriminals, and the theft deprives them of the ability to defend against malicious acts that can create long-term damage.

What protections do the various types of cybersecurity software provide?

Cyber technology provides five kinds of security to address increasingly complex demands.

1. Securing critical infrastructure

Interruption of the physical systems that support modern societies can occur through cyberattacks on the electricity grid, hospitals, shopping centers, traffic lights and water purification. Responsibility for protecting critical infrastructure rests with organizations that understand the vulnerabilities that malicious attackers may exercise. Users of systems can develop contingency plans that provide alternative solutions in case of an attack on essential systems.

2. Protecting applications

Hardware and software identify and deter malicious attacks through network installations of anti-virus programs, firewalls and encryption programs. As essential components of cybersecurity, these applications prevent unauthorized access to valuable assets and protect them from attack.

3. Securing a network

Protection of internal networks and infrastructure from unauthorized intrusion can result from implementing advanced network security technology. Security teams may incorporate machine learning to detect an abnormal increase in traffic that can indicate the presence of threats. Internal policies that can help prevent unauthorized access include anti-spyware software, additional logins, anti-virus programs, encryption methods, firewalls and new passwords.

4. Monitoring cloud security

Software-based tools protect the data in cloud resources by providing more security than traditional approaches can offer. Storage on physical servers offers less effective security measures and allows a greater incidence of intrusion. Studies indicate that an on-premises environment experiences more than twice as many attacks as a service-provider environment.

5. Securing the Internet of Things (IoT)

Unprecedented growth in ownership of appliances, printers, sensors, security cameras, televisions and Wi-Fi routers that connect to each other and to the internet broadens the attack surface available to malicious actors. Many smart devices ship in a vulnerable state with no security capability at all, even though they form the core technology of the consumer IoT market.

What was FireEye’s response following the incident?

FireEye has not seen any evidence that the attack resulted in the use of the stolen tools. To counteract any potential impact, the company implemented some countermeasures that block any unauthorized use of the Red Team tools. A decision to share the implemented countermeasures with the security community helps others update their detection tools, and a blog post provides access to the measures as well.

What risks exist for the theft of software data?

FireEye’s filing to the U.S. Securities and Exchange Commission stated that no evidence existed that attackers had stolen customer data. While the theft of security software creates a potential risk, the stolen FireEye tools pose a greater risk as a threat to government security systems.

How does the attack affect the risk for theft of the software program?

While the loss of security tools presents a threat, FireEye’s disclosure of the malicious intrusion alerts users to exercise countermeasures. The company works with different software makers to improve defenses against its proprietary security tools, enhancing the likelihood of others avoiding compromises in security.

What can users of security software products learn from the FireEye attack?

Experts caution that a security breach can happen anywhere at any time, and the response to it may matter more than the incident. FireEye advised clients of Common Vulnerabilities and Exposures that may curtail the usefulness of the stolen security tools. A further step includes rules that clients can use in responding to any apparent use of the stolen tools.

What can we learn from the breach?

The compromise of software that affected the Pentagon and the U.S. military, the Justice Department, NASA, the National Security Agency, the State Department and leading telecommunications and accounting firms occurred through an infected security update. Users received instructions from the Homeland Security Department to review all networks for evidence of compromise and to disconnect the compromised products from their networks. The attack increased the need for users to monitor potential exposure to malicious intrusion and implement measures to prevent exploitation.


Most business transactions necessitate knowing the identity of customers. Although there are situations that do not require knowing a customer, such as in retail, knowing the identity of a customer is a basic requirement for mutual accountability in complex and long-term business contracts. Most importantly, many businesses are required to use a customer identity verification process to remain in compliance with the law. Therefore, it is important for today’s business leaders to have an understanding of the most effective customer identification methods.

Best Customer Identification and Identity Verification Methods

What Is a Customer Identification Program?

The U.S. government and other world governments have implemented a broad range of laws in response to the growth of terrorism and international money laundering. In 2001, the U.S. Congress passed the Patriot Act, a law that requires banks to collect information about their customers and conduct extensive background checks.

One of the most significant requirements under the Patriot Act is the requirement for financial institutions to set up a customer identification program. CIPs are more broadly referred to as know-your-customer programs, but the term CIP denotes the specific laws defined under the Patriot Act.

Under CIP requirements, banks must collect sufficient information about their customers to adequately verify their identity. CIPs are why banks collect highly personal information about customers, such as multiple forms of identification and Social Security numbers. Banks also ask customers a series of questions designed to verify that they are who they say they are. If bankers discover any irregularities, they are required to submit an expanded version of a Suspicious Activity Report under the Bank Secrecy Act of 1970.

Although formal CIPs get most of the attention in regulated industries, customer identification is also used in industries that are not required to comply with know your customer laws. Nearly any e-commerce website wants to know the identity of customers to contact them if something goes wrong and to avoid getting scammed. Customer identification is also important when seeking to develop a long-term customer relationship or when asking a customer to sign a legal document.

Importance of Customer Identification

CIPs are of significant importance to financial institutions because they are required to comply in proportion to their size. Smaller banks only have to do minimal checks to confirm a customer’s identity, but larger banks have to use sophisticated customer identity verification methods. In practice, banks are required to use a broad range of digital identity verification tools to confirm that customers are who they say they are and that they should be allowed to open an account.

Compliance with CIP requirements is crucial because banks can face enormous fines for failing to comply. For instance, Wachovia was forced to pay $160 million in 2010 for failing to adequately verify customers who were agents of drug cartels in South America. Wachovia’s mistakes were significant because its failure to implement an effective CIP enabled more than $8 billion in illicit cross-border transactions to take place.

Customer identification is also important for most e-commerce businesses because credit card fraud is widespread. When fraudulent cards are used, businesses usually lose money spent by a customer regardless of whether they delivered the product or service in return. Additionally, when a contract is necessary, businesses cannot hold customers liable when they do not know their identity.

Benefits of Customer Identification

Implementing a proper customer identification process can protect banks from heavy fines that can be incurred for noncompliance. Today, there are sophisticated software tools available that can verify the identity of customers with a high degree of accuracy. Most of these tools are used over the internet to access enormous haystacks of data that can be used for purposes of identity verification.

Additionally, businesses other than banks can use the same identity management tools that have been developed for formal CIPs. Many businesses can benefit from using a customer identification method to confirm that their customers are who they say they are. Identity verification can help with compliance and prevent fraud. Some employers even confirm the identity of new hires when they are first brought on.

Types of Businesses That Need Customer Identification

All financial institutions are legally required to use CIPs to confirm the identity of their customers. However, many other businesses have used CIPs to improve their security. In today’s highly digitalized world, identity verification is especially important when users are given access to highly sensitive information systems.

The reality is that nearly all businesses have a need to use some form of customer identification. In retail or retail-like buying situations, such as in e-commerce or in simple phone-based transactions, customer identification can often be as simple as confirming that the name and address provided by a customer matches their credit card details. Some situations may necessitate simply asking a customer to see their identification without photocopying it. There are also situations where a business needs to develop a relationship with a customer before agreeing to a transaction.

When to Use Customer Identification

Certain types of business transactions require the use of CIPs. Money transfers of more than $10,000 are required to be scrutinized, and CIPs are an important element in scrutinizing any transaction. For very large international transactions, banks will usually go through an extensive customer identification process to verify that the identity of all parties can be confirmed.

There are also many business transactions that make voluntarily using CIPs a favorable option. Before investing a large amount of money in a new business, investors usually want to verify the identity of all major shareholders and officers. Some businesses also need to verify the identity of certain major vendors and customers to avoid making a serious mistake.

Finally, it is often beneficial to verify the identity of users who open accounts on websites. Identity verification is especially important when users will make purchases through a website or are expected to enter into a contractual agreement.

Customer Identification Methods for Online Business

Customer identification is challenging in the online environment because users can easily use a VPN or a simple proxy to hide their identity. Nevertheless, many effective online methods of customer identification have been discovered.

Most online identification strategies use some form of multi-factor authentication to confirm who a person is. MFA combines tests of:

  • what a customer knows,
  • what devices a customer owns, and
  • personal attributes of a customer.

The most common form of MFA is the implementation of phone-verified accounts. PVAs ask a user for their phone number at the point of registration before sending a code to the user’s phone. The user then has to enter the code they receive on the registration page to verify their account.

More basic MFA methods ask users for their email address. Users then have to click through from an email they receive to confirm that they are a legitimate user. However, email verification only deters the least determined users, since email addresses from major providers, such as Gmail and Yahoo, can be inexpensively purchased in bulk.
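The phone-code and email-link flows described above, as an added example that is not Identity Management Institute's code: the in-memory store, the server key and the delivery of the code or link are assumptions, and the example goes beyond the text by adding the expiry, single-use and guess-limit checks that keep a six-digit code from being brute-forced or replayed.

```python
"""Registration-time verification: a phone code and an email link.

Added example, not code from the original page.  The dict is an in-memory
stand-in for a database row, and sending the SMS or email is left to the
caller, who delivers whatever issue_* returns.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

CODE_TTL_SECONDS = 600        # a phone code is useless after ten minutes
LINK_TTL_SECONDS = 24 * 3600  # an email link may sit in an inbox for a day
MAX_ATTEMPTS = 5              # a 6-digit code has only 1e6 values: cap guesses


@dataclass
class Challenge:
    digest: bytes        # HMAC of the secret; the secret itself is never stored
    expires_at: float    # epoch seconds
    attempts_left: int
    consumed: bool = False


class VerificationStore:
    def __init__(self, server_key: bytes):
        self._key = server_key                 # assumed: loaded from a secret store
        self._challenges: Dict[str, Challenge] = {}

    def _digest(self, secret: str) -> bytes:
        # Keyed hash so a leaked table does not reveal live codes or tokens.
        return hmac.new(self._key, secret.encode(), hashlib.sha256).digest()

    def issue_phone_code(self, phone: str, now: float) -> str:
        """Create a fresh 6-digit code for the phone-verified-account flow."""
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, zero-padded
        self._challenges[f"phone:{phone}"] = Challenge(
            self._digest(code), now + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code  # caller sends this by SMS; reissuing replaces the old code

    def issue_email_link(self, email: str, now: float) -> str:
        """Create a URL-safe token for the click-through email flow."""
        token = secrets.token_urlsafe(32)            # 256 bits: not guessable
        self._challenges[f"email:{email}"] = Challenge(
            self._digest(token), now + LINK_TTL_SECONDS, MAX_ATTEMPTS)
        return token  # caller embeds it in the verification URL it emails

    def verify(self, kind: str, identifier: str, submitted: str, now: float) -> str:
        """Check a submitted code/token; returns a status string for the UI."""
        key = f"{kind}:{identifier}"
        ch = self._challenges.get(key)
        if ch is None or ch.consumed:
            return "no_challenge"      # nothing outstanding, or already used
        if now > ch.expires_at:
            del self._challenges[key]
            return "expired"           # user must request a new code
        if ch.attempts_left <= 0:
            return "locked"            # too many wrong guesses: reissue required
        ch.attempts_left -= 1          # count the attempt before comparing
        if not hmac.compare_digest(ch.digest, self._digest(submitted)):
            return "locked" if ch.attempts_left == 0 else "mismatch"
        ch.consumed = True             # single use: a replayed code fails
        return "verified"
```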

In situations that require more rigorous identity verification, websites can ask users to upload their identification cards or passports to confirm their identity. Selfies can also be used to verify users. However, the trade-off is that some users feel unsafe when sending highly personal forms of identification through the internet, so businesses lose a segment of potential customers when more complex methods are used. More complex identity verification also significantly slows adoption by reducing the conversion rate on registration pages.

Customer Identification for Offline Business

Offline businesses also need to implement significant customer verification procedures in many cases. Identifying customers is usually easier in the offline environment since businesses can usually verify who a customer is by knowing them personally.

When a customer relationship first begins, businesses can ask in-person clients to submit their identification card or passport. Some businesses ask for two forms of identification. Social security cards and birth certificates should not be accepted as forms of identification since these documents can be easily forged. In cases when customer relationships take place over the phone, the same methods used for online identity verification can be used.

In offline relationships, customer identification is inherently enhanced in several ways. When businesses talk to customers in person or over the phone, it is often easier to hear when customers are being dishonest or shuffling through their notes. Smaller businesses are often able to recognize the voice of a person who has attempted to open accounts under other names in the past. Of course, most offline relationships take place in person or through video chat, so it is possible to see a person’s live face to confirm their identity.

Implementing a Customer Identification Program

Businesses that need to use a CIP should understand the steps necessary for getting started.

The first step is to understand the extent to which you need to verify the identity of your customers. Some CIP tools use exhaustive methods to confirm identities while other tools are designed for mass verification or for smaller businesses.

Next, you should evaluate solutions that are available in the marketplace. Some tools use customer identity verification methods that may not be sufficient for your particular use case. It is also important to consider the sales impact of increasing verification requirements. The reduction in revenue should be weighed against compliance and fraud risks that could manifest as a result of the activity of inauthentic users.

Tools for Customer Identification

The final step for executing a CIP is to implement and use customer identity management software. Most software tools are available on a subscription basis, but some tools require a minimum term of several years. There are hundreds of vendors available, so be sure to read online reviews to confirm that a particular software suite will be effective in your situation. However, once you have put in the work to choose the right software tool, you can continue to validate the identities of your customers for years to come.
