Holistic Identity Security: It’s Not All About the Database

The digitization of almost everything we do has become the norm. From our phone, to our TV and with the advent of the Internet of Things, even our fridge has become part of what is being called the ‘Fourth Industrial Revolution’. Like any revolution, there has to be a foundation. The first revolution had its heart in the development of the mechanical engine. This fourth revolution has its foundation stone in the digitized version of ourselves, our digital identity.


In the past few years the concept, use and productization of digital identity have exploded. Ten years ago, the nearest thing the average person had to a digital identity was the account they used to log onto their company network via Active Directory or LDAP. Then along came the Internet. At first, nothing much changed in the world of digital identity for individuals. But as the enterprise perimeter started to become fuzzier and as we became more connected, spending time on social networks and shopping online, the whole area, concept and requirements of digital identity started to mature.

The Digital Identity Landscape of 2016

Not only how we view identity, but how we create products to service those identity needs, has changed in just a few years. In the identity arena, much debate has raged about what an identity is and how the actors within an identity eco-system co-operate with each other and how the identity attributes are kept private and secured.

There have been a number of key changes in the identity space that are challenging the way we do business and how we interact online, across inter-connected devices and apps.

  1. The concept of user-centric, as opposed to enterprise-centric, identity: This is a system based on the user, rather than the enterprise directory, being the center of the eco-system. Users have more control over their identity account, being able to update identity data and decide whom to share it with.
  2. The idea of enhanced privacy for identity attributes. Privacy of identity has been and remains a thorny issue. Modern identity systems can obfuscate some attributes and enhance the privacy of others. For example, if a service requires proof of age, the identity provider can give a yes or no answer to a question about the user’s age rather than releasing their actual date of birth.
  3. Bring Your Own Identity (BYOID) and the consumerization of identity. Business has certainly seen major transformations in the last 5 years. In a Quocirca report, “Digital Identities and the Open Business”, the analysts looked at how businesses need to open up their applications to external users, stating that “many businesses now have more external than internal users” and describing identity as “the new perimeter”. Identity and protocol developments have opened up ways for businesses to use the existing identities of employees, contractors and even customers, including social media based login credentials. This is achieved through federation of Internet based authorization and identity schemes, including SAML 2.0 and OpenID Connect.
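
The age-predicate pattern from item 2, as an added example that is not part of the original article: the identity provider answers "is this user over 18?" with a signed yes/no assertion and the date of birth never leaves the provider. The attribute store, user id, shared signing key and the HMAC-based assertion format are constructed for illustration; a real federation would carry the same claim in a signed SAML 2.0 assertion or an OpenID Connect ID token.

```python
"""Minimal-disclosure age assertion (constructed example): the identity provider
answers a yes/no predicate about age instead of releasing the date of birth."""
import hashlib
import hmac
import json
from datetime import date

# Constructed attribute store, held only by the identity provider (IdP).
IDP_ATTRIBUTES = {
    "user-123": {"name": "A. Example", "date_of_birth": "2004-02-29"},
}
# Constructed key shared between IdP and relying party. Real deployments sign
# with asymmetric keys (SAML 2.0 / OpenID Connect) rather than a shared secret.
IDP_SIGNING_KEY = b"constructed-demo-key"


def age_on(dob: date, today: date) -> int:
    """Whole years elapsed. A 29 February birthday falls on 1 March in non-leap
    years, which the (month, day) tuple comparison handles correctly."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def _canonical(claim: dict) -> bytes:
    # Canonical JSON so signer and verifier hash byte-identical payloads.
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def assert_age_over(user_id: str, threshold: int, today_iso: str) -> dict:
    """IdP side: return a signed claim that carries only the boolean answer."""
    dob = date.fromisoformat(IDP_ATTRIBUTES[user_id]["date_of_birth"])
    claim = {
        "sub": user_id,
        "predicate": "age_over",
        "threshold": threshold,
        "result": age_on(dob, date.fromisoformat(today_iso)) >= threshold,
        "iat": today_iso,
    }
    sig = hmac.new(IDP_SIGNING_KEY, _canonical(claim), hashlib.sha256).hexdigest()
    return {"claim": claim, "sig": sig}


def verify_assertion(assertion: dict) -> bool:
    """Relying-party side: accept the claim only if its signature is intact."""
    expected = hmac.new(IDP_SIGNING_KEY, _canonical(assertion["claim"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])
```

The relying party learns only `result: true/false` for the threshold it asked about, and any edit to the claim in transit invalidates the signature.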

One of the noteworthy outcomes of all of this is the amount of data generated to create our digital selves: from login credentials to identity attributes such as name, address and other personally identifying information. Data that represents our identity has literally exploded in the last ten years. In 2011 analysts IDC predicted we would create the largest amount of digital data in human history at 1.8 trillion gigabytes – 75% of that being generated by individuals and less than one third of it being adequately protected. Since then, big data has only gotten bigger. IDC now predicts that by 2020 there will be as many “digital bits as there are stars in the universe”, that is 44 trillion gigabytes – mind-blowing stuff.

Protecting Our Most Precious Commodity: Our Identity

All that data, floating about in our digital version of the universe, is attracting the wrong sort of interest. Cybercriminals are having a feeding frenzy over our personal data. In 2015 identity data loss was the #1 cause of data breaches. A report by Gemalto identified that 53% of breaches in 2015 could be traced back to identity theft. Identity data is creating its own black economy. McAfee’s 2015 report on ‘The Hidden Data Economy’ offered up some figures for the price paid on the Dark Web for personal data. For example, payment card details with a date of birth thrown in will set you back $35 per record. If you want the ‘dump track’ of a high balance card (aka the information copied from the electronic strip of a credit card) it’d set you back up to $190 for an EU based card. So you can see, if a cybercriminal steals even 1000 identity records or credit card details they can make a lot of money.

We, the citizens and business people of the 21st century, find ourselves in the unique historical position of being the custodians of our world’s identities. All of this data has to be protected, yet freely available. How to do this, to ensure security of storage as well as transmission, and to also ensure that privacy is upheld, is one of the hardest tasks our technology has had to resolve. In fact we are still resolving it. This article’s remit is to look at how our databases can handle the plethora of data created, but the problem is a holistic one and includes everything from the protocols used to communicate the messages, to cross-border, multi-jurisdiction legal issues in sharing identity data, to the authentication used to identify the user, and the storage.

Storage of digital identity data is something that many world governments are exploring by using an offset method. An example is the UK government Verify program. The UK government is working with a number of commercial organizations to supply online identities for all UK citizens. The UK government is very aware of privacy issues, after an earlier attempt to issue a UK identity card was rejected by the citizens of the country. This new online scheme requires that separate commercial entities are responsible for the creation of the digital identity and the storage of the identity data. This approach to online identity is user-centric, offering the user an identity account manager where the user can update identity data directly. Identity data is checked in this system using third party services, like credit file agencies and government services.

But storage is not the only consideration in identity data security. The Verify program, and any other identity scheme that requires data storage, needs to ensure it complies with some fundamental security requirements. Here we are talking about:

  1. Credential protection. It’s surprising how often credentials are simply not protected properly. For example, passwords are not correctly secured from the point of input through to being correctly hashed and stored. Credential protection goes further, however. There is no point correctly protecting passwords if a smart phishing email can get an unsuspecting user to enter them into a spoof website. Credential protection is a holistic action, requiring consideration of second factors to add a layer of additional account security.
  2. Data protection. Protection of user data during storage can be done using well-known techniques like database encryption. However, the data security is only as good as the other aspects of the system. This includes credential protection (as above). It also needs to have a well-designed credential recovery system in place. Poor credential recovery systems can result in data loss as evidenced in the Apple iCloud breach where intimate photos of celebrities were stolen.
  3. Disparate data, identity brokerage. One of the areas of the eco-system being explored in the industry at the moment is to use identity data brokers to handle requests for identity information from services. An identity data broker, sometimes called a ‘personal data store’ (PDS) is controlled by the user. Data can be stored across disparate systems to separate out identity data making a single breach less effective. Users of the PDS can control the release of data to services and also set privacy settings against the data.
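
The "correctly hashed and stored" half of item 1, as an added example that is not from the original article: the weak pattern (a fast, unsalted hash) next to a hardened verifier that uses a per-record random salt, the memory-hard scrypt KDF from Python's standard library, a self-describing record so parameters can be raised later, and a constant-time comparison. Passwords, salts and parameter choices are constructed for illustration; the second-factor and phishing points in the same item are out of scope for this block.

```python
"""Credential protection (constructed example): store a salted, memory-hard
verifier rather than a fast unsalted hash, and compare it in constant time."""
import base64
import hashlib
import hmac
import os
from typing import Optional


# Weak form: fast and unsalted. Two users with the same password get the same
# record, and a leaked table can be cracked with precomputed hashes at GPU speed.
def weak_store(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# Hardened form: per-record random salt plus scrypt. N=2**14, r=8 costs about
# 16 MiB of memory per guess, which is what slows an offline attacker down.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def hardened_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm, parameters, salt, derived key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, _b64(salt), _b64(dk))


def verify(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; reject malformed records."""
    try:
        alg, n, r, p, salt_b64, dk_b64 = record.split("$")
        if alg != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                                   n=int(n), r=int(r), p=int(p), dklen=32)
        # Constant-time comparison: a plain == would leak how many bytes matched.
        return hmac.compare_digest(candidate, base64.b64decode(dk_b64))
    except (ValueError, TypeError):
        return False


def needs_rehash(record: str) -> bool:
    """True when a record predates the current policy (legacy format or weaker
    parameters), so it can be upgraded at the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return True
    return tuple(int(x) for x in parts[1:4]) < (SCRYPT_N, SCRYPT_R, SCRYPT_P)
```

Because the salt is random, two users with the same password produce different records, and `needs_rehash` gives the migration path from legacy unsalted rows without forcing a password reset.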

Beware of the Weakest Link in the Chain

The best way to think about the protection of identity data is to think of the whole. The most secure, high performance database is only as good as the other parts of the identity chain. A weak link in the system will break that chain. The database is one part of a highly organized eco-system, with each part dependent on the others’ security. Every part of this system has a role in security. From the transport protocols, to the credential choice and management, to the databases: keeping identity data safe and private is a process, not an end point.

Author Details

Lincoln Hewett

Country Manager United Kingdom