Can They Steal Your Digital Identity?

by | Sep 4, 2022

Digital Identity

In the 1995 movie The Net, the protagonist Angela Bennett (played by Sandra Bullock) – a computer professional who tests new (security) software for bugs and removes viruses from people’s computers – accidentally gets into hot water and is pursued by agents from three letter agencies. In one of her chatroom sessions online, a friend lures her to click on a pi symbol on a website seemingly devoted to Mozart. Doing so enables them to access Bennett’s computer files. Her identities – driver’s license, credit cards, bank accounts – are all deleted. She loses her apartment and worse, her records are erased in census databases, making her identity non-existent. This is an example of how digital identity theft could impact an individual. But it can also apply to organizations like yours.

Digital Identity

Angela Bennett’s identity was erased and replaced with a new one – with a false criminal record.

This incident can happen to any of us today, as our identities are digitalized, and we use them to log into online services on the cloud. Identities provide access to resources on cloud or on-premise. As more organizations move their infrastructure to the cloud, Identity and Access Management solutions become significant. Employees also work from anywhere today and access company resources from the cloud. That calls for tightened access control governed by identities. An Identity and Access Management (IAM) solution secures digital identities; IAM is essential for the adoption of Zero Trust models in the enterprise.

What are Digital Identities?

It’s natural to think that identities are only for people. But in the digital world that we live in today, with personal and business assets increasingly digitalized, identities are available for applications, workloads, systems, and electronic devices.

A Digital Identity is a unique piece of information used to identify an individual, an organization, a device, a workload, or an app.

Let’s start with people. We have login credentials for accessing our email, bank accounts, the online newspapers we subscribe to, e-commerce sites we shop at, and the government services we use. There are credit card numbers with unique PINs and CVVs. Governments issue national identity numbers to citizens – social security numbers in the West or Aadhaar number if you are an Indian citizen. Tax authorities in India issue PAN IDs to individual tax payers and TAN numbers for corporations responsible for deducting tax at source (TDS). Entrepreneurs and organizations in India need to have GST numbers to conduct business.

For devices like smartphones, computers, and IoT devices, there are MAC and IP addresses. These connected devices need to be uniquely identified since they are used for sending and receiving information via the Internet.

Applications are interconnected via application program interfaces (APIs) and have unique identifiers. 

Workloads have global task IDs, and session IDs. UUIDs or Universally Unique Identifiers are used for identifying information exchanged through global databases. These are also used for tracking information. 

Identity and Access Management Challenges

An organisation’s IT infrastructure was once centralised with all resources in an on-premise data centre. There was “perimeter security” in the form of a firewall – security software or an appliance that inspected all data packets leaving and entering the enterprise network. The analogy is your building security checkpoint at the main gate. Security personnel question all visitors and call you from the intercom for permission to allow them to pass through and visit your home.

But as IT infrastructure moved to the cloud and employees started working from home and remote locations, the infrastructure became decentralised. With the availability of online services, employees bypassed the IT department and helped themselves to services on the cloud with a swipe of their credit cards. A resource for storage, for instance, is a service like Box or Dropbox. Bypassing the IT department for resource provisioning and a self-help approach is known as “shadow IT.”

Enterprises too started moving pieces of their IT infrastructure to the cloud, as the cloud offers benefits like cost savings, flexibility and scalability. To do this, they had to transform their business processes and IT infrastructure – or embrace Digital Transformation.

Digital Transformation in organizations was accelerated during the pandemic, as more employees began to work remotely. Customers started consuming services through apps. So we also witnessed consumers embracing digitalization. Food delivery apps with food ordered from “cloud kitchens” is a prominent example. Online shopping and OTT entertainment apps are other examples. People stayed at home during the pandemic and started consuming services from the cloud via apps.

To remain competitive, businesses had to embrace digitalization at a rapid pace and advance their digital transformation plans. It was either that or bankruptcy and losses.

With the proliferation and rapid adoption of cloud services, enterprise IT architecture and infrastructure became decentralized. Organizations now have their infrastructure spread across multiple clouds from different service providers: Microsoft Azure, Google Cloud Platform, Amazon Web Services and other alternative cloud providers such as Digital Ocean and Akamai/Linode. As resources were spread in multi-cloud and hybrid clouds (on-premise and cloud), identities were further distributed. We experienced “identity sprawl” which makes visibility and control of identities a huge challenge.

To compound this problem, employees started using their personal devices to access resources on the enterprise network. And as we know, the security on personal devices is not as robust as what you would find on a company-issued laptop or server behind a firewall.

With the advent of IoT and IP-enabled devices, thousands of devices were connected to corporate networks. And this compounded the problem. Remember, devices have identities too.

In the industry, people say the increase in devices and identities, especially from remote locations, “broadened the attack surface.” In plain terms, there were now more doorways to secure.

Let’s explain this using the real-world analogy of building security. Imagine what would happen in your society if there were more entry points to your society compound and not all of them were locked or manned by security personnel – or if there were no CCTV cameras.

The likelihood of a security breach increases manifold.

Why is it important to Secure Identities?

Bad actors and hackers observed the decentralisation of IT infrastructure and turned their attention to devices used by remote workers. We use the term “endpoint” to refer to these devices. These bad actors know very well that home networks and endpoints are unsecure. When was the last time you changed the password on your home router? Every security professional knows that home routers have default passwords that are known to hackers.

Employees who do not practice security hygiene are careless about clicking on malicious links in phishing emails. This very action throws open the gates to the corporate network, as the user endpoint is connected to the enterprise network via the internet. Hackers try to steal identities and credentials from end users. Credentials are your login details.

According to the BofA Global Research report, 80% of attacks originated through compromised credentials. Over 90% of all organizations have experienced a breach that stems from poor identity security.

The BofA report says Identity Security is now regarded as the “digital front door” to the network, spanning across users, devices, applications and infrastructure. Trends like Zero Trust and Cloud security increase the importance of Identity Security, and the use cases and capabilities evolve.

Identity and Access Management (IAM) solutions can secure digital identities. BofA expects the IAM market to grow about 13.1% CAGR between 2023-2026, with most public companies focused on the Employee Identity market and speciality vendors like CyberArk and BeyondTrust targeting the Privileged Account sub-segment.

Share This Article!

Brian Pereira
Brian Pereira
Brian Pereira is an Indian journalist and editor based in Mumbai. He founded Digital Creed in 2015. A technology buff, former computer instructor, and software developer, Brian has 29 years of journalism experience (since 1994). Brian is the former Editor of CHIP India, InformationWeek India and CISO Mag. He has served India's leading newspaper groups: The Times of India and The Indian Express. Presently, he serves the Information Security Media Group, as Sr. Director, Editorial. You'll find his most current work on CIO Inc. During his career he wrote (and continues to write) 5000+ technology articles. He conducted more than 450 industry interviews. Brian writes on aviation, drones, cybersecurity, tech startups, cloud, data center, AI/ML/Gen AI, IoT, Blockchain etc. He achieved certifications from the EC-Council (Certified Secure Computer User) and from IBM (Basics of Cloud Computing). Apart from those, he has successfully completed many courses on Content Marketing and Business Writing. He recently achieved a Certificate in Cybersecurity (CC) from the international certification body ISC2. Follow Brian on Twitter (@creed_digital) and LinkedIn. Email Brian at: [email protected]
Recommended Posts
The First 90 Days Are Crucial for the CISO and CIO

This book arms you with insights into crafting a robust 90-day plan, and you’ll be well-equipped to catapult into CIO or CISO roles successfully. Beyond technical proficiency, the book instills survival skills, ensuring longevity and helping you prevent burnout in these pivotal positions.

Similar Articles