David Ruzicka has over 17 years’ experience, and the field of cybersecurity in which he began his career has transformed and evolved markedly over that time. Now a Partner at EY Australia, Ruzicka is one of Australia’s foremost authorities on cybersecurity and IdAM.
Today’s organisations face a challenge. People want instant access to information, and they want it in more ways than ever before. Just look at the different channels that a standard financial services institution is now tasked with maintaining – brick-and-mortar branches, call centres, websites, mobile apps, and all of that before we start wading into the murky waters of things like social media.
The number of channels is increasing, and these channels are also transforming, becoming ever more reliant on digital technology. Where once a transfer of information needed to be conducted face-to-face, there is now a demand for it to be done at the tap of a smartphone screen or any number of other devices.
What is identity and access management (IdAM) and why is it important?
With digital, multi-channel support becoming critical for any organisation aiming to still be relevant in a decade’s time, managing access to information across a number of different networks, some of which may not be entirely in your control, has become critical. Your clients, partners and customers, the parties whose information you hold, want it to be perfectly safe and secure but also wholly and instantly accessible.
So, how do you ensure that the right people (or things) have got the right access to the right services and resources at the right time? This daunting assignment is tackled through a discipline called identity and access management, or IdAM.
The principles of digital identity management
For organisations who provide services and hold data, IdAM can be summed up in two key principles:
- Ensuring the services, systems and data that an organisation provides or holds can be accessed simply and seamlessly.
- Ensuring access to services, systems and data is restricted to the appropriate parties.
But summing up these principles in two sentences can understate the complexity of the task. With our entire lives going digital, the vast amount of data that is now digitally accessible – much of it deeply confidential – has turned the World Wide Web into a goldmine for those whose motives are more nefarious. The most accessible private information can be found, ironically, at security checkpoints, where users offer up passwords and personal data in return for access.
Many access and identity managers will admit that access has sometimes been prioritised over identity – that the desire to enhance the user experience has seen security lagging behind at times. So we’re beginning to see a third IdAM principle evolve: Minimisation.
Increasingly, organisations are realising that the data and information requested during access needs to be just enough to be able to get through the security clearance process. It’s not in the organisation’s nor the customer’s interest to store or ask for a whole range of irrelevant information and data, because if (or perhaps when) an organisation experiences a security breach, that data is often the first to be accessed.
At EY, we’ve been working with organisations to challenge some embedded thinking around personal information. One good example is date of birth. In an electronic verification scenario, do we really need to store date of birth? At best you need to use it for verification, then it can be discarded. Why use it in the first place, particularly if there’s a better way?
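As an added illustration of the minimisation point above (example code, not EY’s or the article’s own), the verification step below uses the date of birth once against a trusted source and then keeps only the fact that the check passed; the trusted-source entries, names and licence numbers are constructed.

```python
# Added example of the data-minimisation principle described above; not EY's
# code. Date of birth is used once to verify the applicant against a trusted
# source and then discarded; only the outcome of the check is retained.
from datetime import date, datetime, timezone

# Constructed sample trusted source (stands in for a document-verification
# service). Hypothetical identifiers and people, not real data.
TRUSTED_SOURCE = {
    "DL-123456": {"name": "Alice Example", "dob": "1985-03-14"},
}

def verify_against_source(licence_no: str, name: str, dob_iso: str) -> bool:
    """Compare the applicant's claims with the trusted source; returns pass/fail only."""
    entry = TRUSTED_SOURCE.get(licence_no)
    if entry is None:
        return False
    try:
        claimed = date.fromisoformat(dob_iso)   # malformed input fails closed
    except ValueError:
        return False
    return entry["name"] == name and date.fromisoformat(entry["dob"]) == claimed

def onboard_minimised(customer_id: str, licence_no: str, name: str, dob_iso: str) -> dict:
    """Verify, then persist only what the organisation actually needs later."""
    ok = verify_against_source(licence_no, name, dob_iso)
    del dob_iso  # not needed after the check: do not let it reach the customer store
    record = {"customer_id": customer_id, "name": name, "verified": ok}
    if ok:
        # Evidence that a check happened, without the data used to perform it.
        record["verified_at"] = datetime.now(timezone.utc).isoformat()
        record["verification_method"] = "document-check"
    return record

def onboard_over_collecting(customer_id: str, licence_no: str, name: str, dob_iso: str) -> dict:
    """The pattern the article challenges: the DOB is stored alongside the
    record, so any breach of the customer store exposes it."""
    return {
        "customer_id": customer_id, "name": name, "date_of_birth": dob_iso,
        "verified": verify_against_source(licence_no, name, dob_iso),
    }

if __name__ == "__main__":
    print(onboard_minimised("c1", "DL-123456", "Alice Example", "1985-03-14"))
    print(onboard_over_collecting("c1", "DL-123456", "Alice Example", "1985-03-14"))
```

A breach of the store holding the minimised record reveals that a verification happened, but not the date of birth it was performed with.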
Strengthening IdAM and the interactions it facilitates begins by leaving passwords and personal data behind, and moving to more evolved forms of authentication.
Is blockchain technology the answer to identity theft?
Blockchain. Whenever the future of IdAM or indeed any online technology is mentioned, you can guarantee that someone will shout this term from the rafters. But we need to exercise an element of caution when it comes to blockchain and any similar decentralisation technology. It does a couple of things really well, but it doesn’t go all the way to solving every challenge that exists around identity and access.
Blockchain is an immutable online register. It’s good at storing and validating data transactions. What it’s not great at is facilitating real-time authentication and validation of transactions. And the very nature of blockchain – the fact that once a ledger entry is created it can’t ever, or at least not easily, be erased – makes it unsuitable for great swathes of data, as it actively flies in the face of regulation such as the GDPR and privacy-principles legislation.
Blockchain technology is promising and exciting, no doubt. But there are other technologies that perhaps hold more promise in the field of IdAM. Strong authentication mechanisms are now available on devices, with biometrics holding particular promise – fingerprint scans, facial scans and the like. These offer an instantaneous way to increase the likelihood that it’s the right individual accessing services and data.
Building a strong data privacy infrastructure
More so than blockchain, biometrics, or any other new technology, systems that are secure by design are seen as the future. This concept focuses on ensuring every channel, application and service is secured through technologies and principles that go beyond identity. It holds that we should be making sure all digital services and applications are, at their very core, secure.
If we look at some recent large-scale data breaches, many haven’t happened from authorisation issues, but from inherent structural issues. The only way to avoid these is to ensure strong security testing and design principles are embedded when developing systems and services.
Even with the best secure-by-design frameworks in place, organisations still need to ensure that they have strong and immediate anti-data-exfiltration and response controls in place should the worst occur. These must centre on data loss analytics and prevention, but will ideally also include customer education. If we look again at the financial services space, we now see many organisations providing things like anti-virus and anti-malware products at no charge: things that strengthen the end user’s device, which is where a lot of the compromises end up occurring.
Protecting digital identity at an individual level
Those anti-virus and anti-malware offerings of some financial institutions serve to highlight perhaps the greatest challenge those in IdAM face – the often laissez-faire attitude of end users. It takes two to tango, but if the end user is doing the twist instead, they can open both themselves and the service provider up to serious risk.
What can an individual do to help the cause? It’s simple – practise good online security behaviours. Only use secure home Wi-Fi, never public Wi-Fi, to access anything confidential – things like financial, medical or governmental information. Use multi-stage authentication whenever it is offered. Secure your device with biometrics. Use technologies like anti-malware to further protect yourself against outside threats. Treat your online security like that of your home. Lock the doors. Set the alarm. Be a solid digital citizen.
Applying the right controls to mitigate risk
A final point on IdAM, and one that can be easily forgotten or ignored by organisations, is the fact that everything put in place to secure digital channels must be done through the prism of risk. The levels of risk vary across organisational data, and the levels of security should likewise vary. If an organisation applies maximum security controls to all data, even ultra-low risk, the end user’s experience will be negatively affected.
Understanding your data, and identifying the right controls to apply, is key to ensuring that things don’t get too cumbersome or costly, and that the channel experience is smooth as well as secure. Security is vital, certainly, but it mustn’t get in the way. It is there to enable interactions, not inhibit them.
Are you interested in a career in IdAM or cybersecurity? Great news – EY is looking for new talent right now. Check out their careers page for the latest openings.