In CIAM, Pay Attention to the Entry Nodes

When you think of customer identity and access management (CIAM), what do you think of? One of the first things I think of is a network. That’s because I believe security teams need to map out all the different ways in which your customer interacts with you, and how they end up authenticating themselves in each of those flows. Think of them as the different points in your “business network” that customers use to get in. If you haven’t mapped out each and every one of them, you have a problem. To use a different analogy, making the front door stronger won’t matter much if you’ve left a window open somewhere. Your defenses are only as strong as your weakest checkpoint. And in far too many enterprises, the weakest checkpoint will often turn out to be something that was missed, overlooked or just not paid enough attention to.

When you do take up the task of mapping out all your customer entry points, there are two aspects of the map that I recommend paying special attention to. The first is your omnichannel strategy, and the other is your exception flows.

If you’re like most businesses, your customers end up interacting with you in many different ways: via browsers, mobile apps, the phone, or in person (if you still happen to have a storefront). In this omnichannel world you have to ensure that the authentication happening in each of these interactions is equally strong, and doesn’t leave you exposed to identity fraud because one of them is easier to exploit. We often see cases of identity fraud that leverage the weaker authentication process the call center employs.

Of course, the best case would be if you can figure out a way to use the exact same mechanism across all channels. But if you can’t, ensure that the strength and risk profile of the authentication used by each is the same across all.

Next, think about all of the escape hatches you’ve built into your infrastructure because your customers are, after all, human. I’m talking mainly about your account recovery flows, or alternative authentication flows. Adding a really strong second factor to your authentication doesn’t help if malicious actors are given a weaker path to bypass it. Just think: if they click on the “I lost my phone” button, they may get dropped into an alternate flow that’s not as strong (like emailing links or asking security questions that are easily harvested or guessed). More than a few organizations have faltered when setting up these exception flows, resulting in painful hacks or embarrassing disclosures.

The key to making the authentication stronger in exception flows is remembering that they’re exception flows. What I mean is that because they’ll rarely get invoked by your customers, you can introduce more friction into the flows in order to make them more secure (using a combination of factors, for instance). Just make sure they’re factors that actually add security (in other words, please don’t use static security questions).
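The "business network" idea above, and the point that a strong second factor is undone by a weaker recovery path, can be made concrete with a small map of entry nodes. The following is an added example, not code from the original post or from Uniken: every node name, channel and assurance number is a constructed illustration. Each entry node is a channel plus the flow used there; a `grants` edge records that clearing one flow bypasses another's checkpoint (a "lost my phone" flow that resets the login credential bypasses the login itself). The account is then only as strong as the weakest entry node that can reach it, and the omnichannel check flags channels whose weakest flow falls below the strongest channel.

```python
"""
Added example (not from the original post): map customer entry nodes as a small
graph and find the weakest checkpoint that still reaches the account.

All names, channels and assurance levels below are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass

ACCOUNT = "account-session"   # the asset every entry node ultimately reaches


@dataclass(frozen=True)
class EntryNode:
    """One way in: a channel plus the authentication flow used on that channel."""
    name: str
    channel: str
    assurance: int      # constructed scale: 0 = guessable/harvestable, 3 = phishing-resistant MFA
    grants: tuple = ()  # names whose checkpoint is bypassed once this flow succeeds
                        # (e.g. a recovery flow that resets the login credential)


def reachable(nodes: dict, start: str) -> set:
    """Everything an attacker can reach after clearing `start`, following `grants` edges."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        node = nodes.get(cur)                  # ACCOUNT itself is not an entry node
        for nxt in (node.grants if node else ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def effective_assurance(nodes: dict, target: str = ACCOUNT):
    """The target is only as strong as the weakest entry node that reaches it."""
    candidates = [n for n in nodes.values() if target in reachable(nodes, n.name)]
    weakest = min(candidates, key=lambda n: n.assurance)
    return weakest.assurance, weakest.name


def open_windows(nodes: dict, required: int, target: str = ACCOUNT) -> list:
    """Entry nodes below the required level that still reach the target: the open windows."""
    return sorted(n.name for n in nodes.values()
                  if n.assurance < required and target in reachable(nodes, n.name))


def channel_gaps(nodes: dict) -> dict:
    """Omnichannel check: weakest flow per channel, for channels below the strongest one."""
    per_channel = {}
    for n in nodes.values():
        per_channel[n.channel] = min(per_channel.get(n.channel, n.assurance), n.assurance)
    strongest = max(per_channel.values())
    return {ch: lvl for ch, lvl in per_channel.items() if lvl < strongest}


def build_map(recovery_assurance: int) -> dict:
    """Constructed entry-node map; only the 'lost my phone' flow's strength varies."""
    nodes = [
        EntryNode("web-login", "web", 3, (ACCOUNT,)),
        EntryNode("mobile-login", "mobile", 3, (ACCOUNT,)),
        EntryNode("call-center-verify", "call-center", 1, (ACCOUNT,)),
        # The escape hatch: it resets the web credential, so it bypasses web-login.
        EntryNode("lost-phone-recovery", "web", recovery_assurance, ("web-login",)),
    ]
    return {n.name: n for n in nodes}


if __name__ == "__main__":
    before = build_map(recovery_assurance=0)   # static security questions
    after = build_map(recovery_assurance=2)    # friction added: several factors in combination
    print("before:", effective_assurance(before), open_windows(before, 3), channel_gaps(before))
    print("after: ", effective_assurance(after), open_windows(after, 3), channel_gaps(after))
```

With the recovery flow at level 0, the account's effective assurance is 0 even though both logins use level-3 factors; raising the recovery flow to 2 moves the weakest checkpoint to the call center, which is exactly the kind of overlooked node the post warns about. The `grants` edge is the modelling choice worth keeping: a recovery flow is not a separate door, it is a path that neutralises the door you already hardened.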

If we’re to truly anoint identity as the new perimeter, we need to ensure the protection offered by that perimeter is consistent and continuous. Only then will we be offering our customers the convenience and security they deserve.

See you at CIS in June.

By Nishant Kaushik, CTO, Uniken
