see 2021
on-demand
close
Session / Deployment & Leading Practices

Operationalizing Identity: IAM for Customer Service

Wednesday, June 23
2:05pm - 2:30pm MDT

Account recovery, governance, fraud, and biometrics: are these terms that come to mind when you think of customer service? They should be. These are common concerns that shouldn’t be limited to your application stack. After all, you can build the most impenetrable fortress of security services, but if you leave the back door open, you’ve failed to materially improve your security posture. Yet, as critical as this direct link between your organization and your customer is, many identity practitioners feel unprepared when asked to make decisions or recommendations that form the runbooks for operational groups.

This is a rich topic that scales in complexity with your organization. This session covers common use cases and considerations for retail and technology companies, including:

  • High-risk operations with, typically, the least assurance (e.g., resetting credentials, GDPR service requests, PII updates);
  • Suboptimal, out-of-band communication norms (e.g., social media, phone calls) for identity verification; and
  • Managing risk in your workforce (e.g., over-provisioning, insider threat, providing for break-glass emergencies).

You will also discover options for dealing with these challenges, including:

  • The use of various authenticators: there are common methods, like Knowledge-Based Authentication and SMS, each with specific benefits and risks. “Passive” methods like voice biometrics are increasingly sought, but fraught with technical and compliance complexities. Assurance level is an important concept here, balancing the need for customer satisfaction with customer data protection.
  • Considering compensation/localized risk when doing your staffing: is the opportunity cost of betraying your organization greater than what your data fetches on the black market? Invest in training frontline personnel about phishing and other security risks
  • Give people a means to report unauthorized changes and suspicious activity, and provide staff a way to escalate issues.