A digital identity is a virtual representation of an individual in the digital world. It comprises the attributes and information that uniquely define and distinguish them online. Login credentials, biometric data, email addresses and decentralized identifiers (DIDs) are all examples of digital identities.
In the realm of cybersecurity, digital identities play a pivotal role in regulating access to network resources. Any user, device or application seeking access to a network resource must first obtain a unique digital identity. This digital identity contains the authorization and permissions they need to interact with the resource.
For example, a user would need an AWS account to access resources in an AWS environment. This account functions as their digital identity on AWS and may grant them access to different cloud computing services and resources, including EC2 instances (virtual servers in Amazon's Elastic Compute Cloud) and Lambda functions. Similarly, an application running on an EC2 instance that wants to read data from an S3 bucket must also first acquire a digital identity.
A digital identity defines who can access what, under which circumstances and for how long. For instance, an AWS IAM role may temporarily grant an external user access to perform WRITE operations on an RDS instance, after they have presented an authorization token.
Digital identities, accounts and users are distinct concepts in cybersecurity, each with its own scope and use cases.
Digital identity is the broadest of the three. It encompasses any attribute or identifier that can be used to identify, authenticate and authorize an entity on a network; examples include API keys, digital certificates, IAM roles and service accounts.
A digital account is a type of digital identity used to access a particular resource or environment. Access to digital accounts is often protected via some sort of authentication, e.g. single sign-on (SSO), passwords or keys.
A digital user is an individual who interacts with a digital system. Interactions can include accessing a resource, performing operations or using a service.
A single digital identity may have multiple digital accounts. For example, a project owner’s identity may encompass different administrator accounts, service accounts and root profiles that offer them exclusive access to the entire infrastructure.
Digital identity management begins with registration and enrollment. Administrators provision a user on the system, typically an identity and access management (IAM) solution, and create their digital identity. Depending on the user’s role, the administrators then grant the relevant privileges and access rights to the user’s identity.
When a user tries to access a resource, the access management system authenticates their identity. Authentication typically involves verifying user credentials associated with an identity, such as tokens, biometrics, cryptographic keys or multi-factor authentication (MFA).
Once a user has been authenticated, they are authorized to use the privileges associated with their identity. This is important to mitigate security threats associated with privilege escalation and maintain high standards of application security. For example, if a user assumes a role to perform an elevated operation, the identity management system will check whether the assumed role grants the rights to do so.
Another important aspect of digital identity management is tracking the lifecycle of identities. This includes regular reviews, updates and eventual deactivation or archiving of identities when they are no longer needed.
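The lifecycle just described (provision an identity, authenticate it with a credential plus MFA, let it assume a time-bound role, check each action against that role's permissions, and finally deactivate it) and the earlier point that an identity defines who can access what, under which circumstances and for how long, can be shown in one small model. The code below is an added illustration written for this article, not code from AWS or from any IAM product; the `IdentityStore`, `Role` and `Session` names, the policy statement format and the session limits are all hypothetical. Passwords are stored as salted PBKDF2 hashes and the MFA factor is a TOTP code (RFC 6238 style), both built from the Python standard library.

```python
"""Minimal digital identity lifecycle model (added example, hypothetical names):
provision -> authenticate (password + TOTP) -> assume time-bound role -> authorize -> deactivate."""
import fnmatch
import hashlib
import hmac
import os
import struct
import time
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 100_000  # kept modest so the demo runs quickly; raise in production


@dataclass
class Identity:
    name: str
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    roles: set = field(default_factory=set)
    active: bool = True           # lifecycle flag: deactivated identities are refused everywhere


@dataclass
class Role:
    name: str
    # Hypothetical policy statements: (effect, action pattern, resource pattern),
    # e.g. ("Allow", "rds:Write*", "db-*"). An explicit Deny always wins.
    statements: list
    max_session_seconds: int = 3600   # "for how long"


@dataclass
class Session:
    identity: str
    role: str
    expires_at: float


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class IdentityStore:
    def __init__(self):
        self.identities = {}
        self.roles = {}

    def provision(self, name, password, roles=(), totp_secret=None):
        """Registration/enrollment: create the identity and attach the roles it is entitled to."""
        salt = os.urandom(16)
        secret = totp_secret or os.urandom(20)
        ident = Identity(name, salt, hash_password(password, salt), secret, set(roles))
        self.identities[name] = ident
        return ident

    def authenticate(self, name, password, code, now=None) -> bool:
        """Verify the credentials bound to the identity: password hash, then the MFA code."""
        now = time.time() if now is None else now
        ident = self.identities.get(name)
        if ident is None or not ident.active:
            return False
        if not hmac.compare_digest(hash_password(password, ident.salt), ident.pw_hash):
            return False
        return hmac.compare_digest(totp(ident.totp_secret, now), code)

    def assume_role(self, name, role_name, now=None):
        """Issue a short-lived session only if the identity is active and entitled to the role."""
        now = time.time() if now is None else now
        ident = self.identities.get(name)
        role = self.roles.get(role_name)
        if ident is None or not ident.active or role is None or role_name not in ident.roles:
            return None
        return Session(name, role_name, now + role.max_session_seconds)

    def authorize(self, session, action, resource, now=None) -> bool:
        """Check one action against the assumed role's statements; expired sessions get nothing."""
        now = time.time() if now is None else now
        if session is None or now >= session.expires_at:
            return False
        allowed = False
        for effect, act_pat, res_pat in self.roles[session.role].statements:
            if fnmatch.fnmatchcase(action, act_pat) and fnmatch.fnmatchcase(resource, res_pat):
                if effect == "Deny":
                    return False
                allowed = True
        return allowed

    def deactivate(self, name):
        """End of lifecycle: the identity stays on record for audit but can no longer be used."""
        self.identities[name].active = False


if __name__ == "__main__":
    store = IdentityStore()
    store.roles["rds-writer"] = Role("rds-writer", [("Allow", "rds:*", "db-*"),
                                                    ("Deny", "rds:Delete*", "db-*")], 900)
    ident = store.provision("alice", "correct horse battery", roles={"rds-writer"})
    now = time.time()
    print("login:", store.authenticate("alice", "correct horse battery", totp(ident.totp_secret, now), now))
    sess = store.assume_role("alice", "rds-writer", now)
    print("write:", store.authorize(sess, "rds:Write", "db-prod", now))
    print("delete:", store.authorize(sess, "rds:Delete", "db-prod", now))
```

The `now` parameters exist so the clock can be pinned in tests; in real use they default to the current time. The authorization rule mirrors the common "explicit deny overrides allow" evaluation, and the session expiry is what makes an assumed role temporary rather than a permanent grant.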
Federation is a technique that allows digital identities to be trusted across different domains and systems. For example, a user may be able to use the same digital identity to access resources in both cloud and on-premises environments.
Continuous monitoring and auditing are essential to reduce vulnerabilities, avoid security threats and breaches, and comply with different cybersecurity standards and frameworks. For example, you may monitor logs of your web applications to detect any suspicious login attempts.
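As an added example of the monitoring described above (not code from any product), the script below scans web-application login log lines and raises two kinds of alert: a source address that exceeds a failure threshold inside a sliding window, and a successful login that immediately follows a burst of failures for the same account, which is the case a reviewer most wants to see. The log format (`timestamp ip=... user=... result=OK|FAIL`), the sample lines and the thresholds are all constructed for this illustration; a real deployment would map its own log fields into `parse()`.

```python
"""Login-log monitoring over constructed sample lines (added example, not from the original)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format for this example; adapt the regex to your application's own fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample data: a scanning source trying several accounts, then an account that
# succeeds right after three failures, then an unremarkable login and a malformed line.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.7 user=alice result=FAIL
2024-05-01T10:00:09Z ip=203.0.113.7 user=bob result=FAIL
2024-05-01T10:00:12Z ip=203.0.113.7 user=carol result=FAIL
2024-05-01T10:00:15Z ip=203.0.113.7 user=dave result=FAIL
2024-05-01T10:00:20Z ip=198.51.100.4 user=erin result=FAIL
2024-05-01T10:00:25Z ip=198.51.100.4 user=erin result=FAIL
2024-05-01T10:00:30Z ip=198.51.100.4 user=erin result=FAIL
2024-05-01T10:00:33Z ip=198.51.100.4 user=erin result=OK
2024-05-01T10:03:00Z ip=192.0.2.9 user=frank result=OK
this line is garbage and must be skipped, not crash the monitor
"""


def parse(line):
    """Return a dict for a well-formed line, or None so malformed input is skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def detect(lines, window_s=60, ip_threshold=5, user_threshold=3):
    """Sliding-window failure counting per source IP and per account."""
    alerts = []
    fails_by_ip = defaultdict(deque)
    fails_by_user = defaultdict(deque)
    flagged_ips = set()   # alert once per source, not on every further failure
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        t = ev["ts"].timestamp()
        # Drop failures that fell out of the window before counting this event.
        for q in (fails_by_ip[ev["ip"]], fails_by_user[ev["user"]]):
            while q and t - q[0] > window_s:
                q.popleft()
        if ev["ok"]:
            n = len(fails_by_user[ev["user"]])
            if n >= user_threshold:
                alerts.append({"type": "success_after_failures", "ip": ev["ip"],
                               "user": ev["user"], "count": n, "at": ev["ts"].isoformat()})
            fails_by_user[ev["user"]].clear()
        else:
            fails_by_ip[ev["ip"]].append(t)
            fails_by_user[ev["user"]].append(t)
            n = len(fails_by_ip[ev["ip"]])
            if n >= ip_threshold and ev["ip"] not in flagged_ips:
                flagged_ips.add(ev["ip"])
                alerts.append({"type": "brute_force_source", "ip": ev["ip"],
                               "user": None, "count": n, "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Running it on the sample prints one `brute_force_source` alert for `203.0.113.7` and one `success_after_failures` alert for `erin`; the later login by `frank` and the garbage line produce nothing. Thresholds and window length are the knobs a security operations team tunes against its own baseline of benign failures.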
An eWallet, also called a digital wallet or digital identity wallet, is an application that lets you store your identity digitally and present it seamlessly.
Leveraging modern technologies, like verifiable credentials, eWallets can store all kinds of identity information, including passports, identity cards, licenses, university cards and even marriage certificates.
eWallets use strong cryptographic techniques to prove a user’s digital identity information to the requesting service or application. This verification, however, happens behind the scenes: all the user has to do is tap a button in the wallet application.
In our increasingly digital world, it’s crucial to use modern IAM solutions to protect digital identities. Let’s explore some of these solutions.
An access management (AM) solution controls access to resources and applications by applying the principle of least privilege and implementing various authentication and authorization methods. It offers the following features for digital identity management:
Privileged access management (PAM) tools focus on privileged identities, including root users, service accounts and administrator roles. Features unique to PAM include:
Identity governance and administration (IGA) solutions focus on managing and governing identities, roles and entitlements across an organization. Some IGA features for digital identities are:
For organizations that use Active Directory (AD) or Azure AD for authentication and authorization, AD management solutions are a great tool for securing digital identities. Here are some of their useful features:
The traditional concept of digital identities in cybersecurity was limited to organizational networks, where they were used to authenticate and authorize users. However, modern eWallet applications have made it possible to use digital identities in a wider range of contexts, such as accessing online services, applying for visas and verifying nationality.
As more specifications, like verifiable credentials, are released in the future, we can expect digital identities to become even more prevalent.