The following post is an excerpt from GovLoop's recent industry perspective, The Evolution of Identity Management. In the brief, we discuss why organizations must reassess the way they verify accounts and credential their users. We also offer tactics to help evolve government identity management strategies.
When determining how your agency should verify the identity of it's users, there is no one-size-fits-all template of credentialing requirements. Your appropriate identity management strategy is dependent not only on your user base, but also on your agency’s particular mission, risk tolerance level, and regulatory environment. Each of these components will shift your identity-verification tactics, making them more extensive when necessary and less invasive where possible.
“It’s really up to the agency to make those hard business decisions of where they want that threshold to be and where they want to strike that balance,” said Kolin Whitley, Director of Fraud and Identity Solutions at Experian, a global information services provider that offers a suite of identity-proofing tools to both public and private sectors.
Every facet of your agency, including its credentialing process, should serve your mission. Your mission is not static. It manifests in different ways over different mediums and processes over time. Your identity management tactics should be equally diverse and adaptable.
“Every agency has a slightly different mandate that they’re trying to meet,” Whitley explained. “Being able to work with application providers who have the flexibility to provide a customized approach helps them tremendously as they work through that mandate.”
In many instances, your mission is best served by encouraging as many users as possible to access your information. In those scenarios, a light credentialing process is most appropriate to avoid impeding users from engaging with your agency. In other cases, however, advancing your agency’s cause may require strictly securing data to ensure that only those users who can and should appropriately use it have access to it. For instance, departments should deploy a stringent identity authentication process to protect large, complex data sets that can be easily corrupted by fraudsters or novice users.
Security is clearly a primary concern for many agencies. However, as noted by Whitley, “It doesn’t make a lot of sense to have a user go through an expensive and, in some cases, perceived invasive form of identity verification just to reset a password.” Some processes need to be safeguarded better than others.
The ideal identity management strategy will reflect not only the risk tolerance of your organization at large, but also the unique risks associated with particular access scenarios. Whitley explained how Experian helps determine this strategy: “We work and engage with the client to come up with the best mix of risk strategies that will optimize the performance of the product while still maintaining that level of security.”
Finally, considering the environment in which your agency operates is also important. Regulatory standards can safeguard or inhibit your ability to service these users. “The challenge that we encounter quite often is that an agency has a directive requiring them to authenticate users accessing their applications,” said Whitley. “But at the same time, they are trying to balance the fact that these users do need to access those applications.”
Regulations may require stricter credentialing processes than you might otherwise find appropriate for a specific user action. In these instances, helping to alleviate credentialing burdens while remaining compliant with your regulatory environment should also be part of your identity management strategy.
To learn more about securing your organization through robust identity management, read our full report.