When you think of customer identity and access management (CIAM), what do you think of? One of the first things I think of is a network. That's because I believe security teams need to map out all the different ways in which your customer interacts with you, and how they end up authenticating themselves in each of those flows. Think of them as the different points in your "business network" that customers use to get in. If you haven't mapped out each and every one of them, you have a problem. To use a different analogy, making the front door stronger won't matter much if you've left a window open somewhere. Your defenses are only as strong as your weakest checkpoint. And in far too many enterprises, the weakest checkpoint will often turn out to be something that was missed, overlooked or just not paid enough attention to.
When you do take up the task of mapping out all your customer entry points, there are two aspects of the map that I recommend paying special attention to. The first is your omnichannel strategy, and the other is your exception flows.
If you're like most businesses, your customers end up interacting with you in many different ways--via browsers, mobile apps, the phone or in person (if you still happen to have a store front). In this omnichannel world you have to ensure that the authentication happening in each of these interactions is equally strong, and doesn't leave you exposed to identity fraud because one of them is easier to exploit. We often see cases of identity fraud that leverage the weaker authentication process the call center employs.
Of course, the best case would be if you can figure out a way to use the exact same mechanism across all channels. But if you can't, ensure that the strength and risk profile of the authentication used by each is the same across all.
Next, think about all of the escape hatches you've built into your infrastructure because your customers are, after all, human. I'm talking mainly about your account recovery flows, or alternative authentication flows. Adding a really strong second factor to your authentication doesn't help if malicious actors are given a weaker path to bypass it. Just think: if they click on the "I lost my phone" button, they may get dropped into an alternate flow that's not as strong (like emailing links or asking security questions that are easily harvested or guessed). More than a few organizations have faltered when setting up these exception flows, resulting in painful hacks or embarrassing disclosures.
The key to making the authentication stronger in exception flows is remembering that they're exception flows. What I mean is that because they'll rarely get invoked by your customers, you can introduce more friction into the flows in order to make them more secure (using a combination of factors, for instance). Just make sure they're factors that actually add security (in other words, please don't use static security questions).
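One way to turn the "map every entry point" advice above (both the omnichannel comparison and the exception flows) into a repeatable check is to inventory each path with the factors it verifies and flag every path weaker than the strongest one. This is an added example, not code from the post or from Uniken; the factor taxonomy, the scoring rule (distinct factor categories, with static security questions and harvestable facts counting for nothing) and the retailer inventory are all assumptions constructed for illustration.

```python
# Added example, not code from the original post: model each customer entry
# point as the set of authentication factors it requires, then list the entry
# points that are weaker than the strongest one in the inventory.
from dataclasses import dataclass

# Assumed factor taxonomy. Static security questions and other harvestable
# facts map to None: per the post, they add no security and so count for nothing.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "otp_app": "possession",
    "push_to_registered_device": "possession",
    "emailed_link": "possession",   # only as strong as the mailbox behind it
    "fingerprint": "inherence",
    "security_questions": None,
    "date_of_birth": None,
}

@dataclass(frozen=True)
class EntryPath:
    channel: str    # browser, mobile, call_center, ...
    flow: str       # "login" or an exception flow such as "lost_phone_recovery"
    factors: tuple  # factor names from FACTOR_CATEGORY

def strength(path: EntryPath) -> int:
    """Distinct factor categories (knowledge/possession/inherence) the path
    actually verifies; repeated or zero-value factors add nothing."""
    categories = {FACTOR_CATEGORY.get(f) for f in path.factors}
    categories.discard(None)
    return len(categories)

def audit(paths):
    """Return (channel, flow, strength) for every path below the strongest one.
    Each entry is an open window next to a reinforced front door."""
    bar = max(strength(p) for p in paths)
    return [(p.channel, p.flow, strength(p)) for p in paths if strength(p) < bar]

# Constructed inventory for a hypothetical retailer (not real data).
INVENTORY = [
    EntryPath("browser", "login", ("password", "otp_app")),
    EntryPath("mobile", "login", ("fingerprint", "push_to_registered_device")),
    EntryPath("browser", "lost_phone_recovery", ("emailed_link", "security_questions")),
    EntryPath("call_center", "login", ("date_of_birth", "security_questions")),
]

if __name__ == "__main__":
    for channel, flow, s in audit(INVENTORY):
        print(f"weak entry point: {channel}/{flow} verifies {s} factor category(ies)")
```

In the constructed inventory the two primary logins each verify two categories, while the recovery flow verifies one and the call center none, so those are the paths that need the extra friction the post recommends.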
If we're to truly anoint identity as the new perimeter, we need to ensure the protection offered by that perimeter is consistent and continuous. Only then will we be offering our customers the convenience and security they deserve.
See you at CIS in June.
By Nishant Kaushik, CTO, Uniken
CIS Blog - In CIAM, Pay Attention to the Entry Nodes