Sunday, August 24, 2025

Identity Management just isn’t what it used to be


It feels like Identity Management, whether we are discussing employee or customer identities, is no longer just about managing user names and passwords. Of course, this has been the case for several years. But those of us in the industry are realizing there is a new paradigm in which suspicion is the new normal, and this means that everyone involved needs to find new ways to manage and operate in this new model.

The recent Scattered Spider and related attacks are hitting us where we are most vulnerable: the intersection of customers and support, using social engineering to get organizations to reset passwords, along with standbys such as adversary-in-the-middle tactics.[i] Microsoft has also done a great job of describing the group's tactics and overall strategy.

As a result, the efforts of the Scattered Spider group have made anyone involved in IT Support and Security very concerned, and have left the customers of affected organizations feeling overwhelmed with doubt and insecurity. “Is this user who they say they are?” is a bigger concern than ever before.

There is one thing that has become abundantly clear for both organizations and customers: suspicion must be the new normal. It’s a sad, but true, reflection on the state of things right now. For customers, it means manual verification of information requests. Do not submit or provide data over the phone without independently verifying that you are communicating with the right people. Of course, this means separate phone calls or other interactions, which in complicated scam scenarios might still not be enough, and it slows everything down. It’s really nothing less than a new form of digital terrorism.

For large organizations, it means that ensuring both employee and customer security is more critical than ever. Ensuring that employee and customer data is properly segmented and that proper entitlement governance policies are in place is more essential than ever. Additionally, new patterns should be considered for verifying incoming user requests. The most promising method is using stronger identity verification mechanisms, such as liveness checks, and, when the strongest measures are called for, submission of government documents such as ID cards, driver’s licenses, and passports. This, of course, can unfortunately increase authentication and authorization friction in areas where there had been motivation to reduce or eliminate it.

There is hope that the use of concepts from self-sovereign identity will make this verification easier through the encapsulation of identity-related data in an identity wallet secured by technologies such as blockchain. However, this is still an evolving, niche technology.

While we wait for this technology to mature, it is crucial for organizations, and for the individuals who digitally interact with them, to exercise caution and remember that when it comes to protecting one’s digital identity, “Paranoid people live longer.”[ii]



[i] https://www.cybersecuritydive.com/news/scattered-spider-expands-tactics-recent-hacks/753220/

[ii] I’ve used this expression for over thirty years of my IT career. I can’t believe it has taken me this long to use it in a blog entry.
