Best IAM practices to strengthen enterprise security
As part of Cybermoi/s 2024, we are sharing best IAM practices with you to strengthen corporate security.
KYC, or Know Your Customer, is a crucial process for verifying the digital identity of an individual or company in the context of business activities. As human beings, trust in our identity, that is, who we are, is at the heart of our social interactions: whether it’s renting or buying real estate, receiving our salary, shopping at the supermarket, opening a bank account, or even for the reimbursement of medical expenses.
KYC is not a new concept, but the rapid digitization of our societies requires it to be adapted to new uses. At Memority, we are convinced that properly equipped digital identity processes are growth drivers for businesses.
Identifier, login, IAM, password, IDaaS, Fido, passkey: all these barbaric terms have been imagined by our technological societies to replicate, in the digital world, ancestral concepts. The terms Identity Factory and KYCaaS, more recent, extend this long list to offer new services.
Originally, a simple handshake was enough to exchange a goat for three chickens, but organizations and governments have long since established processes aimed at guaranteeing the identity of individuals. Clay or wax tablets, discovered in large numbers during excavations in Mesopotamia and other ancient sites, were used to record decrees, loans, contracts, and other commercial transactions. These tablets were authenticated by a representative of the governing authority, often a scribe, who signed or stamped them with the seal of the local sovereign.
As our civilizations evolved, the role of the scribe was passed on to Roman scriptores and then to medieval scribes. As early as 1215, the Council of Lateran mandated the keeping of registers of baptisms, marriages, and burials by parishes, to combat consanguinity. This system was gradually enriched through councils and royal ordinances, until the French Revolution, where this role was progressively assumed by state services, notably mayors and notaries in France.
Thus, the importance of our identity in modern societies is undeniable, and record-keeping is by no means a novelty. It is a fundamental process that dates back millennia and continues to play an essential role in our current social and commercial interactions.
The modern age saw a rapid increase in transport and communication capabilities, allowing us to interact with actors who are increasingly distant from our usual social circles, which historically guaranteed trust between individuals. Growing concerns about money laundering, terrorism financing, and other criminal activities prompted the United States in the 1970s to enact the “Bank Secrecy Act,” a law aimed at detecting and preventing money laundering. Similarly, in France, there is the LCB-FT. Verifying the identity or documents of a new user is a legal obligation for many sectors of activity. This is what is called KYC (Know Your Customer).
Telecommunications, e-commerce, and now the xTechs: FinTech, InsurTech, EdTech, LegalTech, PropTech, TravelTech, RetailTech, etc. The list of fields gradually revolutionized by technology continues to grow. Some that were thought to be protected are no longer, such as notaries, who were considered resistant to change due to their role as guardians of the books.
Large companies have long industrialized and automated the maintenance of their user registries. Initially simple digital directories, they have evolved into Identity and Access Management (IAM) applications, providing identity management interfaces and processes. Then they migrated to the cloud with IDaaS (Identity as a Service), lightening the burden of infrastructure maintenance.
Finally, Memority’s Identity Factory offers organizations a service where identities are produced, managed, and secured efficiently, reproducibly, and securely. This includes automated processes for creating, managing, and revoking all types of identities (employees, partners, customers, connected objects), as well as mechanisms to ensure the security of identification information and data associated with identities. Modern interfaces simplify data entry, and connectors facilitate integration with the business tools of the information system. Built-in authentication, federation, and access control functions streamline complex historical IAM systems. The speed and controlled cost of activating Memority make it accessible not only to large organizations but also to mid-sized and even some small businesses.
Indeed, since 2019 and the lockdowns, many latecomer organizations have digitized numerous processes to continue their activities despite the distance. Relying on services that allow them to do more, faster, but sometimes forgetting the historical reason that led to certain processes deemed complicated, archaic, or unnecessary, and on which our civilizations are based: the importance of trust.
This rapid democratization has allowed far too many malicious actors to take advantage of our weaknesses. Despite awareness campaigns, training sessions, warning messages, and other three-step validation screens, it is still too easy to impersonate someone’s digital identity. This can have devastating consequences for the owner of the stolen identity or the deceived counterpart.
As a result, stories abound of fraudulent consumer loans, cars sold without proper paperwork, elderly people extorted, friends supposedly stranded on the other side of the world asking for money… Or significant sums of illegally obtained money (from drug and arms markets, etc.) being laundered too easily through digital exchanges.
These multiple reasons have motivated companies to offer digital identity verification services that are more accessible to non-governmental or non-financial organizations. This allows them to comply with regulations and reduce their risk. These services have been around for about fifteen years and offer various packages to adapt controls to the level of trust required for their clients’ business needs.
Our fellow citizens have thus discovered practices that have been used for several decades by some large companies and for about a decade by technophiles and other crypto-addicts: electronic signature, automated identity document verification, electronic wallet, encryption keys, etc. These are tools and services that allow for the automatic authentication of a person using their identity documents, thus simplifying identity verification. While some are still cumbersome to use, others offer such fluidity that they are now being used not only to enhance security but also to improve the productivity of our organizations. KYCaaS, or Know Your Customer as a Service, allows identity checks to be carried out in less than 5 minutes, regardless of the time or day of the week, and at a cost of a few cents.
• KYC -> Know Your Customer: customer authentication process
• KYCaaS -> KYC as a Service: online service offering to automate the KYC process
• Identity Factory Memority: an online service that allows organizations to produce, manage, and secure all types of identities, thereby accelerating and streamlining user journeys and identity management processes