
The Growing Importance of Digital Identity and NTT DATA's Efforts
Have you ever heard of digital identity? Some people associate it with keywords such as authentication and identity management. At NTT DATA, we view digital identity as a crucial element at the heart of enterprise cybersecurity. This perspective has enabled us to resolve various customer issues effectively. In this article, we introduce a part of our methodology.
NTT DATA to Lead Future Market with MDR as Core
We at NTT DATA consider Managed Detection and Response (MDR) to be crucial for enhancing cybersecurity measures. We emphasize the importance of MDR in providing continuous monitoring, threat detection, and rapid response to security incidents. By leveraging advanced technologies and skilled security analysts, we aim to protect our clients' digital assets and ensure business continuity. Our focus on MDR reflects our commitment to delivering comprehensive security solutions that address the evolving threat landscape (*1).
The importance of MDR has grown significantly, especially with the rise of the "zero trust" concept, which has become more prominent with the shift toward online services and evolving cybersecurity trends. As Microsoft advocates with "never trust, always verify" (*2), zero trust is based on the assumption that a network boundary will be breached. In this model, all communications are untrusted, and access is evaluated each time, rather than relying on a secure network boundary.
In the zero-trust world, the "Identify," "Respond," and "Recover" components of the cybersecurity frameworks proposed by the National Institute of Standards and Technology (NIST) are particularly important. These frameworks were previously introduced in the NTT Technology Journal (*3). MDR is a solution that encompasses all these critical aspects.
MDR includes various categories such as endpoint security, network security, cloud security, application security, and data security. Furthermore, digital identity security is also a crucial element. Digital identity plays a central role in MDR because it connects the existence of a physical person with the various networks and systems they use. To realize a zero-trust world, it is necessary to first confirm and guarantee "Who are you?" and "Are you really who you are?"
What Should Companies Think About Digital Identity?

Figure 1: Flow of Support for Problem Resolution
When we support customers in resolving issues related to digital identity, we place importance on the phase of "organizing the overall picture of the issues" (the red part in Figure 1). This is because the issues that customers see are often just the tip of the iceberg, and solving them alone may not lead to fundamental improvements. In some cases, as customers start to consider the issues they see, they may find related themes with higher priority. In the field of digital identity, in particular, there are few best practices that say, "It's OK to do this," and there are many requirements that need to be implemented after selecting and customizing a solution according to the customer's situation. Therefore, finding the optimal solution for a given goal is not easy.
To organize the issues, NIST and the International Organization for Standardization (ISO) have defined international guidelines and frameworks.

Table 1: Overview of NIST SP800-63 (*4) and ISO/IEC 24760 (*5)
The above information is used by many organizations and experts around the world. However, from a practical point of view, we think there may be some shortcomings. NTT DATA has developed a framework mainly for organizing digital identity issues within companies, and has been consulting with many customers. This section presents an overview of the framework.
Nine Perspectives on Digital Identity
In order to get a bird's eye view of a company's digital identity, nine perspectives are necessary, as shown in the bubbles in Figure 2. Figure 3 shows an example of replacing these perspectives with a physical environment within a company, rather than cyberspace.

Figure 2: NTT DATA's framework for organizing digital identity issues

Figure 3: Examples of perspectives of digital identity in the physical world
Key Elements of Digital Identity Management
- Proofing: Linking a physical person to an electronic identity so that the system can understand it. True identity verification is achieved only after thorough processes of proofing and authentication.
- Life-cycle Management: Managing the states of an electronic identity from creation to deactivation and destruction, including transitions. ISO/IEC 24760 provides a model for this perspective. In enterprises, it is crucial to ensure account status changes correctly with personnel events, name changes, and organizational changes. Immediate deletion of unnecessary user IDs is recommended to prevent information leakage due to internal improprieties.
- Authentication: Determining whether an electronic ID is used by its owner, based on a knowledge factor, possession factor, or inherence factor. Balancing security strength and convenience is essential, with modern methods like passwordless authentication (*b) and WebAuthn (*c) offering both.
- Federation: Accepting the result of a person's authentication from another system, allowing access without re-authentication. Single Sign-On (SSO) is often implemented to achieve this.
- Authorization: Confirming the authentication result and allowing access. This can be managed by each business system or a central authentication infrastructure.
- Session Management: Deciding how long to maintain identity authentication, authentication linkage, and authorization status based on requirements, especially when handling sensitive information.
- Access Control: Permitting or denying access based on user information. Ensuring access permissions are appropriate to prevent information theft is critical.
- Accounting: Acquiring and managing usage status and system access history. Regular audits and appropriate log management are necessary to ensure security and compliance.
- Governance: Creating and managing rules to properly operate all elements related to digital identity. Regular reviews and adherence to internal policies are essential for maintaining governance.
The Value NTT DATA Provides
NTT DATA has developed a framework to systematically and comprehensively organize issues related to digital identity, referring to standards defined by NIST and ISO. This framework has been used in numerous consultations and solution proposals. Digital identity is a fundamental part of internal security, especially as concepts like "Digital Transformation (DX)," "cloud shift," and "remoteness" gain popularity. By organizing the overall picture, NTT DATA helps identify additional issues and reexamine the entire internal system, ensuring it is fit for the times.
Footnotes:
- (*a) Credential: A group of information that a user can provide to confirm that they are the genuine user, such as a password, electronic signature, or credential.
- (*b) Passwordless authentication: A method of authenticating the user without using "knowledge" information such as a password, which is one of the three elements of authentication. This method is expected to reduce the risk of password leakage and the burden on the user to remember the password.
- (*c) WebAuthn: A specification of authentication technology for implementing passwordless authentication in web services.
References:
- (*1) NTT DATA Introduces New Global Cybersecurity Strategy to Help Clients Boost Protection Against Cyber Risks
- (*2) What is Zero Trust?
- (*3) NTT Data's 0 Trust Business Environment, NTT Technical Journal, vol. 33, September 2021, p. 58 (Japanese)
- (*4) NIST SP 800-63 Digital Identity Guidelines
- (*5) ISO/IEC 24760-1:2019 IT Security and Privacy - A framework for identity management - Part 1: Terminology and concepts

Risa Shishido
NTT DATA Group Corporation
Since joining NTT DATA, she has been engaged in security consulting services. Currently, she primarily focuses on "Digital Identity," supporting various projects across different industries and sectors. Additionally, she is actively involved in disseminating information both internally and externally.