The state of cybersecurity in Europe is severely challenged. This has become even more apparent during the recent, pandemic-accelerated transformation of the way we work and collaborate. At the same time, the EU’s cybersecurity directive – NIS2 – is facing a major upgrade, which will have far-reaching consequences for the private sector. GlobalID’s potential as part of the solution has been subjected to an external critical review and has passed.
The State of Cybersecurity in the EU
Both politically and in the private sector, there is a general recognition that cybersecurity in the EU is a growing concern. This is a contributing factor to the EU announcing an imminent, significant upgrade of both requirements and sanctions.
To go deeper, make the consequences concrete and finally get an assessment of whether Liga’s GlobalID can help meet the growing challenges at a European level, we asked the international research institute KuppingerCole to conduct an analysis that included a benchmarking of our solution.
A benchmarking we passed.
It is a known fact that Denmark in many respects is far ahead of its European neighbors when it comes to digitalization, largely driven by a very progressive public strategy and closely followed by the private sector. However, the European lag poses a growing concern, as Danish companies depend on being able to work, trade and cooperate across borders.
This is an issue that needs to be addressed. And that is why Liga chose to ask KuppingerCole to take an overall European perspective, make recommendations and, as part of this, assess whether GlobalID can contribute to the solution.
Lack of foundation
KuppingerCole quickly identified that when it comes to trust, security, pace, efficiency and ultimately the realization of the potential of digitization, the lack of implementation of eIDAS – the European standard for the use of validated digital identities that are linked to and follow the individual – is a decisive factor, in the negative sense. All other initiatives to ensure security, protection, and management of threats rest on this foundation, yet it is far too rarely employed.
3 serious challenges
In their analysis, KuppingerCole point to three challenges that follow from the lack of implementation of eIDAS. By pointing to these three challenges, KuppingerCole emphasize that there is more at stake than the immediate need for security and protection.
1. Security
Topping the list of challenges, however, is – of course – security.
KuppingerCole point out that far too many companies have not yet adapted to the new hybrid reality, in which the network perimeter is no longer sharply defined. Companies must handle and onboard changing and new partners, suppliers and employees spread across large distances and national borders, giving them varying degrees of access to digital systems and platforms from changing devices.
KuppingerCole strongly recommend that companies replace their old practices: completely abandon onboarding and subsequent validation based only on a username – typically a publicly known email address – and a password, and implement a method of secure identification instead.
2. Management, Compliance & Governance
The lack of implementation of eIDAS, and of services that provide access to a network of validated digital identities through an adequate process of identification, validation and updating, entails not only a huge security exposure but also a heavy burden on the administrative staff who are forced to handle onboarding, identification, and validation as a repetitive manual task.
As the network of employees, partners, suppliers, and customers grows in scope and complexity, this task becomes completely overwhelming, with the fatal consequence that compliant access management is either neglected, becomes error-prone because of the manual handling it requires, or blindly adopts non-verified data from an external party. All of this is in direct conflict with the basic principle of Zero Trust: Never Trust – Always Validate.
The practice of handling digital identities manually and the lack of secure validation practices – both during onboarding and as part of the lifecycle management of digital identities – pose a serious security issue to all companies, who are basically in the dark as to whether the digital identities linked to the network of employees, partners, and suppliers in their AD are valid. With regard to compliance and governance, they may thus be under pressure to meet regulatory demands.
For CISOs and others responsible for data security, the task consumes more and more resources, which delays development and growth, makes it more expensive and ultimately blocks it.
But above all, it increases the risk of IT security breaches.
And that also applies to their collaborating partners – including Danish companies. There is no way for them to know whether the identity data the company has linked to its employees and other stakeholders is valid and can be trusted.
3. Trust, Cooperation and Growth
Whereas the first two challenges are immediately obvious, KuppingerCole also address a challenge that is a derived, but just as serious, effect, and which points back to what motivated the formulation of eIDAS back in 2014.
Cross-border collaboration, trade, and exchange of services as well as the interaction between public institutions is completely dependent on trust.
Similarly, future collaboration between both public and private organizations and hence the potential for growth depends on the digital transformation being accelerated in order to remain competitive.
The prerequisite for both is security and transparency.
The foundation for this, KuppingerCole emphasize, is validated digital identities.
GlobalID in a European perspective
Liga’s GlobalID is specifically designed to provide access to the implementation of the standards formulated with eIDAS and the establishment of networks of validated digital identities.
In the analysis, KuppingerCole assess whether GlobalID as a service can contribute to overcoming the growing cybersecurity challenge.
Regarding the need for a service that ensures an automated implementation of validated digital identities, among other things KuppingerCole state:
“By harnessing a network of verified identities, verification can be delegated to the individual, and reused many times in different contexts: firstly, for their personal banking, financial relationships, or citizen ID, then reused during onboarding as an employee, supplier, or contractor. Once verification has been established, the organization must only validate the identity data, with other processes building off that, such as CIAM. But the beginning part of the trust relationship must begin well, with verification of the identity and validation of the identity data.”
In light of this, KuppingerCole conclude that GlobalID will be a significant resource:
“GlobalID from Liga enables the use of trusted identities for enterprise workforce use, beginning with identity data validation at the time of onboarding (…) GlobalID enhances the digital lifecycle by using validated identity data for onboarding on through use and review of the identity at the organization.”
Which is largely due to the comprehensive identification and validation process:
“GlobalID (…) is a cybersecurity platform to harness trusted identities for enterprise workforce use. It is designed to connect to identity sources – Microsoft Active Directory, Micro Focus eDirectory, SAP, systems used by Human Resources departments, and more – with validation systems – like eID, passport and video identification, and others – with authentication factors – including certificate authorities (CA), tokens, and apps – and identity providers (IdPs). With GlobalID, organizations validate the identity of their workforce against data that suits the LoA required, including passports, eID, and video identification. Authentication tokens are then issued by external or internal CAs or can get verified against existing systems like Azure MFA.”
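The governance problem described under the second challenge (nobody knows whether the identities in the directory are still valid, or whether their attributes were adopted unverified from an external party) and the LoA-based validation described in the quote above can both be made concrete with a small audit. The following is an added illustration, not code from Liga, GlobalID or KuppingerCole. It assumes a constructed directory export in which each account records the onboarding evidence used, the date of the last re-validation and where its identity attributes came from. The three eIDAS assurance levels (low, substantial, high) are real; the mapping of evidence types to levels and the set of trusted attribute sources are illustrative assumptions an organization would set for itself.

```python
"""Audit a workforce directory export for identity-validation gaps.

Added example: not Liga's, GlobalID's or KuppingerCole's code. The export
format, the evidence-to-LoA mapping and the sample accounts are constructed
for illustration.
"""
from datetime import date

# eIDAS assurance levels (Regulation 910/2014, Art. 8), ranked for comparison.
LOA_RANK = {"low": 1, "substantial": 2, "high": 3}

# ASSUMPTION (illustrative policy, not a normative mapping): which onboarding
# evidence the organization accepts for which level. Onboarding against a
# public e-mail address and a password proves nothing about identity.
EVIDENCE_LOA = {
    "email_only": None,
    "video_identification": "substantial",
    "eid": "high",
    "passport": "high",
}

# ASSUMPTION: attribute sources the organization has validated itself.
TRUSTED_ATTRIBUTE_SOURCES = {"validated"}

# Constructed sample export: one row per directory account.
SAMPLE_EXPORT = [
    {"account": "a.hansen", "evidence": "eid",
     "last_validated": date(2022, 3, 1), "attributes_source": "validated"},
    {"account": "b.jensen", "evidence": "email_only",
     "last_validated": None, "attributes_source": "self_asserted"},
    {"account": "c.nielsen", "evidence": "video_identification",
     "last_validated": date(2020, 5, 10), "attributes_source": "validated"},
    {"account": "d.supplier", "evidence": "passport",
     "last_validated": date(2022, 1, 15), "attributes_source": "partner_feed_unverified"},
]
AUDIT_DATE = date(2022, 6, 1)  # constructed "today" so results are reproducible


def audit_directory(accounts, required_loa, max_age_days, today):
    """Return {account: [reasons]} for every account failing at least one check.

    Checks, in the spirit of "never trust, always validate":
      1. identity proofing exists and reaches the required eIDAS LoA;
      2. the validation is not older than max_age_days (lifecycle re-validation);
      3. identity attributes were validated, not adopted blindly from elsewhere.
    """
    findings = {}
    for acct in accounts:
        reasons = []
        level = EVIDENCE_LOA.get(acct.get("evidence"))
        if level is None:
            reasons.append("no identity proofing on record (username/password onboarding)")
        elif LOA_RANK[level] < LOA_RANK[required_loa]:
            reasons.append(
                f"evidence '{acct['evidence']}' only reaches LoA {level}; "
                f"{required_loa} required")
        last = acct.get("last_validated")
        if last is None:
            reasons.append("no validation date on record")
        elif (today - last).days > max_age_days:
            reasons.append(
                f"validation stale: {(today - last).days} days old, limit {max_age_days}")
        if acct.get("attributes_source") not in TRUSTED_ATTRIBUTE_SOURCES:
            reasons.append(
                f"identity attributes adopted unverified from '{acct.get('attributes_source')}'")
        if reasons:
            findings[acct["account"]] = reasons
    return findings


def run_sample_audit(required_loa="substantial", max_age_days=365):
    """Run the audit over the constructed export with the fixed audit date."""
    return audit_directory(SAMPLE_EXPORT, required_loa, max_age_days, AUDIT_DATE)


if __name__ == "__main__":
    for account, reasons in run_sample_audit().items():
        print(account)
        for reason in reasons:
            print("  -", reason)
```

Run as a script, the audit reports b.jensen (no proofing, no validation date, self-asserted attributes), c.nielsen (validation over two years old) and d.supplier (attributes taken from an unverified partner feed), while a.hansen passes. Raising the required level to "high" additionally flags c.nielsen, whose video identification only reaches "substantial"; in practice the required level and the re-validation interval would come from the organization's access policy, not from constants in the script.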
The analysis from KuppingerCole is comprehensive and provides good insights into the challenges we face.
However, at the request of Liga, it also includes a list of vendor-agnostic recommendations that can be used to initiate the implementation of secure and effective practices for accessing and using validated digital identities.
The analysis and recommendations from KuppingerCole are available as white paper and can be downloaded via the form below.
KuppingerCole, founded in 2004, is an international, independent research institute headquartered in Europe. They specialize in delivering neutral analyses and expert advice about Information Security, Identity & Access Management (IAM), Governance (IAG), Risk Management & Compliance (GRC) and all aspects of digital transformation. https://www.kuppingercole.com/