Strengthening the Foundation of Digital Trust: The Role of Identity in Modernizing Citizen-Facing Portals
In an era dominated by digital interactions, citizen-facing portals have become essential tools for governments and organizations to connect with their constituents. However, the increasing sophistication of cyber threats demands a paradigm shift in security strategies. Enter the Zero Trust model, a revolutionary approach that challenges the traditional perimeter-based security mindset. Coupled with NIST 800-63-3 (Digital Identity Guidelines), the Zero Trust framework—with a deeper focus on identity verification and authentication—is redefining security for citizen-facing portals.
Zero Trust is a comprehensive security philosophy that challenges the traditional security models’ notion of implicit trust. Traditional security models revolved around a trusted perimeter, assuming that once inside, users and devices were trustworthy. Pioneered by Forrester Research in 2010, Zero Trust challenges organizations to trust no one and nothing—regardless of their position within or outside the network.
The available frameworks (i.e., Forrester ZTX, Gartner CARTA, or NIST SP 800-207 (Zero Trust Architecture)), have always placed a special focus on identity, and in truth, that is where zero trust should begin. Where the traditional models of Zero Trust maturity have fallen short, especially when applied to citizen-facing portals, is beginning with the directory housing the identity. This model is fine when applied to an organization’s employees, but when dealing with citizen stakeholders, we need to meet them where they are.
This begs the question: How do I know the person in my directory is actually who they claim to be? Addressing this requires a shift in the Zero Trust model by adding a requirement for a robust identity verification process, as is outlined in NIST 800-63-3. Identity verification must be the first step in securing citizen portals and building trust.
Identity verification serves as the cornerstone for establishing trust between end-users and agencies in the digital realm. Properly implemented, identity verification combined with consent management empowers the end-user to ensure their information is shared with the right agencies under the right conditions. It also allows the user to revoke rights when appropriate, which lays the foundation for bi-directional trust. From the agency perspective, identity verification is crucial for ensuring the security and authenticity of users accessing systems, services, or information digitally.
The primary goal of identity verification is to prevent unauthorized access, fraud, and the misuse of sensitive data. Traditionally, this has been accomplished using Knowledge-Based Verification, sometimes referred to as Knowledge-Based Authentication. With much of our personal information available with just a few keystrokes, malicious actors are able to defeat this question-and-answer form of verification. To combat this, agencies should look towards a modern identity verification platform that meets well-established standards for an identity’s assurance level, namely NIST 800-63-3’s Identity Assurance Level (IAL). Currently, IAL2—which requires a combination of strong documentation validation and the use of unsupervised biometric or in-person verification—is the Identity Assurance Level required for high-risk target systems like financial and healthcare services.
Agencies should strive for strong identity verification by layering multiple pieces of evidence, providing robust fraud detection and consent management while still meeting the citizens where they are in the digital realm. By weaving identity verification into the fabric of citizen-facing portals, agencies set the stage for a secure, low-friction, and trustworthy online experience. This goes beyond traditional methods, ensuring that trust is built incrementally and with every interaction between the citizen and the application.
In the face of evolving cyber threats, preventing unauthorized access by malicious actors is a primary concern for organizations managing citizen-facing portals. To address this concern, we should look at the intersection of Zero Trust and the Authentication Assurance Levels outlined in NIST 800-63-3.
In citizen-facing portals, this means implementing multi-factor authentication (MFA) mechanisms to ensure that users are who they claim to be at the time of login. MFA combines something the user knows (password), something they have (token or device), and sometimes something they are (biometric data) for a more secure authentication process. One truth we must acknowledge is that not all factors are created equal. Strong authentication has evolved beyond traditional methods like passwords or even SMS and email.
The adoption of Federal Information Processing Standards (FIPS) validated NIST-approved factors, including biometrics (such as fingerprints or facial recognition), smart cards, hardware tokens, WebAuthn, push notifications, and one-time passcodes generated through mobile applications need to be the new norm. By adopting these measures, organizations can significantly reduce the risk of unauthorized access, especially when dealing with sensitive citizen information. Robust identity verification coupled with effective authentication processes acts as a formidable barrier against potential breaches.
As citizens increasingly rely on digital portals for government services, the need for robust security measures cannot be overstated. Zero Trust offers a dynamic and adaptive security approach, ensuring that every interaction is treated as potentially risky. This is particularly crucial when handling sensitive citizen data, which requires the highest levels of protection. Modernizing citizen-facing portals with a Zero Trust mindset not only aligns with NIST guidelines but also addresses the evolving threat landscape.
Adding modern identity verification to the framework provides a proactive defense, mitigating risks and fortifying security measures in ways that traditional models do not. The combination of high-assurance identity verification and robust authentication ensures that trust is earned at every step.
According to Dr. Chase Cunningham at Forrester Research, “We consistently find that enterprises have the earliest and rapidest success if they focus on improving identity management and device security.” 1Cunningham, Chase, et al. “A Practical Guide To A Zero Trust Implementation” Forrester Research, January, 15, 2020. When it comes to interacting with our citizen stakeholders, we need to meet them where they are, and this puts the device out of our control. If we start with high-assurance identity verification coupled with strong authentication and modern factors, we minimize the risk of attacks and reinforce the overall security posture, building trust in citizen-facing portals.