Digital Identity Risk Management (DIRM) – Step 4: Tailor and Document Assurance Levels
DIRM involves tailoring and documenting assurance levels (xALs: IAL, AAL, FAL) by addressing risks, applying compensating/supplemental controls, and ensuring alignment with organizational needs.
Core Elements
- Two Dimensions of Risk
  - External Threats: Credential theft, phishing, impersonation, and replay attacks.
  - Unintended Consequences: User friction, excessive data collection, misaligned controls.
- Tailoring
  Adjust assurance levels to reduce unintended impacts. Requires documentation, governance, balance, and flexibility.
- Assessment Areas
  - Privacy: Use a PTA/PIA to identify risks.
  - Customer Experience: Ensure usability, inclusivity, and minimal friction.
  - Threat Resistance: Strengthen defenses against attacks and misuse.
- Controls
  - Compensating Controls: When baseline controls can’t be applied, the alternatives must mitigate the risk equally.
  - Supplemental Controls: Add-ons such as phishing-resistant authentication or stronger identity verification.
- Digital Identity Acceptance Statement (DIAS)
  Mandatory for each service (including SaaS). Documents the assurance level choices, controls, risks, and rationale.
Check out this infographic for an overview of DIRM – Step 4: Tailor and Document Assurance Levels.