Sellers of computer security products and services sometimes fret that their messaging is too scary as they go on about risk, data loss and regulatory fines. To get around this, every so often they like to remind potential buyers that their wares are also business enablers. The case is easier to make in some areas than others, one such is identity and access management (IAM).
In the old days (pre-business use of the internet) IAM was mainly about providing identities to employees (and the odd contractor) to give them access to various in-house applications. This was generally from PCs and dumb terminals situated on-premise and owned by the business; all was restricted to private networks. How things have changed.
A recent Quocirca report,
Digital identities and the open business, shows that the majority of European organizations now open up their applications to external users; from either business customers, consumers or both. This is done entirely for positive business reasons, the top drivers being direct transactions with customers, improved customer experience, smoother supply chains and revenue growth.
However, this requires a level of IAM to be put in place that enables the quick capture and ongoing authentication of identities. One of the challenges this throws up is the need for federated identity management.
Organizations that only need to worry about their own employees can put in place a single directory for centralized storage and rely solely on this to underpin IAM requirements. Microsoft Active Directory is by far the most common “internal directory”. However, when it comes to users from external organizations, a whole range of other identity sources come into play.
For users from business customers and partner organiations, it will often be the target organisation’s own directory (so may be another instance of Active Directory). However, identities may also be sourced from the membership lists of professional bodies (e.g. legal and accounting associations), government databases and social media sites.
When it comes to dealing with consumers, social media tops the list as a source of identity. Many of us will already be familiar with, being able to optionally use our Facebook identities to login to sites like Spotify of JustGiving. Wherever an identity is sourced from it is clear that for external users there is a growing concept of BYOID (bring-your-own-identity).
Some may frown at this and wonder how secure it can all be. The answer to that is down to the IAM system in place. This is where the different sources of identity are federated and policies about who can access what are enforced.
Banks would clearly be taking a great risk by allowing a user to move large sums of cash around based on a Google identity, but it may be good enough to answer an enquiry about opening a new account and capturing some basic details to kick the relationship off. If things go further the expense of creating a more secure identity and means of authentication can go ahead and the details updated in the IAM system.
Quocirca’s report shows that when IT and IT security managers think about IAM they still think primarily in terms of achieving certain security goals. However, its use for achieving business goals is creeping up the list the priorities. Furthermore, in the past IAM may have been seen as affordable only by large enterprise. However, it is now widely available as an on-demand service (IAM as a service/IAMaaS) and open to business of all sizes.
The majority of respondents to Quocirca’s survey report that their business managers are taking an interest in IAM. This is for not for security reasons but for its power as a business enabler. Now that’s not too scary – is it?