Identity and access management (IAM) has come a long way in the last ten years. Where once it was confined to the internal network of the enterprise, it has now broken free of those chains and is out in the wild. The reasons for this are many, including changes in working habits such as BYOD, and the extension of the enterprise network outwards into the cloud to the point where the traditional network perimeter effectively no longer exists. Closer working relationships with third parties, such as contractors and vendors, have also had an effect. All these changes have contributed to the evolution of IAM from an enterprise-only luxury to a system that is used by everyone, across consumer and company boundaries.
Digital identity and its cousin, IAM, are also changing the face of cyber security and how we deal with security threats. Online identity is a fuzzy concept, but more often than not it is the mechanism used to identify a person and to grant them access rights, including privileged ones. The initial touch point of a breach is often a social engineering attack that steals the login credentials tied to a user's digital identity. The two concepts, online identity and IAM, are becoming ever more intrinsically linked as our online lives outside of work and our access rights inside work merge.
Digital identity: The Future is Now
Gartner is predicting that by 2019, third-party identity services (identity as a service, or IDaaS) will account for 40% of enterprise identity systems, replacing traditional in-house IAM. What this means is that dedicated identity providers (IdPs, or identity platforms) will offer hosted identity management services that handle the onboarding of employees. These systems offer a wider scope of identification services than traditional IAM and can handle a broader set of use cases than internal identity systems, while still using existing directories such as LDAP or Active Directory. IDaaS has the potential to create 'hybrid identities', where a consumer identity, verified by services such as credit reference agencies or even social network participation, is combined with business identifiers. This idea of a hybrid identity straddling all aspects of our personal and working lives is a powerful concept and one driving change in the IAM and wider digital identity industry.
Identity and Security: Co-dependent Species
We have seen in the past few years a number of cyber attacks that presented, at root, as a credential management failure. For example, the infamous Target Corp breach of 2013/2014 began with the theft, via a phishing attack, of a third-party HVAC vendor's credentials for Target's supplier portal; the attackers used that foothold to move into the internal network and ultimately harvest payment card data from point-of-sale systems. Issues such as these will escalate as IAM and IDaaS systems are used in a more distributed manner, across companies, services, and systems. Ensuring that the right level of security is applied at the right juncture, while retaining the usability needed for mass use of identity and login, is a fine balancing act.
One area being mixed into identity management is adaptive authentication, whereby the authentication demanded of a user is determined by a risk-based policy or rule set evaluated against the context of each login (source network, geography, device, and the sensitivity of the resource requested). Here a user can use the same identity as a consumer and as a business user, but what they must present to use that identity is controlled by rules. For example, if the user is accessing a company resource from outside the company's geography or IP address ranges, they will need to enter a second factor, such as a code from a mobile app, to gain access. Single Sign On (SSO) combines effectively with adaptive settings to 'up the ante' in login requirements based on a variety of rules, while retaining the usability afforded by SSO. This type of adaptive control is now being extended to IDaaS platforms where a hybrid identity, made up of a consumer profile coupled with a business profile, is wanted. The same thinking applies to verification of the individual. Verification within an enterprise is usually done under the company's own onboarding rules for employees. Verification outside a company is much less controlled, but there are services that can add levels of assurance that an individual is who they say they are, and these verification services are becoming de rigueur in modern IDaaS platforms.
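As an added illustration of the adaptive, rule-based step-up described above (this is example code written for this page, not the product logic of any IDaaS vendor), the policy below scores a login request on a handful of context signals and decides whether the authenticators already used are strong enough, whether the user must step up, or whether the request should be refused. The corporate network ranges, the "home" countries, the request fields, and the numeric authenticator strengths are all constructed assumptions; the ranking of SMS codes below app-generated codes reflects the NIST guidance mentioned later in the article.

```python
"""Adaptive (risk-based) step-up authentication policy.

Example added for illustration; not code from the original article.
Network ranges, countries, field names and strength values are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed assumptions: the company's egress ranges (RFC 5737 test addresses)
# and the countries in which it normally operates.
CORPORATE_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]
HOME_COUNTRIES = {"GB", "US"}

# Relative strength of each authenticator a session may already have completed.
# SMS one-time codes are ranked below app-generated codes and hardware tokens,
# so an SMS code alone cannot satisfy a "strong second factor" requirement.
AUTHENTICATOR_STRENGTH = {
    "password": 1,
    "sms_otp": 2,
    "totp_app": 3,
    "push_app": 3,
    "hardware_token": 4,
}


@dataclass
class LoginContext:
    user: str
    source_ip: str
    country: str                      # from geo-IP lookup or a trusted edge header
    device_known: bool                # device previously enrolled for this user
    authenticators_used: list = field(default_factory=list)
    resource_sensitivity: str = "standard"   # "standard" or "high"


def risk_score(ctx: LoginContext) -> tuple[int, list]:
    """Sum the anomaly signals for this request and explain each one."""
    score, reasons = 0, []
    try:
        ip = ipaddress.ip_address(ctx.source_ip)
        if not any(ip in net for net in CORPORATE_NETWORKS):
            score += 2
            reasons.append("outside corporate network")
    except ValueError:
        # An unparseable address is treated as a strong anomaly, not ignored.
        score += 3
        reasons.append("unparseable source address")
    if ctx.country not in HOME_COUNTRIES:
        score += 2
        reasons.append(f"unusual country {ctx.country}")
    if not ctx.device_known:
        score += 1
        reasons.append("unrecognised device")
    if ctx.resource_sensitivity == "high":
        score += 1
        reasons.append("sensitive resource")
    return score, reasons


def required_strength(score: int) -> int:
    """Map a risk score to the minimum authenticator strength the session needs."""
    if score == 0:
        return 1      # on-network, known device: password via SSO is enough
    if score <= 3:
        return 3      # app-based second factor; SMS does not qualify
    return 4          # several anomalies: hardware token required


def decide(ctx: LoginContext) -> dict:
    """Return allow / step_up / deny plus the strength needed and the reasons."""
    score, reasons = risk_score(ctx)
    need = required_strength(score)
    have = max((AUTHENTICATOR_STRENGTH.get(a, 0) for a in ctx.authenticators_used),
               default=0)
    if have >= need:
        decision = "allow"
    elif score >= 6:
        decision = "deny"       # every signal anomalous: do not offer step-up at all
    else:
        decision = "step_up"
    return {"decision": decision, "required_strength": need, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample requests.
    print(decide(LoginContext("alice", "203.0.113.10", "GB", True, ["password"])))
    print(decide(LoginContext("alice", "192.0.2.55", "GB", True, ["password", "sms_otp"])))
    print(decide(LoginContext("alice", "192.0.2.55", "RU", False, ["password"], "high")))
```

Two design points worth noting. First, the policy compares what the session has already proven against what the current request needs, so step-up is only triggered when the gap exists; a user who authenticated with an app code at the start of the day is not re-prompted for every off-network request. Second, the country and source address must come from a trusted place (the TLS-terminating edge, not a client-supplied header such as X-Forwarded-For), otherwise the attacker holding the stolen password simply declares themselves to be on the corporate network.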
Government Driving Identity Innovation
A number of governments, including those of the USA and the UK, are working on making online citizen identity a reality. In the UK, the government's Verify initiative takes the ideas of identity verification, fraud handling, and second factor authentication and wraps them up in the concept of a 'level of assurance', or LOA. Verify uses commercial IdPs, from the likes of Barclays Bank, Royal Mail, and Experian, to issue and manage user identities to LOA 2. This effectively means the user has gone through an identity checking process that incorporates an external third-party identity check, coupled with document checks and Knowledge Based Authentication (KBA), in which they must answer a series of questions personal to themselves. (KBA is the weakest of these elements, since the answers are frequently discoverable from public records or breached data, which is why it is used as one element of the LOA rather than on its own.) Verify went into full production earlier this year and is being used for a number of online government services.
In the USA, with a much larger and more dispersed population than the UK, citizen identity is more of a challenge. However, there is a lot of work going on in this area, and movement is happening. The National Strategy for Trusted Identities in Cyberspace (NSTIC), whose national program office is hosted at the National Institute of Standards and Technology (NIST), is developing the framework for a secure, privacy-enhancing online identity system for service access across consumer and business environments. Programs such as Connect.gov, a GSA-led federated credential broker developed with NIST input, are working out the technical implications of such a framework for government-to-citizen use.
The mass adoption afforded by government-backed identity systems is bound to drive innovation, as the population served is large and complex. These innovations will in turn trickle down to commercial use.
IAM to IDaaS to More Secure Working
One of the best outcomes of the transition to cloud-based identity systems is a more holistic view of what working securely really means. Our online identity is becoming intrinsically linked with our access to work resources. As government drivers cross into the commercial world, and as our personal and work identities become ever more blurred, we will see IDaaS become the front line of secure working. We are already seeing strides forward in making identity, access, and credential management a better proposition. Just this last month, NIST published draft guidance (Special Publication 800-63-3) that deprecates SMS text messages as an out-of-band second factor because of their inherent weaknesses, such as interception and SIM swapping. Work is continuing to make online identity across disparate systems and resources even more a way of life for all of us. Newer protocols such as OpenID Connect will likely replace SAML 2.0 in the longer term, in large part because they were designed for large-scale Internet and mobile use, building on OAuth 2.0 and JSON rather than XML. Movements in this space that make identity both usable and secure, while still connecting back to existing company directories, will only strengthen the use of a fully verified identity as the front door to our IT networks and resources.