olly - Fotolia

How to manage IT access for external users

Identity and access management has extended from being solely an internal IT management process to focus on external business engagement too

Quocirca research published in 2015 showed that all organisations now interact online with external users. To manage these relationships and provide controlled access to applications businesses need to know who the individual users are.

Identity access management (IAM) systems have had to scale up to cope with this, and their use has been extended into lines of business. With these shifts, information stored in IAM systems now holds real business value.

There are two distinct constituencies of external users: Business-to-business (B2B) and business-to-consumer (B2C).

This split reflects not just the different users involved, but also the type of systems deployed. B2B needs are often best served by extending the use of existing IAM systems, while B2C usually needs an entirely new approach. There is, however, some overlap between the two areas.

Suppliers of IAM systems are seeing growing demand for external user management capabilities from customers and prospects across all industry sectors. The old hands are adapting their systems accordingly, and new suppliers with new ideas have emerged.

Many suppliers are focused on large enterprises and/or the mid-market. Some also have offerings for smaller businesses, which are mostly delivered as cloud-based services, thereby opening up enterprise-class technology to all.

Cloud-based IAM versus on-premise

Most suppliers now offer identity and access management as a service (IAMaaS) in addition to on-premise versions. It is the main route to market for some, including Okta, Centrify, Intermedia and OneLogin. Perhaps the direction of travel is best underlined by IBM, which says its foundational IAM capabilities lie in its on-premise product, but the primary demand is now for its IAMaaS offering (based, in part, on its 2014 acquisition of Lighthouse Security). Other IAM platforms, such as ForgeRock and Courion, are used by service providers to build their own IAMaaS offerings.

IAMaaS makes sense for many because if the applications to which external access is granted are cloud-based, why not the IAM system as well? In addition, the external users being granted access are likely to do so over the internet, so the IAM systems involved have to be open to the outside world anyway.

Extending internal IAM for B2B relationships

External users often need access to the same resources as an organisation’s employees, albeit usually more restricted in scope. They include the employees of partners, suppliers and business customers, as well as contractors and seasonal workers. With large supply chains and partner communities, the number of users involved can be many times the number of employees, so technology and pricing must scale accordingly.

It is also necessary to create mixed groupings of external and internal users, and apply common policies to them – for example, who can create an order in an enterprise resource planning (ERP) system or update a customer record in a customer relationship management (CRM) system?

There is also a need for governance – knowing who has been accessing what resources and ensuring that access remains in line with contracts. In many cases, governance is more about internal processes and user monitoring than it is about external regulation. Most IAM suppliers agree that business need, rather than compliance, is the primary driver for investment in external IAM and that the fundamentals need to be in place to achieve this.

Primary and secondary identity management

The organisation creating the relationship has two choices for adding a group of external users to its IAM system. It can either create new identities in its own system, or it can load them, by agreement, from another organisation’s IAM directory.

Such federation of identities from multiple systems is made easier by the widely accepted use of the Lightweight Directory Access Protocol (LDAP) standard. The most commonly used LDAP-compliant directory is Microsoft Active Directory, but suppliers must be able to extend their reach to other identity sources that matter to their customers.

Directories must be kept in sync. For example, if one organisation fires an employee and de-provisions that user from its IAM system, this must be reflected in other systems that also use that identity. In some cases, for example with contractors, there may be no useful external identity source, so a new primary identity record must be created.

B2B needs are often best served by extending the use of existing IAM systems, while B2C usually needs an entirely new approach

However, even that is changing with increased acceptance of bring your own identity (BYOID), where users provide their own digital identity in the same way they would their own passport for travel. In such cases social media can play the role of identity provider – this is one area where the B2B world overlaps with that of B2C (see “Business-to-consumer relationships” below).

IAM suppliers fall into two broad and overlapping groups: Those whose origins lie in the primary creation and management of identities, and those which make secondary use of identities from other sources.

The first group includes products from some of the big names, including the CA Identity Suite, IBM Security Access Manager, Microsoft Identity Manager (its on-premise product) and the Oracle IAM Suite. Others include SailPoint, which characterises its approach as “the brains for all IAM processes”, the open source ForgeRock Identity Platform, Courion’s Access Assurance Suite and Hitachi ID Systems. Two other products seem destined to come together in 2016: Dell’s Identity Manager (from its Quest acquisition), and EMC/RSA’s Identity Management and Governance (previously called Aveksa).

One of the main secondary uses for identities is single sign-on (SSO), whereby external identities are federated from a range of sources and policy-based access enabled to a range of applications. Some specialists came to the IAM market via this route, including Okta (which also supports primary provisioning), Ping Identity, Intermedia, Centrify and OneLogin.

Many of the primary suppliers have also developed SSO capabilities, including CA SSO (previously called SiteMinder, and CA has acquired the IAMaaS assets of Identropy) and Dell Cloud Access Manager (this will be complicated when Dell merges with EMC, as the latter acquired the assets of Symplified, another SSO supplier squeezed out of the busy market). Symantec Access Manager (SAM) is a newish SSO product developed from its 2013 acquisition of PasswordBank (Symantec having had a false start by previously partnering with the defunct Symplified).

Delegation of identity management

External users are given access to an organisation’s resources for business reasons, and it is business managers who will understand who should be granted access to what resources. With some IAM systems, at best, business managers are given access to IT tools to do this; at worst, they have to ask the IT department to make changes. For some suppliers, however, delegation is a primary value proposition.

UK-based ProofID’s ARMS specialises in allowing delegation of the workflows associated with enabling external users and integrates with broader IAM tools. Identity Automation’s Rapid Identity product has an out-of-the-box capability for managing external users, including delegation, which it calls “sponsored identity management” (it is only just get going in Europe). SailPoint, Dell, IBM, CA, Courion, ForgeRock, Hitachi ID Systems and OneLogin all also say they support delegation to business managers, although in some cases they work with partners to extend the workflows.

The best way to enable business managers to carry out such tasks is to provide integration with the applications they use on a regular basis. Some suppliers, such as ProofID, provide application programming interfaces (APIs) to support this, for example by allowing access rights to be enabled directly from a supply chain or CRM system.

The workflows involved are further enabled by the System for Cross-domain Identity Management (SCIM) standard. This is supported by many suppliers, which makes it easy to propagate identity information, for example creating and deleting accounts in both software-as-a-service (SaaS) and on-premise applications. Courion calls such links “connectors”, which, as with some other suppliers, are available off the shelf or can be custom-built.

With the volumes involved, another area of delegation that can reduce the burden on IT departments is user self-service, for example for password reset and requesting access to new resources. This is an off-the-shelf capability for many suppliers, including Hitachi ID Systems, Intermedia, ForgeRock, IBM, Courion and ProofID.

How much should you pay?

The most common pricing model is per user or identity under management. A lower fee is charged for external users than employees, as there are lots of them, often with less complex requirements. Entry level is typically a few dollars per year and discounts reduce this – a minimum number of users may apply. External user access may be intermittent, and some suppliers, for example Okta, Intermedia and Microsoft, only charge for active authentications. ProofID provides site licences for ARMS with no limit on user numbers. Microsoft’s IAMaaS, Azure Active Directory, is free with some broader Azure contracts. Courion’s pricing is based on users and/or the modules and connectors deployed.

Effective engagement with external users is now required for most businesses to remain competitive, with efficient low-cost management of external identities that links lines of business into the necessary workflows. Many will find existing IAM systems can be adapted or supplemented for their B2B requirements. For B2C a whole new scale is required.

Business-to-consumer relationships

Having looked at external identity and access managementthe other part of the IAM equation is managing business-to-consumer (B2C) relationships. Some call this customer-IAM (CIAM), but the “C” could just as easily stand for “consumers”, which would avoid any confusion with users from business customers.

Whereas existing IAM systems are often extended to include B2B relationships, B2C deployments are more likely to be standalone for a number of reasons:

  • The numbers of users involved can be huge;
  • Consumer identities come from different sources to business users and social media is playing an increasingly important role;
  • The applications involved often stand apart from mainstream business applications, although there are areas where needs overlap;
  • Different governance pressures for B2C engagements;
  • B2C IAM systems are a primary feed for analysis that supports broader consumer marketing requirements.

The social multitude

Whereas the users involved in B2B relationships may be measured in thousands, B2C numbers can run into millions – for a consumer-facing business, this is a nice problem to have. Scalability of both platforms and pricing is required. Consumers need to be attracted in the first place, then both understood as individuals and managed en masse. There also needs to be a high level of confidence that a given consumer is who they claim to be in the first place and when they return in the future. Social media is turning out to be an effective way of finding, understanding and authenticating consumers.

Social media is good for both sides of the B2C relationship. Consumers get more convenience and security across all their various access devices. Using an identity from a social media site such as Facebook, PayPal or Google to log in to multiple other services means fewer usernames and passwords to remember. Strong authentication options also make it more secure, with one-time passwords being sent by the social media site via SMS before access is allowed from a new device. All this brings a single sign-on-like experience to the consumer multitude.

For businesses dealing with consumers via their established social identities, this provides a higher level of confidence that a real person is being dealt with. It saves having to create completely new accounts and, with necessary permission, the social media site can provide information about an individual that would otherwise have to be gathered from scratch. Social media sites themselves need to establish a balance between making their users’ online lives simpler and respecting their privacy.

Read more about identity and access management

One way for a business providing an online service to make use of social login capabilities is to deal directly with a chosen social media site. For example, Google Sign-In enables a consumer’s Google account to be used to access non-Google resources. The problem with this, however, is it restricts choice – a consumer without a Google account could be obliged to create one to access certain services.

The need for choice and all sorts of other supporting capabilities for B2C engagement has led to the rise over the past decade of social login brokers. There are three big names in the market: LoginRadius, Gigya and Janrain. The basic aim of their platforms, all of which are provided as on-demand services, is to enable consumers to register, authenticate and maintain a profile for accessing online services using a chosen social identity or, for those who do not want to use a social identity, to support creation of a re-usable primary identity on the broker’s platform. The broker’s platform is transparent to the consumer, who just gets the convenience of dealing with various online resources via their social identity of choice. They will not know that in the process their data may be handled by different brokers for different online services.

The cost of using the broker’s platform is paid by the provider of the online service – typically in the pence per user range, but with quite a high entry level. For example, LoginRadius plans start with 100,000 users with a base charge for the different plans it offers; Gigya charges in 10,000-user blocks.

UK-based supplier ProofID has a product called Identify which enables access via social identities and can associate various identities to build a consolidated identity for a consumer. This could be by linking an institutional identity, say from an educational establishment, with details from associated Facebook and LinkedIn accounts. This idea may also prove attractive as social identities gain traction in the B2B world.

Consumer governance

Any organisation that transacts online with consumers must be wary of privacy regulations that apply to personal data, such as the UK Data Protection Act and the coming EU General Data Protection Regulation.

Social media is turning out to be an effective way of finding, understanding and authenticating consumers

However, working with social login brokers can outsource the responsibility for at least some of this. For example, it is useful for marketing purposes to segment consumers by a range of factors – age, postcode, gender, marital status, etc. Rather than collecting and storing such data, it can be left to the brokers to crunch data for you across the different social sources they have access to. However, it should be made clear that a given organisation has the ultimate legal responsibility for any personal data collected and stored in its name.

It is also necessary for consumers to be enabled to update their profile information and marketing/communications preferences. Social identity brokers can manage this for you, including the clean ending of relationships as and when a consumer chooses, which is required by the social media sites themselves. For example, Facebook states that a user’s non-public profile information has to be deleted when a relationship ends and makes it a condition of using an identity in the first place.

Market analytics

Big data processing is required to crunch consumer identity data for marketing purposes, usually in conjunction with other, often unstructured, data sources. This may be retrospectively to segment consumers for marketing campaigns, but also in real time to provide a more personal online experience. Social identity brokers have pre-agreed permission to collect and process such data. Gigya asserts that a purpose-built repository is necessary for such consumer data processing requirements, and that B2B-focused IAM products are not up to the job.

To this end, the brokers have developed another set of relationships with suppliers of a range of consumer market services. Gigya, Janrain and LoginRadius list many integration partners on their websites in areas as diverse as online ad-serving, gamification, recommendation engines, CRM systems and business intelligence, all aimed at helping their customers provide integrated marketing to consumers.

Scaling B2B IAM

Despite the challenges of CIAM that the social identity brokers claim only they can rise to, many traditional IAM suppliers believe their systems are up to the job and that their established customers can adapt their existing IAM investments accordingly. Many have extended their capability to federate identities from social media (using standards such as OAuth and OpenID Connect) and scaled their platforms to cope with the numbers. Some have done this for themselves, others have partnered with a specialist identity middleware provider, such as Radiant Logic.

Radiant Logic describes its RadiantOne product as a “highly scalable and secure” identity federation platform, based on a big data engine it terms HDAP. The term is a play on LDAP, the widely used standard for storing identities, with the substituted “H” standing for “highly-available”.

Radiant Logic finds traction in insurance, banking and healthcare markets, where there is often legacy identity infrastructure in place, a range of identity sources to be integrated and a need for common access to data and applications by both business users and consumers. Radiant Logic lists technology partnerships with a number of IAM suppliers on its website, including Ping Identity, EMC/RSA, CA, Courion, Microsoft, IBM, SailPoint and Gigya.

Back to business

The IAM story set out in this article looks set to come full circle, as there is growing interest in the use of social identities in a B2B context. The term BYOID has emerged to describe this. Janrain says there is a push from its customers to use LinkedIn identities, and LoginRadius says it is seeing demand for Google, LinkedIn and Twitter.

Quocirca’s own research looked at the trust businesses place in various social identities in a 2015 report, entitled Getting to know you (sponsored by Ping Identity). Perhaps unsurprisingly, the research discovered organisations that deal with consumers find Facebook more acceptable than those that do not. With LinkedIn it was the other way around, while Google was found to be equally trusted by both. Microsoft was the most trusted overall, perhaps due to long-standing familiarity and the fact that it is already the most widely used source of identities in business through Active Directory. PayPal and Amazon were also found to be highly trusted, with their long-established capability to securely handle financial transactions.

The point of all this is not about what businesses want, it is about serving consumers and providing them with a choice, confident that their identities and personal data are being more safely stored and processed than may have been the case in the past. Meanwhile, the services provided should be easier to access and the experience provided more personal. Oh, and there will be fewer passwords to remember!

Read more on Identity and access management products

Data Center
Data Management