If you stop to think about identity and access management (IAM), it’s striking how many practices it covers. In some contexts, it refers to streamlining the user experience through technologies and practices that make it easier for individuals to log on securely. In others, IAM effectively means identity lifecycle management...
– that is, ensuring that accounts are set up, modified and retired in a timely, accurate and secure manner.
It can also refer to security and compliance through technologies and practices that make governance activities straightforward – adding a layer of control and visibility for privileged accounts to enjoy special access.
So IAM is all of these things and more – and for those running security in the enterprise, it is clear that living with the multiplicity of IAM is par for the course because IAM is more than just identity provisioning or access governance or single sign-on (SSO) or any one of a long list of disciplines. The success, or otherwise, of identity management in companies today relies on moving from singular and isolated technical initiatives to a full IAM programme – or at least having a plan for such a journey.
“If you had to single out a sector at the cutting edge of IAM, it’s financial services,” says Martin Kuppinger, founder and principal information security analyst at KuppingerCole.
“That’s because finances need good protection – and regulators and the sector itself have long required secure digital identities and standardised processes. Yet that’s only one part of the IAM story now, because next to this security-first identity agenda is a parallel consumer-convenience move being driven by the large digital companies that are developing a different kind of expertise in consumer identity management.”
If these are clear twin tracks in the mainstream of identity management, the more nuanced challenge for each enterprise is to understand how and where to carry the fight around identity, cyber security and convenience.
“The technologies are evolving, sure, but the pressing need in each organisation is to work out the problems that need to be solved,” says Kuppinger. “In other words, start with the guideline requirements first rather than with the technology. What’s the change that is needed and what’s driving it?”
Privileged access management
Partly, identity management is about managing cyber security risk, and most large organisations have cyber risk initiatives to ensure the right people have the right access on the right terms. At the centre of this, as Kuppinger and others note, is privileged access management (PAM), which helps organisations to restrict privileged access within an existing staff directory (most commonly an Active Directory environment, for those using Windows).
Privileged access management accomplishes two goals. It re-establishes control over a compromised directory environment by maintaining a separate environment that is known to be unaffected by malicious attacks, and it isolates the use of privileged accounts to reduce the risk of credentials being stolen.
“Today, it can be too easy for attackers to obtain admin account access, and too hard for enterprises to discover these attacks after the fact. The goal of PAM is to cut the opportunities for malicious users to get access, while increasing your control and awareness of the environment,” says Kuppinger.
PAM is clearly an initiative with excellent aims, but the other push in IAM flows is the need for convenience. How can enterprises give convenient, but authenticated, access that is also flexible? How can they give access not only for staff with different privilege levels, but also for contractors and consumers in a controlled and versatile way?
Fido and being fast online
“Here, I would say an important mission is that of the not-for-profit Fido Alliance to change the nature of online authentication,” says Kuppinger.
Fido refers to “fast identity online” and was set up in 2013 to develop technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users. The idea is to enable stronger account or transaction security, thereby driving lower loss rates and improved customer loyalty with less churn. There is also the prospect of the versatility this work brings, enabling new business models and revenue streams.
“Once users no longer need to remember complex passwords, user provisioning is simplified and the cost associated with remote password resets are drastically reduced,” says Kuppinger. “The idea is that system management functionality is provided by the Fido infrastructure, rather than having to be built by each application developer. And with less testing required, all devices just need to plug into the Fido interface, and the time to introduce new technologies is reduced significantly.”
Fido is backed by a range of stakeholders, including Google, Facebook, Amazon, PayPal, Microsoft and numerous banks and card providers, including American Express and MasterCard. The drive at every step is to authenticate in convenient ways that do not require a conventional username and password, yet go further in security terms through user behaviour analytics in particular for increasingly invisible security checking as far as possible.
Verify, the government and digital identity
If those are some of the fundamental drivers in IAM right now, not everything is moving seamlessly in the right direction in the space. The UK government-backed digital verification and identity service, Verify, has been slow to deliver and is at risk of closure, with user numbers and government agencies using the service drastically down on where they need to be for Verify’s long-term viability.
Jim Lound, an independent identity expert who worked on Verify until recently, says the level of identity assurance built into the scheme was perhaps set too high from the start in relation to need, and serves to show that practicality goes to the heart of identity management.
“The service works, but hasn’t achieved its goals and reached a critical mass of users,” he says. “I think that’s because an individual worker or citizen does not think ‘I need a digital identity’ but just wants to be productive online and have a simpler and better user journey. The identity itself is just a by-product of engaging online.”
Lound says the long-term learning that enterprises should take away is that the future lies in passive, background authentication.
“It’s already possible today, if you apply the technologies,” he says. “With the individual’s knowledge and consent, when you open a laptop, you can be invisibly authenticated by the fact that you are using the same device in the same time zone and location. Next to this, user behaviour can also verify the individual through monitoring key strikes, mouse movements and the like – and by taking a facial image.
“In these scenarios, everything to authenticate the individual is taking place in the background. The apps the user is running, and the way they are being used, can also give extra confidence in a user’s identity with further layers of assurance. This is where digital identity is heading.”
Identity management at Leeds University
It is this combination of invisible assurance of the individual user and their behaviour, coupled with the verified access protocols, that many enterprises are applying today in practice.
Trevor Hough is subscriptions and e-resources coordinator working at Leeds University Library, which is one of the UK’s major academic research libraries.
Hough says universities and their libraries have long faced a particular challenge around user identities, because of the high turnover of students passing through the institutions and the different privileges required for access to a growing band of digital resources.
“Our solution has been to adopt Eduserv’s OpenAthens platform for our identity and access management needs,” he says. “It gives us federated authentication through a single sign-on cloud service and it is also now being adopted more widely across the university, including the student union using it for its access and identification needs.”
With OpenAthens, the library service Hough oversees uses Microsoft sign-in protocols used for services such as like Microsoft Office 365, giving verified students in the university’s Active Directory access to the right digital resources for their course and study needs.
“The OpenAthens portal is invisible to users, who just log in via any device from any location using the university’s single sign-in screen, but it’s working harder than ever in the background,” says Hough.
Five steps to IAM programme success
- Get stakeholder buy-in and measure and communicate wins and improvements.
- Define your IAM projects of scale and understand the challenges to set the right expectations.
- Define the flow of data between IAM and the wider business and agree where system responsibilities lie.
- Work out the journey between a starter IAM project and full adoption, and how to get from one to the other.
- Keep an eye on future IAM trends and update your programme plans regularly.
Not all of the university’s services are accessible in the cloud yet, so there is still work to do in the back end by the IT team to simplify things further, but Hough says the security and flexibility of the current platform is already a step up from previous systems.
“We are enabling authenticated, secure access to thousands of e-books from different publishers, and the platform’s monitoring and analytics is part of what makes it work,” he says. “The algorithms can monitor suspicious activity – say, if a student account has been hacked – and can block access or flag a potential issue based on unusual behaviour, such as multiple sign-on attempts from different devices or sign-ins from unlikely locations.
“We can also freeze or review user rights based on behaviours that don’t fit, such as trying to download big swathes of content from a particular publisher, as a hacker might. It means we keep on good terms with the publishers, too, as we are protecting their copyrighted content.”
One convenience benefit as the platform’s security algorithms have developed has been removing the need for users to sign in again to a browser in an active session, whereas earlier systems logged out users after 30 minutes.
“It’s a big improvement, and there’s a lot of automation in the back end now, too,” says Hough. “The next step could be the university’s alumni association adopting OpenAthens for its services and users. It’s being looked at now.”
Decentralised access for all
There are other applications for OpenAthens today beyond academia and research, even if this is where the organisation sprang from.
Jon Bentley is commercial director at Eduserv, the non-profit organisation that created OpenAthens, and says the need to authenticate and grant flexible access to digital resources now has a clear application in other contexts, such as healthcare and life sciences, and more generally.
“It’s all been designed with knowledge managers and intensive research in mind, but increasingly, the profile of large enterprises and how they access information looks similar to these research-led organisations,” he says.
Bentley adds that even Eduserv itself benefits from the platform in a way that is a good match with other organisations.
“We use Active Directory and run on Microsoft Windows, and log into HR and finance functions, plus Salesforce and more,” he says. “I have about six applications I use regularly, and the interoperability of the OpenAthens layer means there’s no need to register independently. It’s all via a single sign-on with embedded security monitoring, and making use of Security Assertion Markup Language [SAML].
“This is an open standard for exchanging authentication and authorisation data between an identity provider and a service provider. Most common platforms that engage with large enterprises will have a SAML capability.”
One question that arises, as these kinds of federated services collect information and insight for security purposes and more, is who owns the insights that are generated.
“There’s a lot in this and it’s a conversation worth having and returning to,” says Bentley. “The reporting that drives security adds value in myriad ways if well-applied. Knowing who is accessing what resources and on what terms is a powerful insight, as you might imagine. Organisations can begin to track elements like engagement with digital resources versus outcomes.”
The security aspect is always there, too, he says. The challenge here is to contextualise the journey of every user for security and for learning – but this is a challenge Bentley claims to be winning.
“An enterprise might need two-factor authentication in places, for example for some users accessing sensitive resources or from a particular location or using a device that’s less secure or easily verified,” he says. “It’s all part of the IAM story now and will keep evolving.
“The point is that single sign-on really works. Users are accountable and understand that their login is something they need to protect for their own needs, whereas that world of multiple sign-ins that you still find in places encourages a culture where logins and passwords end up being shared, with security implications and no way to glean data insights. That’s a risky game now.”