In March, Grand View Research suggested that the Identity and Access Management (IAM) market will be worth over $24 billion by 2020. This healthy growth will be achieved in part, the research firm says, through the increasing popularity of bring-your-own-identity (BYOI). BYOI offers speed and convenience for users, but do the risks still outweigh the benefits for enterprises?
We’ve all become comfortable with the concept of BYOI in our daily lives. How many services do you now sign in to using your Facebook or other social media credentials? It’s fast, efficient and you don’t have to remember thousands of different passwords. The B2B world has taken longer to embrace BYOI, but it’s beginning to happen.
When I joined OpenText™ in 2017, I was very pleased to find that the company used the same expense management provider as my previous employer. When I was setting up all the things a new employee must during the first week, I was pleased to see that I simply logged in and it worked—it remembered who I was based on my identity. Now, I had to update a few important items like my new credit card and my new address in California, but not much else; setting up my corporate expenses profile was finished before it even started. This type of federated identity management represents the way forward for enterprises, especially in a world where your networks and applications are being accessed as much—if not more—by external parties (customers, partners and contractors) as they are by your own employees.
No information security professional worth their salt is going to allow access to their most vital corporate assets through social media authentication. So, how do we build an intelligent enterprise-strength solution that delivers both the business and security benefits of BYOI?
The rise of BYOI
BYOI sounds a lot like BYOD (bring-your-own-device) and with good reasons. The need for the first has grown out of the success of the other. The trend for employees to want to access corporate resources using their own devices—laptops, tablets and smartphones—began well over a decade ago. Today, it’s almost replacing the traditional approach of ensuring that employees only access your systems on company-provided devices. In fact, some organizations are beginning to mandate that employees use whatever device they want while the organization ensures that the right levels of identity and access management and data security are in place.
Of course, we have moved a long way from where our employees were the only ones we had to worry about. Today, secure access must be quickly granted to customers and partners as well, and almost all companies are increasing their use of contractors—all of which need different access rights and different levels of access, which they can work with quickly and easily. While in the past you could concentrate solely on security considerations (in theory, at least!), now you have to look at the role of information security as a business enabler.
The Ponemon Institute carried out a large global study in 2017, which found that 69% of respondents felt that their current security solutions were outdated and inadequate for their business. When asked what the most important capabilities on a new security infrastructure were, respondents were certain that IAM topped the list. The companies surveyed saw integrating third parties into their networks and applications (76%) and the inability to secure access rights (74%) as two of the major security risks they faced today.
It’s clear that BYOI has a significant role in addressing these security requirements, but it must be very carefully planned and designed. Many multi-factor security features, such as biometrics and location checks, work against the speed and convenience users require. Ponemon’s findings highlight the need to find an identity management solution that works for the users. Almost 60% of respondents admitted that, within their organization, employees and third parties bypass security policies and technologies because they are too complex.
The problem with the honest identity broker
BYOI revolves around the creation of an identity that is independent from any of the target applications or networks. You don’t have to be set up on every individual application. Rather, you establish your identity and apply that to every resource you need to access. This naturally suggests an identity broker, and that’s exactly what’s happening in the B2C world. The social media services are becoming accepted identity brokers.
With identity brokers, you would have a cloud-based service where a single user account can be linked to identities from different identity sources. This account would then be used as a means of BYOI that can be applied to your applications and networks. This represents a step forward in IT consumerization as the line between business and personal identities blurs to create a universal identity.
In fact, this is exactly what the FIDO Alliance is trying to achieve. Led by the likes of Microsoft, Google and PayPal, the alliance sees PKI authentication as a means to enable secure access to a wide range of applications and services.
However, I question whether the identity broker approach is correct for most enterprises. If, as the Ponemon Institute suggests, IAM is the most important element of a modern information security strategy, would you want to outsource it to an external provider, a social media company no less? You are also creating a single point of failure. A social identity broker would be an almost irresistible target for hackers and, if data breaches are your main worry, any successful attack on the broker exposes every system that relies on it.
In addition, a single user account requires that every individual work with the broker to place all their identity information in one place and keep it updated. This may work out in the long term, but beforehand the enterprise would have to point each new user to the brokerage service and ask them to register there before they could gain access to the enterprise’s resources. This seems like an unnecessary step with little real benefit to the user or the enterprise.
Towards enterprise-strength BYOI
While BYOI can’t simply be bolted onto traditional IT security systems, there are advanced IAM platforms, such as the OpenText™ Covisint Cloud Platform, that can be used as the basis for delivering enterprise-strength BYOI capabilities. I have written before about the need to move from an ‘inside out’ to an ‘outside in’ model for identity management, designed to give secure access to all partners involved in the connected supply chain. This brings us full circle to the start of this blog: we’re not talking about only your employees, we’re talking about everyone that needs to access information within your enterprise.
Platforms that enable the ‘outside in’ model are already delivering identity management solutions that address all the people, systems and things that need to be properly identified, managed and granted appropriate access rights. BYOI is, in reality, an extension of this approach. For example, a product manufacturer is connected to a retailer via a B2B integration network and has won business with another retailer. If that second retailer is also connected to the B2B network, the manufacturer can begin trading with it using its existing security and authentication settings—for standard EDI transactions and, ultimately, beyond them.
In this instance, the enterprise-wide identity management platform acts as the identity broker but is presented as part of the overall enterprise identity management solution. You can maintain the same levels of security and data protection you had previously and you are able to provide the speed and convenience—at both an individual and company level—to deliver the promise of BYOI as a business enabler.
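To make the enterprise-as-broker model concrete, here is an added illustration (not code from OpenText or the Covisint platform): external identities from trusted identity sources are linked to an enterprise-owned account, and access is decided on that account and its roles, so the enterprise can revoke a link or distrust an issuer without depending on an outside broker. Issuer URLs, account ids and roles are constructed sample values; signature verification of the incoming assertion is assumed to happen before the broker is called.

```python
from dataclasses import dataclass, field


@dataclass
class EnterpriseAccount:
    account_id: str
    roles: set
    # external (issuer, subject) pairs this enterprise account accepts as itself
    linked: set = field(default_factory=set)


class EnterpriseBroker:
    """Enterprise-operated identity broker: external identities are linked to
    an enterprise account; authorization is decided on that account, not on
    the external identity provider."""

    def __init__(self, trusted_issuers):
        self.trusted_issuers = set(trusted_issuers)  # identity sources the enterprise chose
        self.accounts = {}   # account_id -> EnterpriseAccount
        self.links = {}      # (issuer, subject) -> account_id

    def register(self, account_id, roles):
        self.accounts[account_id] = EnterpriseAccount(account_id, set(roles))

    def link(self, account_id, issuer, subject):
        if issuer not in self.trusted_issuers:
            raise ValueError(f"issuer not trusted by the enterprise: {issuer}")
        key = (issuer, subject)
        if key in self.links:  # one external identity may map to only one account
            raise ValueError("external identity already linked to an account")
        self.accounts[account_id].linked.add(key)
        self.links[key] = account_id

    def unlink(self, issuer, subject):
        # Revoking a link is an enterprise decision; the external identity still exists.
        account_id = self.links.pop((issuer, subject), None)
        if account_id is not None:
            self.accounts[account_id].linked.discard((issuer, subject))

    def authorize(self, assertion, required_role):
        """assertion: dict with 'iss' and 'sub' taken from an already
        signature-verified token (assumed verified upstream). Returns the
        enterprise account id only when the issuer is trusted, the identity is
        linked, and the linked account holds the required role."""
        key = (assertion.get("iss"), assertion.get("sub"))
        if key[0] not in self.trusted_issuers:
            return None
        account_id = self.links.get(key)
        if account_id is None:
            return None
        return account_id if required_role in self.accounts[account_id].roles else None
```

A contractor who signs in with their own identity therefore receives only the rights of the enterprise account it is linked to, and an assertion from an issuer the enterprise never trusted (a social login, say) is refused even if it is validly signed.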
BYOI is still only a theme that we’re figuring out for B2B, but it represents one element involved in securing the connected supply chain and that’s one of our key topics at Enterprise World in Toronto in July. Register your place today. For a personalized and private meeting, please contact us through the website or email me directly.