By Eric Renaud-Oracle on Dec 03, 2014
Author: Paul Toal
Most organizations know from experience that Identity and Access Management isn’t a project, but more of a multi-phase, multi-year programme. Those who treat it as a single project, or even worse, as a milestone deliverable within another project (i.e. delivering a new business application) will be destined to fail. However, it is typically individual projects that surface the need for IAM and are forced to implement tactical fixes whilst the organization catches up with a more strategic solution. It is easy to see the challenges that individual projects face. No project sponsor wants to foot the bill for an enterprise-wide IAM platform, just to deliver the subset of capabilities they need. On the flipside, it is often difficult to get sufficient buy-in at the board level to invest in a strategic IAM platform. Implementing such a platform is often seen as a cost with very little ROI.
However, that is no longer the case. The days of committing to a lengthy and costly IAM programme with very little return are gone. Let’s look at the evolution of IAM business cases in relation to IT security as a whole.
Anyone who has worked in IT security for any length of time will be more than familiar with this approach. Vendors used to sell IT security-related products on fear. IT departments then used the same approach with their investment boards. Pick the worst case scenario of what would happen if you didn’t have a particular IT security product (e.g. firewall) and convince the business that the scenario is highly likely and therefore they absolutely must invest in the project. This approach worked well in the early days when threats on the internet weren’t as well understood and many organizations didn’t take a risk management approach to handling IT security. As use of the internet for business increased and the risks were better understood, the approach of selling on fear started to wane, coupled with the fact that this approach also had very little demonstrable ROI.
As business started pushing back against throwing endless pots of money at IT security with very little to show for it, the industry needed to evolve. By now, use of the internet for business was widespread and organizations were looking at how to take advantage of this shift to online business. As part of this shift, businesses realized that the foundation of any online business is security, and in relation to that, identity. For a company looking to deploy, for example, an eCommerce platform or online banking, how could this possibly be done unless it was secure? Also, how could online services be provided to consumers unless you know who the consumer is? Once you know their identity and they have proven ownership of that identity (authentication), you can provide them with the right services (authorization) to meet their needs.
The approach of deploying IAM as a business enabler has been key to obtaining investment from the business. We also know from our everyday experience that there is real ROI associated with this approach. Using the online channel, as end-users, we are transacting more money online than ever before. For many people, the online channel is the first and preferred channel of engagement. Indeed, it can also be a differentiator when you are looking for a company to provide a service to you. For example, positive answers to questions such as “Can I manage my accounts online?” can set one business apart from its competitors.
For a lot of organizations, identity as an enabler is still the business justification for investing in IAM. However, there are a number of drivers within the industry today that are enabling IAM business cases to evolve further.
There are many organizations that already offer a strong online presence and online catalog of services for their customers. However, just having these online capabilities is no longer good enough. With the shift of users from laptops and desktops to mobiles and tablets, the expectations around user experience are driving IAM to a new level and forcing organizations to evolve. Consumers have come to expect slick and personalized user experiences whether they are an employee or a customer. What is going to set an organization apart from its competitors isn’t whether they have an online presence, but what the experience for the end user is like. For example, does the company have a mobile application? Is it easy to use? Can it provide me with all the information and services that I need in an intuitive way? There are so many mobile applications on the market today that users know what a good application looks like. They are not prepared to spend hours learning what they must do. If the app isn’t intuitive enough within a couple of minutes, it is easy for the user to delete it and find a different company that provides a better app and user experience.
IAM plays a crucial role within this evolution. We know from the enablement business cases discussed above that knowing the user is key to providing them with services. However, looking at user experience, IAM also provides a key set of services. Take these examples:
Social login – Mobiles and tablets are great devices for many things, but filling in long forms with lots of fields (e.g. username, first name, last name, email, etc.) isn’t one of them. However, user registration is one of the key elements of a mobile application. If you can’t get your user up and running with your mobile app easily and quickly, it will be deleted. Enabling customers to register from their social network, such as Facebook, Google+, etc., is a great solution to this. However, integrating with lots of social networks can be a painful and time-consuming coding exercise for an application developer. Fortunately, a good IAM platform will take that pain away for you, turning social network integration into a configuration rather than a coding exercise.
Step-up authentication – So, now your user has registered and logged into your app from a social network, now what? Well, that level of trust may be good enough to access some basic information, but you aren’t going to let a user manage their bank account (I hope) purely based on a social login. A good IAM platform will enable you to understand the level of trust a user has at any point in time and, when necessary, step up their level of trust with an additional challenge. This should be flexible but could include options such as issuing a challenge question or using a one-time passcode.
Multi-channel Single Sign-on – In modern development, the ‘constant beta’ approach, with its focus on rapid application development and release cycles, is very popular. Therefore, it is not always necessary or desirable to implement all of the information and services that are available on the website within the mobile app. This isn’t a problem because you can always drop out from the application into a web browser on the device, or even present web content within your mobile application. However, you need to ensure you maintain the user experience. Users have enjoyed SSO in the web channel for a long time and they expect no less in the mobile channel. Therefore, flows like the one below are unacceptable for users (and so they should be):
A good IAM platform will enable SSO not just within a single channel, i.e. between multiple mobile applications, but also across channels, e.g. between a native app and a browser-based application, so that the user experience is maintained.
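The step-up authentication example above describes tracking the level of trust a session has and raising it with an additional challenge only when a resource demands it. The following is an added illustration of that policy logic, not code from the original post or from any Oracle product; the assurance levels, resource policy, and OTP handling are constructed assumptions for the demo.

```python
"""Step-up authentication policy check (added example; model is hypothetical)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Assurance(IntEnum):
    """Trust level of a session; higher values subsume lower ones."""
    ANONYMOUS = 0
    SOCIAL = 1     # identity asserted only by an external social network
    PASSWORD = 2   # local credential verified in this session
    OTP = 3        # possession factor (one-time passcode) verified in this session


# Constructed policy: the minimum assurance each resource requires.
RESOURCE_POLICY = {
    "/profile": Assurance.SOCIAL,
    "/orders": Assurance.PASSWORD,
    "/bank/transfer": Assurance.OTP,
}


@dataclass
class Session:
    user: str
    assurance: Assurance = Assurance.ANONYMOUS
    pending_otp_mac: Optional[bytes] = None  # HMAC of an OTP awaiting verification


def evaluate(session: Session, resource: str) -> Tuple[str, Optional[Assurance]]:
    """Return ("allow"|"deny"|"step_up", required_level) for a resource access."""
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return ("deny", None)  # default deny for resources without a policy
    if session.assurance >= required:
        return ("allow", None)
    return ("step_up", required)  # current trust is too low: challenge the user


def issue_otp(session: Session, key: bytes) -> str:
    """Generate a 6-digit OTP and store only its HMAC; the OTP itself goes out-of-band."""
    otp = f"{secrets.randbelow(10**6):06d}"
    session.pending_otp_mac = hmac.new(key, otp.encode(), hashlib.sha256).digest()
    return otp


def verify_otp(session: Session, key: bytes, candidate: str) -> bool:
    """Single-use, constant-time check; success raises the session's assurance to OTP."""
    if session.pending_otp_mac is None:
        return False
    expected = hmac.new(key, candidate.encode(), hashlib.sha256).digest()
    ok = hmac.compare_digest(session.pending_otp_mac, expected)
    session.pending_otp_mac = None  # consumed whether or not it matched (no replay)
    if ok:
        session.assurance = max(session.assurance, Assurance.OTP)
    return ok
```

A real platform would also expire the elevated level after a time window so that trust is re-evaluated "at any point in time" rather than granted for the life of the session.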
If you are looking for an IAM solution that can address all of the above requirements as well as provide a single, integrated platform for addressing all of your IAM needs, both internally and externally, the Oracle IAM platform is a great option. Whether you are looking to deploy it on-premise or within the cloud, Oracle can help you realize your IAM strategy with its market-leading solutions.
To summarise, it’s not just about user experience. IAM helps many organizations to meet their legal and regulatory requirements. However, in today’s rapidly evolving IT world, we need to look at how IAM can be used, not only as an enabler, but as a differentiator by delivering improved user experience, thus taking it from a pure cost to the business to one that has a demonstrable ROI.
About the Author
Paul Toal is a very passionate and capable IT security consultant specialising in the field of Information Security. He has worked in IT for over 20 years and built up a wide-ranging and in-depth portfolio of knowledge and skills. Equally comfortable talking to C-level execs or technical experts, Paul has worked in both pre-sales and consulting delivery roles covering everything from writing business cases, high-level requirements capture and solution architecture, through to delivery, training and post-sales support. In addition, he has also been an integral part of designing the UK’s citizen Identity Assurance framework, “Gov.UK Verify”, where he was one of the original authors of the technical specification.
Paul can be reached via LinkedIn.
Extend your Security Platform to enable secure, mobile access.
Paul will be speaking at the UKOUG Technology Conference & Exhibition, Dec 8-10, 2014, at the ACC in Liverpool. Find out how you can secure your mobile workforce to enable BYOD strategies.