By Tanu Sood on Jan 21, 2013
Consumerization of Identity: Bringing Social Identity to Work
Business is now driving costs out and enriching services with the sophisticated use of identity information. Forward-looking organizations are latching on to terms such as “social media identity” and “Consumerization” to gain an upper hand against the competition through improved and simplified internal or consumer orientated user experience. What does this mean in real
We’ve looked previously at how the desire of users and consumers to access information from anywhere at any time impacts on our approach. The security boundary has surely moved. But how far? Yes, it could move as far as individual data elements. If we examine things more closely, however, is the step that employees and consumers are asking us to take really such a big one? Is it a blind leap into the unknown, or a manageable journey to a better place for all?
Complexity always exists, and simplification for end-users will likely come as a result of an infrastructure that is functionally richer. The discussion should not be one of complexity, though. To decide whether to accede to our users’ requests and support the consumerization of identity, we must focus primarily on risk. Let’s approach this from two points of view.
The first view is that of security of social identity. There is much talk of using Facebook, Twitter and other social media identity to replace logon to low-value resource on company websites. The knee-jerk reaction to such a request is “no way”, because it just feels insecure. If we think about it, though, what’s more valuable to an individual? Their company-provided extranet logon or their Facebook logon? Their company credit card or their personal credit card? Their office keys or their house keys? People will always tend to value more highly those things whose compromise will lead to greater personal impact. And thus they will protect them more diligently. So a Facebook logon is arguably more valuable to its holder than the extranet logon. Of course, the comparison is not as simple as just that one aspect. Among other risks, personal assets can be shared with a trusted peer group, particularly family, whereas corporate assets are typically not. Conversely, personal assets are generally not shared with trusted work peer groups either, whereas corporate assets can be. However, the point remains that a social identity is not the weak credential that it can appear to be when just using initial gut reaction.
So with a combination of both personal and corporate security responsibilities, the security of a credential existing in both domains simultaneously can be greater than that of one which exists purely in a single domain. The duties of care between the employer and the employee are becoming entwined in a subtle way that is hard to unpick, but in a way where security benefits can accrue unexpectedly for both sides.
Take a second, completely different viewpoint. It’s common for employees to use social identity for numerous business purposes. Data is sourced and published in the public domain using identities that exist in the public domain. Marketing, recruitment and many other activities rely on sites such as Twitter and LinkedIn. Does the company gain benefit by trying to control these public domain identities too closely? Should the employee be allowed to use their personal accounts? Just as valid a question is: does the employee want to use their personal accounts?
Employees are asking for access to everything from everywhere. But do they really want so much freedom, with almost no boundary between personal and corporate identities? Is a degree of separation between the two desirable for all? Regardless, identity governance needs as complete a picture as possible of system access – for corporate, partner and cloud systems. The risk assessment around this needs data, so we need to include public domain systems in our governance scope. We can’t establish a BYOD or social identity programme without an analysis of the risk trade-offs.
So where does this leave us? Are we being asked to take the blind leap into the unknown? It leaves us at "Security: Step 1".
We need to do the risk assessment. We need to weigh the business rewards against the possible issues, and compare both with the corporate risk appetite. And crucially, to do this we need to know what our employees and customers really desire. They really aren’t asking us to move to a scary place.
In fact, for some areas of business it is a wholly appropriate place. It is simply a place we are not accustomed to, reached through the new use cases we are being presented with.
But know this. If you choose to say “yes” to shifting the security boundary, the technology exists to support your journey. We will look more closely at some of the options in our final part of this series.
About the Author:
Mike Nelsey, Managing Director, aurionPro SENA
Working in the IT industry since the early 90s, Mike leads the aurionPro SENA European operation. Mike has been involved in identity and access management since 1999, when the company won its first framework agreement with UK policing for web access control. Since then he has overseen the company’s strategy moving into a focused delivery model, working closely with Oracle to provide a true stack offering covering consult, design, build and support.