Author: Paul Toal
Most organizations know from experience that Identity and Access
Management isn’t a project, but more of a multi-phase, multi-year
programme. Those who treat it as a single project, or even worse, as a
milestone deliverable within another project (e.g. delivering a new
business application) are destined to fail. However, it is
typically individual projects that surface the need for IAM and are
forced to implement tactical fixes whilst the organization catches up
with a more strategic solution. It is easy to see the challenges that
individual projects face. No project sponsor wants to foot the bill
for an enterprise-wide IAM platform, just to deliver the subset of
capabilities they need. On the flipside, it is often difficult to get
sufficient buy-in at the board level to invest in a strategic IAM
platform. Implementing such a platform is often seen as a cost with
very little ROI.
However, that is no longer the case. The days of committing to a
lengthy and costly IAM programme with very little return are gone.
Let’s look at the evolution of IAM business cases in relation to IT
security as a whole.
Anyone who has worked in IT security for any length of time will be
more than familiar with the original approach: selling on fear. Vendors
used to sell IT security-related products on fear. IT departments then used the same
approach with their investment boards. Pick the worst case scenario of
what would happen if you didn’t have a particular IT security product
(e.g. firewall) and convince the business that the scenario is highly
likely and therefore they absolutely must invest in the project. This
approach worked well in the early days when threats on the internet
weren’t as well understood and many organizations didn’t take a risk
management approach to handling IT security. As use of the internet
for business increased and the risks were better understood, the
approach of selling on fear started to wane, coupled with the fact
that this approach also had very little demonstrable ROI.
As businesses started pushing back against throwing endless pots of
money at IT security with very little to show for it, the industry
needed to evolve. By now, use of the internet for business was
widespread and organizations were looking at how to take advantage of
this shift to online business. As part of this shift, businesses
realized that the foundation of any online business is security, and
in relation to that, identity. For a company looking to deploy, for
example, an eCommerce platform, or online banking, how could this
possibly be done unless it was secure? Also, how could online services
be provided to consumers unless you know who the consumer is? Once you
know their identity and they have proven ownership of that identity
(authentication), you can provide them with the right services
(authorization) to meet their needs.
The approach of deploying IAM as a business enabler has been key to
obtaining investment from the business. We also know from our
everyday experience that there is real ROI associated with this
approach. Using the online channel, as end-users, we are transacting
more money online than ever before. For many people, the online
channel is the first, and preferred channel of engagement. Indeed, it
can also be a differentiator when you are looking for a company to
provide a service to you. For example, positive answers to questions
such as “Can I manage my accounts online?” can set one business apart
from its competitors.
For a lot of organizations, identity as an enabler is still the
business justification for investing in IAM. However, there are a
number of drivers within the industry today that are enabling IAM
business cases to evolve further.
There are many organizations that already offer a strong online
presence and online catalog of services for their customers. However,
just having these online capabilities is no longer good enough. With
the shift of users from laptops and desktops to mobiles and tablets,
the expectations around user experience are driving IAM to a new level
and forcing organizations to evolve. Consumers have come to expect
slick and personalized user experiences whether they are an employee
or a customer. What is going to set an organization apart from its
competitors isn’t whether they have an online presence, but what the
experience for the end user is like. For example, does the company have a
mobile application? Is it easy to use? Can it provide me with all the
information and services that I need in an intuitive way? There are
so many mobile applications on the market today that users know what a
good application looks like. They are not prepared to spend hours
learning what they must do. If the app isn’t intuitive enough within a
couple of minutes, it is easy for the user to delete it and find a
different company that provides a better app and user experience.
IAM plays a crucial role within this evolution. We know from the
enablement business cases discussed above, that knowing the user is
key to providing them with services. However, looking at user
experience, IAM also provides a key set of services. Take these examples:
Social login – Mobiles and tablets are great devices
for many things, but filling in long forms with lots of fields (e.g.
username, firstname, lastname, email etc) isn’t one of them. However,
user registration is one of the key elements to a mobile application.
If you can’t get your user up and running with your mobile app easily
and quickly, it will be deleted. Enabling customers to register from
their social network, such as Facebook, Google+ etc., is a great solution
to this. However, integrating with lots of social networks can be a
painful and time-consuming coding exercise for an application
developer. Fortunately, a good IAM platform will take that pain away
for you, turning social network integration into a configuration
rather than coding exercise.
Step-up authentication – So, now your user has
registered and logged into your app from a social network, now what?
Well, that level of trust may be good enough to access some basic
information but you aren’t going to let a user manage their bank
account (I hope) purely based on a social login. A good IAM platform
will enable you to understand the level of trust a user has at any
point in time and when necessary step-up their level of trust with an
additional challenge. This should be flexible but could include
options such as issuing a challenge question or using a one-time
Multi-channel Single Sign-on – In modern development,
the ‘constant beta’ approach, with its focus on rapid application development
and release cycles, is very popular. Therefore, it is not always
necessary or desirable to implement all of the information and services
that are available on the website within the mobile app. This isn’t a
problem because you can always drop out from the application into a
web browser on a device, or even present web content within your
mobile application. However, you need to ensure you maintain the user
experience. Users have enjoyed SSO in the web channel for a long time
and they expect no less in the mobile channel. Therefore, flows like the
one below are unacceptable for users (and so they should be):
A good IAM platform will enable SSO not just within a single
channel, i.e. between multiple mobile applications, but also across
channels, e.g. between a native app and a browser-based application, so
that the user experience is maintained.
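As an added illustration of the step-up authentication item above (example code written for this page, not from the original post or any particular IAM product), here is a small policy function that computes a session's current trust level from its completed authentication events, lets that trust expire over time, and tells the application whether to allow the request, step up with a stronger challenge, or deny it. The method names, assurance levels, resource requirements and time-outs are assumed values.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assurance level granted by each authentication method (assumed values):
# a social login proves less than a password, which proves less than an OTP.
METHOD_LEVEL = {"social": 1, "password": 2, "otp": 3}

# Minimum assurance level each resource requires (assumed values).
RESOURCE_LEVEL = {"profile": 1, "statements": 2, "transfer": 3}

# Seconds for which an authentication event keeps counting towards the
# session's trust level; stronger factors expire sooner (assumed values).
METHOD_TTL = {"social": 3600, "password": 1800, "otp": 300}


@dataclass
class Session:
    # (method, unix_timestamp) pairs, one per completed authentication event
    events: List[Tuple[str, float]] = field(default_factory=list)

    def level(self, now: float) -> int:
        """Trust level right now: the strongest factor that has not expired."""
        live = [METHOD_LEVEL[m] for m, t in self.events
                if m in METHOD_LEVEL and now - t <= METHOD_TTL[m]]
        return max(live, default=0)


def decide(session: Session, resource: str, now: float) -> Tuple[str, Optional[str]]:
    """Return ("allow", None), ("step_up", <method to challenge with>) or ("deny", None)."""
    required = RESOURCE_LEVEL.get(resource)
    if required is None:
        return ("deny", None)  # unknown resource: fail closed
    if session.level(now) >= required:
        return ("allow", None)
    # Ask for the weakest challenge that would still satisfy the requirement.
    for method, lvl in sorted(METHOD_LEVEL.items(), key=lambda kv: kv[1]):
        if lvl >= required:
            return ("step_up", method)
    return ("deny", None)


if __name__ == "__main__":
    # Constructed scenario: social login at t=0, then an attempt to transfer money.
    s = Session(events=[("social", 0.0)])
    print(decide(s, "profile", 10.0))    # allowed on social trust alone
    print(decide(s, "transfer", 10.0))   # step up with an OTP first
    s.events.append(("otp", 10.0))
    print(decide(s, "transfer", 20.0))   # allowed while the OTP is fresh
    print(decide(s, "transfer", 400.0))  # OTP trust has expired: step up again
```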
If you are looking for an IAM solution that can address all of the
above requirements as well as provide a single, integrated platform
for addressing all of your IAM needs, both internally and externally,
the Oracle IAM platform is a great option. Whether you are looking to
deploy it on-premise or within the cloud, Oracle can help you realize
your IAM strategy with its market-leading solutions.
To summarise, it’s not just about user experience. IAM helps many
organizations to meet their legal and regulatory requirements. However,
in today’s rapidly evolving IT world, we need to look at how IAM can
be used, not only as an enabler, but as a differentiator by delivering
improved user experience, thus taking it from a pure cost to the
business to one that has a demonstrable ROI.
About the Author
Paul Toal is a very passionate and capable IT
security consultant specialising in the field of Information Security.
He has worked in IT for over 20 years and built up a wide-ranging and
in-depth portfolio of knowledge and skills. Equally comfortable talking
to C-level execs or technical experts, Paul has worked in both pre-sales
and consulting delivery roles covering everything from writing business
cases, high-level requirements capturing and solution architecture,
through to delivery, training and post-sales support. In addition, he
has also been an integral part of designing the UK’s citizen Identity
Assurance framework, “Gov.UK Verify”, where he was one of the original
authors of the technical specification.
Paul can be reached via LinkedIn.
Extend your Security Platform to enable secure, mobile access.
Paul will be speaking at the UKOUG Technology Conference &
Exhibition: Dec 8-10, 2014, at the ACC in Liverpool. Find out how you
can secure your mobile workforce to enable BYOD strategies.