The Role of Identity and Access Management in the Era of Digital Transformation

Prabath Siriwardena
Published in FACILELOGIN
Mar 27, 2017

The construction of railroads and the invention of the steam engine, which catalyzed mechanical production, triggered the first industrial revolution, from 1760 to 1840. The advent of electricity and the assembly line, which made mass production possible, resulted in the second industrial revolution, from the late 19th century to the early 20th century. The third industrial revolution is called the computer or digital revolution. The development of semiconductors, mainframe computing in the 1960s, personal computing in the 1970s and 80s, and the Internet in the 1990s catalyzed the third industrial revolution.

The Fourth Industrial Revolution

What’s next? We are not stagnating. The massive DDoS (Distributed Denial of Service) attack on Dyn, which came from 100,000+ infected devices, happened only recently; even someone with a short memory would still find it hard to forget! Twitter, Etsy, GitHub, SoundCloud, Spotify, Heroku, PagerDuty, Shopify and many more were down for hours. For many years now, analysts and futurists have been talking about the proliferation of the Internet of Things, or smart devices, but it was this Dyn attack that made us realize how close this is to our real lives. Smart devices, connected machines and systems, driverless cars, clean energy and many other exciting advancements in technology result in the fourth industrial revolution, which we are in now. The book The Second Machine Age by Erik Brynjolfsson and Andrew McAfee highlights that the world is at an inflection point where the effect of these digital technologies will manifest with full force through automation and the making of unprecedented things.

Industry 4.0

The term Industry 4.0 was coined at the Hannover Fair in 2011. It describes how advancements in technology could revolutionize the organization of global value chains. By enabling smart factories, the fourth industrial revolution creates a world in which virtual and physical systems of manufacturing cooperate with each other globally in a flexible manner. The book The Fourth Industrial Revolution by Klaus Schwab explains in detail the drivers behind the fourth industrial revolution and its impact on the economy, business and society at the individual and global levels.

The Digital Transformation

The digital transformation is not just about technology. It’s about how you could benefit from technological advancements to innovate in your own business domain. It has to be driven by vision, not by technology (yet don’t forget that there are still 1.3 billion people on earth not benefiting from the second industrial revolution, with no electricity, and more than 4 billion not benefiting from the third, with no Internet access).

Committed leadership is the key to success in digital transformation. It is the lever that turns technology into transformation. According to the book Leading Digital by George Westerman, Didier Bonnet and Andrew McAfee, in almost all the success cases the transformation was steered by top-down leadership: setting the direction, building the momentum and ensuring that the company follows through. Top-down leadership also means strong governance and coordination. People in different departments/units often do their own things, but the true advantage for the business comes from linking these different digital activities. Nike built Nike Digital Sports in 2010 to provide coordination, innovation and some shared resources for the company’s many digital efforts. Starbucks created the position of chief digital officer in 2012 for the same reason.

The digital transformation focuses on making the business different through technology, not on the technologies themselves. The book Leading Digital looks into how executives have transformed the way their companies operate and presents three broad categories of digital capability through which one could differentiate a company: customer experience, operational processes, and business models. In the rest of the article I will use this model to highlight the role of IAM (Identity and Access Management) in the era of digital transformation.

Identity and Access Management

According to Gartner, identity and access management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. IAM addresses the mission-critical needs to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements. This security practice is a crucial undertaking for any enterprise. It is increasingly business-aligned, and it requires business skills, not just technical expertise.

There are multiple components in an IAM system: provisioning (or on-boarding), accounts management, identity governance, identification (or authentication), access control (or authorization) and identity federation. IAM is a broad area, so each of the above components can be further divided. For example:

  • Provisioning covers inbound/outbound provisioning of user accounts, just-in-time provisioning and approval workflows.
  • Accounts management covers privileged accounts management, credential management and users/groups/roles management.
  • Identity governance covers role engineering, identity analytics, segregation of duties, role consolidation, identity delegation, attestation, reporting, self-service, risk management and compliance.
  • Authentication covers multi-factor authentication and adaptive/risk-based authentication.
  • Access control covers access control based on attributes, roles and policies.
  • Identity federation covers single sign-on, single log-out, session management and attribute sharing.

This is by no means a complete list, and it will keep growing!

The book Identity Management — A Business Perspective by Graham Williamson is a very good source for anyone who is keen to read more about building an enterprise IAM strategy. The book was released last month (Feb 2017) and was part of my weekend reading this week. If you have already read the book Identity Management — A Primer (Sept 2009), Graham Williamson is a co-author there too. Both books are great and worth reading.

Forrester Identity Management Maturity Model

Most often people struggle to understand the gaps and potential security vulnerabilities related to identity and access management tasks. To address these challenges, Forrester developed the Forrester Identity Management Maturity Model. With this model, one can identify the gaps in the current IAM environment, evaluate the maturity, and incorporate those findings into the security strategy.

  • Nonexistent (level-0): No identity management system in place, and no one realizes the need for one. The Human Resources (HR) department possibly maintains a spreadsheet to manage all the employee information and their salaries. In one case I know of, an employee got into an HR department computer (via the default Windows C$ administrative share) and downloaded the complete spreadsheet with all the employee information and salary details. These kinds of environments do not require users to log in; just being logged into the wireless network is taken to mean users can access anything.
  • Ad hoc (level-1): Occasional, not consistent, not planned, disorganized. Not all applications require users to log in. On a case-by-case basis users are manually provisioned into applications, and the user records are duplicated across multiple applications. A single user may exist in different applications under different usernames, possibly because each application has its own constraints on usernames.
  • Repeatable (level-2): Intuitive, not documented, occurs only when necessary. Many organizations are at this level. An employee on his/her first day has to meet an IT guy and get his/her email and other applications set up. The IT admin knows exactly what needs to be done. Whenever an employee resigns, the IT admin has to manually deprovision the user from all the applications. Still the user records are duplicated across multiple applications, and users may have different credentials for different applications. Having an IAM system that was not designed from the beginning with a phased approach towards reaching the optimized level some day can cause severe headaches later, during migration. Recently we (WSO2) worked with a large analytics firm in the USA to help them migrate from their current IAM system, which is quite ad hoc in nature, to an optimized model. The key challenge there was to come up with a unified identity model across all the applications. They had more than 30 identity stores used by multiple applications, and the same user was duplicated in each identity store with no correlation handle.
  • Defined (level-3): Documented, predictable, occurs only when necessary. This is a better version of level-2. The entire identity management process is documented, possibly maintained as a checklist. When an employee joins the company, the HR department sends an email to the IT department, and the IT department creates all the access required for the employee according to his/her role. Still, the user may be provisioned to multiple applications manually. Some time back we worked with a large financial organization in the USA which had 70+ departments, each maintaining its own set of applications with custom access control rules. These rules were maintained in different custom formats, so working out what level of access a given user has across the company was really hard, if not impossible.
  • Measured (level-4): Well-managed, formal, often automated, evaluated frequently. Level-4 maturity removes a lot of the manual involvement of level-3. Once the user record is created in the HR application, the user is automatically provisioned to all the applications with the appropriate access rights, and automatically deprovisioned when he/she resigns.
  • Optimized (level-5): Continuous and effective, integrated, proactive, usually automated. This is the ultimate maturity level, building on level-4. Identity governance plays a key role here. There will be multiple dashboards, based on organizational roles, to monitor what’s going on: for example, how many external users signed up each month, and how many of them are actively using the system. If your organization hosts multiple applications, you may also need to know which applications users actively access during a given period.

Understanding the current state of the identity management system in an enterprise is the key to aligning it with the future business goals, towards the digital transformation.

Customer Experience

Transforming the customer experience is at the heart of digital transformation. Digital technologies are changing the game of customer interactions, with new rules and possibilities that were unimaginable only a few years back. Customer Identity and Access Management (CIAM) is a whole emerging area within IAM, and it is essentially an ingredient of the digital customer experience. Today’s increasingly sophisticated consumers now view digital interactions as the primary mechanism for interacting with brands and, consequently, expect deeper online relationships delivered simply and seamlessly.

Further, customers do expect some control over how firms collect, store, manage, and share their profile data. With the competition only a click away, your firm’s misuse of customer data, whether deliberate or inadvertent, can significantly damage brand equity. Yahoo! was in the middle of a series of data breaches during the last couple of years, which exposed the personal information of more than 1 billion users and have already cost the company $350 million: Yahoo had to lower the sale price of its email and other digital services to Verizon Communications from $4.83 billion to $4.48 billion to account for the potential backlash from the data breaches.

Customer On-boarding

Customer-focused IAM systems are different from their traditional IAM counterparts (look for Market Overview: Customer Identity And Access Management (CIAM) Solutions by Forrester for more details).

If CIAM processes are cumbersome, customers will go to your competition where these processes are more streamlined or easier to use. The same is not true of employees. Very few employees leave their employer because business-to-employee (B2E) IAM processes are archaic or hard to use.

In B2E IAM, the employer is responsible for creating the user accounts, but in the B2C space the customer generally creates his or her account, which means that firms spend more time validating and verifying identities instead of creating them. In other words, for employees it’s the HR department that initiates the employee on-boarding process and remains the owner of the user accounts, while for customers, in most cases, the on-boarding happens via self-registration. It can be a completely new customer or an existing customer who now wants to use the company’s online services. Let me give you a few examples of the latter.

  • Some time back we (WSO2) worked with a popular life insurance provider in the USA. The insurance agents sell the insurance policies, and then, to make payments and claims online, the customer has to register via the company’s web site. The customer registration form asks for a minimal set of details such as the policy number, social security number, name and date of birth, and the information the user provides is automatically validated against the user data already recorded in the system (after the original policy was sold).
  • Another company we worked with, which sells medical equipment to individuals and medical institutes, lets them register via the company web site to consume online services. As in the previous example, the medical equipment is sold by sales agents, and all the customer data is recorded in Salesforce. When a customer decides to register online, the data entered by the customer is verified against the data already recorded in Salesforce.
  • Recently we worked with a company on the west coast which is building a virtualized data center at the enterprise level. They follow the same model as explained in the previous example: they too maintain customer records in Salesforce first, at the point of sale, and later the customer can register via the company’s online portal by providing the same information previously recorded in Salesforce.
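As an added example (not code from the original article, nor from any of the customer projects it describes), here is how the self-registration check in these three cases can be implemented: the form data is normalized and matched against the record captured at point of sale, and the new online account is linked only on a full match. The policy store, field names and HMAC key are constructed for illustration.

```python
"""Verifying a self-registration against a record captured at point of sale."""
import hashlib
import hmac
import re
import unicodedata
from datetime import date
from typing import Dict, Optional

# Constructed key for the keyed hash of the SSN; a real deployment loads it
# from a key store and never hard-codes it.
PEPPER = b"constructed-demo-key-do-not-reuse"


def normalize_text(value: str) -> str:
    """Case-fold, strip accents and collapse whitespace so that
    'José  Pérez' and 'jose perez' compare equal."""
    decomposed = unicodedata.normalize("NFKD", value)
    without_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(without_accents.casefold().split())


def normalize_dob(value: str) -> Optional[str]:
    """Accept YYYY-MM-DD or MM/DD/YYYY; return ISO 8601, or None if invalid."""
    text = value.strip()
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", text)
    if m:
        year, month, day = (int(g) for g in m.groups())
    else:
        m = re.fullmatch(r"(\d{2})/(\d{2})/(\d{4})", text)
        if not m:
            return None
        month, day, year = (int(g) for g in m.groups())
    try:
        return date(year, month, day).isoformat()
    except ValueError:  # e.g. 1980-02-30
        return None


def ssn_fingerprint(ssn: str) -> str:
    """Keyed hash of the digits only; the raw SSN is never stored for matching."""
    digits = re.sub(r"\D", "", ssn)
    return hmac.new(PEPPER, digits.encode(), hashlib.sha256).hexdigest()


# Constructed records of sale, keyed by policy number (what the agent entered).
POLICIES: Dict[str, Dict[str, str]] = {
    "POL-1001": {
        "customer_id": "C-77",
        "name": normalize_text("José Pérez"),
        "dob": "1980-02-29",
        "ssn_fp": ssn_fingerprint("123-45-6789"),
        "online_account": "",  # empty until a web account has been linked
    },
}

# Dummy record used when the policy number is unknown, so the same checks run
# whether or not the policy exists and the response looks the same either way.
UNKNOWN_POLICY = {"name": "", "dob": "", "ssn_fp": "", "online_account": "claimed"}


def verify_registration(form: Dict[str, str]) -> Optional[str]:
    """Return the customer_id to link the new online account to, or None.

    Every field is always checked and only one generic outcome is returned,
    so the response does not reveal which field was wrong or whether the
    policy number exists at all.
    """
    record = POLICIES.get(form.get("policy_number", "").strip().upper(), UNKNOWN_POLICY)
    submitted_dob = normalize_dob(form.get("dob", "")) or ""
    ok = hmac.compare_digest(record["ssn_fp"], ssn_fingerprint(form.get("ssn", "")))
    ok &= normalize_text(form.get("name", "")) == record["name"]
    ok &= submitted_dob == record["dob"]
    ok &= record["online_account"] == ""  # a policy may be claimed only once
    return record.get("customer_id") if ok else None
```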

In addition to the above examples, there are multiple companies we have worked with that open up user registration to fresh customers. Most of these companies allow customer registration via a known public identity provider. This vastly reduces the initial barrier to registration, and there are multiple studies which confirm the huge success rate in user registration after integrating with known public identity providers (Facebook, Google, Microsoft Live).

Social Login

Integrating public identity providers for self-registration does not necessarily mean one should use the same identity provider for login. This goes hand in hand with the business operations the user performs after login. If it’s an online book seller, you will probably let users log in with their public identity provider account. You will further maintain user interaction patterns and wish lists against the user record, but at the point the user wants to buy something and save his/her credit card details, you may need to force the user to create a set of local credentials. Any transaction must then be confirmed with these local credentials. One company we worked with recently lets users log in with their social identity provider of choice, but locally enforces multi-factor authentication via SMS. Overall, for any serious business, relying on social login alone brings convenience but raises a larger security concern. We need to find the right middle path based on the business goals.

Security vs Convenience

Security vs convenience is a long-lasting debate. Finding the right balance is extremely hard. One guy I met from the Google Chrome security team mentioned that they had been working for months, gathering user feedback, just on changing the colors and finding the right alignment of the text on the page Chrome displays to the user when it finds that a web site’s public certificate is not valid.

We have been involved in many discussions where people debate for hours how to design customer login pages with multiple identity provider options. One company, a manufacturer of a popular credit card payment processor, lets both public users and employees log in to the same set of applications. Both employees and public users share the same login page, but employee login comes from another connected identity provider. In other words, the immediate identity provider federates to another identity provider for employee login, while public users can just type their credentials and log in. The most obvious solution was to provide, on the login page of the immediate identity provider, a link to log in with the corporate identity provider, and remember the choice in the browser for subsequent logins. This is a common pattern followed by many service providers that accept logins from multiple identity providers. But after a lengthy discussion we agreed not to do that, and instead to follow the identifier-first login approach (which you now see when logging in to Gmail or Yahoo!): based on the typed username (which is the email address), decide whether it’s a customer or an employee, and if it’s an employee, redirect to the corporate identity provider.

Another way of handling multiple identity provider login scenarios is home realm discovery. In this case the identity provider expects the service provider (or the user) to send some hint that will help it find the home identity provider corresponding to the user. This gives a seamless login experience for the user. GSMA Mobile Connect, which is a profile built on top of OpenID Connect, nails this. With Mobile Connect, users can log in to any supported service provider just by authenticating with their own SIM. Here the mobile network operator (MNO) acts as the identity provider. If you are in the USA you may not be familiar with Mobile Connect, but it’s getting popular in Asia Pacific and Europe. All six key MNOs in India support Mobile Connect, and Mobile Connect is supposed to launch in Canada this summer. Unfortunately there are still only a few service providers that accept Mobile Connect based logins.
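The identifier-first routing in the previous section and the home realm discovery hint described here can share one decision function. The following is an added example (not code from the original article, from WSO2 or from GSMA): a realm lookup that takes an explicit hint when one is offered and otherwise routes on the domain of the typed e-mail address. The realm table, identity provider names and the "local" realm name are assumptions.

```python
"""Identifier-first login and home realm discovery in one routing step."""
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Constructed realm table: e-mail domain -> identity provider to federate to.
# Only domains listed here are federated; every other identifier gets the
# local (customer) login flow.
REALM_BY_DOMAIN = {
    "example-corp.com": "corp-saml-idp",
    "contractors.example-corp.com": "corp-saml-idp",
    "acme-partner.example": "acme-oidc-idp",
}
KNOWN_REALMS = set(REALM_BY_DOMAIN.values()) | {"local"}


@dataclass(frozen=True)
class Route:
    realm: str   # "local" or the name of the identity provider to redirect to
    reason: str  # which signal decided the route, useful in the audit log


def normalize_identifier(identifier: str) -> str:
    """Trim, NFKC-normalize and lower-case, so mixed-case or full-width
    input maps to the same domain key."""
    return unicodedata.normalize("NFKC", identifier).strip().lower()


def domain_of(identifier: str) -> Optional[str]:
    """Domain part of an e-mail-shaped identifier, or None if it is not one."""
    ident = normalize_identifier(identifier)
    local, at, domain = ident.partition("@")
    if not at or not local or "@" in domain or "." not in domain:
        return None
    return domain


def discover_realm(identifier: Optional[str], realm_hint: Optional[str] = None) -> Route:
    """Decide where a login attempt should be handled.

    Precedence:
      1. an explicit realm hint naming a realm we know (home realm discovery;
         OpenID Connect's login_hint is one place such a hint can travel);
      2. the domain of the typed identifier (identifier-first login);
      3. the local login flow.

    The decision depends only on the domain, never on whether an account
    exists, so this step does not let anyone probe which users are
    registered. Only an exact registered domain federates; a look-alike
    domain falls through to local login, where no corporate credentials
    are accepted.
    """
    if realm_hint:
        hint = normalize_identifier(realm_hint)
        if hint in KNOWN_REALMS:
            return Route(hint, "realm_hint")
        # An unknown hint is ignored, not trusted.
    if identifier:
        domain = domain_of(identifier)
        if domain in REALM_BY_DOMAIN:
            return Route(REALM_BY_DOMAIN[domain], "identifier_domain")
    return Route("local", "default")
```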

Hate Spam — Hate CAPTCHA too!

CAPTCHA plays a key role in customer conversion rates. People hate spam, but people hate CAPTCHA too! Over time it’s been proven that even the hardest CAPTCHAs can be solved by state-of-the-art machine learning algorithms at a better rate than humans. Many companies have shared their experience with CAPTCHA, and one thing in common is that after introducing CAPTCHA, the customer conversion rate has gone down sharply. With the new reCAPTCHA from Google, a significant number of users can now attest that they are human without having to solve a CAPTCHA; instead, with just a single click they confirm they are not a robot. Google reCAPTCHA takes away most of the challenges enterprises face in customer on-boarding and provides the right balance between convenience and security.

Compliance

Identity and Access Management has a direct impact on the security of identity data and on regulatory controls over the collection, storage and usage of identity information. As organizations grow, more and more consumer identity data is collected to make more personalized, context-based decisions. This can be personally identifiable information or just contextual information. Whatever it is, organizations are bound to follow the rules and regulations enforced by governments and different industry bodies.

In the USA we have federal-level legislation such as SOX (Sarbanes-Oxley Act) and GLBA (Gramm-Leach-Bliley Act) focused on the financial sector, FERPA (Family Educational Rights and Privacy Act) in the education sector and HIPAA (Health Insurance Portability and Accountability Act) in healthcare. The GDPR (General Data Protection Regulation) in Europe intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The primary objectives of the GDPR are to give EU residents back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. In Singapore, the PDPA (Personal Data Protection Act) stipulates that consent must be obtained before personal data is collected. The Privacy Act in Australia regulates how personal information is handled.

Scalability

A consumer IAM system has a greater need for scale than a B2E IAM system. Although many firms have successful enterprise-wide employee IAM deployments, those number in the tens or hundreds of thousands of active users; the user populations of leading online consumer properties are 10 to 50 times larger. This creates numerous architectural challenges, as CIAM solutions must be able to support login flows and personalization/preference management for hundreds of thousands, even millions, of online consumers.

Most of the IAM projects we have worked on are customer facing. The largest project in terms of number of users was done in Saudi Arabia, for more than 4 million users. It’s a common pattern that customer-facing IAM projects go up to millions of users, while workforce IAM projects are most of the time in the thousands. Picking the right identity store is a key decision in managing scalability. Most of the time, what we have seen is that people go with databases for managing customers while using Active Directory or an LDAP server to manage employees. In one of the projects we did for a state government in the USA, they use Active Directory to manage internal employees and a MS SQL Server database to manage citizens. Either way, you must not use the same identity store to manage both employees and customers.

Capacity planning is an exercise one should carry out before any serious deployment of a customer IAM infrastructure. You rarely get a second chance to convince a customer who had a bad first impression. The rule of thumb is that it’s totally fine to over-provision resources, but never under-provision. One popular example from history is Friendster. Friendster was a popular social networking site before Facebook, but it failed to scale with demand, and today it’s a popular example of how businesses fail when they cannot address demand and scale.

Operational Processes

Not every enterprise that focuses on digital transformation worries about customer experience. As per the book Leading Digital, Codelco, the world’s largest copper producer, did not choose customer experience as the focus of its digital transformation. It looked inward, transforming its operational processes to increase both its efficiency and its innovativeness. The company, which is owned by the government of Chile, employs nearly eighteen thousand people and produces 10% of the world’s copper. In 2012 it produced 1.8 million metric tons, generating $15.9 billion in revenue. The objective of the Codelco Digital initiative, which paved the way to the company’s digital transformation, was to drive radical improvements in mining automation and to support executives in developing, communicating and evolving a digital vision.

Workforce IAM looks inward. It focuses on B2E (business-to-employee) and B2B (business-to-business) interactions. The goal of workforce IAM is to reduce the risk and cost associated with on-boarding and off-boarding employees, partners and suppliers, while the purpose of customer IAM (CIAM) is to help drive revenue growth by leveraging identity data to acquire and retain customers.

The key challenge in workforce IAM is to break identity silos in the enterprise and build a unified identity platform, which will result in much improved productivity, security, governance, oversight, compliance and monitoring. Ultimately this will reduce both the risk and cost associated with all the B2E and B2B interactions.

Acquisitions, Mergers and Partnerships

If you look at history, most enterprises today grow via acquisitions, mergers and partnerships. In the USA alone, mergers and acquisitions volume totaled $865.1 billion in the first nine months of 2013, according to Dealogic. That’s a 39% increase over the same period a year earlier, and the highest nine-month total since 2008. What does this mean for workforce IAM? You would have to work with multiple heterogeneous identity stores, identity federation protocols, legacy systems and much more. BYOID (Bring Your Own IDentity) is the key to facilitating B2B interactions. BYOID is not just about bridging social identity with enterprise identity; it is also about bridging the heterogeneous identities of different corporates or enterprises.

Federation Silos

SAML, OpenID, OpenID Connect and WS-Federation all support identity federation, that is, cross-domain authentication. But can we always expect all the parties in a federation use case to support SAML, OpenID or OpenID Connect? Most of the federation systems we see today are in silos: a silo of SAML federation, a silo of OpenID Connect federation or a silo of OpenID federation. You are not able to talk between silos. This is not just between enterprises; it happens even within one enterprise. Recently we had a call with a large company in the finance domain, and they mentioned they have more than 10,000 service providers (applications) internally, using multiple identity federation protocols. We need a way to get rid of these federation silos (either within the same enterprise or between multiple enterprises) and build a way to facilitate communication between different heterogeneous protocols.

Spaghetti Identity

In addition to federation silos, another anti-pattern we see in large-scale federation deployments is spaghetti identity. You create many point-to-point trust relationships between multiple identity providers and service providers. Even within a given federation silo, how do you scale with the increasing number of service providers and identity providers? Each service provider has to trust each identity provider, and this leads to the Spaghetti Identity anti-pattern.

Identity Bus

With the identity bus pattern, a given service provider is coupled neither to a given identity provider nor to a given federation protocol. A user should be able to log in to a service provider that accepts only SAML 2.0 tokens with an identity provider that only issues OpenID Connect tokens. The identity bus acts as the middleman that mediates and transforms identity tokens between heterogeneous identity protocols.

Either knowingly or unknowingly, most enterprises use the identity bus pattern to address their complex workforce IAM needs. Let’s summarize some of the benefits of the identity bus pattern.

  • Introducing (and removing) a new service provider is frictionless. You only need to register the service provider at the identity bus and from there pick which identity providers it trusts. There is no need to add the service provider configuration to each and every identity provider.
  • Introducing (and removing) a new trusted identity provider is frictionless. You only need to register the identity provider at the identity bus, and it becomes available to any service provider.
  • Enforcing new authentication protocols is frictionless. Say you need to authenticate employees with both username/password and SMS OTP: you only need to add that capability to the identity bus, and from there you pick the required set of authentication protocols for a given service provider at the time of service provider registration. Each service provider can pick how it wants users authenticated at the identity bus.
  • Claim transformations. Your service provider may read the user’s email address from the http://sp1.org/claims/email attribute id, but the user’s identity provider may send it as http://idp1.org/claims/email. The identity bus can transform the claims it receives from the identity provider into the format expected by the service provider.
  • Role mapping. Your service provider needs to authorize users once they are logged in. What a user can do at the identity provider is different from what the same user can do at the service provider: the user’s roles from the identity provider define what he can do at the identity provider, while the service provider’s roles define what a user can do at the service provider. The identity bus is capable of mapping the identity provider’s roles to the service provider’s roles. For example, a user may bring the idp-admin role from his identity provider, in a SAML response; the identity bus will then find the mapped service provider role corresponding to it, say sp-admin, and add that to the SAML response it returns to the service provider.
  • Just-in-time provisioning. Since the identity bus is in the middle of all identity transactions, it can provision all external user identities into an internal user store, and can also outbound-provision to connected applications.
  • Centralized monitoring and auditing.
  • Centralized access control.
  • Introducing a new federation protocol needs minimal changes. If you have a service provider or an identity provider that supports a proprietary federation protocol, you only need to add that capability to the identity bus. There is no need to implement it at each and every identity provider or service provider.
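As an added example (not code from the original article or from any identity bus product), here is the claim transformation and role mapping step from the bullets above, written as a single mediation function that also applies the per-service-provider trust list: it renames claims into the service provider's dialect, maps identity provider roles to service provider roles, and drops anything unmapped. The token format is abstracted as a plain dictionary, and the claim URIs, role names and registrations are constructed for illustration.

```python
"""Claim transformation and role mapping at an identity bus."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ServiceProvider:
    """What the bus records when a service provider is registered."""
    name: str
    trusted_issuers: Set[str]          # identity providers this SP accepts
    claim_map: Dict[str, str]          # SP claim URI -> IdP claim URI it comes from
    role_map: Dict[str, str]           # IdP role -> SP role
    required_claims: Set[str] = field(default_factory=set)


@dataclass
class Assertion:
    """Protocol-neutral view of a SAML response or an OIDC ID token."""
    issuer: str
    subject: str
    claims: Dict[str, str]
    roles: List[str]


class MediationError(Exception):
    """Raised when the bus refuses to build an outbound assertion."""


def mediate(inbound: Assertion, sp: ServiceProvider) -> Assertion:
    """Build the assertion the bus returns to `sp` from what the IdP sent.

    Rules, all enforced on the bus so neither side needs the other's dialect:
      * only an issuer the SP trusts is mediated;
      * claims are renamed to the SP's URIs; anything the SP did not ask
        for is dropped (least disclosure);
      * IdP roles are mapped to SP roles; unmapped roles are dropped, never
        passed through, so a role meaning "admin" at the IdP cannot become
        "admin" at the SP by accident;
      * the result fails closed if a required claim is missing.
    """
    if inbound.issuer not in sp.trusted_issuers:
        raise MediationError(f"{sp.name} does not trust issuer {inbound.issuer}")

    outbound_claims = {
        sp_uri: inbound.claims[idp_uri]
        for sp_uri, idp_uri in sp.claim_map.items()
        if idp_uri in inbound.claims
    }
    missing = sp.required_claims - set(outbound_claims)
    if missing:
        raise MediationError(f"missing required claims for {sp.name}: {sorted(missing)}")

    outbound_roles = sorted({sp.role_map[r] for r in inbound.roles if r in sp.role_map})
    return Assertion(issuer="identity-bus", subject=inbound.subject,
                     claims=outbound_claims, roles=outbound_roles)


# Constructed registration for one service provider (names are assumptions).
SP1 = ServiceProvider(
    name="sp1",
    trusted_issuers={"idp1"},
    claim_map={
        "http://sp1.org/claims/email": "http://idp1.org/claims/email",
        "http://sp1.org/claims/displayName": "http://idp1.org/claims/fullname",
    },
    role_map={"idp-admin": "sp-admin", "idp-user": "sp-reader"},
    required_claims={"http://sp1.org/claims/email"},
)

# Constructed sample of what idp1 asserts about a user: one claim the SP
# never asked for and one role the SP has no mapping for.
SAMPLE_FROM_IDP1 = Assertion(
    issuer="idp1",
    subject="alice",
    claims={
        "http://idp1.org/claims/email": "alice@idp1.org",
        "http://idp1.org/claims/fullname": "Alice Example",
        "http://idp1.org/claims/department": "finance",
    },
    roles=["idp-admin", "idp-billing"],
)


def demo() -> Assertion:
    """Mediate the sample assertion for sp1."""
    return mediate(SAMPLE_FROM_IDP1, SP1)
```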

Bring Your Own Device (BYOD)

Last February, Sidd Bikkannavar, an employee of NASA’s Jet Propulsion Laboratory (JPL), who flew back into the USA after spending a few weeks abroad in South America, was detained by US Customs and Border Patrol (CBP) and pressured to give the CBP agents his phone and access PIN. It may have contained sensitive material that wasn’t supposed to be shared. Bikkannavar’s phone was returned to him after it was searched by CBP, but he doesn’t know exactly what information officials might have taken from the device.

With BYOD in place, employees tend to access the corporate network with their own personal devices and possibly store confidential data locally on the device itself. The role of workforce IAM gets extended with BYOD and needs to be deeply integrated with MDM (Mobile Device Management) and EMM (Enterprise Mobility Management) solutions. MDM tools make sure that corporate applications can be restricted to operate in controlled memory, and managed storage lets the company restrict access to corporate data based on the geolocation of the device. EMM goes further. With an EMM solution in place, the device becomes an integral part of the corporate IT environment; in other words, the device must be enabled with the same controls and be subjected to the same deployment management as any other device using corporate resources.

Business Models

Business model reinvention sometimes involves radically shifting what you sell, how you sell it, or how you make money from it. Reinvention may involve re-imagining the nature of competition in your industry or re-configuring your value chain to deliver at a substantial efficiency advantage over your competitors.

The book Leading Digital highlights Apple as an industry-changing platform. With the iPod, Apple delivered a convenient and user-friendly way of downloading music onto a brilliantly designed player. But the magic came later, when Apple launched its iTunes store — a service that created a tight link between hardware, software, digital music, and videos in one user-friendly package.

The role of IAM in business model reinvention does not change much from what we have discussed so far. The challenge is how agile your IAM infrastructure is in absorbing change. For example, if you build your application by baking in the access control rules, change is hard and costly. But if it’s designed to be externalized and policy based, then it’s just a piece of cake (well… no… but you know what I meant).

Careful design of the IAM strategy and implementation, together with forward thinking, is the key to success.

Summary

Digital transformation is all about driving the business towards profitability (in all ways), with a clear vision, with the aid of the technological advancements we witness in the fourth industrial revolution. Identity and access management plays a key role in digital transformation as an enabler.
