Business Issues -> Security & Risk
By: Bob Tarzey, Service Director, Quocirca
Published: 25th July 2013
Copyright Quocirca © 2013
A lot of the talk around the consumerisation of IT focusses on employees using their own devices, installing their own apps and using social media. The trend to bring-your-own (BYO) is at best seen as employees being innovative in the way they use IT and at worse a danger to an organisation’s digital assets that needs to be monitored, controlled or blocked. Employers can exercise some level of control over what those dependent on them for their income do with IT systems; this is not so with customers.
In fact, recent Quocirca research shows the extent to which the BYO trend is being exploited more and more by businesses in one particular area—bring-your-own-identity (BYOID). The primary opportunity is the ease of engagement with consumers. The driver for this is to solve one of the oldest issues in the pantheon of IT security issues—how to avoid the problem of users having to manage multiple identities and therefore remember many passwords. In effect, BYOID is outsourcing all the issues involved with establishing and managing identity to third parties.
Most people reading this article will be familiar with the problem and many will likely already be benefiting from BYOID. Most providers of internet services want their regular users to create an account of some sort so the relationship can be deepened for marketing and other commercial purposes. Accounts need logins and that means establishing an identity. However, rather than getting users to create a new identity, many now turn to third party social media sites that the user already has another account with; there are many to choose from: Facebook, Google, Yahoo, Twitter, PayPal etc.
Most of the major social media sites provide widgets and APIs that enable the use of the login credentials the user has for their site as a way of authenticating to another. This is convenient for the consumer as it allows them to more easily register for a service and then of course, when they return at a later date, they are far more likely to remember their credentials if they are the ones they use for their favoured social media site. Indeed, many of their devices may be set to auto log in to such services.
It is good for the social media site as it cements its relationship with users too and raises its profile through exposure on hundreds of other sites. You will likely have seen social login offered as an alternative all over the place, with a patchwork of social media logos. JustGiving, Spotify and The Economist are just a few examples of those offering social login.
For the provider of a new online service there will be whole series of questions about doing this including the veracity of social identities, how to set up and manage them and how to authenticate the actual user behind the identity.
When it comes to veracity, some will worry more than others. A free media service that wants to capture identities for marketing purposes may not care if a few are not real. Users will like the convenience of using a social identity and will be more likely to create an account. Anyway why would someone want to sign up for a free service in someone else’s name?
However, as soon as money starts changing hands there is a need to be sure of whom you are dealing with. In fact using social identities actually reduces the problem—making-up an identity on the spot is easier than creating a social identity expressly for the purpose. If it can be established that the account being used has been active for some time and has history of activity that matches that of a genuine user then it is arguably far better to be using social identities than ones created on the fly.
The good news is that social infrastructure services such as Gigya, Janrain and Loginradius are amongst other things designed to check the veracity of social logins. By looking at a given user’s history and activity on a given social media site they can verify that they are an established user with a track record. They also help with another obvious problem, which is that many users will want to use different social identities and this needs managing.
Social infrastructure services act as brokers, managing the many-to-many relationship between the social media sites and those providing services that want to enable social login. Social infrastructure services enable a retailer, charity, media company etc. to establish a single view of their customers regardless of how they login—providing a basic form of customer relationship management (CRM).
Using such services it is possible to establish a high level of confidence that a real person is being dealt with. In fact, far more so than if someone had just made up a username and password. The next question is when someone logs in with a social identity how do you know that in this instance the user is the owner of that identity? Authentication is only as good as that offered by the social media site itself. Some now offer two factor authentication as an option and have auto-logout settings. Remember, the competition here is ad hoc usernames and passwords scribbled on scraps of paper.
So far this article has focussed primarily on the consumer. However, for many organisations the need to manage external identity goes well beyond this. There are also external business users, the employees of partners and customers—these are business-to-business relationships. Quocirca’s research shows that in some cases social identities are being used here too. However, there are other sources of identity that come into play, including the other business’s own directories, the membership lists of professional bodies, government databases and so on.
To manage all this requires a federated identity management system which can bring together identities from all sources and manage them via a single interface. This may include employees as well as third party users, many of whom will access common applications (for example supply chain systems). To this end many of the big identity management providers such as CA, Oracle, IBM and Intel/McAfee have adapted their systems to work from multiple identity sources.
Having a unified identity and access management system, regardless of the sources of identity, eases reporting for security and compliance purposes, enables the creation of common policies across disparate user communities and makes it easier to implement single sign on (SSO) systems. SSO solves the business equivalent of the consumer problem described earlier, the user having to remember multiple usernames and passwords for different systems.
SSO also helps solve another growing problem for businesses; controlling access to web-based services. The problem here is if a business uses Google Apps or Microsoft Office 365 for document management, salesforce.com for CRM, SuccessFactors for HR and so on, enabling every employee for each one and, perhaps more importantly, ensuring access is de-provisioned when they leave, is much easier if all access is provided via an SSO portal. This has led to the emergence of a host of new identity and access management vendors including Ping Identity, Okta, SaaS-ID and Symplified (the last of which has a partnership with Symantec).
Many of these are offering SSO and identity and access management as cloud based services (IAMaaS) the benefits of which are outlined in Quocirca’s recent report; if the users can be anywhere and the applications are in the cloud, why not the SSO system too? The big identity vendors are adapting their products as well, for example CA’s CloudMinder can be deployed as purely an on-demand service or linked with existing on-premise systems creating a hybrid deployment.
Looking to the future we can speculate that we may all get more ownership of our digital identities as time goes by. As consumers we can already increasingly choose to use a favoured social identity and with education we can understand how to protect and harden it. Actually we are quite used to this in the off-line world. Most people have a passport and understand the need to care for and protect that.
This raises an interesting point. When you turn up at a new employer they do not issue you with a passport for business travel; you use your own. Perhaps in the future employees will provide employers with their favoured digital identities. It may not be long before you are accessing your employer’s IT systems and applications using your Facebook, LinkedIn or Twitter identity. When that happens the age of BYOID will truly have arrived.
 ”Digital identities and the open business”, Quocirca, Feb 2013, this is a free report available on request from Quocirca downloadable at this link: https://www.ca.com/gb/register/forms/collateral/Quocirca-European-Research-Digital-Identities-and-the-Open-Business.aspx
Posted: 26th July 2013 | By Bartley Doyle :
Great articles, very informative and accurate.
Posted: 26th July 2013 | By Staci E. :
Single Sign On is vital in today's BYOD world as it protects data and is extremely convenient for all users. SecureAuth IdP offers SSO for ALL web, cloud, and mobile applications, including native mobile apps.
Check out our product and see how we compare to the providers that you mentioned above. We allow multi-factor authentication and fully integrated SSO in a single solution that does not provide any hardware or installation.
Disclaimer: I am employed by SecureAuth.
Posted: 19th August 2013 | By ecobb951 :
I think bring-your-own-identity (BYOID) is an important concept, but in the end of the day it should always be about data security. Data security on smart mobile devices is a difficult issue, especially with the use of apps. Some companies are combating this issue with their own data security apps. Example, we are developing our own app for our employees and doctors, using the Tigertext Tigerconnect API for HIPAA compliant texting and Dropbox integration, this will allow an increase in security and compliance but not burden the users will a lot of security protocols and restrictions. The other benefit is that it will work across OS and platforms weather it is BYOD or COPE. I think the trucking companies are going to have to be innovative with their BYOD policies and technologies in order to give drives that flexibility they need and give the companies the security they need.
The messages above were all contributed by IT-Director.com readers. Whilst we take care to remove any posts deemed inappropriate, we can take no responsibility for these comments. If you would like a comment removed please contact our editorial team.
We automatically stop accepting comments 180 days after a post is published. If you would like to know more about this subject, please contact us and we'll try to help.
Published by: IT Analysis Communications Ltd.
T: +44 (0)190 888 0760 | F: +44 (0)190 888 0761