Why it's time for a holistic approach to identity
At the recent Deskflix, Season 5, The Future of Identity Management, Jessica Riccio, Senior Solutions Marketing at Okta, explained the benefits of a holistic approach to identity.
The challenges facing organisations of all sizes as they attempt to balance the data and operations against an ongoing barrage of digital threats are daunting, and made more so by the heightened expectations of employees and customers. Employees seek seamless engagement and interaction with enterprise applications and systems, and customers expect streamlined user registration and login experiences and the capability to personalise experiences. Of course, everyone - except the criminal fraternity - expects all of these goals to be achieved without cyber security compromise.
This is where identity comes into play. Identity defines access, and the complex mapping between users and the resources they seek. Yet many organisations, according to Jessica Riccio of Okta, remain overly dependent on a traditional perimeter endpoint security approach, which becomes less effective with every passing day.
"Threat actors focus on targeting users, the weakest link in the attack chain," said Riccio. "All they need to do to bypass these solutions is compromise users and their credentials. That's the easiest way."
"We need to regroup as an industry and attack the problem from a different angle. What is the control that's agnostic of devices and networks? Identity is our most critical method for protecting our front door, for protecting our users, our data, our business. It's the jumping-off point for everything."
Riccio pointed out that the moment of login to a business or consumer application is the starting point for all the other controls in the security stack.
"This is why we really need to look at identity holistically. We need to start with identity and make it a strategic component of our overall security frameworks."
Context is critical
Another critical component of identity is contextual access, because it allows for the preservation of a high-quality user experience without sacrificing security. Riccio gave her own working week as an example of why context is so important.
"Today I logged in from my usual, home-based location of work. When I do that I just log into my dashboard and it will authenticate me once for all my applications so I have access to everything right away.
"Tomorrow I might be travelling, so when I'm in a different city I'm going to, again, authenticate myself to my Okta dashboard. However, once I click on an app it's going to ask me to authenticate again, because my location has changed. This is contextual access and it helps us to find that balance between security and user experience."
Customer identity is also a vital consideration. Organisations are trying to work out how to make customers' interactions with their goods and services quicker and easier. How can they enable agile software development teams to build, integrate and maintain their consumer applications?
Riccio set out some other goals that Okta's customers might have.
"How can we help companies reduce guest checkouts and increase acquisition and conversion rates? This has everything to do with customising, simplifying and streamlining login and registration pages. Once their customers are in the website or on the apps, how do we keep them there? How can we help them get insights into their customers so that they can tailor experiences? Finally, how can we protect their services from bot attacks, from account takeovers, fraudulent registrations, etc.?"
A holistic approach to identity
Riccio went on to lament the historical tendency of the cyber security industry to simply throw new products at problems when they arise.
"We might have vendor A for access management, vendor B for governance, vendor C for privileged access management, vendor D for customer access, etc. Why are we not approaching identity holistically and comprehensively consolidating our approach? Wouldn't it serve a business better to have a single view of their identities, whether customer or workforce? Wouldn't it improve visibility, security, management, even compliance to have those identity controls, processes, policies, governance all on the one platform?"
There are four critical capabilities of an identity solution.
- Neutrality: Because identity is the driver of employee and consumer experiences, it has to operate everywhere and with everything. Bias doesn't have a place in the identity layer.
- Integration: As an organisation adopts new applications and new systems, integrating them should be as easy as adding an application to your phone. Identity should be able to integrate with HR systems, network security, email gateways, SaaS, etc. Out-of-the-box integrations are useful.
- Extensibility: Most organisations require far more extensible platforms than off-the-shelf products can deliver. That requires an identity solution which embraces no-code, low-code and protocol options for ease of customisation.
- Unification: Identity needs to be unified in terms of support for both workforce identity and customer identity and embracing identity for security.
A solution with all of these components builds a foundation for identity where users and resources are secure, where users have access to the right resources in the right context, where experiences are optimum with the least amount of friction, and where experiences are personalised because of the insights provided.