Companies now have more external users than internal ones: how do we manage digital identities without creating huge complexity?
Our recent research confirms that many businesses now have more external users than internal ones: in Europe 58 percent transact directly with users from other businesses and/or consumers; for the UK alone the figure is 65 percent.
This change in the profile of users means many organisations are adapting the way they manage digital identities to enable federated identity management.
Since Quocirca last researched the market in 2009, the number with some form of identity and access management (IAM) system in place has risen from around 25 percent to 70 percent; although to be clear this is not an exact comparison as the basis of the research was different in each case. Nevertheless the change is marked.
There are other motivations behind this; one is the growing use of cloud based services. Correlations within the most recent research show a remarkable difference between those who are enthusiastic about cloud and those who avoid it. A huge 97 percent of the enthusiasts had deployed IAM compared with just 25 percent of the avoiders.
One of the reasons for this is to make use of single-sign-on (SSO) for cloud resources, which provides the ability to rapidly provision a user to a range of cloud base applications and services and, perhaps more importantly, rapidly and securely de-provision them from all such services when they depart.
Another driver is the desire to embrace the growing use of social media and the rise of bring-your-own-identity (BYOID).
For consumers at least, social identities (those used to access Facebook, Google, Yahoo, PayPal) are increasingly seen as the best way of establishing an identity. The alternative of creating and manage millions of identities using an internally deployed IAM system is just not practical. This has led to the rise of a number of social infrastructure providers such as Gigya, Janrain and Loginradius.
However, these vendors limit themselves to social identities and maintain a consumer focus. Incorporating users from other businesses requires a broader federated identity management capability. This enables a number of external identity sources for external business users to be managed from a single console. Such sources include the use of customers’ and partners’ own identity databases, the membership lists of professional bodies, certain government databases and, of course, social identities.
To achieve this requires a full federated identity management capability. The big identity vendors such as CA, IBM, Oracle and Intel/McAfee are adapting their systems to address this requirement. Having such a system in place facilitates SSO for all users and makes it easier to have granular access policies for different types of users. It also makes it easier to keep accurate audit trails of access to applications and resources, a necessity for many organisations to meet their regulatory requirements.
With more and more users being external and the growing use of cloud based services, it does not really matter where the IAM system itself resides. That too may as well be external; this is reflected by the growing use of IAM-as-a-service (IAMaaS).
There are a number of benefits to IAMaaS over an on-premise deployment. From a business perspective, such systems are designed from the bottom up for external access, so IAMaaS fits well with the need to address both internal and external users.
Many of the services have pre-built integrations with commonly used cloud services. Then there is scalability, for example if the rate of uptake of a new consumer offering is uncertain an organisation may not want to commit large funds up front; as with most cloud services, IAMaaS is usually pay per use.
From an operational perspective, IAMaaS lowers deployment and management costs, as would be expected through the use of any cloud service and payments can be out of operational rather than capital expenditure. And, of course, outsourcing many of the tasks associated with IAM leaves IT staff free to focus on other things.
A new breed of identity management services have come to market in recent years from vendors such as Ping Identity, Okta and Symplified. The big names are also adapting their products too.
This underlines another requirement that many larger organisations will have as they evolve their IAM systems. That is to link cloud based services with existing on-premise deployments. Wholesale change from one mode to another may not be practical or desirable. Quocirca’s research report shows the extent to which this is the case.
Of the 70 percent of organisations that have IAM in place, 27 percent have a purely on-premise system and 21 percent are using IAMaaS. The remaining 22 percent have a hybrid system, according to our research commissioned by CA Technologies. For those that are cloud enthusiasts, the use of pure IAMaaS rises to 36 percent and hybrid use to 29 percent. The top benefits of IAMaaS are seen as being lower cost of management, improved employee productivity, lower cost of ownership and the ease of integrating external users.
Once such capabilities are in place, anything becomes possible. The use of social indemnities may be limited mainly to consumers today, but why not employees tomorrow? When you start work with a new employer, you are not issued with a new passport, you provide your own; why not provide your own digital identity? When that is the case the age of BYOID will truly have arrived.