How to implement a successful IAM solution

Guest article for Computerworld from November 16, 2018

Identity and access management (IAM) solutions can offer companies a wealth of benefits. But how do they find a system that is right for them? And what are the things to look out for when choosing a system and planning its implementation?

Identity and access management (IAM) in its conventional sense arose in the 1990s and involved assigning employees a clear identity and sharply defined roles on the basis of fully known data. As business processes have become ever more digitalised, more and more sensitive data and processes are being exported and disclosed outside the company limits – to customers, partners, suppliers and increasingly also to objects such as machines.

However, the underlying data is often highly restricted and not always clear. This also brings compliance issues into the picture, with solutions needing the ability to react flexibly to ever more complex and rapidly changing data protection regulations. With all this in mind, identity and access management in its present form is divided into two categories depending on the target group: internal and external IAM. The latter of these two is a hot topic in the current environment and is often referred to as ‘cIAM’, with the ‘c’ standing for either customer or consumer.

Usability versus security

One of the main tasks of cIAM is access control, since applications, services, data and identities are still the main targets for cyber criminals. Secure authentication can help here, but often at the expense of user-friendliness. The term ‘secure’ tends to mean ‘two-factor’ when referring to authentication, a measure which is vital to protect access to sensitive data, but which users often find laborious.

A more user-friendly solution is risk-based authentication. This involves analysing the context in which access is made, instead of always asking for the second factor every time the user requests access. For example, if the user always logs on securely from the same place at the same time, the reliability increases and the second factor can be dispensed with.

A single sign-on can also simplify the process for the customer. Instead of having to log in separately for different services from the same provider, the user can quickly and easily access all their services using this feature.

Choosing an authentication method

If security concerns mean that two-factor authentication (2FA) is required for certain content, a corresponding method must then be chosen. Alongside the security issues, there are many other aspects that must be considered in order to offer customers the greatest possible usability.

• Online/offline: Does the method still need to work even if the user does not have a data connection?
• Additional device: Is the user allowed to use the same device for the second factor and for the actual access itself? Is it feasible to ask the customer to use a dedicated 2FA device, or should this just be their own smartphone?
• Action confirmation: Should the second factor also be used to confirm an action, such as signing an e-banking transaction? In this instance, it must be possible to transfer the payment data through a second secure channel.

User experience as a key element

Consideration has already been given to the fact that the interaction with the user plays a crucial role in the success of a digitalisation project. A clear and simple user journey is vital in order to enable customers to access the desired services in just a few steps. This begins when registering: the more information a user has to disclose about themselves, the higher the risk that they will abandon the process. Social login or social registration can help here. For customers, this means that they do not have to enter their details multiple times. Meanwhile, companies can use social login to transform anonymous visitors into actual identities in a quick and simple manner.

A company has certain quality features – and perhaps even unique selling points – that are particularly valued by its customers, such as simplicity or a rapid response to queries. These factors must be defined at the outset so that they can also be capitalised upon in the digital relationship with the customer. A clear focus on the relevant target group also falls under the umbrella of user experience. Should all customers – that is to say, the general public – have access to the services? Or is the service aimed at technicians working for business clients?

Empowerment through self-service

Nowadays, customers want to do a lot of things themselves right away, without having to contact a help desk. A user self-service feature can be integrated into cIAM to enable the customer to carry out certain actions themselves, such as creating and unlocking accounts or resetting passwords. And it’s not just users who are happy with this solution – user self-services can save providers considerable amounts of time and money. According to the research company Gartner, users forget their password 1.8 times a year on average.

With this in mind, it must be ensured that users can select their ideal working environment themselves, whether that is a desktop PC, tablet or smartphone. For providers, this means that a responsive design is essential when it comes to mobile applications, or better still, dedicated apps or single-page applications. What is more, cIAM systems have to be multi-channel-capable.

No time to lose

In the age of digitalisation, time is of the essence. Applications and services must be provided virtually instantaneously, without impairing security or user-friendliness. It is especially useful to implement the necessary security functions – such as 2FA, user management, profile management and so on – centrally on a one-off basis, and then make them available to the applications as a service. This allows applications to concentrate on their functionality. In addition, there is no risk of security measures being implemented differently across the various applications.

By combining these measures with an upstream web application firewall, it is possible to protect applications against the top 10 known risks according to the Open Web Application Security Project (OWASP). This enables applications to be published more quickly and safely. Any vulnerabilities can be promptly eliminated upstream and may eliminate the need to release a security update for the application.

cIAM as a service provider for web applications

Good cIAM is not an end in itself but a tool for integrated web applications. The focus is on providing the desired functionality in such a way that applications do not need to keep being updated. Its direct applicability means considerable savings in terms of time and money, and it is especially useful when not all the services on offer are being developed from scratch and designed in accordance with federation protocols such as OpenID Connect or SAML. It must be ensured that suitable identity propagation methods are offered for applications so that they receive all the necessary information on the current user.

The authors:
Marc Bütikofer is the Director of Innovation for Airlock security solutions at Ergon Informatik.
Urs Zurbuchen is the Senior Security Consultant for Airlock security solutions at Ergon Informatik.