It isn’t exactly a new idea, but designing your Identity and Access Management (IAM) with your users in mind always makes sense. But how about your customers and suppliers? After all, they, too, increasingly need to gain admittance to some of your internal applications and data. Unfortunately, internal directories usually aren’t up to the job, so choosing the right identity provider is growing more and more important.
When we say identity provider, we actually mean the service provider in charge of authenticating and authorizing users and determining which information they are allowed to see, depending on their pre-defined roles, their names and other attributes used to establish identity. Today, most organizations rely on their internal directories for this. And since there are usually quite a few of them, each is assigned a different task: Active Directory for initial authentication, corporate directories for internal users, various other directories for outsiders such as clients, customers, or business partners who access the system via the Web.
This internal perspective has its drawbacks, though. For instance, it forces external users to register and authenticate themselves for each partner separately, which can cause problems in industries that are well connected or which employ complex supply chains, as well as for customers wanting to reach an eCommerce website.
Some industries such as aerospace or automotive already boast well-entrenched identity providers such as Exostar or Covisint, but for others, alternatives like OpenID or Information Cards are becoming increasingly popular. In Germany, the soon-to-be-released new government identity card, or nPA (“neuer Personalausweis”), also involves an external identity provider. And in fact it makes sense not to do everything yourself but to call instead on outside help. This is a growing trend, and it is being reinforced by things like the increasing use of identity federation and new standards such as claims-based authentication, which is part of Microsoft’s new SharePoint release.
Internal IT departments should start focusing on transactions and interactions where an identity provider can improve the reliability, security and cost-effectiveness of access to systems and data. Whenever an external provider can do a better job, internal directories should be replaced by outsourcing. However, this means devoting greater attention than before to technical connection issues and to understanding the concept of federation, as well as graduated security models that work well with different identity providers.
This means that one size no longer fits all. Valuable and sensitive data and transactions need a different level of security than the simple registration of potential customers at a website – Facebook may actually be good enough for identifying them. A modular and graduated approach is required to avoid built-in conflicts of interest between usability and security, which can cause unnecessary friction. A clear and well-defined concept will enable organizations and enterprises to work well with all relevant user groups.
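To make the "graduated" model concrete, here is an added example (not code from the original article or from any of the providers it names) of a claims-based authorization check that trusts several identity providers at different assurance levels and grades resources by the minimum level they require. The provider names (`facebook`, `corporate-ad`, `industry-hub`, `gov-eid`), the resource names, the role names and the rule that the highest level needs a second factor are all constructed assumptions for illustration; a social login is enough for a newsletter sign-up, while contract signing demands a strong credential.

```python
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Ordered assurance levels; higher means the identity is better established."""
    NONE = 0      # issuer unknown to us
    SOCIAL = 1    # self-asserted identity, e.g. a social-network login
    VERIFIED = 2  # identity vouched for by a corporate or industry provider
    STRONG = 3    # government eID or equivalent with a second factor


# Trust register (constructed): each accepted identity provider and the highest
# assurance level this organization is willing to credit it with.
PROVIDER_ASSURANCE = {
    "facebook": Assurance.SOCIAL,
    "corporate-ad": Assurance.VERIFIED,
    "industry-hub": Assurance.VERIFIED,
    "gov-eid": Assurance.STRONG,
}

# Resource policy (constructed): minimum assurance required and, optionally,
# the roles allowed to reach the resource (None = any authenticated subject).
RESOURCE_POLICY = {
    "newsletter-signup": (Assurance.SOCIAL, None),
    "order-history": (Assurance.VERIFIED, {"customer"}),
    "supplier-portal": (Assurance.VERIFIED, {"supplier"}),
    "contract-signing": (Assurance.STRONG, {"supplier", "customer"}),
}


@dataclass(frozen=True)
class Claims:
    """The subset of claims we consume from a federated token."""
    issuer: str              # which identity provider issued the token
    subject: str             # the user identifier at that provider
    roles: frozenset         # roles asserted by the provider
    second_factor: bool = False  # whether a second factor was used at login


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def effective_assurance(claims: Claims) -> Assurance:
    """Cap the token's assurance by what we trust its issuer to vouch for.

    Assumption for this example: STRONG assurance additionally requires that a
    second factor was used, otherwise the token is downgraded to VERIFIED.
    """
    level = PROVIDER_ASSURANCE.get(claims.issuer, Assurance.NONE)
    if level == Assurance.STRONG and not claims.second_factor:
        level = Assurance.VERIFIED
    return level


def authorize(claims: Claims, resource: str) -> Decision:
    """Graduated access check: untrusted issuer, then assurance, then role."""
    if resource not in RESOURCE_POLICY:
        return Decision(False, "unknown resource")  # fail closed
    required, allowed_roles = RESOURCE_POLICY[resource]
    if claims.issuer not in PROVIDER_ASSURANCE:
        return Decision(False, "untrusted issuer")
    level = effective_assurance(claims)
    if level < required:
        # A step-up hint lets the application ask for a stronger login instead
        # of a flat refusal, which is where usability and security meet.
        return Decision(False, f"step-up required: have {level.name}, need {required.name}")
    if allowed_roles is not None and not (claims.roles & allowed_roles):
        return Decision(False, "role not permitted")
    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed sample tokens walking through the graduated policy.
    prospect = Claims("facebook", "prospect-1", frozenset())
    supplier = Claims("industry-hub", "supplier-7", frozenset({"supplier"}))
    signer = Claims("gov-eid", "supplier-7", frozenset({"supplier"}), second_factor=True)
    for who, res in [(prospect, "newsletter-signup"), (prospect, "order-history"),
                     (supplier, "supplier-portal"), (supplier, "contract-signing"),
                     (signer, "contract-signing")]:
        print(f"{who.issuer:13s} -> {res:18s}: {authorize(who, res)}")
```

The order of checks matters: the issuer is validated before any of its claims are trusted, and the assurance comparison happens before the role check so that a low-assurance token never learns which roles a resource accepts. In a real deployment the trust register and resource policy would live in configuration rather than in code, and the token's signature would have been verified before `Claims` is ever constructed.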