Much more than just security: the future of identity and access management

Published: Friday, 24 August 2018 08:15

Andy Cory discusses how the increase in Internet of Things (IoT) devices has caused identity and access management (IAM) systems to become smarter, opening up new ways to improved security, amongst many other advantages.

As more organizations embark on the journey that is digital transformation, the ability to manage digital identities is becoming more crucial — especially at a time when the Internet of Things (IoT) is redefining the concept of identity and access management (IAM). While traditional IAM was designed to manage employees’ information access authorization, organizations soon began to use IAM to understand the interactions between their customers or employees and the company.

The IoT world, however, challenges organizations to manage exponentially more identities beyond those of employees and customers; now they must manage also the millions of devices and connected ‘things’ — and the complex digital relationships between all of them.

With more than 20 billion IoT devices expected to be in use worldwide by 2020, according to Gartner, organizations require identity access management solutions to operate on a massive scale. Each connected ‘thing’, whether it’s a watch on a consumer’s wrist or a piece of connected manufacturing machinery, will need an identity, much in the same way that employees receive digital identities when they first join a company.

To make these devices — or ‘things’ — identifiable, manufacturers are implementing hard-coded (burned-in) unique identifiers or storing a piece of cryptographic data in a secure element (SE) or trusted execution environment (TEE). Innovative IAM vendors are making use of edge computing, moving the processing of data closer to where the data is generated, reducing latency and helping to allow interactions to happen at machine speeds.

In parallel to the development of this new identity ‘estate’, IAM systems have become smarter. No longer do they simply rely on a username and password to grant or deny access. They use supplemental contextual information, like login location, time of day, browser, operating system, IP address and much more to build up a powerful profile of the person or device attempting access. If something occurs out of the ordinary, like a login attempt at an unusual time of day or from a new device, IAM automatically restricts access and the danger it could cause.

While using these contextual ‘signals’ to ascertain identity is inherently more secure (because it collates a lot of information to build up a profile), this new kind of IAM opens up a number of new ways to improve the digital experience for customers:

Offering a frictionless customer experience
IAM can now make data and network access a much faster and smoother process — even enabling customers to access services without a password because the IAM system recognises the login coming from its usual geographical location on a device that’s been pre-approved and at a normal time of day.

Tailoring digital experiences for customers
Using contextual signals, it is possible to tailor digital experiences to different types of consumers. For example, the authentication experience can be configured differently for customers in London compared to customers in Paris — something potentially useful for, say, airline brands analysing the different types of consumer behaviour in different countries. Geography aside, Google Chrome users could be directed to one kind of digital experience and Firefox users to another. Or mobile users to one particular digital experience and desktop users to another. The possibilities are vast.

Empowering customers
Moreover, IAM can be part of a strategy to help you empower customers. Consumers are increasingly worried about data privacy, and want more visibility into what data they’ve shared with businesses, what the business is doing with that data, and who it’s being shared with. And many customers want the right to be forgotten. Acting on customer preferences is exactly what the GDPR is all about. IAM makes it easy for businesses to be able to locate and determine any device the consumer has interacted with and determine how those devices are using customer data.

Many see the GDPR as a compliance tick-box exercise, but it’s so much more than that — it’s an opportunity to improve the relationship you have with your customers.

Improving security - obviously
In the IoT context, devices are now encountering similar security vulnerabilities people encounter when using the Internet. Organizations need to securely deliver goods and services to ‘connected’ customers and citizens and their devices. IoT requires a secure IAM at a scale, designed for devices with varying levels of sophistication, interfaces and standards. 

Improving everyday business operations
IAM can also improve the day-to-day operations within a business. IAM data can feed into different parts of your business for different purposes — sales and marketing can improve customer profiling to deliver on personalisation strategies, R&D departments can improve future iterations of products based on actual performance data, senior management can make better decisions based on real-time, up-to-date information. This sort of capability is vital to achieve a competitive edge and ultimately drive customer loyalty and revenue, helping an organization to become better at what they are already doing as a business.

What you should look for in IAM for the IoT

Businesses should ideally look out for IoT-ready ‘identity relationship management’ (IRM). IRMs should be able to scale easily while offering high performance, flexibility, and the ability to offer a single view of the entire IoT estate — whatever the level of sophistication.

With an IoT-ready identity platform, it is possible to securely support devices such as healthcare wearables, connected cars, set-top boxes, e-citizen portals, home security systems, industrial machines, or any yet-to-be-invented ‘thing’ that organizations and their customers are using now and in the years ahead.

Don’t just think about IAM from a security perspective, think about how you can use identity as an asset to drive value. 

The author

Andy Cory, Identity Management Services lead at KCOM.