Identity Management Solutions
Sagnik uses an analogy to compare an identity system to a house which is a great way to break it down.
Identity is the entrance to your digital world. If the door to your house is locked, it doesn't matter how great the house is - you can't enter it. Similarly, if the door to your house is broken - your entire house is at risk. So your digital world, like every house, needs both doors and locks. -Sagnik Nandy._ the CTO and President of Technology at Okta, speaking on the alphlist podcast._
We could expand on his house/door/key analogy for identity management like this:
Each service you use in your ecosystem needs another door. To keep your house secure, you need to make sure that each of those doors has a lock so only the right people have access. Yet having a lock for each door makes a huge keychain. What about having a master key that opens all doors (SSO) or a key that opens a locked key box in which all your keys are stored (password manager)? How would you secure that master key though so that even if it falls into the wrong hands, a burglar can’t get access (MFA)? How do make sure that when someone no longer needs access, their keys are removed and voided (user permission and lifecycle management). You also want your house to be continuously secure - even if you are in the process of building new doors or moving houses. Talking about moving houses - wouldn’t it be great that as you move houses, the security system works with you to make sure both your old house and new house are secure and you don’t need to issue new keys to everyone as the system just adapts itself to your new house? Furthermore, even just one breached lock puts your entire house at risk. It is bad enough if just your things get stolen but it is even worse if he burglar steals something of your friend’s that you are storing at your house. Therefore you want to make sure that you are using the best locks and trusting the right locksmiths. The locksmiths of Identity Management are companies that provide all sorts of restricted access solutions to securing your online presence.
What are Identity Management Solutions
Identity Management Solutions allow users to manage their online identities cohesively. There are many types of IAM (Identity and access management) solutions out there, each solving a different pain point.
A common IAM solution most people are familiar with is Single Sign-On (SSO) which allows end-users to verify their identity with an existing account. This is a service frequently provided by SaaS companies who don’t want to require their users to think of yet another password.
There are IAM solutions that act like password managers that allow people to store passwords, pins, and other sensitive information in safe, secure, and accessible places.
On an enterprise level, password managers allow companies or teams to share login credentials in a secure environment and even delegate access based on user roles, permissions, and privileges. This is often called ‘User provisioning and lifecycle management and often is a vital component of onboarding and off-boarding new employees
Another IAM solution used by companies is adaptive Multi-Factor Authentication. Commonly provided by IDaaS providers, it gives companies the ability to add extra layers of security to the employee login process.
Other services in the identity management industry allow logged-in users with seamless integration with other services used in a tech stack - think hardware, cloud hosting, API keys, etc.
IAM Industry Outlook
There is a lot of potential for growth in the IAM industry. As more users and services come online, the need for unified identity management becomes more apparent. IAMs solutions are needed to provide a simplified and seamless user experience based on complex secure technology
Opportunities in The IAM Space
As mentioned before, the need for solutions in the IAM space is growing. Okta might be the leading product in providing identity management at scale, but there are still customer pain points waiting to be solved. These are 2 ideas that came up in the podcast.
Delegated timed access with OTP
It would be great to have an IAM solution that generates OTP that provides access to an online account for only a certain amount of time. This would help parents raising digital native children who want to allow access to online websites only as a reward and only for a certain amount of time. Sagnik gives the example of how he rewards his children with screen time if they complete a task. However, it currently requires a parent to log the child in to redeem the reward and log out when the reward has timed out. It would be great if parents would be able to send their children OTPs to certain online services that are only good for a certain amount of time.
Identity Library - borrow a login to try out a product
Another idea, suggested by the podcast host Tobias (who has built and sold to tech-product companies) is a SaaS solution that creates a library of tools used within a company so employees can try out different software e.g. ActiveCampaign, Google Analytics, etc without needing to buy a whole new license. This system will be the gatekeeper of a marketplace for SaaS where people in the company who want to try a particular SaaS product can select it from a limited catalog of tools and just try it. This will optimise the licenses required by each company.
Technical Complexity of IAM Solutions
Now that we got you thinking about potential products in the IAM space, be warned! It is a huge challenge to provide a seamless experience to end-users where they can log in securely with minimal effort
[IAM] is a very technically rich problem.From an engineering point of view, I think almost every branch of computing plays out in the space - Sagnik Nandy._ the CTO and President of Technology at Okta, speaking on the alphlist podcast._
You are going to need to provide: Common Features Needed for a IAM Application
- Multifactor support
- User Support e.g forget your password
- Multi-Device support
- Compliant to all relevant data and tech laws
- Resilient - needs to scale as literally billions of users who rely on your prompt supply of access to their needed service.
- DDoS Prevention
- High Throughput
Challenges of Setting up Integrations
In today’s API economy, the more services you integrate with the better. Yet the challenge increases exponentially for every integration you have. Think of it as a combinatorial sum:
ChallengesofIntegrations! = number of integrations X number of platforms X number of devices X different kinds of users X different kinds of companies X different kinds of applications - and each with their own constraints.
This huge combinatorial space comes together as a layer of integrations combining thousands of applications that require a seamless connection. There are nuances to every integration partner e.g how they look at users, groups' permission, their method of authentication, their multi-device and multi-platform support - and worse yet - each of these partners you are integrating with is a continuously evolving product. This means that your integration needs to evolve as the partner software evolves.
Do Auth standards help with integration set-up?
Authorization Standards like OAuth and OpenID do help with integrating with other products, yet the method of authorization standard adoption varies from company to company. Even when they are Auth-Standard Compliant, companies still differ on
- How they sync data
- How data is exposed
- How endpoints are accessed
- Some endpoints are readily available while others require you to ping them.
- Furthermore, some APIs can be pinged anytime (real-time import) and other pings need to be scheduled - requiring a daily mass import. Of course, users don’t care how complicated it is for you to set up the end-to-end integration they require. Part of your job as a developer is to shield them from the complexity while providing the most simplified user interface.
Digital Identity and The Passwordless Future
Both from a security point of view and the mode of use point of view, [passwords] are starting to show their limitations. Identity Management Solutions like Okta are increasingly providing newer forms of authentication, which are both more secure as well as often easier to use. - Sagnik Nandy._ the CTO and President of Technology at Okta, speaking on the alphlist podcast._
As technology develops, it is providing new ways for people to log in without needing a password. For example, advances in biometric technologies are quickly converted into alternative authentication methods. Okta - a leading identity management solution - releases a new method every few months just to keep up with innovation. The wealth of password alternatives are allowing users more secure and seamless ways to combine layers of authentication needed in the secure multi- factor approach.
Will new authentication technologies make passwords a thing of the past?
Sagnik believes that it's still important to provide people with options. Let the user decide if they want to authenticate themselves with a password or a different method.
“Choice is very important, especially in an area like this, because there's so much innovation happening. I think the customer deserves to decide - at the customer level and at the application level.” - Sagnik Nandy, CTO of Okta
Every user is entitled to a preference of how they want to interact with their accounts and online identities - after all, every user has a different appetite for security and even the accounts themselves require varying levels of security. For example, if it's just an account that provides access to an aggregated, high-level view of your data, perhaps you would want the most seamless authentication method. However, if it is an online service that contains highly sensitive and critical information about you - you might want to use multi-factor authorization which might also require a password as part of the process.
Tobias, a CTO himself is also hoping for even more seamless authentication in the next 10 years - after all, to him, solutions like YubiKey just add extra devices so he doesn’t think they are a long-term solution.
Conclusion In this article, we discussed the Identity Management (IAM) industry and the opportunities, challenges, and trends that Sagnik Nandy - the CTO of Okta, leading Identity Management provider - sees in that space.