
Tip

Federate and secure identities with enterprise BYOI

Consumers have been using the federated identity concept 'bring your own identity' through social sign-on for years. It is time for the enterprise to embrace the trend.

Most office workers probably know the acronyms BYOD and BYOB, but what about BYOI, referring to bring your own identity?

Who we "are" online starts with an identity. You practice a form of bringing your own identity whenever you sign up for a new service with an email address that becomes your ID on that system. If you use a password manager, you could have upwards of 100 to 200 account logins -- each with different passwords -- connected back to the same email address or username. (Important: While having the same email address for hundreds of accounts is not necessarily a security risk, please remember to create a unique password for each account.)

As a consumer, you've probably also come across the option to use an existing ID/password combination from a known third-party provider such as Apple, Google or Facebook to create a new login on a connected service. This is another form of BYOI called social sign-on. It makes consumers' lives simpler because it decreases the number of passwords to memorize. Likewise, in the case of a compromise, it can make it easier to protect connected accounts because only one password needs to be reset, rather than multiple passwords across sites that use the same email/password combination (which users still do, regardless of how often they are told not to).

So, why haven't these benefits been brought to the workplace yet?

BYOI in the enterprise

BYOI is, in fact, becoming so popular that it's taking hold in the enterprise space, too. Most enterprises support single sign-on (SSO) within their digital boundaries. In other words, when employees log into their devices with a fingerprint or their face in the morning, that may be the only form of login needed to access work files and emails that day.

An employee's workspace also probably extends beyond the digital borders of their organization. If you need to check the balance on your health savings account or 401(k), for example, that would require a login to the corresponding financial institution. Got a toothache and need to check which dental providers are in network for your corporate health insurance? Chances are that's another login. And if you're working within a partner's systems to submit billing or access progress dashboards, you may be logging in multiple times a day, making that enterprise-supported SSO seem even less useful.

Bring your own identity enterprise model

With enterprise BYOI, organizations can enjoy the benefits of consumer BYOI by using validated corporate identities with partners. In this model, a company acts as an identity provider and shares or federates credential information with third-party services on its employees' behalf.

Want to get started with an enterprise BYOI rollout? Here are three important points to consider:

  1. Independence. Since BYOI needs to be flexible, start with a known identity provider for your identity repository. Most companies already manage identities with an identity provider, but if you were thinking of rolling your own or extending the ID management from one of your home-grown apps, you may find integration and compatibility issues rearing their head as you scale.
  2. Bidirectional. Trust goes two ways. Yes, it's important that your organization and partners know that a presented ID has been validated and verified, but it's also important for your employees to know that they're connecting to a trusted party. Systems that can validate that the server on the other end is, in fact, the bank that manages the company 401(k) help raise the security bar.
  3. Universal. Some organizations are taking enterprise BYOI to the max by allowing employees to bring their existing ID, for example, Google or PayPal, to the workplace. While this approach isn't common with most large organizations yet, with proper access control, it can alleviate identity management overhead for companies. Just keep in mind that if the identity provider is compromised, this can have downstream effects if you are trusting that identity provider.

Reduce identity struggles with BYOI

If you haven't thought about BYOI, now is a great time to start. Advances in identity interoperability, thanks to groups like FIDO Alliance, make it easier than ever to reduce sign-ins and the number of passwords people need to remember.
