ISACA Now Blog

Knowledge & Insights > ISACA Now > Posts > Bring your own identity

Bring your own identity

| Posted at 6:09 PM by ISACA News | Category: Privacy | Permalink | Email this Post | Comments (0)

Merritt MaximThe “consumerization of IT” is one of the most important trends to impact IT organizations in recent years and is likely to increase in importance as the flood of new and more intelligent devices in the market continues and the typical worker becomes more mobile.

This important trend is not just about new devices; it is about the entire relationship between IT and its user population. In addition, this trend introduces significant security issues because critical IT assets need to be available— securely—to an increasingly distributed and diverse user base that is using consumer devices of their own choosing.

While the initial consumerization hype was focused on the bring your Own device (BYOD) trend, we are now seeing the emergence of bring your own identity (BYOI). The rise of BYOI is being driven by users’ “identity fatigue.” Users have too many accounts, too many usernames and too many passwords. That makes the mere step of registering at a new site one anathema too many. When the competition is literally a click away, organizations must enable the easiest user experience possible or users migrate to sites that offer the simplest registration and login process. Thankfully, many web sites have moved quickly to accept identities from popular online identity providers like Facebook, Google and LinkedIn.

BYOI brings a range of benefits and risks to both users and relying parties. (The Kantara Initiative defines a relying party as an entity that controls a resource that users wish to access and determines attributes required for access to resources.) For users, BYOI simplifies the user experience and reduces the need to remember—or, worse, write down—additional usernames and passwords. For relying parties, BYOI can reduce administrative costs since they can exit the entire forgotten password or forgotten username cycle.

However, BYOI is not without risks. While it does simplify the user experience, it also creates a potential single point of failure. If the underlying digital identity is compromised, the user may have to undergo considerable efforts to reestablish his or her identity with the new sites. In addition, the identity provider and relying party will also incur higher management and administrative costs to fix or reissue new identities.

Despite these challenges, BYOI is here to stay, especially for low-value consumer-oriented web sites and applications. This means organizations need to support social identity and allow BYOI if they are not already. Forrester’s Eve Maler explores this idea in a recent blog post.

Digital identity/BYOI should be viewed as a continuum and not as a binary option. Many organizations hear about the rise of BYOI and immediately assume that the next step after consumers use BYOI will be new employees using their Google/Facebook/LinkedIn identity to access the corporate network on their first day of employment. While that is technically feasible, the reality is that most organizations have not evolved to this point yet and they may never get to that point.

Not using BYOI in the workplace is not a repudiation of BYOI, it merely confirms that organizations continue to make the risk/reward trade-off for any technical concept. And when lower-value consumer-oriented transactions are involved, BYOI is still very much a viable concept.

Lastly, for organizations that are concerned about using BYOI even for consumer scenarios, there are ways to supplement BYOI to increase security and reduce risk without significantly affecting the user experience.  One example is adding a risk-based or step-up authentication process when the perceived risk is higher or when there is a higher value transaction. Risk-based authentication (otherwise known as adaptive authentication) can evaluate a variety of configurable factors such as time of day, transaction amount, and transaction amount relative to historical averages for that user, geographic location, IP address or mobile device.  Adaptive authentication is user-friendly, easy to deploy and flexible, enabling organizations to modify rules over time. The benefit of adaptive authentication is that it allows organizations to enhance their support for BYOI in a manner that does not necessarily increase risk.

Want to learn more? Access my recent ISACA webinar on this topic.

Merritt Maxim
Director of Security Solutions, CA Technologies

Continue the conversation in the Security Trends topic within ISACA’s Knowledge Center.


There are no comments yet for this post.
You must be logged in and a member to post a comment to this blog.