Consumerization of Identity: Bringing Social Identity to Work
Business is now driving costs out and enriching services with the
sophisticated use of identity information. Forward-looking organizations are
latching on to terms such as “social media identity” and “consumerization” to
gain an upper hand against the competition through an improved and simplified
internal or consumer-orientated user experience. What does this mean in real
terms, though?
We’ve looked previously at how the desire of users and consumers to access
information from anywhere at any time impacts on our approach. The security
boundary has surely moved. But how far? Yes, it could move as far as individual
data elements. If we examine things more closely, however, is the step that
employees and consumers are asking us to take really such a big one? Is it a
blind leap into the unknown, or a manageable journey to a better place for all?
Complexity always exists, and simplification for end-users will likely come as
a result of an infrastructure that is functionally richer. The discussion
should not be one of complexity, though. To decide whether to accede to our
users’ requests and support the consumerization of identity, we must focus
primarily on risk. Let’s approach this from two points of view.
The first view is that of the security of social identity. There is much talk of
using Facebook, Twitter and other social media identities to replace logon to
low-value resources on company websites. The knee-jerk reaction to such a
request is “no way”, because it just feels insecure. If we think about it,
though, what’s more valuable to an individual? Their company-provided extranet logon
or their Facebook logon? Their company credit card or their personal credit
card? Their office keys or their house keys? People will always tend to value
more highly those things whose compromise will lead to greater personal impact.
And thus they will protect them more diligently. So a Facebook logon is
arguably more valuable to its holder than the extranet logon. Of course, the
comparison is not as simple as just that one aspect. Among other risks,
personal assets can be shared with a trusted peer group, particularly family,
whereas corporate assets are typically not. Conversely, personal assets are
generally not shared with trusted work peer groups either, whereas corporate
assets can be. However, the point remains that a social identity is not the
weak credential that it can appear to be on initial gut reaction.
So with a combination of both personal and corporate security responsibilities,
the security of a credential existing in both domains simultaneously can be greater
than that of one which exists purely in a single domain. The duties of care between the
employer and the employee are becoming entwined in a subtle way that is hard to
unpick, but in a way where security benefits can accrue unexpectedly
for both sides.
Take a second, completely different viewpoint. It’s common for employees to use
social identity for numerous business purposes. Data is sourced and published
in the public domain using identities that exist in the public domain.
Marketing, recruitment and many other activities rely on sites such as Twitter
and LinkedIn. Does the company gain benefit by trying to control these public
domain identities too closely? Should the employee be allowed to use their
personal accounts? Just as valid a question is: does the employee want to use
their personal accounts?
Employees are asking for access to everything from everywhere. But do they
really want so much freedom, with almost no boundary between personal and corporate
identities? Is a degree of separation between the two desirable for all? Regardless,
identity governance needs as complete a picture as possible of system access –
for corporate, partner and cloud systems. The risk assessment around this needs
data, so we need to include public domain systems in our governance scope. We
can’t establish a BYOD or social identity programme without an analysis of the
risk trade-offs.
So where does this leave us? Are we being asked to take the blind leap into the
unknown? It leaves us at “Security: Step 1”.
We need to do the risk assessment. We need to weigh the business rewards against the
possible issues and compare these with the corporate risk appetite. And
crucially, to do this we need to know what our employees and customers really
desire. They really aren’t asking us to move to a scary place.
In fact, for some areas of business it is a wholly appropriate place.
Irrespective, though, it’s simply a place we’re not accustomed to in the new
use cases we are being presented with.
But know this. If you choose to say “yes” to shifting the security boundary,
the technology exists to support your journey. We will look more closely at
some of the options in our final part of this series.
About the Author:
Mike Nelsey, Managing Director, aurionPro SENA
Working in the IT industry since the early 90s, Mike leads the aurionPro SENA European operation. Mike has been involved in identity and access management since 1999, when the company won its first framework agreement with UK policing for web access control. Since then he has overseen the company’s strategy, moving into a focused delivery model working closely with Oracle to provide a true stack offering covering consult, design, build and support.