Identity & Access Management: Beyond usernames and passwords
Some weeks ago I had my first Clubhouse speaker experience (practically my first real experience with the app) when I was invited by Lameck Mbangula to come and speak to a cross section of the Namibian tech community about Identity and Access Management (IAM). This write-up summarizes what we discussed.
As you may already know, I currently work at Okta, a leader in the realm of Identity and Access Management, where I help with the company’s Developer Content, Community and Support strategy. Basically, my team is responsible for making sure that developers who decide to leverage Okta are as successful as possible.
Now if you had never heard the term IAM or Identity and Access Management before reading this article, no need to feel weird, because before joining Okta I had hardly ever heard (or taken note of) the term myself. Joining Okta was more a result of my work as an ecosystem builder than of my knowledge of the IAM space. My goal with this article is to share my understanding of the space based on what I have picked up in the almost one year I have been there. Hopefully this will help you not only to appreciate this part of the tech space but also to understand how to take advantage of the coming advancements in this area, and by doing so save yourself and your colleagues a load of avoidable pain.
What is IAM?
According to Gartner: Identity and access management (IAM) is the discipline that enables the right individuals to access the right resources at the right times for the right reasons.
IAM addresses authentication (who are you?), authorization (which resources can you access?), and access control (now that I know which resources you can access, how do I make sure that you access only those resources for which you were authorized?).
To help us better understand these concepts, let us look at what I hope will be a good analogy: checking into a hotel.
First you present your ID and payment to the receptionist in the lobby. That is the authentication step: at that point the hotel determines that you are who you say you are and that you have what is needed to gain access to the hotel facilities. Next you are given a room key, which means that you are permitted to access a room with a particular number (say room 602) and no other room. This is authorization. When you get to the room, you insert the key and are then allowed to enter. That is access control, where the lock is the access control mechanism.
Now let’s look at a simple app. You authenticate with your username and password; this proves to the app that you are who you say you are. Then, based on your identity as represented by your username, the app determines which roles or groups you belong to and grants you the credentials needed to access the permitted resources. That is the authorization step, and it is what makes sure that you get to access what is relevant to you and not to someone else. Lastly, whenever you access a protected resource in the app, some logic checks whether your identity is associated with the right credentials and then allows or denies access to that resource. The inner workings of the part of the app that performs these checks make up the access control aspect of IAM.
A typical IAM solution should provide a user repository (for storing the identities of all the legitimate users of the service), role definition and an authorization engine (how you determine who has access to what), an authentication system with single sign-on capabilities, password (or credential) management, account provisioning and de-provisioning (how you add new users to your user repository and later remove them), and audit (how you know who did what, and when, on the system).
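To make the three steps of the simple app and the components just listed concrete, here is a small Python model, added as an example and not code from the original post or from Okta. It assumes a hypothetical shop with customer, support and admin roles and a few constructed users; the names IdentityStore, requires, ROLE_PERMISSIONS and ORDERS are my own. Passwords are stored only as salted PBKDF2 hashes, sessions are opaque random tokens, every protected function sits behind a permission check, and each decision is written to an audit trail.

```python
import hashlib
import hmac
import os
import secrets
from functools import wraps

# Role definitions for a hypothetical shop: which permissions each role grants.
ROLE_PERMISSIONS = {
    "customer": {"orders:read"},
    "support": {"orders:read", "tickets:write"},
    "admin": {"orders:read", "tickets:write", "users:manage"},
}

# Constructed sample data: each customer's own orders, keyed by username.
ORDERS = {"alice": ["order-1001"], "bob": ["order-2002"]}


def hash_password(password, salt=None, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256; only the salt and digest are ever stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


class IdentityStore:
    """In-memory user repository, session store and audit trail (hypothetical)."""

    def __init__(self):
        self.users = {}      # username -> {"salt", "hash", "roles"}
        self.sessions = {}   # opaque session token -> username
        self.audit = []      # (event, username, ...) tuples: who did what

    # --- provisioning / de-provisioning -----------------------------------
    def provision(self, username, password, roles):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "roles": set(roles)}
        self.audit.append(("provision", username))

    def deprovision(self, username):
        self.users.pop(username, None)
        # Revoke every live session of the removed user, not just the record.
        self.sessions = {t: u for t, u in self.sessions.items() if u != username}
        self.audit.append(("deprovision", username))

    # --- authentication: who are you? --------------------------------------
    def authenticate(self, username, password):
        user = self.users.get(username)
        # Hash even for unknown users so response time does not reveal
        # whether the username exists.
        salt = user["salt"] if user else bytes(16)
        _, digest = hash_password(password, salt)
        if user and hmac.compare_digest(digest, user["hash"]):
            token = secrets.token_urlsafe(32)
            self.sessions[token] = username
            self.audit.append(("login_ok", username))
            return token
        self.audit.append(("login_failed", username))
        return None

    # --- authorization: which resources may this session reach? -----------
    def permissions_for(self, token):
        username = self.sessions.get(token)
        if username is None or username not in self.users:
            return set()
        perms = set()
        for role in self.users[username]["roles"]:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


# --- access control: the check in front of every protected resource --------
def requires(permission):
    def decorator(fn):
        @wraps(fn)
        def wrapper(store, token, *args, **kwargs):
            who = store.sessions.get(token)
            if permission not in store.permissions_for(token):
                store.audit.append(("denied", who, permission))
                raise PermissionError(f"{permission} required")
            store.audit.append(("allowed", who, permission))
            return fn(store, token, *args, **kwargs)
        return wrapper
    return decorator


@requires("orders:read")
def view_my_orders(store, token):
    # The identity comes from the session, never from a caller-supplied
    # username, so Bob cannot read Alice's orders simply by naming her.
    return ORDERS.get(store.sessions[token], [])


@requires("users:manage")
def list_users(store, token):
    return sorted(store.users)


if __name__ == "__main__":
    store = IdentityStore()
    store.provision("alice", "correct horse battery staple", ["customer"])
    store.provision("carol", "s3cret-admin", ["admin"])
    tok = store.authenticate("alice", "correct horse battery staple")
    print(view_my_orders(store, tok))   # ['order-1001']
    try:
        list_users(store, tok)
    except PermissionError as exc:
        print("denied:", exc)
    for event in store.audit:
        print(event)
```

The point of the decorator is that authorization is decided from the session, not from anything the caller passes in, which is what keeps Bob out of Alice's data. De-provisioning revokes live sessions as well as the user record; an IAM product handles that for every connected application at once.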
Why is IAM Important?
So you may be wondering why this whole business of identifying and authorizing the users of your app or service has taken on added importance in recent times, especially where businesses are concerned. Well, here are a few reasons:
Security and protection of access to valuable resources is the most obvious one. When we create an app or a service, we want to make sure that only authorized users have access to the resources that the app provides. That is one of the main reasons why we authenticate users: not only do we not want any unwanted guests to gain access, we also do not want an authenticated user, Bob, to access stuff that is meant only for another authenticated user, Alice.
User / customer experience is another one that goes hand in hand with the security bit. This usually shows up in a number of ways. One of them is personalization. Everyone appreciates a bit of a personalized experience. Even though it is taken for granted these days, I remember the thrill, in my early days on the internet, of being able to access a website and see my name in the top right-hand corner: “Hello Emeka”. It meant a lot to a young Nigerian accessing the web for the first time. Today it has been taken to the next level, where you can log into a game, portal or virtual reality environment from any location and any device and pick up from where you left off. This is all thanks to the management of identity information. There is also the user experience bit around how you gain access to the app or service in the first place. Examples here include the user login experience and account provisioning. If you have ever had to sign up for anything by filling in a 20-page online form, or forgotten your password to a service you only use once a year, then you know what I am talking about. Careful application of the basics of identity and access management enables you to craft the best possible user experience for the first-time or returning users of your app or service.
One other reason why businesses care about IAM is regulatory compliance. Many organizations have to abide by guidelines or rules from some regulatory body that specify not only who should be able to access a system but also when, how and even where they can access the service from. Examples include FedRAMP, HIPAA or online banking regulations. In a situation where you or your organization have to abide by these rules or guidelines, you need to think carefully about who you permit to access your systems, and how and when.
The last one I will mention is related to finances and cost efficiencies. Through skillful deployment of IAM systems, companies are able to save costs either directly or through efficiencies. One example is single sign-on, whereby your users can access multiple applications using the same identity credentials. It is the reason you are able to access your Gmail and YouTube apps with the same Google username and password. It also comes in handy in the enterprise setting, e.g. a bank where the employees can access their email, instant messaging and core banking application with one username and password, thereby saving the company a lot in terms of man-hours lost to employees forgetting their passwords to the various apps and asking the support team to reset them. Or think of a case where one bank acquires another and the users of bank A can now access bank A’s services through bank B’s website, which saves a lot in terms of convenience.
Types of IAM: WfIAM, CIAM
Now there are different lenses through which you can analyse the IAM field. One way is to look at it from the perspective of who you are building the service for. Are they employees of the organization or are they customers?
Workforce Identity and Access Management: this is mainly concerned with ensuring that employees of a given organization are able to authenticate and have access to the resources they need for their work. An example is being able to sign into your company or school network or intranet portal and have access to all the apps you need to do your job, e.g. your email and maybe your company accounting system, ideally without needing to enter a different username and password each time.
Customer Identity and Access Management: this is the situation where the users are not employees of the company but its customers. The idea here is being able to identify them so as to be able to render a service to them. And sometimes, in the process of rendering this service, you need to connect them to different internal systems. For example, when you sign into a banking app, the bank may be using a different system for bill payment and funds transfer than for account balance checking, but that is transparent to you because you accessed it all with one username and password.
You can read more here
Use cases beyond Username and Password
So there is always a question when it comes to Identity and Access Management: whether you should build the systems that allow you to do all the things I mentioned above yourself, or whether you should outsource them. Before I answer, let me paint a scenario.
So let us imagine that you are launching an ecommerce startup. It’s a straightforward use case. Customers sign up, sign in and are then able to make purchases. Because you like to keep things simple, all you are thinking about is how to identify the logged-in user so that you can provide them with a personalized shopping cart and maybe store their shipping address details. So you create a sign-up flow where they sign up with their email address and create a password. Because you understand the basics of security, you follow best practice and store hashed passwords, as provided by whatever framework you are using. The same applies to session management, which enables you to persist their shopping cart regardless of which device they log in from.
Not so simple app
But then things get complicated. After a few security or identity related incidents where your users have used insecure passwords, you decide to implement two-factor authentication, including SMS authentication for your users and maybe even biometric authentication for your staff. Then at some point, as your market share grows, you realize that some of your potential users have never had an email address in their lives; for them, the mobile phone number is their main form of identity, which is why they are always forgetting their password. So for those users you decide to implement some sort of SMS-based passwordless login that relies on their phone number only.
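The second factor mentioned in that paragraph is, in its most common form, the six-digit code an authenticator app shows. As an added example (not from the original post, and not Okta’s or Auth0’s code), here is a standard-library Python implementation of HOTP (RFC 4226) and TOTP (RFC 6238) together with the two server-side details that matter most in practice: a small window for clock drift, and refusing a code whose time step has already been accepted. The SecondFactor class and the provisioning_uri helper are my own names; the secret is the RFC test vector, not a real key.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret, now // step, digits)


class SecondFactor:
    """Server-side verifier for one user's authenticator-app codes (hypothetical)."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window        # accept +/- this many steps of clock drift
        self.last_counter = -1      # highest time step already accepted

    def verify(self, code, at=None):
        now = int(time.time()) if at is None else int(at)
        counter = now // self.step
        for drift in range(-self.window, self.window + 1):
            candidate = counter + drift
            if candidate <= self.last_counter:
                continue            # replay: a code for this step was already used
            expected = hotp(self.secret, candidate)
            if hmac.compare_digest(expected, code):
                self.last_counter = candidate
                return True
        return False


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI the user scans into an authenticator app at enrolment."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"


# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"), not a real key.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.com", "ExampleShop"))
    print(totp(RFC_TEST_SECRET, at=59))   # 287082
    checker = SecondFactor(RFC_TEST_SECRET)
    print(checker.verify("287082", at=59))   # True
    print(checker.verify("287082", at=59))   # False: same step, already used
```

The per-user secret must be stored as carefully as a password hash would be, and the verifier is one factor only: it is checked after the password (or, for the passwordless users described above, after proof of control of the phone number), never instead of it.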
At the same time you find that you need to integrate with a shipping and logistics system so that your users get seamless shipping and your staff can manage it from the back end. You also need to integrate with a customer ticketing system so that you can respond to customer support queries. All of these systems come with their own identity management, and you want single sign-on and seamless session management so that your customers do not have to sign in every time they switch between systems, not to mention having to remember which username and password they used for which subsystem.
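Single sign-on, both here and in the cost-efficiency section earlier, rests on one idea: the user logs in once at an identity provider, which hands back a signed assertion that every other application can verify without ever seeing the password. As an added example (not from the original post, and a deliberately simplified stand-in for what SAML assertions or OpenID Connect ID tokens carry, not how Okta or Auth0 implement them), here is a Python sketch with an IdentityProvider that issues HMAC-signed tokens and ServiceProviders (shop, shipping, ticketing) that check signature, expiry and audience before trusting the identity inside. All class names, field names and the shared key are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """The one place users log in; it issues signed assertions (hypothetical)."""

    def __init__(self, signing_key):
        self.signing_key = signing_key

    def issue(self, subject, audiences, ttl=300, now=None):
        """Sign claims naming the user, the apps the token is for, and its expiry."""
        now = int(time.time()) if now is None else int(now)
        claims = {"sub": subject, "aud": sorted(audiences), "iat": now, "exp": now + ttl}
        body = _b64(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
        sig = hmac.new(self.signing_key, body.encode("ascii"), hashlib.sha256).digest()
        return body + "." + _b64(sig)


class ServiceProvider:
    """One application (shop, shipping, ticketing) that trusts the IdP."""

    def __init__(self, name, signing_key):
        self.name = name
        self.signing_key = signing_key

    def accept(self, token, now=None):
        """Return the verified subject, or None if the token must be refused."""
        now = int(time.time()) if now is None else int(now)
        try:
            body, sig = token.split(".")
            expected = hmac.new(self.signing_key, body.encode("ascii"), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _unb64(sig)):
                return None                      # forged, tampered, or wrong key
            claims = json.loads(_unb64(body))
            subject, audiences, expiry = claims["sub"], claims["aud"], claims["exp"]
        except (ValueError, KeyError, TypeError):
            return None                          # malformed token
        if expiry <= now:
            return None                          # expired: the user must log in again
        if self.name not in audiences:
            return None                          # issued for some other application
        return subject


if __name__ == "__main__":
    key = b"constructed-shared-signing-key"    # placeholder, not a real secret
    idp = IdentityProvider(key)
    apps = [ServiceProvider(n, key) for n in ("shop", "shipping", "hr")]
    token = idp.issue("alice", ["shop", "shipping"])
    for app in apps:
        print(app.name, "->", app.accept(token))   # shop/shipping -> alice, hr -> None
```

Three checks do the work: the signature proves the identity provider issued the token, the expiry bounds how long a stolen token is useful, and the audience stops a token meant for the shop from being replayed against HR. Real SSO products sign with an asymmetric key so that the applications hold only the public half and cannot mint tokens themselves; the HMAC here keeps the example short.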
Then business improves and you find that the best way for you to expand into another country is to acquire the leading ecommerce company in that country and that company comes with its own systems and integrations. But you want your users in one country to have a seamless experience when they want to buy from merchants in the other country.
How do you make all of this happen in a secure and seamless way?
Well, that is where Identity and Access Management products like Okta and Auth0 come in. They help you manage all these scenarios in such a way that you can start from the simplest scenario and scale up to the most complex with as little code as possible.
There is a saying that “friends don’t let friends build auth.”
This is because, given the complexity of everything I described above, there is a good chance that if you go on to build all these systems yourself, not only will you likely spend more time on your identity management system than on your core business logic, you also run the risk of making mistakes that may prove very costly for your business.
The future of IAM
I will close with a few lines on the future of Identity and Access Management, which is a world where anyone can safely use any technology. This is actually the vision of Okta, where I work. And by any technology, I mean more than your normal web and mobile apps. Here we are even thinking about devices, extended reality, or a combination of all of the above, whether in a centralized or decentralized world. It all counts.
There is also a world where you are able to carry your identity with you and use it to access technology without necessarily needing to share your private information with anyone. One example could be having a digital wallet that contains all your ID cards in the same way that it is possible today to have a digital wallet that contains all your payment cards. You can watch this video for a glimpse of what this world could look like.
Today there is a fast-growing career path of developers, DevOps engineers, solutions architects and designers who are beginning to specialize in creating this future of identity. And I hope that this short article has inspired you to do more research into the topic to see how it applies to you.