contact us at: contact@formatica.pt
IAM – Identity and Access Management
Consumer applications
There are two specific IAM use cases for applications targeting consumers that are of most interest to developers:
Consumer identity provides a trusted, branded experience for initial user registration, single sign-on (SSO) including social login, multi-factor authentication (MFA), and user profile management.
User privacy and consent provides a trusted method of collecting user data that adequately protects personally identifiable information (PII) and adheres to privacy laws and compliance regulations.
Let’s dive a bit deeper into each of these use cases to better understand developer-specific responsibilities and the importance of working closely with security and privacy experts in these areas.
Consumer identity
Initial interaction with any consumer requires a seamless and privacy-transparent experience to onboard new users as they register and interact with your brand. This includes establishing a trusted relationship by leveraging branded experiences that verify user information as it is entered. Consumer onboarding should be streamlined with a single, scalable, and secure directory that supports defining custom attributes that are important to the brand.
Developers work directly with line of business and marketing teams to create registration forms to capture appropriate user information during registration. This process must also address data consent, privacy, and terms and conditions as users interact with the company’s web site and offerings. A single common registration experience can be created or multiple registration experiences with specific sub-brand branding and customization can be defined, all feeding into a singular view of the consumer.
Once registered, users must be authenticated to ensure they are who they purport to be, allowing them to access the systems and data to which they’ve been authorized. The most basic authentication happens when a person enters a username and password into a login screen. The IAM system looks up the account and checks the submitted password against the stored credential, which should be a salted hash produced by a deliberately slow password-hashing function rather than the password itself, so that a stolen user database does not directly yield passwords. Today’s authentication solutions include more sophisticated ways of protecting assets:
Single sign-on (SSO) solutions increase productivity and reduce friction for users. With one set of login credentials entered one time, an individual can access multiple applications, switching between them seamlessly. Developers will leverage standards like Security Assertion Markup Language (SAML) 2.0 and OpenID Connect (OIDC) to implement their SSO solutions.
Multi-factor authentication (MFA) adds another layer of protection by requiring users to present two or more factors of different kinds (something they know, such as a password; something they have, such as a phone or a hardware key; something they are, such as a fingerprint) in addition to identifying themselves with a username. For example, you might be asked to enter a password and a temporary code from an authenticator app, or one sent by email or text message. Codes delivered by SMS or email are the weakest of these options: they can be phished in real time or intercepted through SIM swapping or a compromised mailbox, whereas authenticator apps and FIDO2/WebAuthn security keys resist those attacks.
Biometric authentication, which can be used as one of the factors for MFA, relies on a unique biological trait such as a fingerprint, retina, or face to verify identity. It is convenient and reliable, but it requires additional hardware, such as a fingerprint reader, and matching software. In most deployments the biometric is matched locally on the user’s device, which then proves possession of that device to the service; the biometric template itself is not sent to the application, which matters because a leaked biometric, unlike a password, cannot be changed.
Risk-based authentication prompts the user for MFA only when it detects signals of higher risk, such as a login from an unrecognised device, an IP address whose geolocation does not match the user’s usual location, or two logins too far apart for the user to have plausibly travelled between them in the elapsed time.
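The two items above can be made concrete. The following is an added example, not code from the original page or any vendor’s product: a TOTP verifier (the kind of temporary code an authenticator app produces, per RFC 4226 and RFC 6238) and a risk evaluation that decides whether to ask for it at all, using the new-device, location-mismatch and impossible-travel signals. It uses only the Python standard library; the user profile, device identifiers and coordinates are constructed, and the dictionary shapes for `login` and `profile` are assumptions of this example.

```python
# Added example (not code from the original page or any vendor product).
# Part 1: RFC 4226 HOTP / RFC 6238 TOTP, the "temporary code" an authenticator app
# produces. Part 2: a risk evaluation that decides whether to prompt for it at all.
# Stdlib only; every user, device and location below is constructed for illustration.
import hashlib
import hmac
import math
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """TOTP is HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, now=None, window: int = 1) -> bool:
    """Accept the current 30 s step and `window` steps either side to absorb clock skew.
    Constant-time comparison keeps the check's timing from leaking the valid code.
    A real deployment also rate-limits attempts and rejects a code that was already used."""
    counter = (int(time.time()) if now is None else now) // 30
    return any(hmac.compare_digest(hotp(secret, counter + d), submitted)
               for d in range(-window, window + 1))


# ---- risk-based step-up ----------------------------------------------------
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; faster than this is "impossible travel"


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def risk_signals(login: dict, profile: dict) -> list:
    """Return the signals that justify an MFA prompt; an empty list means the password
    alone is accepted. Assumed dict shapes (constructed for this example):
    login   = {device_id, country, geo: (lat, lon), ts}
    profile = {known_devices, home_country, last_login: {geo, ts} or None}"""
    reasons = []
    if login["device_id"] not in profile["known_devices"]:
        reasons.append("new_device")
    if login["country"] != profile["home_country"]:
        reasons.append("country_mismatch")
    last = profile.get("last_login")
    if last:
        km = haversine_km(last["geo"], login["geo"])
        hours = max((login["ts"] - last["ts"]) / 3600.0, 1e-9)  # guard against division by zero
        if km / hours > MAX_PLAUSIBLE_KMH:
            reasons.append("impossible_travel")
    return reasons


def step_up_required(login: dict, profile: dict) -> bool:
    return bool(risk_signals(login, profile))


# constructed sample: a user whose last login was from Lisbon, one hour before the next attempt
LISBON, NEW_YORK, PORTO = (38.72, -9.14), (40.71, -74.01), (41.15, -8.61)
PROFILE = {"known_devices": {"laptop-1"}, "home_country": "PT",
           "last_login": {"geo": LISBON, "ts": 1_700_000_000}}
SUSPICIOUS = {"device_id": "phone-9", "country": "US", "geo": NEW_YORK, "ts": 1_700_003_600}
ROUTINE = {"device_id": "laptop-1", "country": "PT", "geo": PORTO, "ts": 1_700_036_000}

if __name__ == "__main__":
    key = b"12345678901234567890"              # the RFC 6238 test-vector secret
    print(totp(key, 59, digits=8))             # 94287082, per RFC 6238 Appendix B
    print(risk_signals(SUSPICIOUS, PROFILE))   # ['new_device', 'country_mismatch', 'impossible_travel']
    print(risk_signals(ROUTINE, PROFILE))      # []
```

Running the block prints the RFC 6238 test vector (94287082 for T=59 with the 20-byte test secret), the three signals for a New York login one hour after one from Lisbon (about 5,400 km, far beyond 900 km/h), and an empty list for a routine login from Porto ten hours later. The verifier accepts one step either side of the current one for clock skew; a production implementation must also record consumed codes so that a captured code cannot be replayed within that window.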
To simplify how consumers interact with your brand, it’s important to provide a seamless SSO experience that allows users to leverage social logins, such as Facebook or LinkedIn. Users are offered the option to use social providers when authenticating for access to applications which have been enabled for social sign-on support. This provides a clean authentication experience to your users, giving them the ability to use credentials that they already have. Essentially, this allows users to bring their own identity (BYOI), which the provider has typically already validated. The application should still rely on what the provider actually asserts (for OIDC providers, the email_verified claim) rather than assume every attribute it receives has been verified, and should link a social identity to an existing local account only after proving control of that account.
Consumers should also be enabled to determine what MFA types can be used and provided a means to easily configure them. More generally, users must be provided a self-service experience to manage their profile settings. This includes modifying profile information, controlling data consents/permissions for opt-in/opt-out preferences, enrolling/de-enrolling MFA methods, and more.
User privacy and consent
Brand equity and reputation hinge on proper consent and data privacy stewardship. Compliance regulations are changing fast and growing in both complexity and scope, especially when it relates to user data privacy and personally identifiable information (PII). In addition, users now expect greater transparency and autonomy over their data. Specifically, regulations require that users be informed as to what is being collected and why it is being collected, and that users have control over how long they choose to share this data.
Developers continue to struggle to keep up with the latest regulations and to parse legal jargon into code and pleasing experiences. The siloed interactions between developers and privacy officers make implementation a challenge. As new laws emerge and old laws change, this can have major impact on business. As a result, there is a need for a holistic and advanced privacy and consent management system that:
Streamlines workflows across stakeholders — the compliance officer, the developer, the line-of-business owner, and the consumer.
Enables data privacy officers to author privacy rules as regulations evolve, without requiring developers to modify applications. Furthermore, these rules can be activated based on regulatory timelines.
Facilitates developer compliance with privacy regulations either through enhanced OAuth 2.0 or OpenID Connect flows, or through direct integration with well-defined application programming interfaces (APIs) that guide the developer through the assessment and consent collection process. All of this should require little to no understanding of privacy laws by developers.
A strong partnership between developers and data privacy officers is critical. Data privacy officers define data privacy and consent rules that apply to their industry and geography. These rules can be modified at any time and take immediate effect on applications that perform the data usage approval assessment to request data. In addition, data privacy officers can manage data purposes and associated attributes and indicate a need to ask the user to re-consent because of significant changes. All these self-service capabilities should use recognized privacy terminology and be enabled without requiring code changes.
Developers can remove the guesswork of having to know and apply the proper data privacy and consent rules. As rules and End User License Agreement (EULA) versions are updated by the data privacy officers, they automatically get reflected in the application without the developer having to intervene. Instead, developers can focus on core application development and comply with data usage approval decisions rendered as an API response based on rules defined by data privacy officers.
Given that granular data privacy and consent rules can be applied, the right amount of information can be requested of the consumer while practicing proper data stewardship. You don’t have to over-collect or under-collect user information. You can collect exactly what is needed while giving users the transparency into why the information is being collected and what the information will be used for. Users should also be given the ability to download the data that’s been collected on them. They should also be given the ability to remove their account at any time, with the assurance that all account-related information will be removed from all systems.
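The data usage approval assessment that the preceding paragraphs describe, as an added example that is not code from the original page or any vendor’s consent product. The privacy officers’ rules live in a data table (`RULES`) rather than in application code, so a changed legal basis, a narrowed attribute list, or a bumped notice version takes effect without a release; the application calls `assess()` before collecting or using an attribute and acts on the decision it returns. The purposes, jurisdictions, legal bases, notice versions and users are all constructed for illustration.

```python
# Added example (not code from the original page or any vendor product): a minimal
# "data usage approval" assessment. Privacy officers maintain the RULES table (data,
# not code, so it changes without an application release); the application calls
# assess() before collecting or using an attribute. Everything below is constructed.
from dataclasses import dataclass, field

# purpose -> attributes it may use, legal basis per jurisdiction, and the privacy-notice
# version a consent must have been given under to still count (bump it to force re-consent)
RULES = {
    "order_fulfilment": {"attributes": {"name", "postal_address", "email"},
                         "basis": {"EU": "contract", "US": "contract"}, "notice_version": 3},
    "marketing_email":  {"attributes": {"email", "first_name"},
                         "basis": {"EU": "consent", "US": "opt_out"}, "notice_version": 3},
    "ad_profiling":     {"attributes": {"email", "browsing_history"},
                         "basis": {"EU": "consent"}, "notice_version": 3},   # not offered in US
}


@dataclass
class Consent:
    granted: bool
    notice_version: int


@dataclass
class User:
    jurisdiction: str
    consents: dict = field(default_factory=dict)   # purpose -> Consent


def deny(reason: str) -> dict:
    return {"decision": "deny", "attributes": set(), "reason": reason}


def assess(user: User, purpose: str, requested: set) -> dict:
    """Decide allow / consent_required / deny for using `requested` attributes for `purpose`.
    `attributes` in the result is what the application may actually touch."""
    rule = RULES.get(purpose)
    if rule is None or user.jurisdiction not in rule["basis"]:
        return deny("purpose not permitted in this jurisdiction")
    excess = requested - rule["attributes"]
    if excess:                                     # data minimisation: never over-collect
        return deny("over-collection: " + ", ".join(sorted(excess)))
    basis = rule["basis"][user.jurisdiction]
    consent = user.consents.get(purpose)
    if basis == "consent":
        if consent is None or consent.notice_version < rule["notice_version"]:
            return {"decision": "consent_required", "attributes": set(),
                    "reason": "no consent under the current notice; ask (again)"}
        if not consent.granted:
            return deny("user declined")
    elif basis == "opt_out" and consent is not None and not consent.granted:
        return deny("user opted out")
    return {"decision": "allow", "attributes": set(requested), "reason": "basis: " + basis}


def record_consent(user: User, purpose: str, granted: bool) -> None:
    """Store the answer together with the notice version it was given under, so a later
    notice change invalidates it and the user is asked again."""
    user.consents[purpose] = Consent(granted, RULES[purpose]["notice_version"])
```

The decisive behaviours are that a consent is bound to the notice version it was given under (so a material change by the privacy officer forces re-consent without a code change), that an opt-out jurisdiction allows the purpose until the user objects while a consent jurisdiction denies it until the user agrees, and that a request for attributes outside the purpose is refused outright rather than partially served.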
Workforce applications
Workforce applications provide a company’s employees with services and access to data. As a result, several IAM capabilities applicable to consumer applications like social login and user privacy and consent do not apply to workforce applications. Perhaps the most critical IAM-related functionality required of all workforce applications is support for single sign-on (SSO). SSO enables employees to log in just one time with a single set of credentials to get secure access to all corporate applications, websites, and data for which they have permission.
To enable SSO, trust must first be established between an Identity Provider (IdP) and the workforce application. For SAML 2.0 the two sides exchange metadata: entity IDs, endpoint URLs, and the signing certificate the application uses to validate assertions. For OpenID Connect the application is registered as a client with the IdP and validates the tokens it receives against the keys the IdP publishes at its discovery and JWKS endpoints. Once that’s established, users authenticate once with the IdP and can access any of the workforce applications that have been configured to trust that IdP. Developers of workforce applications will leverage either the SAML 2.0 or OpenID Connect standards to implement their SSO solution.
Registering applications with the IdP is another key aspect of enabling SSO. As a first step, developers must be empowered to self-register their applications with an IdP for SSO and API access. Allowing developers to self-serve means security administrators don’t need to manually create application definitions and distribute credentials when developers want to on-board their applications.
Instead, developers should be given the option to download example code to facilitate SSO communication with the IdP, preconfigured with the application’s registration details. For OpenID Connect that is the client ID and, for confidential (server-side) clients, a client secret; public clients such as single-page and mobile applications cannot keep a secret and should use the authorization code flow with PKCE instead. For SAML it is the entity ID and the signing certificate. A client secret is a credential: keep it in a secrets store or environment configuration, never commit it to source control alongside the example code, and rotate it if it is exposed.
In addition, access to workforce applications must be carefully managed. In many cases, application access can be integrated with business governance workflows, requiring justification from users and approval from application owners or managers. When users change roles, entitlements should be dynamically adjusted to add and remove access automatically. When users need access to workforce applications, they should be able to easily request access from their application catalog.
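The SSO exchange described above (and the consumer SSO described earlier on this page) in working code, as an added example that is not part of the original page or any IdP vendor’s SDK: an OpenID Connect authorization-code login with PKCE, with the application (relying party) and a toy identity provider both simulated in-process. The issuer URL, client ID, client secret and redirect URI are made-up registration values, and the toy IdP signs ID tokens with HS256 under a shared key so that the example runs offline; a real IdP signs with RS256 or ES256 and the application verifies against the public keys published at the IdP’s JWKS endpoint.

```python
# Added example (not code from the original page or any vendor SDK): an OpenID
# Connect authorization-code login with PKCE, both sides simulated in-process.
# Assumptions: the toy IdP signs ID tokens with HS256 under a shared key (a real
# IdP uses RS256/ES256 and publishes public keys at its JWKS endpoint); issuer,
# client ID/secret and redirect URI are made-up registration values.
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://idp.example"
CLIENT_ID, CLIENT_SECRET = "app-123", "s3cret-from-registration"
REDIRECT_URI = "https://app.example/callback"
IDP_SIGNING_KEY = b"toy-hs256-key"          # demo only; a real signing key is never shared


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


# ---- toy identity provider -------------------------------------------------
_codes = {}   # one-time authorization codes: code -> {sub, nonce, code_challenge}


def idp_authorize(authorize_url: str, authenticated_sub: str) -> str:
    """The user has logged in at the IdP; validate the request and redirect back with a code."""
    q = query(authorize_url)
    if q.get("client_id") != CLIENT_ID or q.get("redirect_uri") != REDIRECT_URI:
        raise PermissionError("unknown client, or redirect_uri is not an exact registered match")
    if q.get("response_type") != "code" or "openid" not in q.get("scope", "").split():
        raise PermissionError("not an OIDC authorization-code request")
    code = secrets.token_urlsafe(24)
    _codes[code] = {"sub": authenticated_sub, "nonce": q["nonce"], "code_challenge": q["code_challenge"]}
    return REDIRECT_URI + "?" + urlencode({"code": code, "state": q["state"]})


def idp_token(code: str, code_verifier: str, client_id: str, client_secret: str) -> dict:
    """Token endpoint: consume the code once, check PKCE and the client secret, mint an ID token."""
    rec = _codes.pop(code, None)   # pop: a replayed code must fail
    if rec is None or client_id != CLIENT_ID or not hmac.compare_digest(client_secret, CLIENT_SECRET):
        raise PermissionError("invalid_grant or invalid_client")
    if b64url(hashlib.sha256(code_verifier.encode()).digest()) != rec["code_challenge"]:
        raise PermissionError("PKCE verifier does not match the challenge")
    now = int(time.time())
    claims = {"iss": ISSUER, "sub": rec["sub"], "aud": CLIENT_ID, "iat": now,
              "exp": now + 300, "nonce": rec["nonce"]}
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(IDP_SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return {"id_token": f"{head}.{body}.{b64url(sig)}", "token_type": "Bearer"}


# ---- relying party (the application) --------------------------------------
def start_login() -> dict:
    """Create state (CSRF), nonce (replay) and PKCE verifier; keep them in the user's session."""
    verifier = secrets.token_urlsafe(48)
    session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16),
               "code_verifier": verifier}
    params = {"response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid profile email", "state": session["state"], "nonce": session["nonce"],
              "code_challenge": b64url(hashlib.sha256(verifier.encode()).digest()),
              "code_challenge_method": "S256"}
    session["authorize_url"] = ISSUER + "/authorize?" + urlencode(params)
    return session


def verify_id_token(token: str, expected_nonce: str, now=None) -> dict:
    """Signature first, then issuer, audience, expiry and nonce; nothing is trusted before that."""
    head, body, sig = token.split(".")
    if json.loads(b64url_decode(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # the verifier, not the token, chooses the algorithm
    expected = hmac.new(IDP_SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("token issued by or for someone else")
    if claims.get("exp", 0) <= now or claims.get("nonce") != expected_nonce:
        raise ValueError("expired, or nonce mismatch (replayed token)")
    return claims


def finish_login(session: dict, callback_url: str) -> dict:
    """Handle the redirect back: state check, redeem the code with the verifier, validate the token."""
    q = query(callback_url)
    if not hmac.compare_digest(q.get("state", ""), session["state"]):
        raise ValueError("state mismatch: possible login CSRF")
    tokens = idp_token(q["code"], session["code_verifier"], CLIENT_ID, CLIENT_SECRET)
    return verify_id_token(tokens["id_token"], session["nonce"])


def demo(user: str = "alice") -> dict:
    """Full round trip; returns the validated ID-token claims."""
    session = start_login()
    return finish_login(session, idp_authorize(session["authorize_url"], user))
```

`demo()` runs the full round trip and returns the validated claims. The checks that carry the security of the flow are the exact-match redirect URI at the IdP, the state comparison on the callback (login CSRF), the one-time use of the authorization code, the PKCE verifier check at the token endpoint, and verifying the signature before reading any claim while refusing to let the token choose its own algorithm. A SAML 2.0 integration makes the same trust decisions with different mechanics: the service provider validates the XML signature on the assertion with the IdP certificate from the exchanged metadata and checks the Issuer, Audience, NotOnOrAfter and InResponseTo values.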
Lastly, developers and/or security administrators must have access to identity analytics that enable them to:
- Review the overall health of their IAM environment
- Scan for identity lifecycle risks across users, entitlements, and applications
- Thoroughly investigate individual users and applications for detailed information on violations and AI-powered risk scores
- Highlight anomalies such as atypical entitlements within a peer group and take a remediation action, like recertifying access or removing an entitlement
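The last item in the list, atypical entitlements within a peer group, in working code, as an added example that is not code from the original page or any vendor’s analytics product. A holding is flagged when only a small share of the user’s peers (here, the user’s department) hold the same entitlement, and each flag carries that share so a reviewer can decide between recertifying and removing the access. The users, departments and entitlement names are constructed sample data, and the 30% threshold and minimum peer-group size are assumptions of the example.

```python
# Added example (not code from the original page or any vendor analytics product):
# flag entitlements that are atypical within a user's peer group, with the peer
# prevalence attached so a reviewer can recertify or remove the access.
# All users, departments and entitlements below are constructed sample data.
from collections import defaultdict

# constructed sample: user -> (peer group, entitlements held)
USERS = {
    "alice": ("finance", {"erp_view", "erp_post", "expense_approve"}),
    "bob":   ("finance", {"erp_view", "erp_post"}),
    "carol": ("finance", {"erp_view", "erp_post", "expense_approve"}),
    "dave":  ("finance", {"erp_view", "prod_db_admin"}),               # a DB admin right in finance
    "erin":  ("eng",     {"repo_write", "prod_db_admin", "ci_admin"}),
    "frank": ("eng",     {"repo_write", "prod_db_admin"}),
    "grace": ("eng",     {"repo_write", "ci_admin"}),
    "heidi": ("eng",     {"repo_write", "finance_ledger_export"}),     # left over from a previous role
    "ivan":  ("legal",   {"contracts_rw"}),                             # group of one: nothing to compare
}


def peer_prevalence(users: dict) -> dict:
    """group -> {entitlement: fraction of group members holding it}."""
    members = defaultdict(list)
    for name, (group, _) in users.items():
        members[group].append(name)
    prevalence = {}
    for group, names in members.items():
        counts = defaultdict(int)
        for name in names:
            for ent in users[name][1]:
                counts[ent] += 1
        prevalence[group] = {ent: n / len(names) for ent, n in counts.items()}
    return prevalence


def find_outliers(users: dict, threshold: float = 0.3, min_peers: int = 3) -> list:
    """Flag (user, entitlement) pairs where fewer than `threshold` of the user's peers hold
    the entitlement. Groups smaller than `min_peers` are skipped: in a group of one,
    everything the member holds is 100% typical and the comparison proves nothing."""
    prevalence = peer_prevalence(users)
    size = defaultdict(int)
    for group, _ in users.values():
        size[group] += 1
    flags = []
    for name, (group, ents) in users.items():
        if size[group] < min_peers:
            continue
        for ent in sorted(ents):
            share = prevalence[group][ent]
            if share < threshold:
                flags.append({"user": name, "entitlement": ent, "peer_group": group,
                              "peer_share": round(share, 2), "action": "recertify_or_remove"})
    return flags


if __name__ == "__main__":
    for flag in find_outliers(USERS):
        print(flag)   # dave/prod_db_admin (25% of finance) and heidi/finance_ledger_export (25% of eng)
```

On the sample data the function flags Dave’s production database admin right (held by one of four finance users) and Heidi’s ledger export right (one of four engineers), and says nothing about Ivan, whose department of one offers no peers to compare against. Real identity analytics layer further signals on top of the same idea, such as segregation-of-duties rules and the sensitivity of the entitlement, but peer-group prevalence is the core of the “atypical entitlement” anomaly.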