10 tips for your next Identity and Access Management (IAM) project

2018/9/23 posted in Authn&Authz

https://www.linkedin.com/pulse/10-tips-your-next-identity-access-management-iam-project-schwartz/

It’s no secret that identity and access management (IAM) requirements can be extremely diverse from one organization to the next. And because IAM is a fairly specialized skill set, the cost of finding and employing contractors can be high. As with any special purpose integrator, you want to use their services tactically to help you jump start the project.

Here are ten recommendations to help you get the most out of your next identity and access management project:

  1. Keep the initial scope limited. You can always define subsequent phases. I would suggest a pilot where you propose a design and build out a sample infrastructure including your IAM platform (like the Gluu Server!) and sample Web, mobile, and desktop applications. This would buy you some time to do a more detailed analysis of how to roll out the new access management service to all your applications.
  2. Remember--Identity Management (IDM) and Access Management are different. IDM enables you to define a workflow for user create, update, and delete events. Once you know who the people are, access management enables you to define who can get to what, and what the available interfaces are to the applications.
  3. Outsourcing IAM is great, but will it give you the flexibility and security your organization requires? Also, are you ready to pay per user? If the answer to any of these questions is "no," then you may need an on-premises identity solution.
  4. Centralize! Consolidation saves money. It's more efficient if application developers focus on business processes than security. Also, hard coding security into applications can lead to problems when security policies change, or new technologies become available--then you have to update and re-QA the application or API. Create services centrally to identify people, and to define policies about who can access what resources.
  5. Make sure your organization’s operational staff is involved from day one. You don’t want to have the integrators just hand over the keys at the end of the project.
  6. Future proof your solution by making sure your federation platform supports OAuth2, including OpenID Connect, which provides APIs for user identification, and UMA, which provides APIs for central access management. Like any other APIs, you need to market these new OAuth2 APIs to developers at your organization. Leave time to develop a showcase application so developers can look at actual code. Make the pilot environment available for testing by application developers.
  7. To drive down the cost of the application integrations, you need to provide developers with information about the federation schema, standards, and best practices. Just to give you an idea, here is a sample federation site.
  8. Do you want to support external identities? If your enterprise customers have their own SAML or OpenID Connect identity provider (IDP), and your organization wants to enable those users to use their home credentials, you will need to define both business and technical processes to onboard them. Social login is also a form of external identity. If you decide to trust a consumer IDP like Google or Facebook, you must also define the workflow for user enrollment and authentication.
  9. Think about how you identity proof people (how does a person prove they are who they say they are?). If you issue strong credentials to someone impersonating another individual, your strong credentials mean nothing. The integrity of your identity system relies on a careful business process to issue and manage credentials. Can you identity proof a person in person? For example, when an employee provides an I-9, someone at your company looks at the person, looks at their ID documents, and validates that they match. Do you validate that the identity documents themselves are genuine? You can use services like AuthenticID to validate these physical credentials. If you enroll a person online, you can ask the person to take a selfie and to take a picture of their physical credentials, such as the front and back of their driver's license.
  10. Two-factor authentication, a.k.a. 2FA: One of the main advantages of a centralized authentication and authorization platform is that it enables many applications to leverage your investment in a strong authentication technology. Duo Authentication and Yubikey are two examples of 2FA that you can implement with ease. If you need a custom 2FA application, you may be interested in Gluu's free open source mobile software called oxPush. But no matter what technology you choose, remember a credential is only as strong as the weakest reset mechanism. If you can reset your hardware token by receiving an email, hackers will skip the token and go straight for the account reset process! Create many ways to strongly identify a person, and implement policies so that in order to reset a credential, you must provide a credential of equal or greater strength. If you lose your most secure credential, the person should have to re-identity proof. But don't wait. 2FA is something every company needs to implement right now, if only for a subset of the people in your organization.
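Tip 10's reset rule (a credential may only be reset by presenting a credential of equal or greater strength, and losing your strongest credential sends you back to identity proofing) is easy to state but easy to get wrong in an account-recovery flow. The following is an added example, not code from the original post or from Gluu; the strength ranks, credential names and the `evaluate_reset` function are constructed assumptions for illustration. It shows the weak-link case the post warns about: an email link must never be allowed to reset a hardware token.

```python
"""Credential-reset policy check (added example; ranks are constructed assumptions).

Rule: a reset of credential X is authorised only by a verified credential whose
strength is >= X. If nothing enrolled on the account can outrank the strongest
credential, the only path is re-identity-proofing, never a weaker factor.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Strength(IntEnum):
    """Ordered assurance tiers for this example (constructed, not a standard)."""
    EMAIL_LINK = 1
    PASSWORD = 2
    TOTP = 3
    PUSH_APP = 4
    HARDWARE_TOKEN = 5


# Credential types an account may hold, mapped to their tier (assumption).
STRENGTH: dict[str, Strength] = {
    "email_link": Strength.EMAIL_LINK,
    "password": Strength.PASSWORD,
    "totp": Strength.TOTP,
    "push_app": Strength.PUSH_APP,
    "hardware_token": Strength.HARDWARE_TOKEN,
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    reproof_required: bool = False  # True when only identity proofing can help


def evaluate_reset(target: str, presented: list[str], enrolled: list[str]) -> Decision:
    """Decide whether `target` may be reset.

    `presented` are credentials the user has just successfully verified in this
    session; `enrolled` are the credentials registered on the account. Only
    enrolled credentials can vouch for a reset, so an attacker cannot "present"
    a factor the account never had.
    """
    if target not in enrolled:
        return Decision(False, f"{target} is not enrolled on this account")

    need = STRENGTH[target]
    usable = [STRENGTH[c] for c in presented if c in enrolled]
    best = max(usable, default=None)

    if best is not None and best >= need:
        return Decision(True, f"authorised by {best.name.lower()} (tier {int(best)})")

    strongest_enrolled = max(STRENGTH[c] for c in enrolled)
    if need == strongest_enrolled:
        # No enrolled factor outranks the target: fall back to the identity
        # proofing process rather than letting a weaker factor reset it.
        return Decision(False, "no enrolled credential can vouch for the strongest one",
                        reproof_required=True)

    have = "nothing usable" if best is None else f"tier {int(best)}"
    return Decision(False, f"presented {have}, need tier {int(need)}")


if __name__ == "__main__":
    # Constructed account: password, email link and a hardware token enrolled.
    account = ["password", "email_link", "hardware_token"]
    # The weak-link scenario from the post: email link trying to reset the token.
    print(evaluate_reset("hardware_token", ["email_link"], account))
    # A strong factor may reset a weaker one.
    print(evaluate_reset("password", ["hardware_token"], account))
```

The important design choice is the `reproof_required` branch: when the credential being reset is the strongest thing on the account, the policy refuses to let any weaker factor stand in for it and routes the user to the identity-proofing process from tip 9, which is exactly the "weakest reset mechanism" gap the post describes.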

Should you have questions about this advice, please schedule a meeting with me to discuss further.

If you need to identify customers, partners, employees, and devices, you should check out the free open source Gluu Server. Using a Gluu Server, you can centralize your authentication and authorization service and leverage open web standards to enable federated single sign-on (SSO) and web and API access management.

More posts from Mike Schwartz: