In the digital era, IT is becoming increasingly service-oriented, cloud-based and supported by artificial intelligence (AI) technologies. As a result, there has been a rapid growth in digital interactions between people, processes and things.
Each of these actors or entities has an identity, and it is essential for organisations to be able to manage those identities and control what resources they can interact with for business, security, privacy and compliance reasons.
Organisations are familiar with managing and controlling access for human identities, but the rapidly growing number of non-human identities is a relatively new phenomenon. Consequently, managing these identities is relatively unfamiliar territory and there is little or no support for doing so in traditional identity and access management (IAM) applications, processes and approaches.
Digital identities are at the core of digital transformation, information security and privacy, making it extremely important for enterprises to ensure they have the capability to manage all identities effectively and efficiently in a rapidly changing business, regulatory and IT environment.
One of the significant changes that have been taking place is the rapid growth in the volume and number of different types of non-human identities. Failure to ensure comprehensive identity management capabilities for these identities as well as human identities is likely to expose organisations to business, security and compliance risks.
It is therefore important for organisations to recognise where and how non-human identities are used in their IT environments and to ensure they have the necessary systems and processes in place to manage them properly.
Non-human identities are emerging in four main areas: devices, IT admin, software defined infrastructure (SDI) and artificial intelligence (AI) technologies.
Devices
The most visible group of non-human identities interacting with enterprise IT resources are devices, ranging from the personal to the industrial and internet connected devices making up the internet of things (IoT). Devices with identities that must be managed in the enterprise context include:
- Desktop and laptop computers
- Smartphones
- Tablets
- Network-connected cameras and printers
- Industrial sensors
- Smart meters
- Industrial robots
- Autonomous devices
IT Administration
Within IT administration, several account types that are not linked to any one person, but rather roles and groups within IT administration also need to be managed. These include:
- Shared accounts
- Service accounts
- Technical accounts
Software-defined infrastructure
SDI refers to computing infrastructure that is completely under the control of software with no operator or human intervention. It operates independently of any hardware-specific dependencies, and is programmatically extensible. This has resulted in several entities that interact with other entities and have their own identities that must be managed. These include:
- Containers
- Services/microservices
- Networks
- Application program interfaces (APIs)
Artificial intelligence
AI technologies have introduced a whole new set of entities to the enterprise IT environment that all have identities that need to be managed. These entities include:
- Chat bots
- Bots used in robotic process automation (RPA)
- Analytics processes
- Self-learning and self-modifying algorithms
A new approach to IAM
Digital transformation, therefore, has introduced a wide range of new identity types, which means that organisations need to change the way they approach IAM.
In the digital era, therefore, Identity Management must include not only employees, partners, contractors, customers and consumers, but all the above mentioned non-human entities as well. This is necessary to meet security and privacy requirements, while at the same time enabling business growth, frictionless consumer/customer interaction, and personalised services and content.
At the very least, businesses need to be in control of all entities interacting with their systems. Therefore, businesses must work to eliminate shared accounts so that all human or non-human entities interacting with systems have an identity that can be managed and used for applying the Principle of Least Privilege as well as for authentication, authorisation, visibility, traceability and accountability purposes. No entity should be allowed to interact with IT systems unless it has a unique identity that can be linked to an owner who can take responsibility for that entity’s actions.
It is also essential that organisations have a standard, policy-based way of managing privileged identities, which are common targets of compromise for cyber criminals. Privileged non-human identities should not be overlooked. Privilege access management (PAM) systems, therefore, must support privileged non-human identities for machines, processes, microservices and containers in both production and development environments or DevOps, where this model is followed.
In the context of digital transformation, however, businesses need to go even further to ensure that they have the appropriate strategy and loosely coupled, extensible and service-orientated IT architecture in place to enable a smooth transition to the as-a-service model, both in terms of service consumption (to reduce costs and boost productivity) and service provision (to add new revenue streams and improve consumer/customer engagement).
The success of digital transformation depends on an ability to manage the access of everyone and everything to every digital service. This means having a complete understanding of all the identities at play (human and non-human), understanding their relationships, and having a consistent, policy-based way to manage them and to secure them.
Identity fabrics
One way organisations could manage access of everyone and everything to every digital service is by enabling decentralised identities that can be created once according to agreed standards and easily maintained by the identity owners, who then can give consent for those identities to be re-used as many times as needed to grant or deny access based on centralised access policies that can be applied dynamically at time of access.
This approach is getting growing support from vendors picking up on the concept of Identity Fabrics and including support for devices and things. Going forward, organisations should plan to support all kinds of identities and ensure they have the tools to understand the level of assurance provided by each identity type so they can make informed decisions on how those identities can be used for specific transactions or interactions using risk-based scoring, and adaptive authentication and authorisation systems.
For most businesses this will mean making fundamental changes to their IT architecture to become more agile and flexible by separating identity and applications, and providing the backend systems required to make all the necessary connections using Application Program Interfaces (APIs) that bridge services, microservices and containers in the cloud (public and private) and on-premise.
These changes will result in a converged digital identity backend or identity fabric that can deliver as a utility all the identity services (including registration, verification, governance, security and privacy) required by the growing number of new digital services enabled by digital transformation that will actively consume identity services.
The term “fabric” is used to describe a set of connected enabling IT components that work together as single entity. An identity fabric, therefore, is a concept, not a single tool, that is about connecting every user to every service and is centred around managing all types of identities in a consistent manner, managing access to services, and supporting federating external identities from third-party providers as well as their own directory services.
The concept of identity fabrics refers to a logical infrastructure that enables access for everyone and everything to any service within a consistent framework of services, capabilities and building blocks that are part of a well-defined, loosely-coupled overall architecture that is ideally delivered and used homogeneously via secure APIs.
Identify fabrics, therefore, are focused on delivering the APIs and the tools required by the developers of digital services to support advanced approaches to identity management such as adaptive authentication, auditing capabilities, comprehensive federation services, and dynamic authorisation through open standards like OAuth 2.0 and OpenID Connect. In the context of non-human identities, the identify fabric concept is a useful starting point because it provides a centralised, non-siloed, consistent and policy-based way of managing all identities.
Recommendations
IAM has never been more challenging as the IT world becomes increasingly services-oriented, mobile and cloud-based. These changes include a proliferation of non-human identities, which is something no organisation can afford to overlook as they gear up their IAM capabilities for the short, medium and long term. In the short term, it essential that all organisations:
- Identity where and how non-human entities interact with their IT systems
- Ensure that all these entities have unique identities that can be managed
- Identify all non-human identities with privileged access
- Ensure PAM systems are in place and configured to manage privileged non-human identities
In the medium to long term, organisations need to adapt to a new way of doing business in an increasingly digital and services-based world. IAM must therefore evolve to become a service akin to an Identity utility that is easy to consume and flexible in supporting emerging business requirements across heterogenous and increasingly hybrid modern enterprise IT environments.
Organisations can use the identity fabric concept to provide all services in a standardised manner that integrates back to legacy IAM systems, where necessary, while being able to deliver a scalable, comprehensive set of centralised, consistent and integrated Identity services accessed via secure APIs to meet new, emerging and future IAM challenges, which include managing non-human identities.
Organisations can future-proof their IAM capabilities by taking a services-based approach to enable anyone or anything to connect to everything using decentralised identities. To pave the way, organisation should:
- Assess and understand the state of current IAM systems
- Understand the types of human and non-human identities that will need to be served after digital transformation
- Define the capabilities and services of a future Identity Fabric based on these requirements
- Identify the gaps between the current and desired future state of Identity Management
- Define a future Identity Fabric built on an Identity API Platform
- Select an appropriate set of technologies for the core services of a future Identity Fabric and build a loosely coupled, extensible and service-orientated IT architecture
- Identify what existing technologies can be used and whether/when these need to be migrated to a services-based model and plan for a phased migration
- Examine the APIs used by the chosen technologies to define a consistent, stable API layer
- Educate software architects and developers on how to use these APIs
- Define central policies to enable consistent Access Governance across the enterprise
These steps will enable the organisation to start building digital services based on a future-proof identity fabric to provide a centralised set of services to enable a consistent approach to access management, identity governance and administration (IGA), consent, and privacy.