Solving enterprise, consumer IAM challenges with identity virtualization and federation
How an identity team can leverage its IAM experience in the consumer market
11 July, 2016
category: Corporate, Digital ID, Financial
Michel Prompt, Founder and CEO, Radiant Logic.
Reaching out through direct digital channels to your customers, partners, and other constituencies is the new imperative for most sizable enterprises. Security architects have a wealth of experience with identity management — but can they take what they have learned with employees and apply it to the burgeoning customer identity market? Whether an enterprise opts for a consumer IAM package or wants to extend existing investments in a federation stack, there are two main challenges:
- Scale: Sizable companies have more customers than employees, and if not, they’re higher-value targets — with much higher expectations
- Mapping/Integration: While IAM is based around LDAP/Active Directory, customer identities are in SQL or APIs — and this data is spread across applications, such as Salesforce or billing, requiring integration to deliver a “complete profile”
With a new consumer IAM solution, an enterprise gets a toolset that’s purpose-built for customers and should scale well. While such tools generally support SQL and LDAP, there’s still an integration challenge if you’re pulling customer identity data from multiple sources.
Extending the existing IAM infrastructure means working with familiar tools while gaining better ROI. But again, there’s the issue of integrating information across systems — and few security architects want to become high priests of SQL. Whichever path the enterprise chooses must scale in terms of users, their devices, and the interactions between them. It should also be easy to access customer attributes and use them to drive greater understanding of each individual, so you can deliver secure, one-stop access, while also offering targeted services and promos. After all, delivering the richest user experience requires an integrated profile for a 360-degree view of each customer.
User experience is a goal for employees — and a MUST for customers
Large-scale enterprises have a tough time competing against agile internet-only companies who’ve built their security from the ground up for optimal online service. It can be costly to create a seamless experience across multiple lines of business or deliver strong security that doesn’t get in the shopper’s way. But while your company may not be digital first, you’ve been gathering valuable intel on your customers for years. You just need to harness that information to meet—and exceed—your customers’ needs online.
The first requirement for consumer IAM is user registration. The new consumer registration process will record the identity and credentials of a user who interacts with your system for the first time, but that doesn’t mean they’re a new prospect or customer.
It’s simply a new channel: for most companies, existing off-line customers will be registering via the portal, and their user experience is paramount. The goal is providing a seamless omni-channel customer experience—one that leverages the digital, while honoring the existing relationship, with no gaps between brick and mortar, online or phone experiences.
The reality of IAM and consumer IAM: Complexity, difficult integrations
Security architects in large companies face predictable challenges. The current federation stack is tightly tied to LDAP and Active Directory, employee-based identity data stores, which, in the case of AD, offer an authoritative list of employees that’s at the center of the local network.
These legacy infrastructures don’t always work well together, which makes authenticating users a real challenge, much less delivering seamless SSO, fine-grained access, or the best experience across platforms.
Smart security architects have discovered a way to map these different directory systems, unifying identities with a federated identity service based on advanced virtualization. Such a service creates a global list of users where everyone is represented once, as well as global profiles containing attributes from across diverse sources. Whether you invest in a customer IAM package or retrofit your existing IAM infrastructure, this same federated identity service can help your solution scale in every direction, while eliminating the hassle of on-the-fly integration, so customer data stays in SQL but gets consumed as LDAP.
One common platform based on identity federation and virtualization
While customers expect a frictionless experience, the lack of a common view across data silos is a major security issue — and a global identifier/link is often required to enable high-value targets such as single sign-on (SSO) or provisioning.
To securely authenticate and authorize all users, companies need quick access to customer databases, where those identities are stored and managed. SQL is not a fast engine for authentication, though, and its slow “join” function severely inhibits authorization. The federated identity service unifies the identity environment, providing a common representation of all users across heterogeneous sources and enabling these use cases:
Faster authentication and streamlined SSO: Most enterprise identity architects customize each new initiative, building one-off access to the attributes in SQL databases at the speeds their security demands. Such custom tinkering is costly and unscalable—but by virtualizing SQL and mapping it to LDAP, your company can maintain its existing infrastructure, while giving customer apps immediate access to the best security and performance. No more homegrown code or slow connections — just a flexible federated identity layer that enables fast log-ins and smarter SSO.
Fine-grained authorization and customized services: Performing dynamic distributed joins across many heterogeneous data stores is compute-intensive—and expensive. A federated identity service makes it easy to perform distributed joins across many sources, without sacrificing speed. So you can dynamically join information that changes constantly, building materialized views that meet the needs of your consuming applications.
These always up-to-date, persisted views can be delivered quickly in the appropriate protocol. So companies now have access to essential attributes that have long been siloed within SQL, driving more fine-grained authorization decisions and customer-focused services, micro-targeted for each individual.
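The mechanics described in the two sections above (a global list where each person is represented once, attributes joined across an LDAP-style employee store and a SQL customer table, and the result materialized as a view that can be served in LDAP form) can be sketched in a few dozen lines. The following is an added illustration written for this page, not Radiant Logic code and not how any product implements it: the employee entries, the SQLite customer table, the base DN `ou=global,dc=example` and the choice of normalized e-mail address as the correlation key are all constructed assumptions. The correlation key is the security-relevant design decision: whatever attribute links records across stores must be unique and trustworthy in every source, because a bad link merges two people into one profile and grants each the other's entitlements.

```python
"""Toy identity virtualization layer (added example, constructed data only):
correlate a SQL customer table with an LDAP-style employee store, materialize
one global profile per person, and render it as LDIF."""
import sqlite3

# Constructed "LDAP/AD" source: two employee entries as a directory might return them.
EMPLOYEE_ENTRIES = [
    {"dn": "cn=asmith,ou=people,dc=corp,dc=example", "sAMAccountName": "asmith",
     "mail": "Alice.Smith@Example.com", "department": "Sales",
     "memberOf": ["cn=staff,ou=groups,dc=corp,dc=example"]},
    {"dn": "cn=bjones,ou=people,dc=corp,dc=example", "sAMAccountName": "bjones",
     "mail": "bob.jones@example.com", "department": "Support", "memberOf": []},
]

# Constructed SQL source rows: (customer_id, email, tier, phone).
# Row 1003 is the same person as 1001 with case/whitespace noise, a typical dirty-data case.
CUSTOMER_ROWS = [
    (1001, "alice.smith@example.com", "gold", "+1-555-0100"),
    (1002, "carol.white@example.net", "silver", "+1-555-0101"),
    (1003, "ALICE.SMITH@example.com ", "gold", None),
]


def load_customer_db():
    """Build the in-memory SQLite table standing in for the customer database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, tier TEXT, phone TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?, ?)", CUSTOMER_ROWS)
    return conn


def normalize_email(addr):
    """Correlation key: assumed unique per person in every source (a design assumption)."""
    return addr.strip().lower()


def build_global_directory(conn, employees):
    """Return {global_id: profile}; each person appears exactly once with joined attributes."""
    profiles = {}

    def upsert(email, source, attrs):
        gid = normalize_email(email)
        p = profiles.setdefault(gid, {"uid": gid, "sources": [], "attrs": {}})
        if source not in p["sources"]:
            p["sources"].append(source)
        # First value wins; a later conflicting value is ignored rather than silently overwriting.
        for key, value in attrs.items():
            p["attrs"].setdefault(key, value)

    for e in employees:
        upsert(e["mail"], "ldap", {"employeeId": e["sAMAccountName"],
                                   "department": e["department"],
                                   "memberOf": list(e["memberOf"])})
    for cid, email, tier, phone in conn.execute("SELECT id, email, tier, phone FROM customers"):
        attrs = {"customerId": cid, "tier": tier}
        if phone:
            attrs["phone"] = phone
        upsert(email, "sql", attrs)
    return profiles


def lookup(view, email):
    """Keyed lookup against the materialized view, the fast path an authenticating app would use."""
    return view.get(normalize_email(email))


def to_ldif(profile, base_dn="ou=global,dc=example"):
    """Render one global profile as an LDIF entry so LDAP consumers never see the SQL schema."""
    lines = [f"dn: uid={profile['uid']},{base_dn}", "objectClass: inetOrgPerson",
             f"uid: {profile['uid']}", f"mail: {profile['uid']}"]
    for key, value in sorted(profile["attrs"].items()):
        for val in (value if isinstance(value, list) else [value]):
            lines.append(f"{key}: {val}")
    return "\n".join(lines)


if __name__ == "__main__":
    view = build_global_directory(load_customer_db(), EMPLOYEE_ENTRIES)
    for entry in view.values():
        print(to_ldif(entry), end="\n\n")
```

Running the block prints three entries, not four: the two rows for Alice collapse into one profile that carries both her employee attributes from the directory and her customer tier from SQL, while Carol's customer-only profile has no group memberships. In a real deployment the view would be refreshed from the sources on a schedule or by change notification, and the correlation rule would be reviewed with the same care as any other access-control input.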
The best of both worlds: store in SQL, secure and scale via federated ID
By federating identity from across diverse stores, IAM and customer IAM data can rely on the same identity virtualization platform—and enterprises don’t have to be SQL experts to take advantage of the data stored in the customer database.
A global identity service enables companies to improve security and deliver better service, all while saving time and money. By mapping customer data to LDAP, integrating global customer profiles, and scaling dynamically to meet demand, the federated identity service secures the existing application infrastructure, ensuring access and enabling richer customer outreach.