Permanently out of office?

The concept of bring your own identity is still in development, but is promising from the perspective of privacy and convenience for the end-user.

Identity is the new perimeter – this is used so often these days that it has almost become a cliché in articles pertaining to cyber security. The expression traces back approximately a decade to when bring your own device and home/office flexibility was being introduced into many businesses.

In this 2020 COVID-19 situation, it has become clear that many businesses will, going forward, no longer retain office real estate and will have an IT infrastructure that resides entirely in the public cloud.

The identity of employees is now the only key to entry. The safety of the network perimeter is well and truly gone.

The coronavirus lockdown and resulting work from home movement was a stress test that has proven work from home is viable for the employees of many knowledge businesses. Viable has now evolved into preferable and employees will not be prepared to go back to corporate network lockdown.

In support of this fact, a recent IBM study found that 75% of employees prefer to work from home, at least occasionally.

The thinking is, why expose yourself to a stressful commute, inefficiencies of in-person communication, possibly substandard office workplaces, and not to mention, the still present pandemic?

The office spaces of many companies will be minimised for infrequent social gathering purposes or eliminated altogether. This means that, barring only physical hands-on or machine automated industries, the office will not contain any centralised IT infrastructure. This will come with several issues to consider around identity and access management.

Interoperable identities

Going with a decentralised, third-party provider-based IT model means that silos of identity begin to form. Fortunately, the number of online identity platforms is consolidating to a few major vendors. Ensuring your SaaS applications can utilise your existing identity platform solves this identity silo challenge.


Another option is to use a dedicated single sign-on platform which can leverage all identity providers and translate these logins to any other SaaS service providers.

Bear in mind that there will always be legacy technologies that simply must maintain a silo of identity. Choosing a solution that has strong integration with older applications can be an effective bridge for managing access.

Identity can’t be used in isolation. The device from which the user is authenticating must also be managed. Consider that there is no more ‘over the shoulder’ monitoring of the kind that would have happened in an office.

It is known that employees are blending personal and work activities on their own or company-issued equipment. People are effectively doing their work, talking to their relatives, doing their shopping and any number of activities from the same device.

This creates risk in a number of ways where the presence of malware, spyware and general insecure configuration can cause issues for the organisation. The possibility for data loss or data leakage is high if no data loss prevention specific solution is in place. A good quality IT asset management and monitoring solution mitigates these risks.

The security of a login, which can be initiated from anywhere, is a challenge and one that is best mitigated by multifactor authentication. While it is a good security mechanism, it can be overbearing for the average user to repetitively provide multiple credentials.

Context-based or risk-based authentication minimises impact on the end-user by only prompting them for multiple authentication factors when risk is calculated above a certain threshold.

Take as an example the metadata surrounding the average login. Date/time, geolocation, last login time, and the number of previous logins per period are a few among many data points on which to calculate risk, along with information about whether the device is new or already known, as discussed earlier.
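As an added illustration (not code from the article), the following scores a login from exactly the metadata listed above and only asks for a second factor when the score crosses a threshold; the weights, threshold, profile fields and sample logins are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Illustrative risk-based (context-based) authentication: all weights,
# thresholds and sample data below are constructed assumptions.
MFA_THRESHOLD = 50
FAST_TRAVEL_WINDOW = timedelta(hours=2)

@dataclass
class Login:
    user: str
    ts: datetime          # UTC timestamp of the attempt
    country: str          # geolocation of the source address
    device_id: str        # identifier of the (managed) device

@dataclass
class Profile:
    known_devices: set[str]
    usual_countries: set[str]
    usual_hours: range                 # UTC hours the user normally logs in
    last_login: Login | None = None
    logins_last_24h: int = 0
    typical_logins_per_day: int = 4

def risk_score(attempt: Login, p: Profile) -> tuple[int, list[str]]:
    """Additive risk score plus the signals that contributed to it."""
    score, reasons = 0, []
    if attempt.device_id not in p.known_devices:
        score += 30; reasons.append("new device")
    if attempt.country not in p.usual_countries:
        score += 25; reasons.append("unusual geolocation")
    if attempt.ts.hour not in p.usual_hours:
        score += 15; reasons.append("outside usual hours")
    # Country changed within a short window of the previous login
    if (p.last_login and p.last_login.country != attempt.country
            and attempt.ts - p.last_login.ts < FAST_TRAVEL_WINDOW):
        score += 40; reasons.append("country changed since recent login")
    if p.logins_last_24h > 3 * p.typical_logins_per_day:
        score += 20; reasons.append("login volume spike")
    return score, reasons

def decide(attempt: Login, p: Profile) -> str:
    """'allow' for low-risk logins, 'step_up_mfa' once the threshold is reached."""
    score, _ = risk_score(attempt, p)
    return "step_up_mfa" if score >= MFA_THRESHOLD else "allow"

# Constructed sample data: a routine login and a suspicious one an hour later
T0 = datetime(2020, 9, 1, 9, 0, tzinfo=timezone.utc)
PROFILE = Profile({"laptop-01"}, {"ZA"}, range(7, 19), Login("gd", T0, "ZA", "laptop-01"), 2)
ROUTINE = Login("gd", T0 + timedelta(hours=1), "ZA", "laptop-01")
SUSPECT = Login("gd", T0 + timedelta(hours=1), "DE", "phone-new")
```

The routine login scores zero and passes silently, while the suspicious one accumulates enough signals (new device, unusual country, country change shortly after the last login) to trigger the extra factor.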

True decentralisation of identity

Taking a big picture view of identity, as we see further decentralisation, we must ask at what point the end-user will become entirely responsible for their own identity.

The concept of bring your own identity is one that is still in development. It’s promising from the perspective of privacy and convenience for the end-user. This will inevitably be based on a blockchain-type solution with a decentralised, open processing model.

The benefits here are that a person effectively sets up one online profile and then uses that as their login to any service, whether that be health, financial or otherwise.

They then choose what data to share with each service, maintaining their personal data and revoking access on provision of service.

The question of permissions, roles and privileges (for organisational purposes) is still being worked on with this concept but I believe even then, role information can be stored in the unified profile with a two-way trust established for organisational roles.

This continues to be an interesting development to watch as identity management shifts further away from the organisation to the individual.

Gregory Dellas

Information security specialist working for CA Southern Africa

Gregory Dellas, CISSP, is an information security specialist who has worked for CA Southern Africa since 2018. He is a former EU-GDPR practitioner and draws on more than a decade of consulting in multi-disciplinary security roles across the broader IT industry.
