5 questions to Tommaso Re
1. Why should you choose the Identity and Access Management solution?
All companies need a dedicated infrastructure to manage the authentication and authorization functions in order to guarantee secure access to data, systems, services and applications, through a “Secure Domain” in which security services are centrally managed and integrated for all applications of the Domain. Without a dedicated infrastructure it is impossible to ensure an automated, centralized and controlled governance of the user authorizations by business roles, and compliance with the security standards for application access and Audit management.
2. What are the benefits of an effective Identity and Access Management strategy?
Identity and Access Management plays a key role in defining the Digital Transformation strategy of all companies that must guarantee new secure digital processes that are easily accessible by customers and employees. Access strategies should be considered in the initial phase of the design of a digital process, when the main focus is given to the usability and the ease of access for the users (customers, employees or partners).
Numerous companies contact us when they have to evaluate the validity of their IAM strategies, which are often not aligned with the expectations of their customers and employees, who rightly demand the reliability and usability of the digital services. Highly complex authentication processes are probably more secure, but are also responsible for a negative user experience.
By implementing a correct IAM Digital Transformation strategy companies can benefit from a complete visibility of their customers’ behavior, through the access information, such as: the point of access, the chosen authentication mode, the frequency of access, and the usage duration. This type of data, if interpreted correctly, can greatly improve the security strategy, help identify potential breaches, raise the quality of service for the customer, and give the opportunity to market additional services.
3. What are the key drivers of our IAM strategy?
Thanks to the best IAM solutions, such as the IBM Security Verify Access (ISVA) and IBM Security Identity Governance & Intelligence (IGI), we can support our clients in building a customized interaction with their customers, ensuring the usability of the process, interface customization according to the customer’s needs, and data protection.
By implementing the right authentication policies we create engaging and simplified user experiences. To give an example, signing in with an Apple ID is considered a sufficient authentication if this request is coming from an already known location. If, on the other hand, the user logs in from a new location, or performs a sensitive transaction, they will be asked for an additional identification factor, such as a confirmation code sent to the personal e-mail address or a biometric feature, such as a fingerprint. In addition, thanks to the single sign-on feature, we can guarantee a single identification valid for multiple software systems which improves the user experience and protects the whole environment as well as the single user.
In order to provide a unified customer experience, organizations need to improve the personalization of each user profile. The information about the user may coexist in multiple systems. Being able to bring together quests and different types of information allows us to enrich the user profile and to eventually build a better customer experience. Technologies such as federated identity service unify “what we know” about the customer, so each system doesn’t have to connect to different back ends in order to obtain data. As a layer of identity integration, these services can be used to unify identity information, improve security, create personalized experiences based on identity attributes, and even maintain data locally as needed. This level of integration accelerates deployments and simplifies integration between systems, improves the ability to scale across systems, and prepares the security infrastructure for future events.
We accelerate the implementation of our solutions, offering IAM services in Cloud, such as IBM Security Verify SaaS. In some industries, internal regulations and/or policies do not allow companies to manage user identities with SaaS IAM services. The cloud-based identity service may not be suitable for companies that need to manage a large number of on-premises applications. However, we must consider that the main driver of the Digital Transformation is the revising and modernizing of local applications, which means migrating them, and therefore transforming and deploying them in Cloud. The new systems, developed for customers and/or employees, have to be secure.
We offer IAM components as microservices to accelerate time to market, enable the outsourcing of application security, and centralize security policy management without having to implement monolithic legacy technologies. Thanks to IAM microservices, we are able to create new applications using a collection of loosely coupled services that improve the modularity and flexibility of the applications in their development phase, and to create a more comprehensive interface. Identity is a key factor that allows us to build a personalized user experience when designing new applications, by enabling IAM microservices such as authorization, single sign-on, identity management, and compliance. In addition, IAM microservices can improve customer engagement by creating a unique experience across different interaction platforms (mobile applications or websites).
- Modernize Identity and Access Management infrastructure and processes by adopting DevOps models in order to combine IAM processes and technologies with IT development and operational supply chains. This creates shorter release cycles and improves the quality of business systems. We use technologies like Red Hat OpenShift for orchestration, deployment automation, scalability, and IAM infrastructure management. For the microservices, all individual components of the IAM infrastructure can be improved and deployed automatically without risking an impact on the entire IAM environment.
- Adopt new Artificial Intelligence (AI) technologies to maximize the effectiveness of our IAM Digital Transformation strategy. Today, thanks to AI, we are able to obtain user behavior information that can otherwise stay unknown. This improves the ability to provide a safer environment and to anticipate potential breaches. It also provides insights into user behavior, which is essential information for building effective digital marketing strategies.
- Improve the employee experience, considering them as “internal customers”. In the definition phase of the IAM digital transformation strategy, we apply technologies to improve the employee experience, expanding access to different technologies and allowing employees to use the devices of their choice. We are evaluating and implementing the same principles that are being used for the external customers.
- Simplify the security interactions by implementing authentication policies, easy-to-use multi-factor authentication (MFA), single sign-on, and secure access to collaboration technologies. We observe the Zero Trust Framework principles to determine the level of trust in the systems connected to the corporate network and the behavior of internal users.
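The sign-in policy described in answer 3 (a known location is sufficient; a new location or a sensitive transaction calls for an additional factor), sketched as an added Python example that is not part of the interview or of any IBM product. The class, field and factor names are hypothetical, and the sample events are constructed.

```python
from dataclasses import dataclass, field

# Assumed factor names; the interview mentions an e-mail code and a fingerprint.
EMAIL_CODE, FINGERPRINT = "email_code", "fingerprint"

@dataclass
class LoginContext:
    user: str
    location: str            # coarse location label, e.g. a city or network
    sensitive: bool = False  # request performs a sensitive transaction
    enrolled: tuple = (EMAIL_CODE, FINGERPRINT)  # enrolled second factors

@dataclass
class StepUpPolicy:
    known: dict = field(default_factory=dict)  # user -> set of known locations

    def evaluate(self, ctx):
        """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
        reasons = []
        if ctx.location not in self.known.get(ctx.user, set()):
            reasons.append("new_location")
        if ctx.sensitive:
            reasons.append("sensitive_transaction")
        if not reasons:
            return "allow", reasons
        # Fail closed: without an enrolled second factor there is no step-up path.
        if not ctx.enrolled:
            return "deny", reasons + ["no_second_factor"]
        return "step_up", reasons

    def complete(self, ctx, factor_ok):
        """Record the location as known only after the extra factor succeeds."""
        decision, _ = self.evaluate(ctx)
        if decision == "allow" or (decision == "step_up" and factor_ok):
            self.known.setdefault(ctx.user, set()).add(ctx.location)
            return True
        return False

def demo():
    # Constructed sample events, not data from the interview.
    p = StepUpPolicy(known={"alice": {"Milan"}})
    out = [p.evaluate(LoginContext("alice", "Milan"))[0],
           p.evaluate(LoginContext("alice", "Oslo"))[0],
           p.evaluate(LoginContext("alice", "Milan", sensitive=True))[0],
           p.evaluate(LoginContext("alice", "Oslo", enrolled=()))[0]]
    p.complete(LoginContext("alice", "Oslo"), factor_ok=False)  # failed code
    out.append(p.evaluate(LoginContext("alice", "Oslo"))[0])    # still unknown
    p.complete(LoginContext("alice", "Oslo"), factor_ok=True)   # verified
    out.append(p.evaluate(LoginContext("alice", "Oslo"))[0])    # now known
    return out
```

A failed second factor leaves the location untrusted, so repeated attempts from a new location keep triggering the step-up.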
4. What are the most common mistakes made in the Identity and Access Management?
The biggest technical mistake is to employ non-integrated tools to provide an IAM infrastructure. This oversimplifies deployment and introduces potential security gaps. We recommend the use of tools that are closely integrated or that have native integration, validating these systems through a proof of concept before making a major investment.
An equally big mistake is to choose the “big-bang” release mode, that is, to activate the new solution while discontinuing the “old” solution, greatly increasing the risk and reducing the ability to quantify the level of incremental improvement. Thanks to managerial and strategic support, companies can minimize the negative effect of the new release, exploiting easily replaceable systems or activating smaller services provided with greater agility following an incremental release model to obtain a clear vision of the advantages and to increase confidence in the new solutions.
The last, but not least important, mistake is to choose to take on the challenge on your own and risk the outcome of your investment.
5. What are the 5 to-do’s of a successful IAM strategy?
IAM is one of the key strategic solutions driving all new business and technological processes as well as one of the pillars of the Zero Trust principles, which focuses on the customer (buyer or employee). The user experience is critical and can be managed and addressed by a powerful layer of identity integration and easily usable micro services.
The 5 to-do’s of an effective IAM strategy are:
- Analyze the current state of the infrastructure through a specific Assessment.
- Identify the main difficulties and evaluate the best technological solutions.
- Implement an IAM strategy that focuses on flexibility.
- Evaluate the effectiveness of the implemented flows, comparing them with alternative approaches that can provide greater benefits.
- Gain the support of the internal stakeholders to set the grounds for an effective implementation of the IAM Digital Transformation strategy and to increase the investment returns.