Breathe deep, solution providers and CIOs already juggling the complexities of bring your own device (BYOD). After the recent, much-publicized breaches at Amazon and Apple, another bring-your-own element could rear its head and generate a flurry of security, management, and best-practices concerns.
This time, some pundits are discussing "bring your own identity" (BYOI), a term coined by Gerry Gebel of Axiomatics when he was with the Burton Group. So writes Dave Kearns, senior analyst at KuppingerCole, in a blog today.
Since so many Websites today encourage (and some require) people to register with their Twitter or Facebook accounts, the thinking goes, why can't employees use those same login credentials to prove their identities to the corporate network or applications?
After all, corporations spend millions of dollars every year to validate the identities of employees, partners, and suppliers -- and so do service providers like Facebook and Twitter, writes Robert Block, vice president of identity access management services group at Fishnet Security, in a blog. Today, corporations are no longer shunning these social media sites and, in some industries like retail, are being pushed to adopt consumers’ social credentials as valid identities, says Block.
In addition, Facebook and Twitter are aggressively expanding and creating "circles of trust" with third parties (such as publications and retailers), so consumers can use those logins with additional service providers. And corporations are more open to discussions about outsourcing identity-as-a-service (abbreviated IaaS here, though IDaaS is the more common form, to avoid confusion with infrastructure-as-a-service), Block writes.
This makes sense: After all, many organizations are embracing other as-a-service options; why not add identity to their menu? Cloud-based identity management makes sense at a time when businesses are scrutinizing every penny they spend, looking to transform their IT use and continue doing more with less. Nothing, it appears, is sacred.
But could it mean one day employees will sign into your company’s customer relationship management software via Facebook? Or enter the corporate LAN using their Twitter sign-ons? What about privacy and users’ concerns about Facebook’s user-data policies?
As Nick Crown, director of product marketing at UnboundID writes in a really interesting company blog:
Given that the idea of leveraging one’s own identity for work purposes has been around for some time, why is this not more commonplace today? Further, why do we not see more companies serving in the role of an identity provider (IdP) out there today? Yes, Facebook Connect is an example of success in this regard, but only for a certain class of identities. No, I don’t believe we’ll see the lower level-of-assurance (LoA) credentials issued by Facebook being utilized for accessing sensitive enterprise applications. Granted, it’s feasible for Facebook to provide additional vetting and assurance for the identity information that they provide to third parties, but it is highly unlikely. Even so, there are serious conflicts of interest between their current model of selling our personal data for profit and the sensitivity associated with the access of enterprise resources. That’s not a good mix.
There have, after all, been well-known cases of "verified" Twitter accounts that were quickly shown to be hoaxes. ("Mrs. Murdoch" ring any bells?) And I can quickly come up with at least a dozen friends with fake info on Facebook. But some experts say the technology, at least, is almost ready.
Running behind the scenes, OAuth could allow social media to become the BYOI (or, as it's sometimes written, BYOId) engine. It is lightweight, portable, open, and easy to implement. One caveat a security team will raise: OAuth is a protocol for delegating access to a resource, not for asserting who the user is. A site that treats a Facebook or Twitter access token as a login credential must confirm that the token was issued to that site, or it will happily accept a token the user handed to some other, possibly hostile, app; identity layers built on top of OAuth 2.0, such as OpenID Connect, make that check explicit. As Scott Morrison, chief technology officer of Layer 7, writes in Forbes:
The insight so many miss is that OAuth is not important because of its technology; it is important because of the paradigm shift it represents. OAuth is really about the delegation of control. It moves entitlement management away from central administrators, and puts this into the hands of individual users. There’s a certain common sense behind this: after all, it’s your Twitter account; shouldn’t you be the one to decide which other applications can access it?
This simple idea subverts the entire traditional model of identity management. But this is a good thing, because pushing the problem out to users is the real secret to managing identity at scale.
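The delegation model Morrison describes, and the pitfall of using a bare OAuth token as a login credential, are easiest to see in code. The following is an added, self-contained toy of the OAuth 2.0 authorization-code flow; it is not code from the article, from Layer 7, or from any real social network. The client names ("crm", "game"), redirect URIs, users, and scopes are all made up, and the authorization server is an in-memory stand-in rather than a real OAuth provider.

```python
"""Toy OAuth 2.0 authorization-code flow (added example, all names constructed).

Shows (1) the user, not an administrator, choosing which scopes an app
receives, and (2) why a relying party that accepts any live token as proof
of identity can be logged in by a token that was issued to a different app."""
import secrets
from dataclasses import dataclass


@dataclass
class Token:
    user: str          # resource owner who granted access
    client_id: str     # the app the token was issued to
    scope: frozenset   # what the user chose to delegate


class AuthorizationServer:
    """Stand-in for a social network's OAuth server (constructed, not real)."""

    def __init__(self):
        self.clients = {}  # client_id -> (client_secret, redirect_uri)
        self.codes = {}    # auth code -> (user, client_id, scope, redirect_uri)
        self.tokens = {}   # access token -> Token

    def register_client(self, client_id, redirect_uri):
        secret = secrets.token_urlsafe(16)
        self.clients[client_id] = (secret, redirect_uri)
        return secret

    def authorize(self, user, client_id, requested_scope, redirect_uri, consent):
        """Consent screen: the user decides which of the requested scopes the
        app gets. Returns an authorization code bound to this client and URI."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise PermissionError("redirect_uri does not match registration")
        granted = frozenset(requested_scope) & frozenset(consent)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, granted, redirect_uri)
        return code

    def exchange(self, code, client_id, client_secret, redirect_uri):
        """Token endpoint: code is single-use, client must authenticate, and
        client_id / redirect_uri must match what the code was bound to."""
        entry = self.codes.pop(code, None)
        if entry is None:
            raise PermissionError("unknown or already-used code")
        user, bound_client, scope, bound_uri = entry
        if bound_client != client_id or bound_uri != redirect_uri:
            raise PermissionError("code was issued to a different client")
        if self.clients[client_id][0] != client_secret:
            raise PermissionError("bad client secret")
        token = secrets.token_urlsafe(24)
        self.tokens[token] = Token(user, client_id, scope)
        return token

    def introspect(self, token):
        return self.tokens.get(token)


def can_post(auth, token):
    """Resource-server check: the scope the user granted decides what the
    app may do with the account."""
    t = auth.introspect(token)
    return t is not None and "write" in t.scope


def naive_login(auth, token):
    """BYOI relying party that treats any live token as proof of identity."""
    t = auth.introspect(token)
    return t.user if t is not None else None


def checked_login(auth, token, my_client_id):
    """Relying party that also verifies the token was issued to *it* (the
    audience check that an identity layer such as OpenID Connect makes
    explicit in its ID token)."""
    t = auth.introspect(token)
    if t is None or t.client_id != my_client_id:
        return None
    return t.user


def demo():
    auth = AuthorizationServer()
    crm_secret = auth.register_client("crm", "https://crm.example/cb")
    game_secret = auth.register_client("game", "https://game.example/cb")

    # Alice lets the CRM read her profile but refuses the write scope.
    code = auth.authorize("alice", "crm", ["read", "write"],
                          "https://crm.example/cb", consent=["read"])
    crm_token = auth.exchange(code, "crm", crm_secret, "https://crm.example/cb")

    # Alice also signs into an unrelated game whose operator is hostile.
    code = auth.authorize("alice", "game", ["read"],
                          "https://game.example/cb", consent=["read"])
    game_token = auth.exchange(code, "game", game_secret, "https://game.example/cb")
    try:  # replaying the same authorization code must fail
        auth.exchange(code, "game", game_secret, "https://game.example/cb")
        reuse_rejected = False
    except PermissionError:
        reuse_rejected = True

    return {
        "crm_can_write": can_post(auth, crm_token),
        "code_reuse_rejected": reuse_rejected,
        # The game operator replays Alice's token at the CRM's login endpoint:
        "naive_accepts_replay": naive_login(auth, game_token),
        "checked_accepts_replay": checked_login(auth, game_token, "crm"),
        "checked_accepts_own": checked_login(auth, crm_token, "crm"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two login functions is the one the caveat above makes: the token Alice gave the game is a perfectly valid token, and the social network will answer an introspection query about it, so a relying party that stops there will log the game's operator in as Alice. Binding the token to the client it was issued for (the `aud`/`azp` check in OpenID Connect ID tokens) is what turns delegated access into something a site can use as a login.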