Identity and access management analysed and explained

My parents aren’t digital natives. But when the pandemic hit, they too had to learn to navigate life online. At a fundamental level, this meant they needed digital identities with which to access the services they had long received in person: healthcare, banking, even picking up the newspaper on the way to the train. I found myself explaining the concept of access and realising, even as an identity vendor, how easy it is to take the login box for granted.

Identity and access management (IAM) is utterly pervasive in our daily lives. Research on The State of Application Assembly shows 83% of applications today require some form of authentication to verify users’ identity and control their access to digital resources. Whether you’re ordering a gym hoodie for your teenager, messaging a colleague at work, subscribing to a news outlet, or tuning into your favourite streaming service – all of which I’ve done this week – it’s likely you’re logging in.

In most cases, we do this autopilot, barely registering as we enter our credentials unless there is a problem. Login should be simple for my parents, but that limited understanding of IAM is ill-suited for the business world where access must span many applications, comply with data privacy laws, thwart hackers, and generate revenue. In light of Cybersecurity Awareness Month, I wanted to share a few thoughts on why the login box is just the tip of the iceberg, and how to make access work securely and profitably for your business.

IAM can save on compliance and security costs

Whilst explaining access to my parents, I inevitably started with passwords. Passwords are the classic form of authentication. Only the person who knows the password can access personal information, which is, of course, why passwords have become a prime target for people pretending to be you. Either through so-called phishing attempts that trick you into divulging your credentials or by simply purchasing lists of stolen usernames and passwords from the dark web, hackers can gain access to your loyalty points, bank account information, and streaming accounts.

One of the most pervasive types of attacks is called credential stuffing, which has befallen Disney+, Tesco, Deliveroo, Boots, and the TFL’s Oyster site in the past two years. If you’re reusing passwords across sites, you’re at a higher risk for this attack, which tries previously leaked usernames and passwords against a large number of websites in an attempt to take over accounts. The Cost of Credential Stuffing report by Ponemon Institute puts the cost of credential stuffing attacks at £4.63 million ($6 million) per company per year, not to mention fines for breaches of data privacy regulation.

Classic IAM with passwords alone cannot defend against credential stuffing attacks. Multi-factor authentication (MFA) is a way to supplement passwords with a second way to prove you are who you say you are, whether that’s biometrics or a code sent to your device. People trying to impersonate you will have a much harder time getting through these defenses. If you can beat a hacker’s patience, you’ve won.

Stolen credentials are now responsible for the majority of cyberattacks according to Verizon’s 2020 Data Breach Investigations report. As a business, this should put IAM squarely in the centre of your security strategy. IAM is worthy of investment as your first line of defense not just against hackers, but against unnecessary security and compliance costs as well.

IAM can make you money by converting customers

When put in the position of explaining what we do to friends and family, many of us in the IAM space have responded with, ‘we’re the login box on your app.’ It’s true, but if this were the only benefit provided by IAM there would be little reason for business like ours to exist.

IAM is the umbrella term to describe verifying users’ identity (authentication) and granting them access to digital services based on the rights they have (authorisation). However there is a special type of IAM that deals specifically with end-user identities, called Customer Identity and Access Management (CIAM). Traditional IAM is internally-focused for employees and often a cost centre, while CIAM is externally-focused and can actually generate revenue.

Here’s how. If you’re a user of Gymshark’s conditioning app launched earlier this year, you will have needed to create an account. As consumers, we have little to no patience for long registration forms. And if you’re Gymshark, you want people who’ve created an account to be automatically logged into your retail sites to encourage conversion. CIAM is essential for solving both of these challenges and making login both effortless and secure.

But if CIAM is just Single Sign-On (SSO) with a few fancy security features, companies would still be building it themselves. This is why CIAM affords additional benefits like the ability to integrate with third-party social providers like Sign in with Apple or Google, progressive profiling to gather first-party data from the user over time (versus all at once during registration), and stringent data privacy policies to store identity information appropriately in light of decisions like Schrems II / invalidation of US-EU privacy shield.

This is the value you pay for and the return on investment can be both immediate (such as in the case of Arduino that saw a 20% increase in user conversion after turning on social logins) and lasting, like Gymshark that is now saving £900,000 per year on authentication costs.

IAM is a building block of the internet

Like the average consumer, executives aren’t used to paying much attention to IAM. But as every company becomes a software company, knowing who your users are and what they can access is essential. Like payments, messaging, even data and analytics, identity management is taking its place among the building blocks for a successful digital business.

According to a Hitachi ID report on Top IT Budget Priorities Through 2020, about 43% of IT executives said they’re investing in IAM ahead of such areas as endpoint security and security awareness training. They know there is no such thing as a corporate perimeter with one gate in and out. Users can come from anywhere in the world on any device, and IAM can both protect the company and make money in the process.

At the time of writing, I am pleased to report my parents are getting on just fine in the digital world. If you are investing in access, your business can say the same.

By Steven Rees-Pullman, SVP International, Auth0