The so-called ‘Third Platform’ is our terminology for the disruptive technology forces of social, mobile, Big Data, and cloud; in essence, solutions that are changing the very way we exist and do business. These technologies are critical in shaping Business 3.0 – business that is on the go, information that is easy to access and share, processes that are flexible and scalable, and, most importantly, business that is happening outside the bounds of the corporate network.
These technologies do bring with them a certain set of challenges; a few years ago the key issue was adoption, as user awareness of how to use these technologies to their full benefit was nascent. However, as adoption rises, concerns shift to matters such as security, compliance, and management. With each new technology, the enterprise in essence opens itself up to a new vulnerability point that must be addressed. While a layered or holistic approach to security is critical, companies can compromise their security strategies by failing to define ‘user identities’.
When an organization assigns its employees (whether junior or senior) an ‘identity’, it is not just about provisioning a name and password; there must also be a clear definition of rights to the type of data they can access and from where they can access it. This is easier said than done, with identity lifecycle management often becoming a major administrative challenge for the IT department as a result of role changes and end-of-service considerations.
With more and more organizations adopting Third Platform technologies, ‘identities’ are probably one of the best ways to manage risk. In a cloud environment (whether public, private, or hybrid), identities play a critical role in allowing employees to access service levels and help IT departments manage what information was accessed using the cloud. When it comes to social media, identities play a far more critical role, since social platforms such as business-to-consumer and business-to-business solutions will depend on the sort of interaction or engagement being carried out by the user.
Mobility is one of the few mediums where identity and seamless access play a major role. User experience is critical in the mobile sphere, and users need to know that once they enter their user name and password they will achieve the same service levels when accessing certain applications as they do when they are on their desktops/laptops. Unified identities and rights are critical not just for organizations but also for governments; for example, in the case of e-government and m-government services, the UAE government needs to ensure proper access rights are assigned to every citizen/resident ‘identity’ to ensure that these services are accessed and executed properly. In an increasingly connected world, identities will become critical as devices begin to capture information on their owners, record their preferences, communicate with other devices, and are used to complete financial transactions on the go.
Lastly, we come to Big Data; by using such technologies to harness information for things like improving decision making and analyzing logs and feeds, the information gathered will be sensitive and might have been requisitioned at a departmental level, making identity rights and access a critical factor in preventing data loss and ensuring data protection.
By having proper user-defined access and rights in place, organizations will be able to better protect their valuable information. To use identity and access management solutions properly, there needs to be a synergy between the IT, HR, and business departments from the beginning of the identity life cycle. In addition to proper definitions, identities need to be monitored so as to ensure that only active ones remain provisioned. Compliance is another major element with identities: if users violate security/information policies, compliance remediation will also be necessary without disrupting existing business operations.
However, identities come with their own set of concerns as well. Identity fraud remains prominent in the digital world, where customers of governments, banks, telcos, education institutes, and even hospitals remain vulnerable to identity theft. Financial and information loss becomes inevitable when an identity is stolen, and avenues such as phishing, key logging, and the provision of personal information via dubious phone calls remain prevalent. IDC is also seeing a rise in mobile applications that capture personal information, which can leave a user vulnerable. To better protect their users, organizations should be evaluating solutions such as tokens, two-factor authentication, user authentication, and even biometrics.
While identity will rise to be one of the first levels of control for organizations in securing the Third Platform, companies cannot ignore the consequences of identity theft or compromise. They must assess how data is accessed within the organization, and central management and monitoring will be critical to ensure privileged access rights are not being misused. Identity and access management must form a critical part of an organization’s security policy, which should be constantly reviewed and revised to protect not just the information but the users as well.
The columnist is Group vice president and Regional MD for the Middle East, Turkey & Africa at global ICT market intelligence and advisory firm, IDC.