Not Your Father's Identity and Access Management
It used to be easy to define the boundaries of Identity and Access Management (IAM): its purpose was to prevent anyone from getting to anything they weren't supposed to. While that is still true, it fails to recognize the world that is unfolding for IAM, even in more cautious industries such as finance.
You can trace IAM back to at least two separate roots: controlling access to early computer systems, and authenticating customers face to face in a branch.
• In the first case, access to computers was at first controlled by physical security: if you could not touch the computer, you could not use it. As access broadened, progressively more complex controls were brought in: accounts, passwords, role-based access control, and so on.
• On the customer-facing side, we progressed through passbooks and cards to the introduction of call centers, which brought with it the need to introduce customers to the account name and password, and from there we moved into the Internet world.
From that point the two strands joined, and we have moved forward, recognizing the weaknesses, while fundamentally seeing IAM as a way to constrain access and isolate systems. For financial services, isolation has been the watchword ever since: IAM has been about restricting access.
In common with other industries, financial services are now shifting to a digital approach to customer interactions. This is now well established and is improving the customer's experience. The key to digital is that it starts from a focus on the user's journey through a web site or service. Businesses are aware that these efforts frequently hit a roadblock at the boundary of the organization, and that there are opportunities beyond it. These opportunities may simply reduce user friction, but in many cases they open up additional streams of revenue or cost reduction that benefit the business.
• A customer may use their good standing at one bank or service provider to open accounts or services at another bank or service provider.
• A customer may use information held by one organization to seamlessly conduct business with another, for instance by pre-filling the common data that businesses often require.
• A customer's continued use of the new service would be via the original service, improving stickiness.
Consequently, there is a drive to break down the historical isolation and allow more complex customer journeys that may span multiple companies. This flow can be enabled by IAM using the open standard protocols that have become popular in recent years. Open standard protocols such as OAuth and OpenID Connect, originally established for use with social media, can be used to create journeys that both federate and meet security requirements all the way up to those of the financial services industry. Also, because they are open rather than proprietary, it is reasonable to expect that others can and will interoperate.
Financial organizations that take advantage of the opportunities provided by federation will be able to maintain their value for the customer. They will be the route through which the customer accesses existing services and signs up to new ones. Companies with strong and reusable data that can be federated will be in the strongest position. Such enterprises include financial institutions, mobile phone networks and governmental organizations. The value that a company can charge for data will depend on the dependability and breadth of that data and on the consent that the user has provided for its use.
The conclusion is that, while we must still protect what we see as valuable, the way forward for IAM lies not so much in isolation as in federation. For us practitioners, the move from being an obstruction to being an enabler will be very welcome.