Bring Your Own Identity and Access Governance?

A manager’s identity and access governance duties.

I think that a lot of people out there are familiar with the concept of BYOD or "Bring Your Own Device", even if they don’t consciously realize it. I had never heard the term until very recently and realized that I had been using my personal smartphone at work for years now and never gave it any thought beyond the convenience it lent my generally hectic days.

Many businesses are adopting a BYOD policy because not having to purchase an iPad for their entire management staff saves them money. There is a whole list of debatable pros and cons, from convenience and productivity to identity and access governance, and opinions on the matter vary wildly.

One aspect of BYOD that is unquestionably an issue is IT cyber security. It is easy to see how using an insecure phone to access company servers or keeping proprietary information on your tablet or iPad would be a security risk. The most interesting thought on the matter was from a blog post by Martin Kuppinger. He says:

"BYOD is one of the trends which are fundamentally changing the way that IT needs to handle identity and access governance, as well from the system management as from the information security perspective. It is about moving away from device-centric security to information-centric security approaches."

It is that last part that perked up my metaphorical ears and seemed to be an IT movement that would make BYOD more than just possible, but profitable. Rather than having "work computers" laden down with technological chains and razor wire, you place security around and within the information itself, making the device from which it is accessed less important to overall security.

Of course his blog post wasn’t only intended to disseminate interesting tidbits for the rest of us to enjoy; it was a response to a blog post by Nick Crown, Director of Product Marketing at UnboundID.

In his post, Nick goes into detail about another interesting buzzword, BYOI or "Bring Your Own Identity". His conjecture is that there will be a rise of third-party groups specializing in access provisioning by providing individuals with vetted and secure identities. Companies are already spending millions of dollars on user provisioning for their own employees, so it would obviously be a savings to have an employee come with a verified ID, provided it could be trusted.

In the social media sector, services like this obviously already exist. If there is a website that you can’t log into using your Google, Facebook, or Twitter account, I haven’t seen it. While the "identities" provided by such services are not ironclad, or even reliable in some cases, it does not stretch the imagination to see that the technology for secure Identity Providers (IdPs) is waiting to be harnessed. It is also waiting for the right mind to decide how to make it worthwhile for everyone involved: individual consumers, corporations, and the IdPs themselves.

Martin and Nick both make good arguments as to why BYOI or BYOD is superior or more likely to become mainstream in lieu of the other. However, it seems that the reality of access provisioning may be somewhere in the middle. After all, an information-based cyber security approach is, in part, what will make BYOD secure. BYOI is itself a potentially valuable piece of information security technology. Each innovation may, in fact, necessitate the other. The reliability of your company’s identity and access governance process is certainly something to consider the next time you log onto your company wifi with your personal phone and sign into a website using your Facebook account to watch the most recent viral video on your lunch break after uploading a proposal to your company’s cloud-based storage.

Written by Joseph Wheeler