Applying CIAM Principles to Employee Authentication
Streamlining and Enhancing Authentication for the Workforce
Many organizations have updated the authentication process for customers to help ensure frictionless transactions. Now, some are starting to take similar steps to streamline and enhance authentication of their employees - especially those working remotely.
Thomas Malta, head of identification and authentication at Navy Federal Credit Union, says not many companies have adopted multiple layers of authentication for employees yet. "This has become the need of the hour, since employees are no longer inside your secure network," he says.
Richard Bird, chief customer information officer at Ping Identity, adds: “I believe we are seeing the beginnings of a new paradigm - not workforce identity or consumer identity, but an expectation for a more universal digital identity that can be used for both.”
Adopting CIAM Principles
To enhance employee authentication for system access, some organizations, including Navy Federal Credit Union and the travel portal Priceline, are adopting customer identity and access management, or CIAM, procedures for their workforces. Those include dynamic authorization, continuous authentication and the use of various forms of biometrics.
"With the death of user ID and password, I am trying to create digital layers of authentication on the workforce side," Malta says. "We are looking to be able to let the hybrid workforce ‘inside our network’ in a very frictionless way."
Joe Dropkin, principal server engineer at Priceline, says he's been applying the concept of CIAM to employee authentication because of the shift toward applications and data storage in the cloud. “We did not want our employees to go through multiple layers of authentication to SaaS applications. The users now have a single 'pane of glass' to look at,” he says.
Priceline employees no longer have to log in multiple times to access different applications. Once they're authenticated, using multiple layers, they gain access to all appropriate systems, Dropkin says.
“When you are coming in at the office, username and password are enough to log in," Malta says. "You are inside your office network and multiple layers of authentication are not really required. But now, employees are logging in from different networks. So we need to have those additional layers of authentication, typically for privileged access.”
Keith Casey, who serves on the production team at Okta, a San Francisco-based identity and access management company, notes: “Employees should have a frictionless authentication experience no matter what kind of device they're using to access systems. It is high time we bring in the concepts from CIAM for employees.
"From an IT and support perspective, the easier we make the process of authentication for employees the better it will be, as in the long run it will result in low cost. We need to start having adaptive authentication."
A Complex Process
Multiple factors need to be taken into account while authenticating employees, which makes the process more complex than authenticating customers.
“An organization has data governance policies, and sometimes access to a particular application is required only for a limited period of time. Such factors have to be weaved in while designing an authentication policy,” Casey says.
Bird of Ping Identity says that "creating a unified repository, directory or profile for every single employee is the very beginning step in developing a truly digital identity for that employee.
"Digital identities aren't accounts and passwords. They are a rich, digital representation of the physical you. The richer these digital identities are, the more exact we can be in the certainty that an employee is who they say they are, is doing what they are supposed to be doing and is accessing what they should be."
Tracking Baseline Behavior
Tracking the baseline behavior of employees is important when developing an enhanced authentication strategy.
“Normal behavior isn't a measure that is separate or independent from an identity; it is a part of the identity itself,” says Dropkin of Priceline. "We need to aggregate the types of data that we need to create a rich digital identity. And with that collection comes the learning of baseline behaviors that we can then use to determine normal and abnormal actions."
The goal, he says, is to create unified digital identities "that we can leverage in all aspects of our lives."
Malta of Navy Federal Credit Union suggests implementing enhanced employee authentication in phases. “With any new system, there are bound to be challenges," he says. "Hence, instead of disrupting the entire organization, try and learn from your mistakes by incorporating the changes in one department initially.” (See: Changing Authentication for Employees)
Industries Taking the Leap
The banking, healthcare and air travel sectors are leading the way when it comes to applying CIAM principles to employee authentication.
“In highly regulated environments, adopting CIAM principles is actually incredibly useful,” Bird says. “It allows companies to provide the correct access, roles, resources and assets based upon the user's persona in the instant of the transaction. If I'm a doctor but I'm also a patient, by using CIAM principles, I can ensure that I'm not using my physician-related access credentials to look at information about myself.
“CIAM can actually be a pathway to better compliance results for financial institutions and other highly regulated companies by providing a complete view of the human being in question in both of their roles - as customer and employee."