Friday, 30th July 2021

Open standards are central to identity - here’s why

By Armin Ebrahimi, Head of Distributed Identity for Ping Identity.

The enterprise IT ecosystem is rapidly diversifying and everywhere you look businesses are onboarding new users, devices and technologies. Every second they’re acquiring more data, more apps, more devices and heading further into the cloud. While that growth promises a lot of great things for enterprise IT, all of those advancements will be for nothing if they aren’t secure.

Unfortunately, this growth often happens faster than security can keep up with. This is especially true for identity security, where it’s increasingly difficult to keep pace with the sheer number of users and devices that are now entering the enterprise environment. The ultimate task is to find ways to secure and accommodate this increasingly complex ecosystem.

To do that, Open Standards are crucial. These are the specifications that dictate roles for apps, users and identities, and define how they talk to each other. These are built with the intention of letting anyone use them to build their own software, apps and infrastructure. JSON and HTML are two famous examples and it’s no coincidence that they are two of the foundational standards which define how people build and use IT today.

Standing opposite the Open Standard is the proprietary standard - the kind which is confined to particular products and vendors. While such standards might still be used regularly, they stand in direct conflict with the way IT is evolving.

Interoperability and connection are now the fundamental values that enterprises are pursuing. But complexity is mounting in the digital enterprise. While it mounts, the job of security practitioners gets harder. To overcome it, security needs to easily plug in with anything and everything in its environment.

That function is especially important when it comes to Identity, which needs to make sure that the devices and users interacting within the environment can be verified and trusted. It allows interoperability between identity systems, web resources, organisations and vendors. It's for this reason that Open Identity Standards are so crucially important in expanding that critical function as far and wide as possible.

The average enterprise has around 130 apps deployed. Without identity systems that can operate together, devices and user identities can run wild, growing exponentially with the rise of un-integratable new apps and systems that enter the environment. Suddenly one user will have multiple identities for each app they use, and security teams need to create, update, validate and monitor each of those identities. That tangle of disorganised identities creates multiple opportunities for security compromise. However, by using open standards like OAuth and SCIM, enterprises can give those users a single identity to centrally manage.

This is what the Open Identity standard allows: the integration of identity systems under one authentication authority which can serve as the single, objective source of truth in the enterprise.

When different identity systems can be integrated, the security benefits trickle down to the user experience, too. In this case, open identity standards marry the purpose of security with more streamlined user experiences and greater productivity. Without Identity systems that work together, users will be left to log in to every individual app and service they use while at work. This creates significant productivity lag considering the multiple passwords needed to access various systems and portals throughout a workday. In fact, the average employee spends 11 hours a year messing around with passwords. Moreover, it alienates users from the security process. When that happens, they’re more likely to engage in poor security behaviours like reusing passwords and finding workarounds to their constant clashes with security processes. When authentication and Identity processes can be unified, they only need one login to securely access the entirety of the corporate network.

But the promises of Open Standards go even further. Because Open Identity standards enable interoperability, they can also smooth out the barriers that delay or restrict developers in their job. Those standards can take much of the grunt work that developers are burdened with and free them to actually push their discipline forward.

OpenStand, a group formed in 2012 by the Internet Engineering Task Force (IETF), World Wide Web Consortium (W3C) and the Institute of Electrical and Electronics Engineers (IEEE), places innovation as a central value of Open Standards. When we talk about Open Standards, we're not just talking about making this or that process easier, we're talking about driving innovation of the internet and making sure that, through cooperation, we can all benefit and drive global technology forward.

Other standards, such as those from the Decentralised Identity Foundation (DIF) and W3C, provide for further innovation of personal identity (aka decentralised identity). They allow for user-owned identity with a closely held private/public key pair in lieu of usernames and passwords, further enhancing security and interoperability as well as lowering friction when interacting with disparate systems.

Those principles are being borne out in new standards which promise great things for identity security. The FIDO2 project is a particularly significant movement in this direction. Formed of W3C and the FIDO Alliance, which was created to address problems of interoperability in authentication, FIDO2 aims to provide open authentication standards and roll out passwordless authentication globally. It is nothing less than a groundbreaking move in identity security.

As it is often said - Identity is the new perimeter. The increasing complexity in enterprise IT has made it hard to preserve the castle and moat perimeters of traditional network security. As old perimeters break down, authentication and identity are becoming the new castle walls by which we protect ourselves. It’s not just that identity has to change - it's that identity has to become our first line of defence at the network security perimeter. It has to be able to reach and interoperate with all parts of the network security infrastructure. And that can only be done with Open Identity standards.

Open standards are central to everything we do. They establish Identity as the single source of truth within the enterprise, providing greater trust in authentication across the enterprise, and a more streamlined user experience. But it’s not just a technical aspect of our products – it’s part of who we are. It’s why we believe that Open Identity Standards are critical to securing the future of ever more complex IT within the enterprise and innovation on the internet.
