How does digital identity fit into digital transformation efforts and cyber security? A recent virtual roundtable discussed the implications.
Companies in all industries are working to balance their digital transformation efforts with cyber security, said Ian Lowe of Okta at a recent virtual roundtable. He told attendees, all senior executives from a range of sectors, that identity is a central pillar of both, and one that organisations often overlook.
A better registration and login process can improve user experience, regardless of whether the user is an employee, a customer or another stakeholder. Increasingly, the Internet of Things means that a range of devices need to log into the system, so they must have identities too. A coherent system can improve security because it reduces the risk from lapsed accounts or poor security habits from users with multiple accounts.
Gathering registration data
It’s important to be careful what you ask for, said one attendee from the retail sector. He noted that, when asking for identification, you need to decide what you will do with that information. If you plan to retain it, you must be sure to stay compliant with regulations such as GDPR.
Another attendee, who works in the hospitality industry, said he was sceptical of the current trend for ‘zero trust’ solutions because you must trust something or else you can’t get started. His priority is to minimise what you need to ask or check for when registering or confirming a user identity. For example, are they logging in from an unknown device or an unusual location?
Attendees agreed that it is best to ask for as little information as necessary because longer processes put people off. However, for higher-risk applications, it is important to ensure that only the account holder has access, so sometimes lengthier processes, such as multi-factor authentication, are unavoidable.
Linking disconnected systems
Of course, most organisations have several such processes and must ensure there is coherence between them. An employee might also be a customer, for example, and their experience would be better if those identities were linked.
Mr Lowe gave the example of a European football league, which had six different types of identities, including employees, players, fans and referees. The more information required from a sign-up process, the worse the user perception of the onboarding process was. Each identity type had a different, unconnected registration experience, so the league used Okta to link them.
Linking identities is not a simple task because it requires, say, an Office 365 database to share information with a Salesforce database and both of those to talk to an on-premises system. Most organisations will require third-party help with this kind of work, said Mr Lowe, because they won’t have the necessary expertise in-house.
Identity is not just an IT issue
Another significant challenge, in addition to finding the expertise, is to get buy-in from across the organisation. As one attendee put it, the business tends to see identity as an IT problem, and IT tends to see it as a business problem. In reality, it is a problem that crosses multiple departments, including IT, legal, HR, sales and marketing.
One attendee warned that customer-focused organisations tend to overlook back-office functions in their determination to provide a good experience. In fact, spending some time ensuring that back-office systems are efficient and secure can pay dividends in customer experience too.
Some attendees said they had created a cross-department group to handle identity, with varying degrees of success. Those who reported success had ensured that the group’s members were not too senior and that meetings were far enough apart to allow time for tasks to be accomplished in between.
None of those at the briefing felt that they had solved the problem. It is a challenging area and one that needs constant work and attention. In many cases, the answer might be to find the right partner.