Online Magazine
How ISPs manage digital identities

In times of increasing cloud use, companies that want to stand on a stable footing in security should consider using an identity service provider (ISP). ISPs bring advantages that go beyond the security aspect.
by Peter Stadler

Today, many actions that affect a company are carried out by employees on a computer. This means that physical, self-determined persons move through the digital corporate environment with digital identities, where they can and must make decisions and carry out actions.
As is usual in companies, it is therefore advisable here too to define and enforce the way in which decisions and actions may be carried out. Otherwise there is a danger that the regulated paths are abandoned and room for undesired results is created, such as the uncontrolled storage of data. But how do you implement this?
First of all, it is important to be able to distinguish between different identities. These are usually categorised as follows:
- Private identities: Actions in this area usually use accounts that are tailored to the respective platform. Examples are Twitter, Amazon or Netflix.
- Professional identities: Actions in this area should ideally use an account that is linked to the core activity or the company.
- Anonymity: Actions in this area are taken without an account and can only be traced with difficulty.
For a company to master the challenge described above, professional identities or accounts must be set up accordingly. When the topic of the cloud was still in its infancy, it was common for companies to set up and operate their own identity management system. One of the best-known tools for this is Microsoft Active Directory Domain Services (ADDS). Today, however, it is primarily used to manage locally operated applications. In the meantime, the cloud has opened up completely new possibilities, especially a multitude of new services – and with them the topic of identities has become more complex.
Why does one need an Identity Service Provider (ISP)?
Nowadays, most companies take the opportunity to have services such as Dropbox, Salesforce, Slack, Microsoft 365 and many more operated by specialised service providers and thus save resources. However, this also means that managing and operating identities with the original method (ADDS) no longer makes sense, because several different accounts would have to be managed for the multitude of services.
The state of the art is therefore to work with an identity service provider (ISP). Put simply, the task of managing and operating several identities for one person in different systems is handed over. As a company, one therefore no longer has to build up in-depth technical competencies and invest resources in them; one only needs to obtain the available, modern services from a designated system at the administrative level. In summary, an ISP is the operator of the administration system for identities, providing an encapsulated and shielded environment for the administration and use of all available features.
What added value does an ISP generate?
One of the most popular ISPs is Microsoft Azure Active Directory (Azure AD). The general added values in connection with Azure AD look something like this:
- Modern applications usually provide an interface for integrating an ISP. This means that identity management can easily be transferred to the respective ISP, in our example to Azure AD.
- Azure AD can establish a connection to the existing local Microsoft systems (ADDS) (hybrid identity). This allows one identity to serve both local/outdated services and new/innovative services from the cloud.
- There are innovations to replace old-fashioned access from outside to local applications of the company. For example, VPN dial-up can be replaced with Azure Application Proxy and paired with new protections.
- As identity management is outsourced to the ISP, user sign-in procedures can be simplified. To this end, options such as single sign-on (SSO) are established. With this technology, the user is automatically signed in to the connected services without any interaction and only needs one identity for access.
- Since the identities are managed centrally and across the board in Azure AD, access can also be regulated and influenced for the connected services.
- Information and data are generated with every access to the services. This means that in the long term, user behaviour can be influenced or the services offered can be adapted. The information is stored in detail in the log and is useful for analysis purposes.
- The technical exchange of information about users between the ISP and the respective application complies with current standards such as OAuth 2.0 (security, technological progress, authentication, authorisation, etc.).
- Azure AD opens up innovative collaboration possibilities with partners and/or customers.
Besides the aforementioned, there are several other added values. For example, a modern ISP can manage/control groups of people or mobile devices in addition to individual identities.
ISP as the basis for a zero-trust model
Closely related to the ISP is the zero-trust model. This is a modern approach that, among other things, strengthens security at the identity level. The background is that many successful cyber attacks are due to human interactions. The following graphic shows how such a model can be built.
Source: Microsoft Zero-Trust-Whitepaper
The area on the left up to the "zero trust policy" can be covered by a modern ISP. Thus, individual rules can be implemented, such as enforcing multi-factor authentication at sign-in. The use of artificial intelligence is also coming into play more and more in these areas and is already a great addition: at its core, it analyses user behaviour and, based on this, initiates measures at an early stage in the event of deviations. Consequently, a modern ISP is one of the basic elements of a good zero-trust model.
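The policy step described above, together with the log analysis mentioned among the added values, as an added illustration that is not from the article or from Microsoft: a toy evaluator that builds a per-user baseline from past sign-in log lines and then decides, rule by rule, whether a new sign-in is allowed, needs multi-factor authentication or is blocked. The log format, the rule set and the sample entries are assumptions constructed for this example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample of an ISP sign-in log (past successful sign-ins per user).
SIGNIN_LOG = """\
2024-03-01T07:58:12Z user=alice country=CH device=compliant net=corp mfa=yes
2024-03-01T09:14:03Z user=alice country=CH device=compliant net=internet mfa=yes
2024-03-02T18:40:55Z user=bob country=DE device=compliant net=internet mfa=yes
2024-03-03T08:02:41Z user=alice country=CH device=compliant net=corp mfa=no
"""

@dataclass
class SignIn:
    user: str
    country: str
    device_compliant: bool
    on_corp_network: bool
    mfa_done: bool

def parse_line(line: str) -> SignIn:
    """Parse one key=value log line (timestamp first) into a SignIn record."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return SignIn(fields["user"], fields["country"],
                  fields["device"] == "compliant", fields["net"] == "corp",
                  fields["mfa"] == "yes")

def build_baseline(log: str) -> dict[str, Counter]:
    """Per-user count of countries seen in past sign-ins: the user's 'normal' behaviour."""
    baseline: dict[str, Counter] = defaultdict(Counter)
    for line in log.splitlines():
        s = parse_line(line)
        baseline[s.user][s.country] += 1
    return baseline

def evaluate(event: SignIn, baseline: dict[str, Counter]) -> str:
    """Return 'block', 'require_mfa' or 'allow'; the first matching rule wins."""
    if not event.device_compliant:           # device posture is non-negotiable
        return "block"
    if event.mfa_done:                        # strong authentication satisfies the rest
        return "allow"
    if not event.on_corp_network:             # access from outside always needs MFA
        return "require_mfa"
    if event.country not in baseline.get(event.user, {}):  # deviation from baseline
        return "require_mfa"
    return "allow"
```

A real ISP evaluates far more signals (risk scores, application sensitivity, session age), but the ordering shown, posture first and then step-up authentication for deviations, is the shape of the policy layer.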
Conclusion: An ISP is essential for many companies today
Even if you have no intention or need to build a zero-trust model, an ISP is essential, especially for companies that use a variety of cloud services. An ISP is practically the only way to manage and operate identities with a reasonable use of resources and to keep up to date with security issues. It is therefore advisable for such companies to set up a modern administration system according to their own guidelines and compliance requirements, based on an Identity and Access Management (IAM) concept.
