Today, many actions that affect a company are carried out by employees on a computer. Physical, self-determined people therefore act in the digital corporate environment through digital identities, where they can and must make decisions and carry out actions.
As is usual in companies, it is therefore advisable to define and enforce how decisions and actions may be carried out in this context as well. Otherwise, there is a danger that the regulated paths are abandoned and room opens up for undesired outcomes, such as the uncontrolled storage of data. But how do you implement this?
First of all, it is important to be able to distinguish between different identities. These are usually categorised as follows:
In order for a company to master the above-mentioned challenge, professional identities or accounts must be set up accordingly. When the topic of the cloud was still in its infancy, it was common for companies to set up and operate their own management system for identities. One of the best-known tools for this is Microsoft Active Directory Domain Services (ADDS). Today, however, it is primarily used to manage locally operated applications. In the meantime, the cloud has opened up completely new possibilities, in particular a multitude of new services, and with them the topic of identities has also become more complex.
Nowadays, most companies have services such as Dropbox, Salesforce, Slack, Microsoft 365 and many more operated by specialised service providers and thus save resources. However, this also means that it no longer makes sense to manage and operate identities with the original method (ADDS), because a separate account would have to be managed for each of the many services.
The state of the art is therefore to work with an identity service provider (ISP). Put simply, the task of managing and operating the several identities one person has across different systems is handed over. A company then no longer has to build up in-depth technical competencies or invest resources in them; it only needs to obtain the available, modern services in a designated system at the administrative level. In summary, an ISP is the operator of the administration system for identities, providing an encapsulated and shielded environment for administering and using all available features.
One of the most popular ISPs is Microsoft Azure Active Directory (Azure AD). The general added values in connection with Azure AD look something like this:
Besides the aforementioned, there are several other added values. For example, a modern ISP can manage/control groups of people or mobile devices in addition to individual identities.
Closely related to the ISP is the zero-trust model. This is a modern approach that, among other things, strengthens security at the identity level. The background is that many successful cyber attacks are due to human interactions. The following graphic shows how such a model can be built.
Source: Microsoft Zero-Trust-Whitepaper
The area on the left, up to the "zero trust policy", can be covered by a modern ISP. Individual rules can thus be implemented, such as enforcing multi-factor authentication at login. Artificial intelligence is also increasingly used in these areas and is already a valuable addition: at its core, it analyses user behaviour and, on that basis, initiates measures at an early stage when deviations occur. A modern ISP is consequently one of the basic elements of a good zero-trust model.
Even if you have no intention or need to build a zero-trust model, an ISP is essential, especially for companies that use a variety of cloud services. An ISP is practically the only way to manage and operate identities with a reasonable use of resources and to keep up to date with security issues. It is therefore advisable for such companies to set up a modern administration system, based on their own guidelines and compliance requirements, under an "Identity and Access Management (IAM)" concept.
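To make the left-hand side of the graphic concrete, here is a small Python model of a zero-trust sign-in decision, added as an illustration for this article; it is not code from the article, and it is not Microsoft's Conditional Access engine. Sign-in signals (user, application, country, hour, device state) are compared against a constructed per-user behaviour baseline to produce a risk score, and a set of rules in the style of "require MFA for unmanaged devices" or "block high-risk sign-ins" is combined so that the strictest matching rule wins. The names `BASELINES`, `SignIn`, `risk_score`, `POLICIES` and `evaluate`, and all sample data, are hypothetical.

```python
"""Hypothetical zero-trust sign-in policy evaluator (illustration only).
Not an Azure AD / Conditional Access API; every signal and rule is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple

# Constructed per-user baseline, the kind of thing a behaviour-analysis component
# would learn over time: countries seen before and the user's usual sign-in hours.
BASELINES: Dict[str, Dict[str, Set]] = {
    "alice": {"countries": {"CH", "DE"}, "hours": set(range(7, 20))},
    "bob":   {"countries": {"CH"},       "hours": set(range(8, 18))},
}


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    country: str
    hour: int             # local hour of the attempt, 0..23
    device_managed: bool  # device enrolled in the company's management system
    mfa_completed: bool   # a second factor was already presented in this session


def known_country(s: SignIn) -> bool:
    """True if the sign-in country appears in the user's baseline."""
    return s.country in BASELINES.get(s.user, {}).get("countries", set())


def risk_score(s: SignIn) -> float:
    """0.0..1.0 built from deviations against the baseline; unknown users score 1.0."""
    base = BASELINES.get(s.user)
    if base is None:
        return 1.0
    score = 0.0
    if s.country not in base["countries"]:
        score += 0.5   # never seen from this country before
    if s.hour not in base["hours"]:
        score += 0.3   # outside the user's normal working hours
    if not s.device_managed:
        score += 0.2   # unmanaged device: less is known about its state
    return min(score, 1.0)


# Actions rank block > require_mfa > allow: when several rules match, the
# strictest one decides, which is how conditional-access style rules combine.
RANK = {"allow": 0, "require_mfa": 1, "block": 2}
Policy = Tuple[str, Callable[[SignIn, float], bool], str]

POLICIES: List[Policy] = [
    ("block-high-risk",      lambda s, r: r >= 0.7,                 "block"),
    ("mfa-for-unmanaged",    lambda s, r: not s.device_managed,     "require_mfa"),
    ("mfa-for-new-location", lambda s, r: not known_country(s),     "require_mfa"),
    ("mfa-for-admin-apps",   lambda s, r: s.app == "admin-portal",  "require_mfa"),
]


def evaluate(s: SignIn, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Return (decision, names of the rules that matched) for one sign-in."""
    r = risk_score(s)
    decision: str = "allow"
    matched: List[str] = []
    for name, condition, action in policies:
        if condition(s, r):
            matched.append(name)
            if RANK[action] > RANK[decision]:
                decision = action
    # A second factor already presented in this session satisfies "require_mfa".
    if decision == "require_mfa" and s.mfa_completed:
        decision = "allow"
    return decision, matched


if __name__ == "__main__":
    for attempt in (
        SignIn("alice", "mail", "CH", 10, True, False),
        SignIn("alice", "mail", "CH", 10, False, False),
        SignIn("alice", "mail", "US", 3, True, False),
        SignIn("mallory", "mail", "CH", 10, True, True),
    ):
        print(attempt.user, attempt.country, attempt.hour, "->", evaluate(attempt))
```

The point of the ordering is that a sign-in which already passed MFA is still blocked when the behavioural deviation is large enough; the second factor strengthens an ordinary login but does not override a block, which is the "initiate measures early on deviation" behaviour the paragraph describes.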