Identity management is one of those topics that looks trivial but becomes gnarly when you dig into it. Two important issues in identity management are:
- “Is this person who they say they are?”
- “Given who they are, what systems and information can they access?”
The latter is of particular importance to HR given the sensitivity of any information about employees.
HR won’t be taking the lead on identity management; that will probably come from IT. However, HR pros should be aware of the issues and terminology. Let’s step through some of the main elements of identity management, what is changing, and what it means for HR.
Identity has for generations been proven with paper documents issued by the government: birth certificate, passport, driver’s license, and so on. Now everything is becoming electronic, and you can expect most people soon to hold a digital identity credential they can use both to prove who they are and to sign documents electronically.
The World Bank’s ID4D (Identification for Development) initiative, aligned with the UN’s Sustainable Development Goal of a legal identity for everyone by 2030, aims to close the gap for people who have no official identification today. If it succeeds, it will make HR’s life easier, especially when verifying someone’s right to work in your country.
In the absence of a robust national identification scheme, companies rely on a mix of tools: passwords, physical access cards, authenticator apps, and, most recently, hardware security keys (small USB or NFC devices holding a cryptographic key). Each of these has its weaknesses, but HR pros will guess correctly that human behavior is a bigger problem than the hackers’ tooling.
Humans often undermine security measures, most famously by choosing weak passwords or reusing the same one everywhere. Attempts to force better behavior, for example by requiring people to change passwords every few months, create what’s called “user friction,” and friction leads to behavior that is even less secure (writing the password on a note stuck to the monitor, or just incrementing the digit at the end). That is why current guidance, such as NIST SP 800-63B, recommends against scheduled password rotation and instead favors long passphrases, screening new passwords against lists of known-breached ones, and adding a second factor.
Once someone has signed in to the corporate identity system, they would like to get into all the applications they are entitled to without signing in to each one separately. This is single sign-on (SSO). It rests on standard protocols, notably SAML and OpenID Connect (which adds an authentication layer on top of the OAuth 2.0 authorization framework). In practice the identity provider authenticates the person once and issues signed tokens; each connected application verifies the token rather than handling the password itself.
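To make the token step concrete, here is an added example (it is not code from the original article, and not any vendor’s implementation) of what a connected application checks before trusting an SSO token. It assumes an OpenID Connect style ID token, a hypothetical issuer URL and client id, and signs with an HMAC shared secret so it runs offline; real providers sign with RSA or ECDSA keys published at a JWKS URL, but the claim checks are the same.

```python
"""Added example, not code from the original article: the checks a connected
application makes on a single sign-on ID token before trusting who it names.

Assumptions, none of them from the article: the identity provider issues an
OpenID Connect style ID token (a signed JSON Web Token); the issuer URL,
client id and user names are hypothetical; and the token is signed with an
HMAC shared secret so the example runs offline (real providers use RSA or
ECDSA keys published at a JWKS URL, but the claim checks are the same)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SHARED_SECRET = b"constructed-demo-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.com"   # hypothetical corporate identity provider
EXPECTED_AUDIENCE = "lms-web"                  # hypothetical client id of this application


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(subject: str, nonce: str, audience: str = EXPECTED_AUDIENCE,
                   lifetime_s: int = 300, now: Optional[float] = None) -> str:
    """Stand-in for the identity provider: mint one signed token after the user logs in once."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": EXPECTED_ISSUER, "aud": audience, "sub": subject,
              "iat": int(now), "exp": int(now) + lifetime_s, "nonce": nonce}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, expected_nonce: str, now: Optional[float] = None) -> dict:
    """Stand-in for the application: return the claims only if every check passes,
    otherwise raise ValueError naming the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts

    # The verifier fixes the algorithm; it never lets the token's header choose it.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")

    # Verify the signature (constant-time compare) before trusting any claim.
    expected_sig = hmac.new(SHARED_SECRET, (header_b64 + "." + claims_b64).encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("iss") != EXPECTED_ISSUER:        # issued by the provider we trust
        raise ValueError("wrong issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:      # meant for this app, not replayed from another
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):                 # still within its short lifetime
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:       # bound to this particular login attempt
        raise ValueError("nonce mismatch")
    return claims


def rejection_reason(token: str, expected_nonce: str, now: Optional[float] = None) -> Optional[str]:
    """The name of the failed check, or None when the token is accepted."""
    try:
        validate_id_token(token, expected_nonce, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    good = issue_id_token("jdoe", nonce="n-123", now=1_700_000_000)
    print(validate_id_token(good, "n-123", now=1_700_000_010)["sub"])   # jdoe
    print(rejection_reason(good, "n-123", now=1_700_000_400))           # token expired
```

The point for a non-specialist is the list of checks: signature, algorithm, issuer, audience, expiry and nonce. Drop any one of them and a token minted for a different application, or an old one captured from a laptop, gets accepted as a live login.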
Identity As a Service (IDaaS)
IDaaS refers to vendors that provide the technology and setup needed for identity management. According to Forrester, leaders in this space are Okta, OneLogin, CyberArk, and Microsoft.
Even when you are sure of someone’s identity, you still need to decide which systems and information they are allowed to access. It’s common to set rules for who can access what based on their role.
For example, perhaps everyone in the training department can fully access the LMS, whereas other HR professionals can view but not edit LMS information, and other employees can’t access it at all. This works well for a few months. However, in a large organization with people coming and going, with the organization being reorganized, and with new project teams constantly being invented, the assignment of people to roles quickly goes out of date: people change jobs but keep the access of their old role, and accounts of people who have left linger in groups nobody remembers to clean up.
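The LMS example above, as an added illustration that is not code from the original article: the role-based rule it describes, written out as a check, plus the review that catches the drift the paragraph warns about. The people, department names and role names are constructed, and it assumes LMS roles are granted by hand while the department field comes from the HR system of record, which is exactly how the two drift apart.

```python
"""Added example, not code from the original article: the LMS access rule
described above expressed as role-based access control, together with the
review that finds grants which have drifted away from what HR records say.

Everything below is constructed for illustration: the people, departments
and role names are hypothetical, and the design assumption is that LMS roles
are granted by hand while the department field comes from the HR system of
record."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Role -> actions permitted on the LMS (from the article's example).
LMS_POLICY: Dict[str, Set[str]] = {
    "training_staff": {"view", "edit", "administer"},
    "hr_staff": {"view"},
}

# Which department is supposed to hold which LMS role (constructed rule).
ROLE_FOR_DEPARTMENT: Dict[str, str] = {
    "Training": "training_staff",
    "HR": "hr_staff",
}


@dataclass
class AccessState:
    department_of: Dict[str, str]                                     # HR record: user -> department
    role_members: Dict[str, Set[str]] = field(default_factory=dict)  # LMS: role -> users granted it


def roles_of(state: AccessState, user: str) -> Set[str]:
    return {role for role, members in state.role_members.items() if user in members}


def can(state: AccessState, user: str, action: str) -> bool:
    """Role-based check: allowed if any of the user's roles permits the action."""
    return any(action in LMS_POLICY.get(role, set()) for role in roles_of(state, user))


def find_drift(state: AccessState) -> List[Tuple[str, str, str]]:
    """Grants the HR record no longer justifies, as (user, role, reason).

    Two ways a grant goes stale: the person has left (no department on
    record), or they moved to a department whose role is not this one."""
    findings = []
    for role, members in state.role_members.items():
        for user in sorted(members):
            dept = state.department_of.get(user)
            if dept is None:
                findings.append((user, role, "no longer in the HR directory"))
            elif ROLE_FOR_DEPARTMENT.get(dept) != role:
                findings.append((user, role, f"now in {dept}, which does not carry {role}"))
    return findings


def reconcile(state: AccessState) -> int:
    """Revoke every drifted grant; returns how many were removed."""
    drift = find_drift(state)
    for user, role, _ in drift:
        state.role_members[role].discard(user)
    return len(drift)


def build_sample_state() -> AccessState:
    """Constructed scenario: two grants are still correct, two have drifted."""
    return AccessState(
        department_of={"alice": "Training", "bob": "HR", "carol": "Finance"},  # carol moved; dave left
        role_members={
            "training_staff": {"alice", "carol"},   # carol kept her old Training role
            "hr_staff": {"bob", "dave"},            # dave is gone but still granted
        },
    )


if __name__ == "__main__":
    state = build_sample_state()
    print(can(state, "carol", "edit"))      # True: a Finance employee can still edit the LMS
    for finding in find_drift(state):
        print(finding)
    print(reconcile(state))                 # 2
    print(can(state, "carol", "edit"))      # False
```

Before the review runs, the access check is working exactly as designed and still gives the wrong answer, because the role data behind it is stale. That is the gap a periodic comparison against the HR record closes.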
This is a real headache, and it leads to the wrong people having access to systems and information. There is no perfect solution, but people are working on alternatives. Nulli.com uses graph technology, which captures who is connected to whom or what, as a novel way to manage access rights. Whatever the tooling, the practical control is a periodic access review in which managers confirm that each person’s access still matches their job. The important thing at this point is to be aware of how easily managing access rights can become a major weak point in keeping information secure.
Identity management is a surprisingly complex area. Since you probably won’t be an expert on the topic, you need to find someone who is. There is an organization, IDpro.org, that now certifies identity professionals. While no certification can ever prove a person has the knowledge and judgment you need, it’s a good start.