Further Exploring Identity Management

by Yvonne Wilson

It was such a simple request. My manager called me into his office and told me there was a server running in a closet in our Singapore office. It had a small directory service running on it. “Can you figure out what to do with it?” One little server running in a closet. How hard could that be? “Sure, no problem”, I said. Digging into that one request would change the course of my career and lead to writing a book.

I soon found myself leading a team to design a worldwide directory service for a Fortune 500 company, and then a project to add a single sign-on service. Then we added federated single sign-on so employees could use corporate credentials to securely log into SaaS services. After those deployments, we experimented with different types of multi-factor authentication, including personal certificates, for use with this infrastructure. We solved countless challenges along the way, so when I landed at Oracle through an acquisition, I figured customers without such expertise would rather leverage a cloud service than build such infrastructure themselves. I created a team that built a suite of managed cloud (dedicated) identity services and worked with many customers to implement account provisioning, authentication and federation. After helping customers at Oracle, I joined Auth0 in its early days and worked with customers of its identity service, many of whom were building custom applications.

The customers came from many industries, including the tech industry, health insurance, banking, law enforcement and education. Their application projects needed account provisioning, authentication, authorization and/or identity federation. Some teams were implementing purchased software and some were writing new applications. Some teams needed to establish accounts for their users and some wanted to leverage existing accounts.

Some needed to implement multi-factor authentication and some wanted the sign-in process to be as simple and unobtrusive as possible. Despite the different industries and unique requirements for each customer, there were noticeable patterns in the issues they faced. Projects were frequently delayed by surprises caused by identity-related requirements missing from the team’s radar screen.

One of the most common mistakes was allocating time to get authentication working but not for logoff, especially in single sign-on environments. Decisions must be made about what happens when a user logs off. Should all the user’s application sessions be terminated or just one? If all, should it occur immediately or just when each session times out? These decisions can require input from multiple teams as they impact user experience as well as security. Leaving logoff design until late in a project can result in delays, bad user experience or vulnerabilities.

Another issue was planning to transfer user accounts from a legacy system to a new system and not realizing that the old system’s passwords would not work in the new system. Passwords are stored in a hashed format that cannot be reversed, and different systems may use different hash algorithms. To use an analogy from childhood, this is like getting a coded message but having the wrong secret decoder wheel, so you can’t decode the message. These challenges can be resolved, but it requires work. Realizing this at the end of a project causes delays.

Yet another cause of delay is inadequate planning for administrative needs. A project may need to immediately terminate access if an employee is fired or handle a malicious account takeover. Similarly, secure processes are needed for forgotten passwords or lost/broken phones used in the authentication process. Even deleting accounts isn’t simple given privacy, audit and security
requirements.

After seeing numerous projects hit with surprises and delays, I started helping customers identify the requirements their project might need to consider. This included handling many of the events in the life of an identity such as:

• Establishing accounts, including passwords
• Selection of appropriate identifier attributes
• Authentication
• Authorization
• Access policy enforcement
• Handling sessions, including log off
• Account management
• Deprovisioning
• Audit and compliance

At Auth0, Abhishek (coauthor for the book) and I worked with many customers who faced similar identity challenges. Chatting one day, we realized we’d been giving many customers the same advice and that it would be helpful to write it down.

With that inspiration, we decided to create a book that would serve as an introductory overview. Our goal was to share with developers, architects and project owners what an application project might need for identity management. We also wanted to provide a high level explanation of popular protocols to help newcomers understand what each was designed to do and how they related to each other. We believe there is a need for more people with identity management expertise, and this will continue to be true given the need for software to control new types of devices. We hope you enjoy reading the book and it inspires you to learn more about identity management.

About the Author

Yvonne Wilson has had many roles in the software industry related to security and identity management as a developer, security architect, customer success engineer working with customers, founder of cloud identity services, and director of a security governance, risk, and compliance function. She was responsible for IT security strategy and architecture at Sun Microsystems, founded and designed the identity management services offered through Oracle Managed Cloud Services, and worked as Director of Customer Success and Senior Director of GRC at Auth0.

In working with business teams at Sun and while founding the initial support team at Auth0, Yvonne worked with many customers, from small startups to large enterprises, and through the implementation of SSO, federated SSO, adaptive knowledge-based authentication, and identity provisioning. From this depth of experience, she realized the need for a basic understanding of identity management concepts by business application owners as well as architects and developers. 

This article was contributed by Yvonne Wilson, author of Solving Identity Management in Modern Applications.