Many technology and security experts predict that “Bring Your Own Identity” (BYOI) is the next evolution of BYOD. However, the experts are divided on the security of BYOI. Some say it will make security stronger because of the way identity is used to connect to websites and networks; others say that by using third-party identities, employees put the network at risk because CISOs (chief information security officers) don’t know how or where these identities are being used.
BYOI represents an evolution in authentication schemes by offering a better user experience and better security than the use of, hopefully, multiple passwords for different services. The reality is that BYOI came along with BYOD, and we have seen that the efforts of enterprises to restrict, control and manage it have not been successful. BYOD accelerates the identity overload we face these days: the more devices and services, the more identities we have to protect. And until now we have protected them only with passwords.
As a security expert, I can’t wait for the day when people no longer have to use passwords. We have seen in the recent hacks that people use simple passwords, and they tend to reuse that simple password pretty much everywhere. The same applies to the email address: many consumers register everywhere with the same email address and use, for those services, the same password they use to access their email. So, if one service gets hacked, everything else gets hacked.
One could argue that in enterprises the situation is different. Yes, maybe the password policies force users to create stronger passwords and to change them more often. So, instead of one password, they will create two or three, which they will reuse. If the systems in use remember previously used passwords and refuse them, then users will write the password on a post-it and stick it on the display or under the table.
So, the problem is the same: the password. With one single service to authenticate against, the possibilities to secure it are much better, because consumers have only one password to remember, and it is quite easy to add two-factor authentication so that the password is not a single point of failure.
Also, a fact not to be ignored: single sign-on is used by all social media services. And social media is accessed in enterprises through devices owned by employees, even if the corporate network blocks the access. If social media is a phenomenon that can’t be stopped, why not make good use of it? When a company tries to set a security policy, it is always very hard to make people understand that it is in their interest. The employees don’t see the immediate value (assuming there is any) because they don’t understand what is in it that can help them personally. Social media is personal, and it can be used to increase the security of the enterprise.
These days single sign-on is fairly well represented by some well-known standards: OpenID and OAuth. The latter is now used by almost all online services, not only social media websites. And, with about 25 online services per person (on average), services like this are the only solution we have.
© Copyright 2014 Sorin Mustaca, All rights Reserved. Written For: Sorin Mustaca on Cybersecurity