Do you really know who is accessing your applications and data? Federated identity takes a lot of the guesswork out of this question.
Most data breaches aren’t caused by some sleazy character in a distant location banging on his keyboard at lightning speed while walls of code flash all over the screen. Nobody says “I’m in” as they break through your firewalls to destroy your network or steal your data. Hacking has almost nothing to do with what they show in movies or on TV.
The vast majority of data breaches are caused by human error. Most hackers don’t “break your mainframe”. In most cases, users are careless. They create weak passwords, knowingly give credentials to phishing scams, and leak information to other social engineering attacks.
So how do companies deal with the problem of human error? They minimize these risks by implementing additional safeguards, ironclad authentication systems, and simplifying login processes that otherwise encourage shortcuts. Managing federated identities is a great first step in addressing these three risk management strategies.
Overview: What is Federated Identity Management (FIM)?
Federated Identity Management (FIM) is an identity arrangement established between multiple online domains/applications. This system allows application users to access many domains/applications without going through multiple logins.
I know what you’re thinking: federated identity management is a lot like single sign-on (SSO). Well, you are half right.
Federated Identity Management vs. Single Sign-On (SSO): What’s the Difference?
Federated identity management versus single sign-on is not the right dynamic for these two concepts. SSO Identity Management is a component under the umbrella of the Federated Security Model and although these terms are used interchangeably, they are not identical.
Federated single sign-on deals with logging into a single account that gives you access to many assets. For example, when I sign in to Google, I have access to my email, documents, spreadsheets, Drive, and all other types of Google assets and files I own. I don’t need to sign in to each individual tool and Google recognizes that I’m the one accessing them under federated SSO.
Federated identity management is similar in concept but applies in a much broader sense. Using FIM, I connect to a single identity provider, Okta or PingID for example. This identity provider acts as my validator for accessing a variety of different assets, such as SaaS applications.
So when I log into Okta, I’m presented with a bank of trusted apps which I can then click and log into without providing any credentials since Okta or PingID validates that I’m the one accessing that tool .
2 Key Benefits of Federated Identity Management
Managing federated identities serves a very specific, but important purpose. That’s why you only get two main benefits from these systems, but they are huge.
1. Increased productivity
How much time have you spent madly guessing different passwords after forgetting yours? All that wasted time searching, typing, trying, and eventually changing your password after giving up trying. I’ve lost count of how many times this has happened to me.
Federated identity management eliminates these difficulties by providing a single sign-on location secured by a password and multi-factor authentication methods. No more resetting tons of passwords or contacting your IT or SOC team when you locked yourself out of something.
2. Improved Security
Remember those easy-to-crack passwords? Eliminating them alone does wonders for your safety. Our brains aren’t wired to remember ten to twenty unique passwords for all of our logins, so we come up with an easy-to-remember password and use it over and over and over again. I’m looking at you, the one who still thinks “password” is a smart password.
Federated identity management lets you control your password standards and login procedures for your centralized SaaS application database, dramatically improving your security. You can set character limits, reset schedules, enforce multi-factor authentication, and even monitor when and how your employees access your FIM system.
How a Federated Identity System Works
Although I won’t go into SAML (Security Assertion Markup Language) and other technical details, read my simplified and practical version of how a federated identity system works.
1. User logs in to identity provider
The federated identity provider is the centralized management system that your employees will use to access all of your tools. They’ll enter a username and password that follow the security protocols you set so you don’t have to worry about weak passwords without unique symbols or numbers.
2. The identity provider authenticates the user
Most federated identity management systems also include multi-factor authentication to prevent malicious intruders from accessing resources through exposed passwords. These federated authentication methods include:
- Authentication by SMS token: An SMS message is sent to the user’s phone which includes a one-time code to be entered into the identity provider. This code is usually only viable for a short time.
- Email Token Authentication: Similar to SMS token authentication, except the one-time code arrives via email.
- Software token authentication: Using proprietary software, usually a mobile app, this method requires users to access the app to collect a one-time code or activate an authentication switch.
- Biometric authentication: Instead of relying on codes or switches, this method uses things like fingerprints and facial recognition scans to authenticate the user. Think TouchID or FaceID on iPhone.
- Security issues: This is the weakest (and oldest) form of authentication. Users answer the security questions established during account setup.
Once the user has authenticated their identity, they have access to the identity provider software. If the user cannot authenticate their identity, they will not be granted access, even if they have the correct credentials.
3. User selects desired assets
Now that the user has accessed the identity provider, they can choose the pre-determined applications listed. As an added security measure, rather than giving immediate access to the SaaS application or database of their choice, some identity providers require users to revalidate their identity each time they open an application.
PingOne does this through its software token authentication system. Every time I close an app and reopen it through the identity provider, I’m prompted to validate my identity using the PingOne mobile app.
This prevents malicious users from accessing applications on workstations left alone for short periods with the identity provider window open on their browser. Because who cares about endpoint security, right? This vigilant authentication process is based on the concept of zero-trust security.
Federated Identity Management System Suggestions
I’ve listed some FIM system suggestions that you should consider based on the reviews and ratings we conducted here at The Ascent. If you’re looking for a longer list, check out the other identity management software options we’ve reviewed.
Okta is the highest rated identity management software option on The Ascent and for good reason. It is one of the most well-known solutions on the market, offering many unique features such as adaptive multi-factor authentication, and offering these services at a competitive price, although it is the most expensive of these three options.
2. Google Cloud Identity
Google Cloud Identity is a great option for those who do most of their day-to-day work using Google’s suite of office products, such as Gmail, Docs, Sheets, Drive, and Hangouts. They offer many security features, such as contextualized access (time, location, etc.), application stores and security reports.
OneLogin includes many standard identity management features, such as MFA, SSO, and VPN authentication. OneLogin isn’t doing anything particularly new in the identity management market, but it’s catching up in the pricing department with an affordable starter plan and decent discounts on other subscriptions.
Security doesn’t stop at passwords and human error
Although I attribute much of the responsibility for security breaches to employee negligence, not all data seizures and network bugs are caused by them. Even the most secure networks and databases have vulnerabilities, and it’s only a matter of time before an attacker finds them, unless you patch or remove those weaknesses.
At The Ascent, we want to help you keep your business secure at every level, and that’s why we’ve put together plenty of helpful guides ranging from types of malware to threat-hunting processes to give you a head start. We’re constantly posting new content, and if you want to stay up to date with the latest reviews, best practices, and getting started guides, sign up for our newsletter above.