What is Bring Your Own Identity?
I imagine that we’re all familiar with BYOD–bring your own device–and the benefits and security issues associated with the idea, but now people are beginning to talk about bring your own identity (BYOI). So, what is it and what are the implications for our sites?
Well, let’s turn back time and see where BYOI has come from. Back in the 1970s, the only way you could work on a computer was by punching cards or sitting down at a dumb terminal and logging in. That was your relationship with IT and the organization. But nowadays, the relationship is quite different. I may be accessing mainframe information through a browser on my laptop, tablet or smartphone. It’s quite likely that my personal device is newer and more powerful than anything the IT team could supply me with. I treat IT services like I treat other company services (e.g., cars, paper clips, coffee machines). I am a consumer, and I expect my experience with corporate IT to be as quick and easy as it is with Amazon, Facebook, Twitter, eBay, etc.
As a consequence of this, I want single sign-on (SSO) to give me access to everything I’m permitted to access. I don’t want to have to remember multiple user IDs and passwords. I don’t want to have to think of a new user name and password when I sign up at a new site or company. I want to bring my identity with me and just get on and do what I want to do. I want to carry around my identity and gain fast and easy access to all the services and organizations I usually access. That’s basically the idea behind BYOI.
One of the clear indications that this is a popular request from people–and not just me–is the fact that many websites allow users to log in using their Facebook or Twitter credentials. And this is where OAuth comes in. Wikipedia tells us that OAuth is an open standard for authorization. What makes it so useful is that it provides a way for clients to access server resources on behalf of a resource owner (e.g., a different client or an end-user). In addition, it provides a process for end-users to authorize third-party access to their server resources without sharing their credentials, using user-agent redirections.
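As an added illustration of the redirection-based flow described above (this is not code from the article), here is a small Python simulation of a website outsourcing login to an identity provider: the IdP and site names, URLs, client secret and user credentials are all constructed placeholders, and the two classes stand in for the IdP and the website with no network involved.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

CLIENT_ID, CLIENT_SECRET = "our-website", "our-client-secret"   # constructed placeholders
REDIRECT_URI = "https://site.example/callback"                   # hypothetical site URL

class Website:
    """Service provider: it redirects the user to the IdP and never sees the password."""
    def __init__(self):
        self.pending = set()   # states of logins currently in flight

    def start_login(self):
        state = secrets.token_urlsafe(16)   # one-time value bound to this browser session
        self.pending.add(state)
        return "https://idp.example/oauth/authorize?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI, "scope": "profile", "state": state})

    def handle_callback(self, callback_url, idp):
        q = parse_qs(urlparse(callback_url).query)
        state, code = q.get("state", [None])[0], q.get("code", [None])[0]
        if state not in self.pending or code is None:
            return None   # unknown or reused state: reject the callback
        self.pending.discard(state)
        # Back-channel exchange: the site authenticates itself and swaps the code for an identity.
        return idp.exchange_code(code, CLIENT_ID, CLIENT_SECRET)

class IdentityProvider:
    def __init__(self):
        self.users = {"alice": "correct horse"}   # constructed test credentials
        self.codes = {}   # one-time authorization codes -> (user, client they were issued to)

    def authorize(self, authorize_url, username, password):
        """The user logs in at the IdP; on success the IdP redirects back with a one-time code."""
        q = parse_qs(urlparse(authorize_url).query)
        if self.users.get(username) != password:
            return None
        code = secrets.token_urlsafe(16)
        self.codes[code] = (username, q["client_id"][0])
        return q["redirect_uri"][0] + "?" + urlencode({"code": code, "state": q["state"][0]})

    def exchange_code(self, code, client_id, client_secret):
        owner, issued_to = self.codes.pop(code, (None, None))
        if owner is None or issued_to != client_id or client_secret != CLIENT_SECRET:
            return None
        return {"sub": owner}   # the only thing the website learns: who the user is

def demo():
    idp, site = IdentityProvider(), Website()
    callback = idp.authorize(site.start_login(), "alice", "correct horse")
    return site.handle_callback(callback, idp)
```

The website ends up with an identity assertion from the IdP and nothing else; a callback whose `state` it did not issue, or one replayed after use, is rejected.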
What will come hard to mainframe security people is that OAuth takes entitlement and management away from them and gives it to the end users! There will be a moment’s silence while RACF administrators digest that thought!
Two other open standards, SAML and OpenID, address the issue of SSO. The SAML (Security Assertion Markup Language) specification defines three roles: the principal (typically a user), the identity provider (IdP) and the service provider (SP). OpenID provides a way for users to consolidate their digital identities by having a single OpenID when connecting to different websites.
Another name you may have come across is the Kantara Initiative. This is an organization founded in 2009 dedicated to advancing technical and legal innovation related to digital identity management. While Kantara isn’t a standards body itself, it does make recommendations to existing standards bodies about digital identity management.
So, if corporations are embracing social media as a way of getting their message out to people–I’m thinking of Facebook pages, Twitter, and perhaps using LinkedIn, Pinterest and Google, etc.–and encouraging those people to buy products or services, what would stop the organization from using a Facebook or Twitter validated ID to allow users direct access to their website? Why do we need potential customers to create a new ID, which they may forget, on our website? Why do we have to go through all the rigmarole of setting up registration pages and sending password reminders to people who forget theirs? What many organizations are doing is outsourcing login validation to Facebook or Twitter. Effectively, those organizations are getting identity validation for free!
But, you may well argue, there’s a huge difference between buying a book, perhaps, and authorizing most of your savings to be transferred to an offshore account! You might well feel that a Facebook validation isn’t enough to authorize users to run a CICS transaction against the most secure files in a DB2 database. And this is pretty much where we are at the moment when it comes to identity and access management–on the one hand we have the need to secure our data and transactions from unauthorized access, and on the other we have users wanting SSO and currently suffering from what’s called login fatigue or identity fatigue.
The likelihood is that accessing mainframes from a browser will not just continue, but will grow in popularity. More monitoring products will provide a browser interface, allowing users to see what’s going on from a tablet device. More CICS programs, for example, are being Web enabled. Techies are using Java to get results from the mainframe onto their tablet devices. And I would guess that we’ll see more programs like IBM Security Access Manager for Web and IBM Tivoli Federated Identity Manager that allow users to access and modify mainframe data using SSO. And we’ll see the facilities and functions in those programs being hugely extended.
And when people change jobs or go home for the night, their online identities will simply go with them.
Trevor Eddolls is CEO at iTech-Ed Ltd., an IT consultancy. For many years, he was the editorial director for Xephon’s Update publications and is now contributing editor to the Arcati Mainframe Yearbook. Eddolls has written three specialist IT books, and has had numerous technical articles published. He currently chairs the Virtual IMS and Virtual CICS user groups.