Growing demand for identity management that spans internal and cloud-based systems will push companies towards increasingly flexible and context-reliant user identification that will likely include social media logins and other credentials, an Oracle technical expert has predicted.
Speaking with CSO Australia at this week's Oracle CloudWorld conference, Clarence Cheah, the company's senior manager for identity management, said the increasingly circuitous path taken by users and data – from on-premises systems to cloud-based systems, for example, and to mobile devices and back – had forced enterprises to look past conventional user ID-and-password authentication schema to 'continuous authentication' where user credentials follow their path from one online service to another.
This approach, in turn, requires services to consider a range of factors in establishing a user's identity – including, for example, the device they're using, the country or city they're accessing it from, or the device's current location.
Authentication "used to be simple," Cheah said. "You'd have a username and password, and maybe a token. But if you're going to go to a concept of continuous authentication – to allow the integrity of that application, to allow for SaaS or for using a mobile device – that means we have to know a lot more about you. Yet users expect a simpler, quicker login."
They also want a login that's familiar, he added. And, because identity will be determined by a number of factors, "it's not really a major issue if one of those is a Facebook login, versus the context of your devices and the history of how you transact."
The need for a more holistic view of identity is driven by the fact that "new requirements are being brought onboard quicker than they ever have been," said Richard Watson, Oracle's ANZ general manager for security and identity management.
"I remember talking to clients two years ago, who said they would never accept a social login – but now they're walking around with iPhones and accessing their email and Facebook."
The Australian market has been particularly proactive in revisiting long-held user management practices that had often ended up with each key application maintaining its own user-identification systems, Cheah said, adding that the rest of the Asia-Pacific region was still taking "baby steps".
"The maturity of the Australian market, from a regulatory and governance perspective, has really been able to help redefine what identity means," he explained. "Awareness of what identification is, has evolved well over the last 20 years of silos being built up in different application tasks – and we're still grappling with trying to bring them back together."
With a myriad of cloud applications and mobile devices creating new access methods, there was a risk that new silos could be created – which lent further credence to the positioning of social media as a user-friendly baseline for authentication.
Cheah cited the challenges of authentication to online government services, whose users are charged with remembering usernames and passwords for services they might only visit once or twice a year. The simple task of administering these services imposes such a burden that tying into more frequently-used social services could prove to be a more user-friendly process of user authentication.
"It becomes a matter of the social media [being the baseline] and then augmenting that with other authentication methods," Cheah explained. "It's developing a heuristic awareness that you can continue to develop; you've got to have all of those endpoints tying back through a strong policy control engine."
The benefits for organisations are many, he continued: "That becomes a huge opportunity – not just in reducing the administration costs around resetting usernames and passwords, but also in accelerating the deployment of services. We have a security container that we can deploy on the user's device, we can build a solid core and control the way authentication security flows."
Watson agrees, noting that companies that fail to revisit their ideas of what identity management involves, will fall behind the curve as the increasing fluidity of the user environment exposes the weaknesses in existing authentication methods.
"Start with a convergence outcome in mind," he said. "Unless you've actually invested in the discipline of a converged baseline approach to onboard these requirements, you're still going to be chasing your tail."
This article is brought to you by Enex TestLab, content directors for CSO Australia.