Most data breaches aren’t caused by some shady character in a far-off location banging away at a keyboard while walls of code flash across the screen. No one says “I’m in” as they blast through your firewalls to tear down your network or steal your data. Hacking is almost nothing like what they show in the movies or on television.
The majority of data breaches involve human error. Most attackers aren’t “breaching your mainframe”; they log in with credentials a user handed over. In most cases, users are careless: they create weak or reused passwords, willingly give up credentials to phishing scams, and divulge information to other social engineering attacks.
So how do businesses handle the problem of human error? They minimize the risk by adding safeguards (a second authentication factor, for example), making authentication systems harder to get wrong, and simplifying login processes that otherwise incentivize cutting corners. Federated identity management is a great first step on all three fronts.
Overview: What is federated identity management (FIM)?
Federated identity management (FIM) is a trust arrangement between an identity provider and multiple online domains/applications that agree to accept its word on who a user is. Users sign in once, at the identity provider, and can then access all of those domains/applications without going through a separate login at each.
I know what you’re thinking: federated identity management sounds an awful lot like single sign-on (SSO). Well, you’re half right.
Federated identity management vs. single sign-on (SSO): What’s the difference?
Federated identity management vs. SSO isn’t really the right framing. Single sign-on is one capability under the federated identity umbrella, and while the terms get used interchangeably, they’re not the same thing.
Single sign-on deals with signing into one account that gives you access to many assets. For example, when I log into Google, I get access to my email, my Docs, my Sheets, my Drive, and all the other Google assets and files I own. I don’t have to log into each individual tool, because Google recognizes it’s me in every one of them. That is SSO within a single identity domain: Google is both the place I authenticate and the owner of everything I access.
Federated identity management is similar in concept but extends it across organizational boundaries. Using FIM, I log into a single identity provider, Okta or PingID for example. That identity provider acts as my validator for a variety of assets owned by other parties, such as SaaS applications, which have been configured to trust it.
So when I log into Okta, I’m presented with a bank of approved applications I can click on and open without providing credentials again. Behind the scenes the identity provider hands each application a signed assertion (SAML or OpenID Connect) stating who I am and how I authenticated; the application checks that signature against the identity provider’s public key and never sees my password at all.
2 main benefits of federated identity management
Federated identity management serves a narrow but important purpose, so there are really only two main benefits from these systems. They’re massive, though.
1. Increased productivity
How much time have you spent madly guessing different passwords after forgetting yours? All of that wasted time searching, typing, attempting, and eventually changing your password after you’ve given up trying. I’ve lost count of how often this has happened to me.
Federated identity management eliminates these struggles by providing a single sign-on location secured with a password and multifactor authentication. No more resetting a pile of passwords or calling your IT help desk when you’ve locked yourself out of something.
2. Improved security
Remember those easy-to-crack passwords? Eliminating them alone does wonders for your security. Our brains are not wired to remember ten to twenty unique passwords for all of our logins, which is why we come up with one easy to remember password and use it over, and over, and over again. I’m looking at you, whoever still thinks “password” is a clever password.
Federated identity management gives you central control over password standards and login procedures for your whole catalog of SaaS applications, which improves your security immensely. You can set minimum length and complexity rules, screen new passwords against known-breached lists, enforce multifactor authentication, and monitor when, from where and how your employees are accessing your FIM system. Scheduled resets are an option too, though current NIST guidance (SP 800-63B) advises against forced periodic rotation in favour of length and breach-list screening, since rotation mostly produces predictable variations of the old password.
How a federated identity system works
While I’m not going to get into the weeds on SAML (Security Assertion Markup Language), OpenID Connect and the other protocol details, have a read of my simplified and practical version of how a federated identity system works.
1. User logs into the identity provider
The federated identity provider is the central system your employees use to reach all of your tools. They enter a username and password that meets the policy you’ve set, so you aren’t relying on each SaaS vendor to reject weak passwords with no unique symbols or numbers.
2. Identity provider authenticates the user
Most federated identity management systems also include multifactor authentication, so that a password exposed by phishing or a breach is not enough on its own to reach your assets. Common second factors include:
- SMS token authentication: An SMS message with a one-time code is sent to the user’s phone, to be entered into the identity provider. The code is usually only valid for a short period. This is the most exposed of the token methods: SIM-swap attacks and SS7 interception can redirect the message, which is why NIST SP 800-63B classifies SMS delivery as a restricted authenticator.
- Email token authentication: Similar to SMS token authentication, except the one-time code arrives via email. It is only as strong as the mailbox, which is often protected by the very password you’re trying to back up.
- Software token authentication: Using an authenticator app on the user’s phone, this method either shows a time-based one-time code (TOTP, RFC 6238) to type in or sends a push prompt to approve. Push approvals are convenient, but users will eventually approve a prompt they didn’t trigger if an attacker sends enough of them, so pair push with number matching or a similar confirmation step.
- Biometric authentication: Instead of codes or prompts, this method uses a fingerprint or facial recognition scan to authenticate the user. Think TouchID or FaceID on the iPhone. In practice the biometric unlocks a key stored on the device, which then signs a challenge; the fingerprint itself never leaves the phone.
- Security questions: This is the weakest (and oldest) form of authentication. Users answer questions set up during account creation. The answers are often guessable or findable on social media, and since they are just another thing the user knows, they add no real second factor on top of a password.
Once the user has passed these checks, they are granted access to the identity provider. If the user cannot complete the second factor, they are not granted access, even with the correct password.
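As an added example (my own illustrative code, not from the original article and not any vendor’s implementation), here is what the software-token method above looks like on the identity provider’s side: an RFC 6238 TOTP generator, plus a verifier that tolerates one time step of clock skew, compares in constant time, and refuses to accept the same time step twice, so a code captured by a phishing page cannot be replayed within its validity window. The secret is the RFC 6238 test-vector key and the timestamps are constructed sample values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
)

const step = 30 // RFC 6238 time step in seconds

// totpCode derives a time-based one-time code from the shared secret and a Unix
// timestamp: HMAC-SHA1 over the big-endian step counter, RFC 4226 dynamic
// truncation, then the low `digits` decimal digits, zero-padded.
func totpCode(secret []byte, unixTime int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Verifier is the identity provider's side of software-token authentication.
// It remembers the last time step it accepted for this user, so a code that a
// phishing page captured cannot be replayed within the same 30 seconds.
type Verifier struct {
	secret       []byte
	lastAccepted int64 // highest time step already used; -1 means none yet
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, lastAccepted: -1}
}

// Accept checks a submitted code against the current step and one step either
// side (clock skew), in constant time so the comparison does not leak how many
// leading digits matched, and never accepts a step at or below the last one used.
func (v *Verifier) Accept(submitted string, unixTime int64) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		t := unixTime + skew*step
		if t/step <= v.lastAccepted {
			continue // this step was already consumed (or is older): replay
		}
		if hmac.Equal([]byte(totpCode(v.secret, t, 6)), []byte(submitted)) {
			v.lastAccepted = t / step
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: the RFC 6238 test secret, ASCII "12345678901234567890".
	secret := []byte("12345678901234567890")
	for _, ts := range []int64{59, 1111111109, 1234567890} {
		fmt.Printf("t=%d code=%s\n", ts, totpCode(secret, ts, 6))
	}
	v := NewVerifier(secret)
	code := totpCode(secret, 59, 6)
	fmt.Println("first use accepted:", v.Accept(code, 59))
	fmt.Println("replay accepted:   ", v.Accept(code, 59))
}
```

Run it with `go run`; for the RFC test secret the codes at t=59, 1111111109 and 1234567890 are 287082, 081804 and 005924. The replay rule is what makes a “short validity period” mean something: 30 seconds is plenty for an attacker relaying codes in real time, so where the protocol allows it the identity provider should also bind the accepted code to the browser session that requested it.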
3. User selects their desired assets
Now that the user has accessed the identity provider, they may choose whichever predetermined applications are listed. As an added security measure, rather than give immediate access to whichever SaaS application or database they want, some identity providers require users to revalidate their identity each time they open an application.
PingOne does this through its software token authentication system. Each time I close an application and reopen it through the identity provider, I am prompted to validate my identity using the PingOne mobile application.
This limits what a passer-by can do with a workstation left unlocked for a few minutes with the identity provider window open in the browser. It is not a substitute for endpoint security (a screen lock with a short idle timeout stops the same attack earlier), but it is a useful extra layer. This habit of re-verifying on every access is the core idea of zero-trust security: no request is trusted just because an earlier one was.
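To make the three steps concrete, here is an added example (my own illustrative code, not the page’s and not how Okta, PingOne or any product implements it) of the trust relationship that lets step 3 work without a second password. The identity provider signs an assertion with a private key only it holds, and each application checks that assertion with nothing but the provider’s public key. The checks in `Verify` are the ones any relying party must make: signature before anything else, trusted issuer, correct audience, validity window, freshness of the underlying authentication (the re-validation behaviour described above, enforced by the application rather than left to the user), and no reuse. The encoding is a deliberately simplified stand-in for SAML or OpenID Connect; the issuer URL, application names, user and timestamps are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Assertion is the claim set the IdP signs. Names follow OIDC/SAML vocabulary, but the
// encoding used below is a simplified illustration, not real SAML or JWT.
type Assertion struct {
	Issuer   string   `json:"iss"`
	Audience string   `json:"aud"`       // the one application this assertion is for
	Subject  string   `json:"sub"`       // the authenticated user
	IssuedAt int64    `json:"iat"`
	Expires  int64    `json:"exp"`
	AuthTime int64    `json:"auth_time"` // when the user last proved their identity
	AMR      []string `json:"amr"`       // methods used, e.g. "pwd", "otp"
}

// IdentityProvider holds the private signing key; no application ever sees it.
type IdentityProvider struct {
	Name string
	priv ed25519.PrivateKey
}

// NewIdentityProvider returns the IdP and its public key, all an application needs to trust it.
func NewIdentityProvider(name string) (*IdentityProvider, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &IdentityProvider{Name: name, priv: priv}, pub, nil
}

// Issue mints a five-minute assertion bound to one audience: base64url(payload).base64url(sig).
func (idp *IdentityProvider) Issue(subject, audience string, now, authTime int64, amr []string) (string, error) {
	a := Assertion{Issuer: idp.Name, Audience: audience, Subject: subject,
		IssuedAt: now, Expires: now + 300, AuthTime: authTime, AMR: amr}
	payload, err := json.Marshal(a)
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(ed25519.Sign(idp.priv, payload)), nil
}

// ServiceProvider is one federated application: its own name, the issuer it trusts and that
// issuer's public key, how stale an authentication it accepts, and signatures already consumed.
type ServiceProvider struct {
	Audience, TrustedIssuer string
	IssuerKey               ed25519.PublicKey
	MaxAuthAge              int64 // seconds since auth_time before re-validation is demanded
	seen                    map[string]bool
}

// Verify makes the checks every relying party must make, signature first:
// nothing inside an unverified payload may influence any decision.
func (sp *ServiceProvider) Verify(token string, now int64) (*Assertion, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed assertion")
	}
	payload, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	if err1 != nil || err2 != nil || !ed25519.Verify(sp.IssuerKey, payload, sig) {
		return nil, errors.New("signature does not verify under the trusted issuer key")
	}
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return nil, err
	}
	switch {
	case a.Issuer != sp.TrustedIssuer:
		return nil, errors.New("untrusted issuer")
	case a.Audience != sp.Audience:
		return nil, errors.New("assertion was issued for a different application")
	case now < a.IssuedAt || now >= a.Expires:
		return nil, errors.New("assertion expired or not yet valid")
	case now-a.AuthTime > sp.MaxAuthAge:
		return nil, errors.New("authentication too old: user must re-validate")
	case sp.seen[parts[1]]:
		return nil, errors.New("assertion already used")
	}
	if sp.seen == nil {
		sp.seen = map[string]bool{}
	}
	sp.seen[parts[1]] = true
	return &a, nil
}

// tamperSubject rewrites the subject claim but keeps the original signature, as an
// attacker who intercepted an assertion might try; Verify must reject the result.
func tamperSubject(token, newSubject string) string {
	parts := strings.Split(token, ".")
	payload, _ := base64.RawURLEncoding.DecodeString(parts[0])
	var a Assertion
	_ = json.Unmarshal(payload, &a)
	a.Subject = newSubject
	forged, _ := json.Marshal(a)
	return base64.RawURLEncoding.EncodeToString(forged) + "." + parts[1]
}
```

Go’s standard library includes Ed25519, so this needs no dependencies. `tamperSubject` shows what a captured assertion is worth to an attacker: change a single claim and the signature no longer verifies, and replaying the unchanged assertion trips the `seen` check. In a real deployment the `seen` set needs a bounded lifetime tied to `exp`, and the public key is normally fetched from the provider’s published metadata rather than pasted in by hand.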
Federated identity management system suggestions
I’ve listed a few FIM system suggestions you ought to consider based on reviews and ratings we’ve conducted here at The Blueprint. If you’re looking for a longer list, check out the other identity management software options we’ve reviewed.
1. Okta
Okta is the highest rated identity management software option on The Blueprint, and for good reason. It is one of the best-known solutions on the market and offers unique features such as adaptive multi-factor authentication at a competitive price, although it is the most expensive of the three options here.
2. Google Cloud Identity
Google Cloud Identity is a great option for those who perform most of their daily work in Google’s suite of office products, such as Gmail, Docs, Sheets, Drive, and Hangouts. It offers many security features, such as context-aware access policies (time, location, etc.), application banks, and security reports.
3. OneLogin
OneLogin includes many of the standard identity management features, such as MFA, SSO, and VPN integration. It doesn’t do anything particularly new in the identity management market, but it makes up ground on price, with an affordable starter plan and decent discounts on other subscriptions.
Security doesn’t end with passwords and human error
While I’ve put a lot of the blame for breaches on careless employees, not every breach or intrusion starts with them. Even the most carefully run networks and databases have vulnerabilities, and it’s only a matter of time before an attacker finds one, unless you patch or remove the weakness first.
We at The Blueprint want to help you secure your business at every level, and that’s why we’ve put together lots of helpful guides from malware types to threat hunting processes to give you a solid start. We’re constantly releasing new content, and if you want to stay up to date on the latest reviews, best practices, and starter guides, sign up for our newsletter above.