Identity and Access Management for Startups
- Shania Smith
- Senior Marketing Officer - Content - WSO2
Startups range from small to large-scale businesses and span many different fields of interest. With entrepreneurship becoming one of the hot trends of the decade, a lot of startups have shown up on the records. Many innovative ideas are converted into businesses. Some of these startups grow into large businesses, whereas many reach the end of the line in a very short span of time. But this doesn’t keep entrepreneurs from capturing business opportunities. Startups keep showing up each day.
New job opportunities are created as a result of the rise of startups. And along with that comes a client base. Staff and clients become the stakeholders of the business, each with their own identity. Over the last decade, records have moved from paper to digitized forms. Many software solutions have been introduced to solve the many problems that are faced by businesses. Different problems are solved by different solutions from different vendors, and managing these solutions can be complicated.
Modern companies are encouraged to move towards adopting a digital infrastructure. The services that make up this infrastructure require access to data, which may include sensitive information. Proper security measures are a must for protecting data from possible attackers. Convenience, in addition to security, is also an important consideration. This is where identity and access management (IAM) comes into play.
Before starting off on the “how” aspect, I’m going to talk about the “what”. So, what exactly is IAM? In simple terms, just as the words say, it’s all about managing different users and defining the methods by which these users can access different services. Access can be obtained using different authentication methods, which can differ according to the level of security required.
User Account Management
All stakeholders of a business are users if they take part in the virtual representation of the business. Even a startup needs to have proper infrastructure that can manage these users and give relevant access to data required by these users. It might be an internal system that keeps track of all records of jobs that are done or an online store that is maintained by the startup. Using an IAM tool can always give an upper hand when managing users.
Depending on the domain of a startup, there might be a number of services that can be used. These services might be developed in-house or distributed by a third-party developer or vendor. Accessing these services requires creating accounts. If a number of apps are used, a similar number of accounts need to be created. Remembering a lot of passwords can prove to be difficult, and writing them down or saving them can end up resulting in a data breach. The goal of single sign-on (SSO) is to be able to access multiple services using the same credentials, bringing a large convenience factor into the equation. An added value is that once an account is created for a user in one application, access to all the other applications will be granted automatically or can be granted by the admin with ease.
When you go into a website or application which requires a sign-up, the most convenient method of creating the account is signing up with Google or Facebook, isn’t it? Federated authentication allows users access to any provided service using existing accounts. This can be considered even more centralized than SSO.
Two-factor authentication is a well-known security measure taken by a number of large service providers. It increases security by breaking the authentication process into two parts, commonly by sending a secret code to either your phone or email address. Multi-factor authentication (MFA) takes it to the next step by adding a few more steps to the authentication process. There are 3 types of ways you can prove your identity:
- Things that you know (passwords, PINs, etc.)
- Things that you own (phone, email, etc.)
- Things that you are (biometrics)
But additional security comes at a cost. Adding more authentication methods will result in a lower level of convenience, so it’s important to find the right balance between security and convenience. Having good security measures is never a bad thing. Therefore, enabling MFA for apps connected to your startup could reduce the possibility of a data breach.
Adaptive authentication is a method of overcoming the convenience issue that is brought up by MFA while keeping the additional blanket of high security. It has the ability to determine the steps followed for authentication depending on various factors such as the role of the user or the location the service is accessed from. For example, the level of security required at a café (connected to a public Wi-Fi network) can differ from what’s required inside an office building (secure network). This is where adaptive authentication comes into play.
You get to decide who should be using a fingerprint scanner to log in and if MFA is required when accessing a service outside of the secure office network. Still confused? Adaptive authentication lets you set the level of security required depending on the scenario at hand. Even in a startup, there can be roles that contain or have access to sensitive information which will need to be given extra layers of security. With an increasing number of employees working from home globally, working on possibly unsecured networks can lead to security breaches. Having an additional layer of security for authentication can save a startup from the leakage of sensitive information which may lead to an eventual downfall.
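The adaptive decision described above can be written as a small policy check. The Python below is an added example, not code from the article or from any IAM product: it requires a fingerprint for sensitive roles and a second factor category outside the office network, and it counts distinct categories so that a password plus a PIN (both things you know) does not pass as MFA. The office range, role names, and factor names are constructed assumptions.

```python
import ipaddress

# Factor -> category, following the three categories listed in the article.
FACTOR_CATEGORY = {
    "password": "know", "pin": "know",
    "phone_code": "own", "email_code": "own",
    "fingerprint": "are",
}
# Constructed sample policy values (assumptions, not from the article).
OFFICE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
SENSITIVE_ROLES = {"finance", "admin"}


def on_office_network(source_ip):
    """True if source_ip parses and falls inside a known office range."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # an unparseable address is treated as untrusted
    return any(addr in net for net in OFFICE_NETWORKS)


def policy_for(roles, source_ip):
    """Return (minimum distinct categories, factors that must be present)."""
    min_categories = 1 if on_office_network(source_ip) else 2
    mandatory = {"password"}
    if SENSITIVE_ROLES & set(roles):
        # Sensitive roles always present a biometric, wherever they log in.
        mandatory.add("fingerprint")
    return min_categories, mandatory


def login_allowed(roles, source_ip, completed):
    """Check the factors a user completed against the adaptive policy."""
    completed = {f for f in completed if f in FACTOR_CATEGORY}
    min_categories, mandatory = policy_for(roles, source_ip)
    categories = {FACTOR_CATEGORY[f] for f in completed}
    return mandatory <= completed and len(categories) >= min_categories
```

A login from inside the office range by a non-sensitive role passes with the password alone, while the same user on a café network needs a factor from a second category.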
Having an IAM system in place from the very start of a new company can be very useful in the long run, as it helps the company move ahead with a solid infrastructure that has the capabilities required for expansion, avoiding any unnecessary identity silos. It also acts as a blanket of security that protects the data from possible attackers.