
Your Custom Authentication is Wrong

Identity and Access Management is the starting point for every enterprise. Learn why.

Are you tired of password prompts? In 2020, I am.

I hate the friction we feel when accessing the ecosystem of tools we use daily. I’m myself; why should I have to prove it twice?

Moreover, with security threats on the rise, I also want to know where I’m typing my passwords: security matters to me.

I remember the first timid attempts at creating SSO (Single Sign-On) solutions in the 2000s. We had many handcrafted tools, using cookies, redirects, and other tricks to get the job done. Every company had to reinvent the wheel.

This age ended when OAuth (and then OAuth2) became the standard and made it easy to build SSO scenarios and share authentication across applications.

Well, this was a big step forward, but it is not the end. The OAuth2 protocol solves only one part of the problem: we still need to write code to implement the authentication system.

Coding is wonderful, but it takes time and costs money. We cannot reinvent the wheel every time. That’s why I wrote an article about finding a standard solution for identity and access management (IAM), and you should read it!

Photo by Kyle Glenn on Unsplash

Note from Towards Data Science’s editors: While we allow independent authors to publish articles in accordance with our rules and guidelines, we do not endorse each author’s contribution. You should not rely on an author’s works without seeking professional advice. See our Reader Terms for details.


What is the problem with logins?

I can understand that if you are entering two different services from two different providers, like Gmail and Outlook, you need to enter different credentials. That’s the only option. But what if the tools come from the same company? Think about that as a customer, but also as an employee, fighting with the thousands of B2B tools you use every day: ERP, CRM, time tracking, mail, and for each one you need to enter different credentials.

I’m tired. This is the most common feeling of a typical user.

In most companies, it is still common to have multiple vertical applications, each living in its own scope. Some call them silos. We are fighting to break down silo isolation using data integration, but we still have to enter our password twice.

And passwords may differ from system to system, with different policies. So you can have the old ERP where you have had the same password since 1985, or the new CRM that asks you to change the password every week, forbidding any memorizable word and requiring numbers, mixed uppercase and lowercase characters, and maybe also an emoticon.

I’m sure you hate this situation as much as I do, so you will feel a little better by reading this article to the end.

You will find a practical solution to all these problems and to other issues not related to user experience (yes, the pain of the user is just the tip of the iceberg).


Why do we need IAM (Identity and Access Management)?

Identity and access management (IAM) is a platform where you can implement authentication processes and policies. This piece of technology lets you manage all users in a single place and lets IT managers sleep at night.

The IAM is the architectural component that allows every application to know who is who.

In the figure below, you can see that the IAM acts as a central access point that interacts with the user databases and implements the security standards.

IAM Diagram. Image by Author.

Thinking about authentication, my primary pain is the user experience. Entering passwords many times sucks. We already said that. But this is the least important point when thinking as an IT manager.

We need to expand our pain points to all the fields of IT: governance, maintenance, and, with a particular focus, security.

So, the central areas of improvement are:

  • Productivity. We already spend a lot of time focusing on user needs. But we also have to think about their productivity. Users can only lose productivity while fighting with passwords and multiple access points. But the higher cost is developing a hundred different authentication systems. How much does it cost to develop and maintain one access management system for each application?
  • Security. Keeping security standards high on all access points is hard. It is also hard to implement the best security policy on each user database.
  • Compliance. With the arrival of strict requirements like GDPR, we cannot fail at any point. What if some policy requires adding two-factor authentication to each application? How much will it cost to replicate this feature in each application? If you think this will never happen, look at a simple task like access log management. Having many log files to collect from many servers is more problematic than having only one, as it is hard to apply the same log policy across all systems.
  • Help desk savings. Each forgotten password takes time to reset, and having multiple access points makes this harder. Your help desk needs access to all the applications’ control panels, which forces each application to implement and expose this feature. Moreover, more passwords mean more complexity, more forgotten passwords, and a considerable load on the help desk.

In simple words, an IAM is a piece of software that centralizes all the authorization issues in one place, solving them all.

The good news is that the market offers a lot of software solutions that already implement the best security standards and all the common features. Moreover, they integrate out of the box with the tools enterprises already use. Let’s see in the next section how this is possible.


Integration with the existing infrastructure

Many people in business think that tools like this are suitable only for startups or small companies.

They fear the cost of changing the company’s status quo, maybe touching legacy systems. Basically, they ask, "Why should I change something that works?" I always fear this way of thinking because it prevents me from catching new opportunities, but I understand, though do not approve of, the fear of change.

What I want to tell the people who are scared of adding an IAM to the company infrastructure is that there won’t be any breaking change. It is a progressive enhancement of the infrastructure. A well-done IAM project integrates with the existing tools and doesn’t move users’ databases if not needed.

Your user data can be left where it is, just exposing it to the new application.

If I haven’t convinced you yet, look at Active Directory. Well, it is an IAM, just by activating the ADFS module.

Each respectable IAM integrates with the most used user sources, like Active Directory, RDBMS databases, LDAP, and external APIs.

Translated into non-technical terms, this means you can leave your users in Active Directory or the ERP and still enable other applications to use them with SSO behaviour.

This leads, progressively, to a unique user database where it is easy to implement security policies.


Solutions from the market

Depending on your needs, you can choose an on-premise or online solution.

The best online vertical application is Auth0. It comes out of the box with all the features you could desire, and it has a rich free tier that suits most small and medium use cases well. Auth0 has a lot of integration examples for the most common programming languages and integrates with a lot of user sources (Active Directory included!).

If you want to stay in the cloud but prefer a service from your public cloud vendor, the offerings from each mega vendor, like Microsoft, Google Cloud, IBM, or AWS Identity, are good solutions. I tested many public vendor services, and they offer, more or less, the same features at a comparable price.

Anyway, if you prefer to stay on-prem, Keycloak is the right tool for you. It is a free, open-source IAM solution supported by Red Hat. Keycloak is pluggable open-source software, and you can extend it to adapt it to your needs. Of course, with this solution you lose the cloud benefits, but with a PaaS solution or a cloud Kubernetes solution, you can reduce the maintenance costs and get the benefit of a hosted solution.


Conclusions

With emerging security issues and rising user expectations, we cannot trust custom solutions. User identity is too important a topic to fail at. Moreover, it is the crucial point of the architecture, and performance comes first. Using standard solutions, better if cloud-based, helps reduce the effort and ensure quality standards. Integrating the IAM with the user database is usually painless, and you can integrate gradually with the existing applications.
