“Within the identity space, we see a disruptive trend toward identity as a business-enabler rather than an IT project. Identity’s long been perceived as ‘how employees access corporate systems.’ Businesses are just discovering the potential to use digital identity management to attract new customers who want to easily manage their finances or health online,” says Jasmit Sagoo, Head of Solutions Engineering, International at Auth0, in an exclusive interview with EnterpriseTalk.
ET Bureau: What is the future of identity? What are the most important trends you are noticing in digital identity?
Jasmit Sagoo: Digital identity is an old problem. Applications have always needed to know who you are and what you can access. However, this old problem is becoming more complicated as companies move their services online and contend with a raft of automated cyber-attacks, important data privacy laws, and new devices and technologies.
To put this in perspective, the first passwords were used by researchers to access desktop computer terminals. Now, many of us have mobile and IoT devices and have used our face, voice, or fingerprint to unlock them. Identity sits at the intersection of convenience, provided by these new digital services, and an individual’s privacy and security while using them. In essence, it’s an old problem, constantly learning new tricks.
Within the identity space, we see a disruptive trend toward identity as a business-enabler rather than an IT project. Identity’s long been perceived as ‘how employees access corporate systems.’ Businesses are just discovering the potential to use digital identity management to attract new customers who want to easily manage their finances or health online.
The other big trend is identity buying power shifting to development teams. Technologists, the people building applications, are increasingly being invited to the table to give their perspective on SaaS components that should be outsourced rather than built in-house. Authentication appears on this list, alongside payment processing, data management & storage, messaging services, DevOps tools & automation, and monitoring.
ET Bureau: To deliver an omnichannel experience, businesses are embracing a new breed of customer identity and access management (CIAM) solutions from their IAM vendors. What are the benefits that CIAM brings to the company and, most importantly, to the customer?
Jasmit Sagoo: CIAM is the subset of identity management that concerns who you are and what you can access as an end-user. With CIAM, scale and support for the latest technologies are absolutely essential. We’re not talking about thousands of employees with company laptops, but millions of customers who want to log in with the latest smart watch.
Any company with an omnichannel strategy knows the difficulty of providing the same experience to anyone, anywhere, on any channel. But every customer journey starts with login. In other words, identity is the common denominator.
In an omnichannel context, CIAM is meant to centralize the management and security of identities and create a single view of the customer that can be fed down to all the platforms that drive customer experience. For customers, CIAM means easier and more secure access to the services they want to use. They don’t need to create a separate password for each channel; they have access to the latest sign-in options, and they can be notified to change their password or provide additional identity verification when something doesn’t look right.
All of this adds up to a great customer experience and trust for a business, both of which have a direct impact on revenue.
ET Bureau: With data being perceived as a key business resource by various enterprises, the security of that data is one of the key concerns. Data breaches around the globe have expanded definitely in the course of recent years. How is CIAM helping security leaders manage the privacy and security of their online customers?
Jasmit Sagoo: Consumers continue to reuse their passwords because it’s convenient. Businesses know consumers reuse passwords, yet most don’t offer a convenient and secure alternative. Bad actors can make money by selling user accounts on the dark web, so they continue to guess the most likely username and password combinations or download lists of stolen credentials for automated attacks.
How CIAM disrupts this cycle of breach and attack is actually quite clever. Across every industry, but especially in places like retail and digital media/publishing, businesses are using CIAM to scan for anomalies among login data that might signal an attack, including:
- ‘Impossible travel’ where a user logs in from London and ten minutes later from Boston
- New device detected
- Known breached password or IP address
- Spike in traffic indicating a bot or script attack
In all of these cases, a CIAM solution can notify the company and prompt the user to change their password or provide additional identity verification. Having data stored in a centralized system simplifies compliance, too (such as when a customer uses their right to be forgotten). The data can also be shared with log streaming platforms to be used for threat intelligence monitoring by DevOps and security teams.
ET Bureau: Where is the cornerstone of cybersecurity going in 2021 and beyond? What new roles will enterprises create and rely on to keep their data and employees safe?
Jasmit Sagoo: For years, the focus of cybersecurity was to ‘secure the perimeter’. The goal was to try and keep any intruders out by making corporate networks as impenetrable as possible. If people wanted access, they would be asked to enter through the ‘gate’ – like a company laptop and internal applications.
Now, people can access any app, using any device, from anywhere in the world. This makes it a lot easier for bad actors to assume your identity. Companies are needing to reassess their cybersecurity strategy to go beyond the traditional perimeter. Add that the majority of cyberattacks involve stolen credentials, and having an overriding identity strategy becomes an important piece of the security puzzle.
The death of the corporate network is already necessitating closer collaboration between the security and development teams. Expect to see a rise in integrated application development teams tasked with providing both convenient experiences for customers and security and privacy by design.
ET Bureau: How does Auth0 help customers and developers to customize identity capabilities for their exact use case?
Jasmit Sagoo: Like Stripe and Twilio popularized “building blocks” for payments and messaging, Auth0 is an API-based service for authentication. Auth0’s platform provides modular identity building blocks with integrations and industry blueprints, so application development teams can get up and running quickly.
In practical terms, developers can enable 80% of these building blocks out of the box, including 50+ integrations, 60+ SDKs, and 50+ social and identity provider connections. For example, they can add Multi-factor Authentication (MFA) or sign in with Apple to their app by toggling a switch.
We also give our customers the ability to customize the “last mile” of the login flow for their exact use case using extensibility. A beloved developer concept, extensibility is the ability to extend or customize Auth0 by writing code or enabling integrations within the context of our platform. We also have Auth0 Marketplace where customers can extend Auth0 with complementary solutions, like consent management and identity verification. Today 87% of customers extend the Auth0 platform.
ET Bureau: Could you provide the audience with a few key tips on building the right CIAM model?
Jasmit Sagoo: The key message is to approach identity as an overriding strategy, not a point solution for each application you’re building. Too often, we see companies building and maintaining several disparate identity systems. When you only have a finite amount of development resources – and developers are so valuable these days – you should be focusing capacity on your core business rather than on a solved problem like identity.
Identity is often more complex than people realize. After all, it looks like a login box with two fields and a button. But the hours add up when you’re maintaining the system yourself with the latest sign-in technologies, security features, and compliance requirements. Your development team will thank you for offloading this responsibility to experts, and you’ll see the rewards in your ability to get your new software products to market faster.