Kushan Bhareti: Identity and Access Management for Start-up Businesses

Written by Kushan Bhareti, Software Engineering Intern at WS02 

Entrepreneurship is one of the hottest trends of this decade and a lot of start-ups have been formed through innovative ideas that have been converted into businesses. Some of these start-ups grow into large and successful businesses, while many others will fall by the wayside.  But this does not deter entrepreneurs from developing new business ideas and, accordingly, new firms show up daily.

New job opportunities are created as a result and along with this comes a client or customer base. Staff and clients become the stakeholders of the business, each with their own identity. Over the last decade, records have moved from paper to digitised forms and many software solutions have been introduced to solve the multiple challenges businesses face. Different problems are solved by different solutions and vendors meaning that very quickly managing these solutions can start to get complicated.

As companies are encouraged to move towards a digital infrastructure, so their services require access to data which often includes sensitive information. Proper security measures are a must for protecting data from possible attackers. Convenience, in addition to security, is also an important consideration. This is where identity and access management (IAM) comes into play, particularly for those growing and aspiring companies.

So, what is IAM?  In simple terms, it’s all about managing different users and defining the different methods by which these users can access different services. Access can be obtained using different authentication methods that differ according to security requirements. Here at WSO2 we have some specific features in WSO2  Identity Server that are particularly useful for start-up companies, these include:

 

User Account Management

All stakeholders of a business are users and even a start-up needs to have proper infrastructure that can manage these users and give relevant access to data. There might be an internal system that keeps track of all records or an online store that is maintained by the firm. Using an IAM tool offers businesses a user management feature that can be implemented into various systems. For example, WSO2 Identity Server maintains a high standard on user account passwords as it’s the first point of vulnerability to an attack. While giving the system admins the right to add and manage users, it also has a feature that allows users to self-register.   The admin can set an expiry period for the password entered which can be an added precaution to protect from attacks. A higher level of security can be obtained by using advanced authentication methods such as multi factor authentication (MFA) and adaptive authentication.

 

Single Sign On

A business might be required to access multiple services from multiple vendors. Accessing these services requires the creation of accounts. Remembering a lot of passwords can prove to be difficult and writing them down or saving them in a file can result in a security compromise or breach. The goal of single sign on (SSO) is to be able to access multiple services using the same credentials, making this incredibly convenient.  An added benefit is that once an account is created for a user in one application, access to all other applications can be granted automatically or can be granted by the admin with ease. For example, WSO2 Identity Server enables the user to create an account in an application using SSO, and the credentials can be used in any of the other apps that are in the connected network.

 

Federated Authentication

When you go to a website or application which requires a sign up, the most convenient method of creating the account is signing up with Google or Facebook.  Federated authentication allows users access to any service using existing accounts. For example, WSO2 Identity Server offers several accounts that can be used to login to an app. These include Google, Facebook, Twitter, LinkedIn, and many other platforms. Start-ups that work through services such as Google would find this feature very useful when delegating access.

 

Multi Factor Authentication

Two factor authentications is a well-known security measure. It increases security by breaking the authentication process into two parts, commonly sending a code to either your phone or email address. MFA takes it to the next level by adding a few more steps to the authentication process.

There are the three ways to prove your identity:

  1. Things that you know (passwords, pin numbers, etc.)
  2. Things that you own (phone, email, etc.)
  3. Things that you are (biometrics)

 

WSO2 Identity Server offers several authentication methods that can be set to create a multifactor authentication flow. For apps that contain sensitive information, it is advisable to have additional security layers implemented. These additional authentication methods can vary from one-time passwords (OTP) through SMS or email, to specific identifying questions, to biometric authentication such as a fingerprint. This way, even if an attacker finds out the password to one of your applications, they must still supply other credentials.

But additional security comes at a cost. Adding more authentication steps will result in a lower level of convenience so it’s important to find the right balance between security and convenience.

 

Adaptive Authentication

Adaptive authentication is a way of overcoming this convenience issue while providing high security. It can delegate the steps followed for authentication depending on various factors such as the role of the user or the location the service is accessed from. For example, the level of security required at a café (connected to a public Wi-Fi network) can differ from what’s required inside an office building (secure network). This is where adaptive authentication comes into play. Adaptive authentication lets the level of security required be set depending on the scenario. So, if you have roles that contain or have access to sensitive information these can be given extra layers of security. With an increasing number of employees working from home, there can be security breaches because employees are working on unsecured networks. Having an additional layer of security for authentication can save a business from this type of data leakage.

 

Having an IAM system can be very useful in the long run because it helps a business move ahead with a solid infrastructure that has the capabilities required for expansion, avoiding any unnecessary identity silos. It also acts as a blanket of security that protects data from possible attackers. But the most important aspect for a start-up business is being able to implement a proper IAM system at a low cost. Here WSO2 Identity Server is ideal as it is open source and can be downloaded freely for a number of platforms.  Alternatively, for those who prefer not to manage the set up, we have a subscription-based model.  The choice is yours!

If you would be interested to find out more about WSO2 or your organisation is considering integrating WSO2’s services into your business practices, please visit wso2.com