Self-Service Identity Management Needs a New Layer of Human Security

As part of Solutions Review’s Premium Content Series—a collection of contributed columns written by industry experts in maturing software categories—Nelson Cicchitto, the President and CEO of Avatier Corporation, shares some expert insights on self-service identity management, why it’s valuable, and how companies can improve the way they use it moving forward.

Identity access management (IAM) has become a significant concern for organizations working from home. Although more employees are returning to the office after the initial COVID-19 crisis, it’s clear that work-from-home is here to stay. According to Gallup, 45% of employees work remotely, and nine out of 10 workers expect to continue working from home at least part-time. IT departments scrambling to give remote workers secure access when the pandemic hit in 2020 are now upgrading IAM procedures to support a remote workforce. Preventing data breaches and implementing more secure self-service identity management requires a new layer of human-assisted authentication.

While self-service identity management has been around for some time, the pandemic has demonstrated that it can be improved. It needs to be more efficient, more secure, and hands-off. During the pandemic, the number of help desk calls increased. Trouble tickets volume was up 35%, and ticket backlogs went from an average of 7.2 days before the pandemic to 12.1 days. Gartner estimates that from 20% to 50% of help desk calls are for password resets. Implementing self-service identity management cuts down on the volume of help desk calls. It also reduces downtime for remote workers since they don’t have to wait for the help desk to respond.

Many organizations allow employees to reset their passwords. However, many organizations still have limited self-service IAM features. Even those organizations with sophisticated IAM technology are still susceptible to hackers. The challenge is to give remote workers more autonomy regarding ID authentication without compromising data security. There needs to be a new approach to self-service identity management that includes a human failsafe to provide the intuition that AI and machine learning can’t.

Continued Reliance on Self-Service 

Self-service online access is on the rise. Seventy-nine percent of consumers say they expect organizations to offer some self-service options, and 81% of enterprise users say they prefer self-service. Using self-service to address enterprise issues has always been preferred since it saves IT and help desk teams time and money.

However, there is good reason to be skeptical of implementing self-service authentication for sensitive data assets. Human error continues to be the most significant factor when it comes to data breaches. Chief executives report that human error as the cause for data loss increased to 53% in 2021 compared to 28% in 2018, and SMBs say it has risen to 28% from 17%.

To eliminate human error from identity management, organizations continue to rely on automated authentication and authorization tools such as:

• Workflow Approval: Application owners, business line managers, IT/security, or others who need to approve access.
• Two-factor Authentication: This is one of the most common ID verification tools, as it assumes that the person requesting access has control of their email or smartphone.
• Single Sign-On: SSO is becoming an increasingly popular tool for enterprise access. After being authenticated once, the system uses the same secure credentials to grant access to multiple applications, boosting productivity and reducing help desk calls.
• Public Key Certificates: These digital certificates store information about the certificate holder and are used to verify the holder’s identity.

What makes self-service identity management so appealing is its convenience. Users can log in from anywhere to change their passwords, request access to new data assets, create new groups, update profiles, extend account expirations, verify user access, verify direct reports—anything that an IT administrator would usually do. Using a self-service approach relieves the burden on IT while simplifying access management for users.

The challenge with any self-service is it requires the business to self-govern access to the entire workforce through a rules-driven workflow. Automating provisioning with self-service lifecycle management tools gives users control over account information and enterprise access without compromising security. The idea is to adopt a zero-touch/zero-trust approach to enterprise security by driving self-service access through secure workflows.

With today’s wireless technology, corporate decision-makers are available at any time. When users send a request to access software, data, or enterprise assets, managers can authenticate users with the touch of a button. User privileges can then be stored in active directories that follow the user through the organization, using additional automations and workflows to keep credentials current based on their role and job responsibilities.

Self-governance doesn’t have to be an added burden to IT personnel. With the correct authentication workflows, access remains secure while providing self-service, complete with hierarchical approvals and an audit trail.

Making Self-Service More Secure

Successful self-service identity access management is driven by automation. Self-service support continues to grow in popularity because it is easy, fast, and eliminates the need for human intervention. As a result, other enterprise processes have become self-service, leading to potential weaknesses in enterprise security. Automating user identity means you rely on machine learning and computer algorithms to validate identity. Humans can still spoof machines.

Your first line of defense should be Multi-Factor Authentication (MFA). The best way to validate users and maintain secure remote access is by demanding a second form of authentication, whether it’s via email, phone, answering security questions, or some other means.

As part of self-governance and to maximize your MFA investment, organizations should supplement automated MFA with a human element. There will be times when automation can’t adequately identify a user request. Just as secure lifecycle management workflows require managers to authenticate users, there should be a workflow that requires human intervention to support MFA when needed. Rather than locking out a user after three attempts or forgetting a security question, the MFA workflow can alert a manager or the help desk to intervene and validate identity.

Authentication rules can be structured into hierarchical workflows with appropriate security checks at each level, from primary self-service login to requests for sensitive data. Applying an omnichannel approach ensures that users can log in and issue access requests when needed from any device. Managers also have 24/7 access to handle requests quickly, verifying legitimate requests and blocking unauthorized access.

Self-service identity management will continue to flourish, but it’s important to remember that one approach doesn’t meet every situation. Providing layers of authentication and authorization, including some level of human assistance, will complement self-service processes, achieving zero-touch administration with zero trust security.

Widget not in any sidebars