Bring-Your-Own-Identity Gains Steam in Information Security

Apr 12, 2016 | by RSA

Bring-your-own-identity (BYOI, or sometimes BYOID) is an emerging concept in Identity and Access Management. BYOI has become interesting because it presents a realistic solution to a pressing problem: the need for better federated identity management.

The Theory Behind Bring-Your-Own-Identity

The BYOI security methodology, like bring-your-own-device (BYOD) before it, contributes more than identity to the InfoSec ecosystem by attempting to solve an evolving and increasingly complex problem. The BYOD movement was started to address the reality that users were increasingly using personal mobile devices in the workplace. Similarly, the BYOI trend addresses the problem that security providers will lose users if the identification and access management (IAM) process is not simplified in a way that is both transparent and secure.

BYOI was created as a response to a chain of events that occurred in commercial workplaces worldwide. Companies were increasingly populated with non-corporate, employee-owned devices, and users didn't want to remember different access credentials or submit to excessive, inconvenient authentication measures, such as fingerprinting and other types of biometrics. Ultimately, users want to minimize redundancy when it comes to identification and authentication, and companies are eager to satisfy their users. This is where BYOI comes in.

According to a Ponemon Institute study, around 50 percent of IT departments are interested in BYOI methods, with approximately the same percentage of IT teams planning to deploy BYOI in the next 24 months. However, any gaps in BYOI knowledge need to be closed before a successful implementation can occur.

Bring-Your-Own-Identity: An Identity External to Your System

BYOI uses an extrinsic identity as an identification source, rather than creating a unique identity specific to the subject system. For example, most people are accustomed to using their Facebook or Twitter identities to access other services, such as ranking systems such as Klout, newspapers and magazines, and other websites and applications. The "Sign up using Facebook" option is an example of BYOI.

BYOI can also include external biometric identifiers such as fingerprints and eye scans. Again, the information that authorizes identity and access in this BYOI method is external to your system.

Benefits for Different User Groups

The perceived benefits of BYOI deployment vary depending on the user population. IT users view BYOI as primarily beneficial for fraud reduction, risk mitigation, and cost reduction. In contrast, business users expect BYOI to streamline their experiences and their customers' experiences and to improve targeted marketing campaigns. These benefits are valid reasons for BYOI deployment, since it has potential for risk and cost reduction, customer acquisition, and income generation.

Risks Associated With Bring-Your-Own-Identity

On the other side of the coin, BYOI may result in increased risks of data breaches and losses when compared to other identity methods. For example, if a third-party identifier such as Twitter or Facebook is used for the BYOI system and the third party experiences a breach, this situation presents an increased risk. Further, many third parties still use basic password authentication, meaning the risk you'd hoped to minimize by eliminating passwords remains only a step away. Finally, in the case of internal ID theft, there is at least the possibility that the internal person represents a lesser risk than if an outside party obtained the credentials. Accordingly, BYOI needs context-specific considerations and careful cost/benefit analyses before it is deployed.

Author: RSA

Category: RSA Fundamentals, Blog Post

Keywords: Bring-Your-Own-Identity, BYOI, BYOID, IAM