
What does bimodal IAM mean for user credentials?

Bimodal IAM may be a new term, but this new way to use user credentials should probably already be in practice among secure organizations.

I was looking at some analyst research recently and saw a term I'm not familiar with: bimodal IAM. Can you explain what this term means and how it affects traditional enterprise IAM paradigms?

Gartner coined the term "bimodal IAM" only recently, but many organizations have already begun building IAM frameworks on the idea behind it: accepting credentials from more than one source.

Today almost all enterprise identities are created and maintained by the organization. Regardless of the information being accessed, a set of organizationally generated user credentials is issued and used for every piece of data and every service in the enterprise. Bimodal IAM keeps that architecture and adds the consumption of known external credentials an enterprise user or consumer may already hold, such as an Apple ID, a Google account or a Facebook account, for access to selected data and applications.

With this additional credential in play, the enterprise defines which class of credential is required for each type of information, and the end user is allowed to use the externally generated credential for the less valuable information where that is appropriate. This relieves the enterprise of maintaining a number of user credentials and of the identity lifecycle (issuance, password resets, revocation) that comes with them. Note what it does not relieve the enterprise of: the decision about what the external identity may reach, and the link between that identity and an internal account, remain the enterprise's, and the enterprise inherits whatever registration and account-recovery practices the external provider applies.

For more sensitive data with closely monitored access, enterprise-generated credentials are still used as before. This dual use of external and internal credentials to reach enterprise information, two models of identity side by side, is the crux of bimodal IAM.

If this starts to sound interesting, or your organization has decided to start consuming external credentials, what do you need to do to deliver a bimodal IAM approach? There are several steps that must be taken:

  1. Know your data -- determine which data may be accessed with an external credential and which must stay behind enterprise credentials. Today the external set generally consists of low-value applications such as listservs, marketing materials and newsletters.
  2. Assess your organization's risk appetite -- decide whether relying on an identity the enterprise does not own, and whose registration, password-reset and recovery practices it does not control, is acceptable. If it is:
  3. Communicate clearly with the enterprise application owners and seek their approval. Tell them how the external credentials will be used and under what circumstances enterprise credentials must still be used.
  4. Decide which external credential providers your organization is willing to partner with. Providers do not all use the same authentication or authorization standards (OAuth 2.0, OpenID Connect and SAML are the common ones), so your organization must decide whether it will support one type of credential or several.
  5. Determine what additional information, if any, to require -- a login alone is often not enough to decide how or where the external credential may be used. Attributes such as a verified email address, or the provider's stable identifier for the user, may need to accompany the credential so the enterprise can map it to an internal account and route the user to the application they are trying to reach.
  6. Create a registration process for external users and workers -- this lets end users select their externally generated credential and request that it be linked to the applications assigned to them in your organization.
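The steps above reduced to a policy check, as an added example that is not part of the original article: the resource classifications, the trusted issuer and client ID, the internal IdP URL and the token claims below are all constructed assumptions. The example assumes the external provider speaks OpenID Connect and that the ID token's signature has already been verified by the OIDC library; the code checks only the claims that decide whether the token may be consumed at all, links the external identity to an enterprise account by the provider's stable subject identifier rather than by e-mail, and then makes the bimodal decision from the resource's sensitivity and the credential's origin.

```python
"""Minimal bimodal IAM policy check (added illustration, not the article's code).

External identities may open low-value resources once registered; enterprise
identities may open everything. All names, URLs and claim values are constructed.
"""
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Step 1: classify resources. Only LOW resources may be reached with an external
# credential; HIGH resources always require an enterprise login.
LOW, HIGH = "low", "high"
RESOURCE_CLASS: Dict[str, str] = {
    "newsletter": LOW,        # marketing material, listserv archive
    "marketing-portal": LOW,
    "payroll": HIGH,          # closely monitored, enterprise credential only
    "hr-records": HIGH,
}

# Step 4: external providers the enterprise chose to trust, keyed by the issuer
# string that appears in the provider's ID token, mapped to the client_id the
# token must be addressed to. Hypothetical client_id.
TRUSTED_ISSUERS: Dict[str, str] = {
    "https://accounts.google.com": "example-app-client-id",
}
ENTERPRISE_ISSUER = "https://idp.corp.example"   # hypothetical internal IdP


@dataclass(frozen=True)
class Identity:
    issuer: str
    subject: str                    # provider's stable user id, never the e-mail
    enterprise_user: Optional[str]  # set once the identity is linked (step 6)

    @property
    def is_enterprise(self) -> bool:
        return self.issuer == ENTERPRISE_ISSUER


# Step 6: registration links an (issuer, subject) pair to an enterprise user.
LINKS: Dict[Tuple[str, str], str] = {}


def register_external_identity(issuer: str, subject: str, enterprise_user: str) -> None:
    LINKS[(issuer, subject)] = enterprise_user


def identity_from_external_claims(claims: dict, now: Optional[float] = None) -> Identity:
    """Turn a signature-verified ID token payload into an Identity.

    Signature verification is assumed done by the OIDC library. This checks the
    claims that decide whether the token may be consumed (steps 4 and 5):
    trusted issuer, correct audience, not expired, verified e-mail.
    """
    now = time.time() if now is None else now
    iss = claims.get("iss")
    if iss not in TRUSTED_ISSUERS:
        raise PermissionError(f"issuer not trusted: {iss}")
    if claims.get("aud") != TRUSTED_ISSUERS[iss]:
        raise PermissionError("token was not issued for this application")
    if claims.get("exp", 0) <= now:
        raise PermissionError("token expired")
    if not claims.get("email_verified", False):
        raise PermissionError("provider has not verified the e-mail address")
    subject = claims.get("sub")
    if not subject:
        raise PermissionError("token carries no subject identifier")
    # Look up the link by (iss, sub): e-mail addresses change hands, subject ids do not.
    return Identity(iss, subject, LINKS.get((iss, subject)))


def authorize(identity: Identity, resource: str) -> bool:
    """The bimodal decision: resource sensitivity versus credential origin."""
    sensitivity = RESOURCE_CLASS.get(resource, HIGH)   # unknown resources fail closed
    if identity.is_enterprise:
        return True
    # External credential: low-value resources only, and only after registration.
    return sensitivity == LOW and identity.enterprise_user is not None


def demo() -> Dict[str, bool]:
    """Constructed walk-through: one linked Google identity, one enterprise identity."""
    now = 1_700_000_000
    register_external_identity("https://accounts.google.com", "10769150350006150715113082367", "jdoe")
    claims = {   # constructed, already signature-verified ID token payload
        "iss": "https://accounts.google.com",
        "sub": "10769150350006150715113082367",
        "aud": "example-app-client-id",
        "exp": now + 300,
        "email": "jdoe@example.com",
        "email_verified": True,
    }
    ext = identity_from_external_claims(claims, now)
    corp = Identity(ENTERPRISE_ISSUER, "jdoe", "jdoe")
    return {
        "external_newsletter": authorize(ext, "newsletter"),
        "external_payroll": authorize(ext, "payroll"),
        "enterprise_payroll": authorize(corp, "payroll"),
        "external_unknown": authorize(ext, "undocumented-app"),
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'allow' if allowed else 'deny'}")
```

Keying the link on (issuer, subject) rather than on the e-mail address is the practical point behind step 5: a provider's subject identifier stays with the account, while an e-mail address can be released and re-registered by someone else, which would silently hand the old user's link to the new holder.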

With the identity work now being done by large consumer service providers and by public/private initiatives like the National Strategy for Trusted Identities in Cyberspace, bimodal IAM frameworks will soon become the norm for most organizations. Today's deployments are still few and far between, but organizations should be in the planning stage, determining how they will consume externally generated credentials and which applications might use them.


This was last published in June 2015
