I was looking at some analyst research recently and saw a term I'm not familiar with: bimodal IAM. Can you explain what this term means and how it affects traditional enterprise IAM paradigms?
While the term "bimodal IAM" was only recently coined by Gartner, the reality is that many organizations have already begun building an IAM framework around the authentication concept it describes.
Today almost all enterprise identities are created and maintained by the organization. Regardless of the information being accessed, a set of organizationally generated user credentials is issued to access all data and services within the enterprise. Bimodal IAM keeps this architecture and adds the consumption of known external credentials that an enterprise user or consumer may already hold, such as an Apple ID, a Google account or a Facebook account, for accessing data and applications.
With this additional credential in play, the enterprise defines which credentials are required for each type of information, and the end user is allowed to use the externally generated credential to reach the less valuable information where appropriate. This relieves the enterprise of maintaining a number of user credentials, and of managing the identity lifecycle of each one.
For more sensitive data with closely monitored access, enterprise-generated identity credentials are still used as in the past. This dual process of using external and internal credentials to access enterprise information is the crux of bimodal (that is, two-model) identity.
If this starts to sound interesting, or your organization has decided to start consuming external credentials, what do you need to do to deliver a bimodal IAM approach? There are several steps that must be taken:
- Know your data -- determine which data is appropriate to be accessed with enterprise credentials and which with external credentials. Today the latter generally covers low-value applications such as listservs, marketing materials and newsletters.
- Do a risk assessment against your organization's risk appetite -- determine whether relying on an identity not owned by the enterprise is acceptable. If it is:
  - Clearly communicate the plan to the enterprise application owners and seek their approval. Inform them of how these external credentials will be used and under what circumstances enterprise credentials must still be used.
  - Decide which external credential providers your organization is willing to partner with. Today not all identity providers use the same credential or authorization standards, so your organization must decide whether it will support one type of credential or several.
  - Determine what additional information, if any, to require -- sometimes a login alone is not enough to determine how or where the external credentials are used. Additional attributes may need to accompany the credential to ensure proper routing to the application the user is attempting to reach.
  - Create a registration process for external users and workers -- this lets end users select and request the use of their externally generated credentials for accessing the assigned applications in your organization.
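As an added illustration (not code from the original article or from any vendor), the following policy check ties those steps together: an application's data classification decides whether an external credential is acceptable at all, an allowlist of approved issuers decides which providers count, each issuer's required claims capture the "additional information" step, and a registration table maps the external identity to an enterprise user. Issuer URLs, application names and registrations are constructed sample values, and the check assumes the token's signature has already been verified upstream.

```python
from dataclasses import dataclass
from typing import Optional

# Step 1, know your data: sensitivity class per application (constructed sample).
APP_SENSITIVITY = {"newsletter": "low", "marketing-portal": "low", "payroll": "high"}

# Steps 4 and 5: approved external issuers and the extra claims each must supply.
TRUSTED_EXTERNAL_ISSUERS = {
    "https://accounts.google.com": {"email", "email_verified"},
    "https://appleid.apple.com": {"email"},
}

ENTERPRISE_ISSUER = "https://idp.example.corp"  # assumed internal IdP issuer

# Step 6: registrations mapping an external (issuer, subject) to an enterprise user.
REGISTRATIONS = {("https://accounts.google.com", "1029384756"): "jdoe"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    enterprise_user: Optional[str] = None


def authorize(app: str, claims: dict, registrations=REGISTRATIONS) -> Decision:
    """Decide whether already-verified token claims may reach the given application."""
    sensitivity = APP_SENSITIVITY.get(app)
    if sensitivity is None:
        return Decision(False, f"unknown application {app!r}")
    issuer, subject = claims.get("iss"), claims.get("sub")
    # Enterprise-issued credentials are accepted everywhere, as before.
    if issuer == ENTERPRISE_ISSUER:
        return Decision(True, "enterprise credential", subject)
    # Anything above low sensitivity still requires the enterprise credential.
    if sensitivity != "low":
        return Decision(False, f"{sensitivity}-sensitivity app requires an enterprise credential")
    required = TRUSTED_EXTERNAL_ISSUERS.get(issuer)
    if required is None:
        return Decision(False, f"issuer {issuer!r} is not an approved external provider")
    missing = required - set(claims)
    if missing:
        return Decision(False, f"missing required claims: {sorted(missing)}")
    if claims.get("email_verified") is False:
        return Decision(False, "email address not verified by provider")
    user = registrations.get((issuer, subject))
    if user is None:
        return Decision(False, "external identity has not completed registration")
    return Decision(True, f"external credential from {issuer}", user)
```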
With current identity work being done by large consumer-based service providers and by private- and public-sector initiatives like the National Strategy for Trusted Identities in Cyberspace, bimodal IAM frameworks will soon become the norm for most organizations. While today's deployments are few and far between, organizations should be in the planning stage now, determining how to consume externally generated credentials and which applications could potentially use them.