As we announced yesterday, we are taking a deeper look at the new SecureAuth Identity Store. Seasonal workers, temporary employees, and contractors have been key to productivity gains, particularly in retail and services. But these non-core employees come with their own set of challenges. A typical non-core worker needs limited, short-term access to workplace apps, often through a mobile app or a kiosk. The influx of gig economy regulations is forcing companies to demonstrate they can reliably protect these workers’ personal data and PII. Should the answer be a heavy-duty HCM solution like Workday, IT-focused Active Directory, or a lightweight cloud directory? Let’s find out.
Companies could theoretically put all their contingent workers into Active Directory just as they do with their core workforce. However, the engagement of a non-core worker is limited, and therefore Active Directory becomes an expensive proposition – additional annual licenses increase costs (and most likely will not be fully utilized), and the IT team would have to manage the rapid joiner/mover/leaver process for each contingent worker, with or without the support of an HRIS system and HR staff.
This approach quickly becomes painful throughout the organization from employee on-boarding to off-boarding and everything in between. And so, the IT team or the IAM team looks for an alternative to address the pain points in a more elegant manner: “What if we manage these special use-case workers in LDAP servers or in SQL databases the engineering team can build and maintain specifically for that purpose?”
General purpose user directory and legal compliance
The issues an organization runs into are not limited to reliability, performance, and uptime of the user directory. It’s rather a business question: Does the organization want the engineering team to own the responsibility of keeping these various databases of accounts secure and always in compliance with the privacy regulations that govern these contingent workers? While certainly doable, it’s never the primary business objective of the engineering team.
This became the starting point for our customers:
- How can we efficiently secure the non-core or contingent worker user accounts?
- How can we provide the right level of user lifecycle management via API from account creation to automatic termination at a pre-defined time?
- And most importantly, how can SecureAuth help us provide user privacy management that complies with HIPAA, GDPR, CCPA and a myriad of other regulations around the globe?
From Active Directory to home-grown user directory server to privacy-first lightweight SaaS directory
From these customer interactions we knew that user data privacy management must be the primary focus for our cloud user directory. Undeniably, it has become extremely complex for organizations to manage a global set of users with differing local privacy requirements and expectations.
GDPR, German privacy laws, the California Consumer Privacy Act (CCPA), as well as the “Right to be forgotten” are impactful and help to improve data privacy. However, these same regulatory measures also create massive challenges for engineering and business teams.
SecureAuth’s approach and solution was to develop a purpose-built privacy-focused user data store. We call it the SecureAuth Identity Store and it is a lightweight SaaS user directory designed to manage user identities of part-time or limited-scope employees (essentially every employee who is not a full-time employee), as well as third-party partner, supplier and customer identities.
What makes SecureAuth Identity Store unique?
The SecureAuth Identity Store is built around strong privacy controls and is designed to enable easy integration into existing public or private cloud apps. To comply with a least privilege model, a core principle of Zero Trust, SecureAuth Identity Store lets you set limited-scope privileges for each user – effectively granting only the appropriate access to admin or help desk personnel. Developers have the same operations available through the RESTful Directory API.
- Time-based privileges and user automation – The basic idea is that temp workers, consultants, seasonal employees and interns have a time-limited engagement with specific start and end dates. SecureAuth Identity Store allows developers to set future expiration dates for any privileges or user attributes, thus enabling a high degree of user automation.
- Right to erasure – In addition to time-limited user attribute fields, we also recognized a key deficiency with how existing cloud directories and home-grown LDAP servers handle privacy. In SecureAuth Identity Store we put privacy front and center – so now a developer or an IAM expert can define which attributes are categorized as private. With this comprehensive approach to Personally Identifiable Information (PII), it’s now a question of a single Users API call to trigger deletion of all PII for a given user stored in SecureAuth Identity Store.
- Multiple data stores – With global organizations having core and non-core staff in multiple countries around the world, a looming problem was identified with respect to data residency – where the costs of complying with data residency requirements can be significant. GDPR mandates identities of EU citizens be stored within the EU. The SecureAuth Identity Store therefore allows for multiple data stores, with full data isolation, so that EU users can be stored in our AWS EU datacenter to effectively comply with requirements of the European data transfer rules regarding how EU citizen data are collected, processed and stored.
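To make the three controls in the list concrete, here is an added illustrative model, not SecureAuth’s code or API (the record layout, the set of attributes classified as PII, and the region names are assumptions): privileges carry an expiry and drop out automatically, erasure removes only the attributes classified as PII and keeps the rest, and each record lives in exactly one regional store.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
# Constructed model of the three controls above; not SecureAuth's API, all names assumed.
@dataclass
class Privilege:
    name: str
    expires_at: Optional[datetime]   # None means no expiry

@dataclass
class User:
    user_id: str
    region: str                      # "EU" or "US": selects the isolated store
    attributes: dict
    privileges: list

PII_ATTRIBUTES = {"email", "phone", "home_address"}   # admin-classified as PII
STORES = {"EU": {}, "US": {}}   # one fully isolated store per residency region

def create_user(user: User) -> str:
    """Place the record in the store matching its residency region."""
    if user.region not in STORES:
        raise ValueError(f"no data store for region {user.region!r}")
    STORES[user.region][user.user_id] = user
    return user.region

def active_privileges(user: User, now: datetime) -> list:
    """Privileges still in force at `now`; expired ones drop out by themselves."""
    return [p.name for p in user.privileges
            if p.expires_at is None or p.expires_at > now]

def erase_pii(user_id: str, region: str) -> list:
    """Right to erasure: delete every PII-classified attribute, keep the rest."""
    user = STORES[region][user_id]
    erased = sorted(k for k in user.attributes if k in PII_ATTRIBUTES)
    for key in erased:
        del user.attributes[key]
    return erased

# Constructed sample: a seasonal EU worker with a 90-day kiosk privilege and a
# one-day timesheet privilege, checked on day 0 (T0) and again on day 2 (T2).
T0 = datetime(2024, 6, 1, tzinfo=timezone.utc)
T2 = T0 + timedelta(days=2)
def seed_sample() -> User:
    user = User("w-1001", "EU",
                {"email": "w1001@example.net", "phone": "+49 30 0000", "cost_center": "retail-42"},
                [Privilege("kiosk_login", T0 + timedelta(days=90)),
                 Privilege("timesheet_submit", T0 + timedelta(days=1))])
    create_user(user)
    return user
```

The returned list from `erase_pii` is what an audit log would record for the erasure request, while the non-PII `cost_center` attribute survives for reporting.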
SecureAuth Identity Store is the foundational building block of a modern cloud IAM strategy for any enterprise organization, and especially a global enterprise. While digital transformation is nothing new, a distributed cloud directory that provides a single source of truth for all identities – core workforce and non-core contingent workers alike – is now a hard requirement.
The SecureAuth Identity Store cloud service in combination with SecureAuth Single Sign-on and Adaptive Authentication services securely delivers the lightweight user directory enterprises need to effectively manage their users.