Office 365 – Identity Management (an introduction for the layman)

It seems like the new buzzword or catchphrase is “Identity Management”.  Vendors everywhere are falling all over themselves to get on the bandwagon to provide tools that manage identities across many platforms.  That’s all well and good but for the average O365 user and/or the average small business owner, the concept may be pretty vague or non-existent.  So what the heck is it, anyway?

In very simple terms, Identity Management is the process that positively identifies who you are (authentication) and then assigns specific rights to you (authorization) based on the fact that you are, in fact, who you claim to be.  Of course this is an oversimplification of the process but it does cover the critical basics – authentication and authorization.

All of us are familiar with authentication and authorization because all of us use these things every day. We log in to email, our PCs, websites, Office 365, you name it; we are all used to authenticating ourselves to systems. At the same time we are also being authorized, as our logins grant us access to our email, our PCs, websites, Office 365 and a whole bunch of other things. So, if we are doing this all the time, what’s the big deal and why is it such a hot topic? Simple: we are now in a world of “single sign-on”, where we have inter-linked and inter-dependent systems that talk to each other and pass information about us between them. This implies that one system needs to trust another system and, more importantly, that systems have to trust implicitly the quality of the initial authentication of the user. In other words, if I’m going to let you into my system based on a trust relationship with your system, then I had better be 100% sure that your system is authenticating and authorizing users correctly. That is the crux of the whole Identity Management frenzy.

Office 365 and local Active Directory use pretty similar and standard authentication mechanisms: you have a login (your identity), a password that goes along with your identity, and rights that are assigned to your identity in the “back end”. In a local Active Directory you may be assigned to certain Security Groups that grant you access to certain internal resources such as file shares; in Office 365 it might come down to what you can access in SharePoint (the Sites). In either case your login and password authenticate you and your rights authorize you. But Office 365 is cloud-based, which means, by definition, that security might (should) be stronger than what you have on a LAN-based domain, just to make it harder for the “bad guys” to hack into your account. Office 365 does this by making two-factor authentication available. Two-factor authentication means you authenticate yourself to the system with two pieces of information, generally something you “know” (password) along with something you “have” (a biometric scan such as a fingerprint, a code sent to your phone, a one-time code displayed on a token). In the case of Office 365 it is a one-time code sent to your phone. So, to authenticate, you have to provide both your password AND the code that is sent to your phone. The idea behind this is that only you should be in possession of the password and the phone.
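To make the three steps above concrete, here is a small model of a login flow written for this post: it is an added example using only the Python standard library, not code from Office 365, Active Directory or Microsoft. The user directory, group names, resource names and phone number are constructed. It checks something you “know” (a salted password hash, compared in constant time), then something you “have” (a single-use, time-limited code that a real system would text to the phone on file), and only then answers the authorization question by group membership.

```python
"""Toy login flow: password (know) + one-time code (have) + group-based rights.
Added example with constructed data; not the Office 365 or Active Directory code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class User:
    login: str
    salt: bytes
    password_hash: bytes
    groups: set          # security groups the identity belongs to
    phone: str           # where the one-time code would be delivered


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen directory does not give up passwords cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def create_user(login: str, password: str, groups, phone: str) -> User:
    salt = secrets.token_bytes(16)
    return User(login, salt, hash_password(password, salt), set(groups), phone)


# Constructed directory and resource permissions (stand-ins for AD groups / SharePoint sites).
DIRECTORY = {
    "alice": create_user("alice", "correct horse battery staple", {"Finance"}, "+1-555-0100"),
}
RESOURCES = {"FinanceShare": {"Finance"}, "HRShare": {"HR"}}

# Pending one-time codes: login -> (code, expiry timestamp). Codes live five minutes.
PENDING = {}
CODE_TTL = 300


def check_password(login: str, password: str) -> bool:
    """Factor one: something you know."""
    user = DIRECTORY.get(login)
    if user is None:
        # Hash anyway so an unknown login is not distinguishable by response time.
        hash_password(password, b"\x00" * 16)
        return False
    return hmac.compare_digest(hash_password(password, user.salt), user.password_hash)


def issue_code(login: str, now: float = None) -> str:
    """Factor two: generate the code the system would send to the user's phone.
    A real deployment sends it to DIRECTORY[login].phone; here it is returned so the
    flow can be exercised offline."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[login] = (code, now + CODE_TTL)
    return code


def verify_code(login: str, code: str, now: float = None) -> bool:
    """Accept a code only once and only before it expires."""
    now = time.time() if now is None else now
    entry = PENDING.pop(login, None)   # single use: gone whether it matches or not
    if entry is None:
        return False
    expected, expires_at = entry
    if now > expires_at:
        return False
    return hmac.compare_digest(expected, code)


def authenticate(login: str, password: str, code: str, now: float = None) -> bool:
    """Both factors must pass; the code is not consumed if the password is wrong."""
    return check_password(login, password) and verify_code(login, code, now)


def authorize(login: str, resource: str) -> bool:
    """Authorization: does any of the user's groups grant the resource?"""
    user = DIRECTORY.get(login)
    needed = RESOURCES.get(resource)
    if user is None or needed is None:
        return False
    return bool(user.groups & needed)


if __name__ == "__main__":
    code = issue_code("alice")
    print("login ok:", authenticate("alice", "correct horse battery staple", code))
    print("FinanceShare:", authorize("alice", "FinanceShare"), "HRShare:", authorize("alice", "HRShare"))
```

Note that a correct password alone never gets you in, a code is useless a second time or after five minutes, and being authenticated says nothing about what you may open; that last decision is a separate lookup against the groups on the identity.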

As you might imagine, the more “secure” and in-depth the authentication process is the better the chances are that the person authenticating as “you” is, in fact, you!

And that really is the basis of the inter-system Identity Management trust that is being built up out there on the Interwebs.  In the case of Office 365 it is the basis of the ability you have to grant “authenticated external users” access to your SharePoint sites, to your OneDrive for Business and, to a lesser extent, your personal OneDrive.  Using SharePoint as a specific example, you can invite external users that have set up a Microsoft Live account that is actually authenticated via a Gmail account; you can also grant access to users that have an Office 365 identity in another Office 365 tenancy.  The reason you can do this is because Office 365 “trusts” the authentication mechanisms of the external provider to ensure that you are really “you”; and, yes, other O365 tenancies are “external” as far as your tenancy is concerned.
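The trust relationship described above, in code: this is an added, deliberately simplified model written for this post, not how Office 365 or any Microsoft service actually exchanges identities (those use standards-based signed tokens and public keys). Here each trusted external provider shares a constructed secret with the receiving tenant and signs an assertion saying “I authenticated this user”; the tenant verifies the signature and expiry, refuses assertions from providers it has no relationship with, and only then consults its own invitation list for the site. Issuer names, secrets and invited users are all constructed.

```python
"""Toy cross-provider trust: a provider signs an identity assertion, the tenant verifies it.
Added example with constructed issuers/secrets; not Office 365's real federation code."""
import base64
import hashlib
import hmac
import json

# Constructed: secrets shared with the identity providers this tenant has chosen to trust.
TRUSTED_ISSUERS = {
    "contoso.example": b"constructed-shared-secret-contoso",
    "live.example": b"constructed-shared-secret-live",
}

# Constructed sharing policy: which external identities have been invited to the site.
INVITED = {("contoso.example", "bob"), ("live.example", "carol")}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer: str, subject: str, secret: bytes, now: float, ttl: int = 300) -> str:
    """The external provider's side: after authenticating its own user, sign a short-lived
    claim of who that user is. Token format: base64(payload).base64(signature)."""
    payload = json.dumps({"iss": issuer, "sub": subject, "exp": now + ttl}, sort_keys=True).encode()
    signature = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(signature)


def verify_assertion(token: str, now: float):
    """The receiving tenant's side: return (issuer, subject) if the assertion comes from a
    trusted provider, is untampered and unexpired; otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = _unb64(payload_b64)
        signature = _unb64(sig_b64)
        claims = json.loads(payload)
    except ValueError:          # malformed base64, JSON or token shape
        return None
    if not isinstance(claims, dict):
        return None
    secret = TRUSTED_ISSUERS.get(claims.get("iss"))
    if secret is None:
        return None             # no trust relationship with this provider
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None             # payload altered or signed with the wrong secret
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp:
        return None             # stale assertion
    if not isinstance(claims.get("sub"), str):
        return None
    return claims["iss"], claims["sub"]


def may_open_site(token: str, now: float) -> bool:
    """Trusting the provider's authentication is step one; the invitation is step two."""
    identity = verify_assertion(token, now)
    return identity is not None and identity in INVITED


if __name__ == "__main__":
    tok = issue_assertion("contoso.example", "bob", TRUSTED_ISSUERS["contoso.example"], now=1000.0)
    print("bob from contoso may open site:", may_open_site(tok, now=1001.0))
```

The two checks are deliberately separate: the provider vouches for who the person is, and the tenant still decides whether that person was invited. A forged or expired assertion never reaches the invitation lookup, and a perfectly valid assertion for someone who was never invited is still refused.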

Identity Management is driving all sorts of development all over the place because it is only going to get more complicated going forward.  Microsoft, as an example, is working on all sorts of future security mechanisms that will allow for transparent yet rigidly enforced separation of “private” data (your own private data) from “corporate” data (your work information) on the devices you use; other vendors are doing similar things.  It becomes critically important that there is no “fuzziness” in identity in this type of situation.

So there you have it, Identity Management for the layman. Now don’t complain when your Office 365 admin insists that you use two-factor authentication; you know why it is important!