It seems like the new buzzword or catchphrase is \u201cIdentity Management\u201d.\u00a0 Vendors everywhere are falling all over themselves to get on the bandwagon to provide tools that manage identities across many platforms.\u00a0 That\u2019s all well and good but for the average O365 user and\/or the average small business owner, the concept may be pretty vague or non-existent.\u00a0 So what the heck is it, anyway?<\/p>\n
In very simple terms, Identity Management is the process that positively identifies who you are (authentication) and then assigns specific rights to you (authorization) based on the fact that you are, in fact, who you claim to be.\u00a0 Of course this is an oversimplification of the process but it does cover the critical basics \u2013 authentication and authorization.<\/p>\n
All of us are familiar with authentication and authorization because all of us use these things everyday.\u00a0 We login to email, our PC\u2019s, websites, Office 365, you name it; we are all used to authenticating<\/em> ourselves to systems.\u00a0 At the same time we are also being authorized<\/em> as our logins grant us access to our email, our PC\u2019s, websites, Office 365 and a whole bunch of other things.\u00a0 So, if we are doing this all the time, what\u2019s the big deal and why is it such a hot topic?\u00a0 Simple, we are now in a world of \u201csingle sign-on\u201d, where we have inter-linked and inter-dependent systems that talk to each other and that pass information about us<\/em> between them.\u00a0 This implies that one system needs to trust another system and, more importantly, that systems have to trust implicitly<\/em> the quality of the initial authentication of the user.\u00a0 In other words, if I\u2019m going to let you into my system based on a trust relationship with your system then I had better be 100% sure that your system is authenticating and authorizing users correctly.\u00a0 That is the crux of the whole Identity Management frenzy.<\/p>\n Office 365 and local Active Directory use pretty similar and standard authentication mechanisms:\u00a0 you have a login (your identity), a password that goes along with your identity and rights that are assigned to your identity in the \u201cback end\u201d.\u00a0 In a local Active Directory you may be assigned to certain Security Groups that grant you access to certain internal resources such as files shares; in Office 365 it might come down to what you can access in SharePoint (the Sites).\u00a0 In either case your login and password authenticate you and your rights authorize you.\u00a0 But Office 365 is Cloud based which means, by definition, that security might (should) be stronger than what you have on a LAN based domain just to make it harder for the \u201cbad guys\u201d to hack into your account.\u00a0 Office 365 does this by making two-factor authentication available.\u00a0 Two-factor authentication means you authenticate yourself to the system with two pieces of information, generally with something you \u201cknow\u201d (password) along with something you \u201chave\u201d (biometric scan such as a fingerprint, a code sent you your phone, a onetime code displayed on a token).\u00a0 In the case of Office 365 it is a one-time code sent to your phone.\u00a0 So, to authenticate, you have to provide both your password AND the code that is sent to your phone.\u00a0 The idea behind this is that only you should be in possession of the password and the phone.<\/p>\n As you might imagine, the more \u201csecure\u201d and in-depth the authentication process is the better the chances are that the person authenticating as \u201cyou\u201d is, in fact, you!<\/p>\n And that really is the basis of the inter-system Identity Management trust that is being built up out there on the Interwebs.\u00a0 In the case of Office 365 it is the basis of the ability you have to grant \u201cauthenticated external users\u201d access to your SharePoint sites, to your OneDrive for Business and, to a lesser extent, your personal OneDrive.\u00a0 Using SharePoint as a specific example, you can invite external users that have set up a Microsoft Live account that is actually authenticated via a Gmail account; you can also grant access to users that have an Office 365 identity in another Office 365 tenancy.\u00a0 The reason you can do this is because Office 365 \u201ctrusts\u201d the authentication mechanisms of the external provider to ensure that you are really \u201cyou\u201d; and, yes, other O365 tenancies are \u201cexternal\u201d as far as your tenancy is concerned.<\/p>\n Identity Management is driving all sorts of development all over the place because it is only going to get more complicated going forward.\u00a0 Microsoft, as an example, is working on all sorts of future security mechanisms that will allow for transparent yet rigidly enforced separation of \u201cprivate\u201d data (your own private data) from \u201ccorporate\u201d data (your work information) on the devices you use; other vendors are doing similar things.\u00a0 It becomes critically important that there is no \u201cfuzziness\u201d in identity in this type of situation.<\/p>\n So there you have it, Identity Management for the layman.\u00a0 So don\u2019t complain when your Office 365 admin insists that you use two-factor authentication, you now know why it is important!<\/p>\n","protected":false},"excerpt":{"rendered":"