This article was first published as a commercial feature on bbc.com and was created by BBC StoryWorks, BBC Global News’s commercial content division, on behalf of Ping Identity.
Richard Bird, the Chief Customer Information Officer at Ping Identity, has been busy. Since stay-at-home orders relegated entire global corporations to the home office, he has been racing to help clients secure the digital identities of hundreds of thousands of employees, condensing projects that typically take months into mere days.
Before the pandemic, Bird says, “Companies were rushing to fill gaps in their business continuity and resiliency plans, and they never really took into consideration that every single person in their company might need to work remotely.” Now that such an unlikely scenario has come to pass, workers are largely stripped of the protections afforded by an office building with badges and other physical controls, and corporations are having to update their security systems to ward off the 80% of corporate cyberattacks that result from issues around remote work.
This abrupt rethinking of workspace has “definitely changed everything the last three months,” says Bird. And no matter if, how or when employees return to the office, “it's going to change everything for the next several years.”
Identity security asks the big questions
In order for employees to log into their work accounts securely, identity security tools ask users to confirm two primary things: Are you who you say you are? And do you have access to what you’re supposed to have access to? These steps are called “authentication” and “authorization” respectively, and they are two of the pillars of identity security.
In the office or from afar, companies are faced with the task of rigorously clearing those checks in a way that doesn’t require employees to enter unwieldy amounts of information every time they log in. “The old days of assuming a user is safe just because they’re on the network are long gone,” said Kris Nagel, Ping’s Chief Operating Officer. “These days, enterprises are shifting to an identity-centered, ‘Zero Trust’ security model that enforces least-privilege access without adding friction.” In other words, companies are increasingly looking for tools that provide airtight security without sacrificing a smooth experience for their employees. “We call it ‘championing identity,’” says Nagel. And these days, identity security needs a champion.
Identify yourself and stream
Before the pandemic, Ping worked with one of the giants of content streaming to create a secure and easy login process for their employees, partners, and studios. The streaming platform needed an “extensible” solution—one that would connect all users to their cloud, mobile, and on-premises applications through a single authentication authority. But connecting users with such a range of internal and external roles requires an agile system that flexibly enforces several levels of access.
Ping helped their streaming customer set up an adaptive process that selects the right authentication factors at login based on a user’s risk level. Weighing a user’s typical activity against factors like their role, location, time of day, day of the week, and the importance of the resource they’re accessing, the system assesses what degree of authentication it needs from any person logging in. Weighing those factors makes low-risk activities less cumbersome and high-risk activities more secure. The flexibility offered by Ping’s platform was a key component of their successful partnership.
“One of the biggest challenges within large corporations is this need to customize everything,” said Bird. “The more you customize a thing, the more problematic it is to maintain, care for, and feed over the course of its life.” Ping solves the customization problem with open standards and integration kits for non-standard applications, offering a solution that's highly configurable, which eases the burden of maintenance for customers. “Leading the charge on identity security standards for our customers is part of our mission,” says Bird. “We need to champion our customers by fighting for progress that will make their identity security goals easier and simpler to achieve.”
By leveraging PingFederate, Ping’s single sign-on (SSO) software solution, the streaming platform gained an extensible solution that they can build all of their identity services on, including a self-service portal they built to streamline operations and requests between application teams and the identity team. The solution allowed one of the leaders in streaming to be more agile and adapt to the challenges on the road ahead.
The growing global needs of identity security
Of course, each company presents its own unique set of needs, especially when you begin to cross borders and deal with competing regulatory guidelines. “Some of our clients are global organizations with a vast array of privacy requirements,” said Nagel. “And it’s not uncommon for them to have several authentication systems, which can be frustrating for users and engineers alike.”
The Gates Corporation, an industrial manufacturing company, was one of those companies. Once a family business, Gates had grown into a multinational powerhouse with a presence in 30 countries by the time they started working with Ping. In the course of their expansion, they built a set of disparate authentication mechanisms for everything from in-house developed software to SaaS apps. The fractured authentication silos meant that employees would need to maintain several “identities” in order to access company resources, a frustrating experience for a workforce that was increasingly global. It also meant that Gates was forced to maintain multiple authentication systems, which strained the engineering team and drained resources. They needed a “single source of truth” and an identity security firm that put championing the complex needs of global companies at the heart of their mission. That’s when Ping stepped in.
Ping helped Gates set up an SSO authentication authority that allows a user to log into all company applications with one username and password. SSO enables secure access for employees working in any location, a massive benefit for any company looking to empower a remote workforce without sacrificing security. Ping also built a multi-factor authentication (MFA) solution for Gates, which ensures that users are who they say they are, one of the key questions identity security is tasked with addressing. Gates also uses PingDirectory, which securely stores and manages employee data in a single, central data repository.
Next, Gates is planning to extend their identity and access management tools to their customers, providing secure login on both sides of the business. Centralizing authentication mechanisms on the customer side addresses a pain point that’s familiar to anyone who has struggled to remember their login credentials for one of their myriad accounts. “As individuals,” said Nagel, “there's nothing more frustrating than when you're trying to get to your banking details or to watch a movie or whatever it might be, and get stuck in an endless loop around logging in or authenticating who you are.”
From the office to remote and back again
The hurried transition from traditional office life to remote work exposed the seams of identity security for many companies and made them ask vital questions about how to secure a distributed workforce going forward. “A lot of organizations still treat identity security as if it’s just giving their employees an email and a password,” says Bird. “So there’s this urgent need to put the basic building blocks of actual identity security in place, and that starts with things like single sign-on and multi-factor authentication for remote workforces.”
It’s that worst-case scenario that has drawn out bigger questions about the value of identity security for modern enterprises and separated the companies that were primed for digital transformation from those that weren’t. “A lot of people were scrambling to resolve issues, and that rush created issues,” says Bird. “Identity security is like anything else: Once you uncover one problem it starts to cascade.”
The shortcuts and concessions made in the rapid-fire, work-from-home shift don’t need to be permanent, though. There’s an opportunity to build a stronger remote work ecosystem and Ping is providing companies with the tools to do it. “There’s been a lot of note-taking from companies about what they need when it comes to identity security,” says Bird. “We’re seeing a once-in-a-lifetime shift to remote work, and because of that, we’re also seeing a shift in how companies are thinking about identity security for whatever comes next. Identity needs a champion for whatever tomorrow brings, and Ping is that champion.”