
Digital Identities: Reduce Costs, Increase Security

  • On 14 April 2021

Today it goes without saying that any company, regardless of the sector in which it operates, needs an IT infrastructure for its commercial activity.

However, we want to focus attention on some aspects, perhaps still too hidden or not completely clear to everyone, related to the use of IT.

Usually, even small and medium-sized companies have their own internal domain; they certainly use company email; they use applications for office activities (word processing, spreadsheets, presentations, planning, …); they have services for sharing documents (typically Cloud-based); they have applications for managing attendance, travel and expense reimbursement; they use management systems specific to their sector; and, last but not least and at an ever-increasing rate, they make use of apps.

Each of the items listed above corresponds to a user account (digital identity) that must be created and assigned to a person, and that must also be “managed” in the broadest sense of the term, which we will explore further on.

In conclusion: every company, even a small or medium-sized one, needs on average about ten digital user accounts for each of its collaborators; this means that the stock of digital identities is an order of magnitude higher than the actual number of collaborators: a company with a few dozen employees has to manage a few hundred digital identities.

Paradoxically, this means that the resources needed to manage IT users must be higher than those of HR: if a collaborator is hired, changes role or job within the company, or ends their employment relationship, human resources manages one identity, while the IT department must deal with at least ten.

This is already a non-negligible cost item.

But let’s completely uncover Pandora’s box.

Of the tools that the company makes available to each employee, not all have the same weight: while email is used every day by everyone, managers typically review attendance once a month; connecting to an application after a month, especially if password change policies are in place, means that the access credentials have almost always been forgotten; it is therefore necessary to call internal support to set them again.

Gartner Group and Forrester Research (see the dedicated sections on their respective official websites) have been monitoring this aspect for more than 15 years; their analyses still lead to the same conclusions:

  1. Any internal support group spends from 30% to 50% of its time on password resets.
  2. Each single password reset costs an average of $70 (the range is from $30 to $120, depending mainly on the role of the user who has forgotten their credentials).

To provide a more striking figure: in 2019, users locked out of their accounts cost the US, overall, about 6 billion dollars (management and consequences): the equivalent of an industrial development plan.

Passwords naturally take us to another crucial issue: SECURITY.

Let’s not focus on those who write their passwords on post-its that they leave stuck to the PC screen, or on the pernicious habit of using a date of birth or the names of children or pets as a password: in my opinion this is the tree hiding the elephant (have you ever seen an elephant behind a tree? No. Then it means that it has hidden well). Because the reality is that in more than 90% of cases, despite the activation of the SSL, TLS and https protocols, the passage of passwords for authentication TAKES PLACE “IN THE CLEAR”.

Even a “virtuous” user, who remembers their password (for at least 10 digital identities that belong to them) and who uses “strong” solutions (non-trivial passwords, with special characters), is in any case forced by the infrastructure itself to transmit information in a way that even a less skilled technician (such as the present writer) would be able to intercept with a few hours of effort.

The problems highlighted are “important” (“hidden” COSTS of a not negligible amount, important SECURITY problems); the solution is the classic “Columbus’s egg”, if you make a CHANGE of mentality and collaborate with the right partner.

Specifically, it is necessary:

  1. Abandon user management based on the AUTHORIZATION mechanism and finally, and consistently, adopt the concept of ROLES.
  2. Adopt an adequate and efficient digital identity management tool (Identity Management).
  3. DISABLE THE AUTHENTICATION MECHANISM BASED ON USERNAME AND PASSWORD.

An important change in the approach that will make it possible to move from chaos to order.

SAP, taking advantage of the potential of the services present on the Cloud BTP platform (Business Technology Platform, the new face of the already known SAP Cloud Platform Integration), provides its Identity Management, able to integrate with all applications (SAP and non-SAP) present in the company’s IT landscape. It is a console from which to create, modify, manage and delete the digital identities of ALL the tools available to collaborators.

The relationship between the HR department and the IT department thus returns to being 1 to 1.

The issue of security is also addressed and strengthened: in addition to the “classic” SSO (Single Sign On) mechanisms, thanks to the recent acquisition of Gigya, SAP’s Identity Management allows you to activate two-factor or multi-factor authentication mechanisms in a relatively simple way; in this way we are freed from the weakness of having to depend on an access key (the password) that must be remembered, reset if forgotten, and in any case transmitted “in the clear” (unless you have activated expensive cryptographic mechanisms, which in any case do not compensate for the first two drawbacks).

 

PL3 & Partners, as a SAP partner, has acquired in-depth skills in the field of:

  1. Management of users by roles.
  2. Application integration with Identity Management (SAP and non-SAP).
  3. Implementation of SSO.
  4. Activation of authentication mechanisms through the exchange of certificates or logon tickets, with two or more levels of authentication.

PL3 & Partners does not only offer theoretical expertise: what we propose is exactly what we use for our internal systems, guaranteeing standards, security and flexibility, without the need to implement and maintain an entire PO landscape, but by exploiting the potential offered by SAP BTP in terms of data exchange between SAP and non-SAP systems. Obviously we also have the skills, in both Java and Groovy, to implement any customizations that may be required.

PL3 & Partners is the ideal partner to identify the best solution for each specific case: we are a System Integrator that aims to support its partners in the best way to seize the increasingly varied opportunities offered by SAP, whether the need is to implement something new or to adapt what already exists.

As usual, we are not looking for the ideal solution, but the ideal solution for you.

For any information you can contact us at marketing@pl3group.com

 

Giorgio Morlacchi

SAP System Administrator