Rethinking Identity Management in the Gig Economy

April 10, 2018

For years, the “consumerization” of IT has referred to the practice of employees conducting workplace activities on their personal smartphones and tablets, or using consumer services like Gmail or social media for work purposes. However, the “gig economy” is about to consumerize the workplace to new levels, bringing changes that will significantly impact how CSOs and CISOs protect their businesses.

When large parts of the workforce or even entire staffs are made up of independent contractors, it’s not just devices or services that are being brought onto the corporate network from outside of IT’s purview. These “permalancers” will be operating as complete outsiders to the corporate infrastructure, so to speak, which will test the boundaries of current IT-department protocols. IT will have to think beyond established bring-your-own-device (BYOD) practices; companies relying so heavily on freelancers now need to construct new “bring-your-own-identity” policies that will enable these workers to move freely and safely about the network, while keeping company infrastructure protected.

Traditional IAM Falls Short in Managing Non-Traditional Workforces

Traditional identity and access management (IAM) systems were not architected to manage a large number of workers of this type. IT is used to managing, at most, tens of thousands of employees who are known to the company – users with corporate accounts that the department can assume are trustworthy because they’re operating on closed corporate networks and behind the company firewall.

Now, these freelancers and independent contractors more often than not use their own personal accounts to access company resources, potentially from unsecure locations, such as a coffee shop’s open public WiFi connection. There is a good chance they also work for other companies – maybe even competitors – and their gig might just last a few weeks or the duration of one project.

Workers Are Starting to Look Like Customers

In other words, workers are starting to look more like consumers, in part due to this increased reliance on contracted workers. As such, CSOs and CISOs need to start addressing the security needs of these workers accordingly. Consider marketing writers using their own accounts to upload or edit documents onto shared drives, or freelance programmers checking code into the company’s source code repository. They have created their own accounts, and their identities could be established by a variety of single sign-on providers. Plus, they are authenticated against public services like OpenID and social media. Managing worker access in this environment is much more complex than it is behind the VPN and firewall where HR or IT is simply charged with filling in key profile data for company-created identities, and authenticating users against internal directory services.

Gig Workers Bring New Regulatory Challenges

The management of these freelancers’ data also comes with considerably more complicated regulatory challenges, as the security and privacy bar is generally higher in the customer world. For starters, companies are now indirectly charged with protecting forms of personally identifiable information (PII) they normally would not have stewardship of, starting with a user’s personal email address. Moreover, multinational companies that serve stakeholders in multiple continents must adhere to myriad regulations. It is beyond most companies’ IT staffs to customize traditional IAM solutions to meet the granular legal nuances of dozens of individual countries. So if a U.S.-based company with no offices abroad wishes to hire a group of freelancers across several Eastern European countries, that organization might lose a chunk of its labor savings trying to comply with the regulations of each region and industry in which it does business.

As this convergence of workforce identity management and identity practices normally associated with mobile, Web and IoT customer offerings continues, CSOs and CISOs must know that fusing traditional employee and customer IAM entails more than just a simple tweak of IT’s processes or the purchase of a one-off technology solution. It demands a fresh look from the C-suite because employee access will need a new model, one that accounts for a greater scale, and significantly more intricate security and compliance requirements.

Company leadership needs to get a handle on this new breed of employee. After all, the workers may be temporary, but the gig economy is here to stay.

Sven Dummer leads product marketing at Janrain, helping companies to build better online experiences for their customers through cloud-based customer identity and access management (CIAM). Previously, Sven worked with Silicon Valley startups as well as Fortune 500 companies, including Yahoo, Wind River (acquired by Intel), SUSE and Microsoft in product development, product marketing and management roles. At Intel, Sven also helped launch (and name) the collaborative Yocto Project, an open-source initiative that enables users to create custom Linux-based systems for IoT devices regardless of the hardware architecture.

You must login or register in order to post a comment.

A critical event is defined as an incident that disrupts normal operations, such as severe weather, crime, violence and critical equipment or technology failures. Business continuity and crisis response plans can only go so far if there isn't buy-in across functions, with executive-level support.

In this webinar, security expert Pieter Danhieux explores how CISOs and CIOs can inspire real change, fostering a positive security culture that enables their development teams to become more security-aware, more aligned with internal AppSec specialists and, ultimately, securing code as it is written.