Rethinking Identity Management in the Gig Economy
For years, the “consumerization” of IT has referred to the practice of employees conducting workplace activities on their personal smartphones and tablets, or using consumer services like Gmail or social media for work purposes. However, the “gig economy” is about to consumerize the workplace to new levels, bringing changes that will significantly impact how CSOs and CISOs protect their businesses.
When large parts of the workforce or even entire staffs are made up of independent contractors, it’s not just devices or services that are being brought onto the corporate network from outside of IT’s purview. These “permalancers” will be operating as complete outsiders to the corporate infrastructure, so to speak, which will test the boundaries of current IT-department protocols. IT will have to think beyond established bring-your-own-device (BYOD) practices; companies relying so heavily on freelancers now need to construct new “bring-your-own-identity” policies that will enable these workers to move freely and safely about the network, while keeping company infrastructure protected.
Traditional IAM Falls Short in Managing Non-Traditional Workforces
Traditional identity and access management (IAM) systems were not architected to manage a large number of workers of this type. IT is used to managing, at most, tens of thousands of employees who are known to the company – users with corporate accounts that the department can assume are trustworthy because they’re operating on closed corporate networks and behind the company firewall.
Now, these freelancers and independent contractors more often than not use their own personal accounts to access company resources, potentially from unsecured locations, such as a coffee shop’s open public Wi-Fi connection. There is a good chance they also work for other companies – maybe even competitors – and their gig might just last a few weeks or the duration of one project.
Workers Are Starting to Look Like Customers
In other words, workers are starting to look more like consumers, in part due to this increased reliance on contracted workers. As such, CSOs and CISOs need to start addressing the security needs of these workers accordingly. Consider marketing writers using their own accounts to upload documents to shared drives or edit them there, or freelance programmers checking code into the company’s source code repository. They have created their own accounts, and their identities could be established by a variety of single sign-on providers. Plus, they are authenticated against public services like OpenID and social media. Managing worker access in this environment is much more complex than it is behind the VPN and firewall, where HR or IT is simply charged with filling in key profile data for company-created identities and authenticating users against internal directory services.
Gig Workers Bring New Regulatory Challenges
The management of these freelancers’ data also comes with considerably more complicated regulatory challenges, as the security and privacy bar is generally higher in the customer world. For starters, companies are now indirectly charged with protecting forms of personally identifiable information (PII) they normally would not have stewardship of, starting with a user’s personal email address. Moreover, multinational companies that serve stakeholders on multiple continents must adhere to myriad regulations. It is beyond most companies’ IT staffs to customize traditional IAM solutions to meet the granular legal nuances of dozens of individual countries. So if a U.S.-based company with no offices abroad wishes to hire a group of freelancers across several Eastern European countries, that organization might lose a chunk of its labor savings trying to comply with the regulations of each region and industry in which it does business.
As this convergence of workforce identity management and identity practices normally associated with mobile, Web and IoT customer offerings continues, CSOs and CISOs must know that fusing traditional employee and customer IAM entails more than just a simple tweak of IT’s processes or the purchase of a one-off technology solution. It demands a fresh look from the C-suite because employee access will need a new model, one that accounts for greater scale and significantly more intricate security and compliance requirements.
Company leadership needs to get a handle on this new breed of employee. After all, the workers may be temporary, but the gig economy is here to stay.