
Complying With the Executive Order on Cybersecurity

May 18, 2022 / in Blog, The Radiant Team / by Josue Ochoa

It’s official: our country’s agencies need to improve their cybersecurity. Don’t just take it from us—that directive comes straight from the White House.

Guidelines issued via executive order (EO) on May 12, 2021 state that the government will officially embrace a policy of making comprehensive improvements to the nation’s cybersecurity to protect the government’s most sensitive infrastructure. That policy extends beyond public agencies to any contractors, non-profits, or other private companies that provide services for the federal government.

As the EO explains, “Incremental improvements will not give us the security we need; instead, the Federal Government needs to make bold changes and significant investments in order to defend the vital institutions that underpin the American way of life.”

One of the main components of the EO is moving all government systems to a secure cloud service while adopting a Zero Trust Architecture model. According to the President’s order, this approach is the only way to reliably ensure that security is built into digital services from the ground up, establishing an airtight perimeter.

Many agencies were already moving to a Zero Trust environment, but they regularly face challenges in actually implementing the strategy. The following information can help agencies, contractors, and other organizations understand what they need to do to comply with the EO and what practices make establishing Zero Trust policies easier.

What Are the Main Directives of the May 2021 Executive Order on Cybersecurity?

The main points of the EO (read it here) include:

  • Section 1: The federal government aims to make bold changes and significant investments in cybersecurity, instead of small incremental changes or band-aids.
  • Section 2: Remove barriers to sharing threat information among agencies and contractors, providing more effective defense measures against emerging threats.
  • Section 3: Modernize the government’s approach to cybersecurity while protecting privacy and civil liberties. This includes advancing toward Zero Trust Architecture and multifactor authentication.
  • Section 4: Enhance the security of software used by the government.
  • Section 5: Establish a cyber safety review board.
  • Section 6: Standardize the government’s response to cybersecurity vulnerabilities and incidents.
  • Section 7: Improve detection of cybersecurity vulnerabilities and incidents on federal government networks.
  • Section 8: Improve the federal government’s investigative and remediation capabilities.

Many of these best practices were covered in more detail in a subsequent memorandum published by the Office of Management & Budget (OMB), the office that coordinates compliance among various public entities and public/private partnerships.

The memo (M-21-30 Protecting Critical Software Through Enhanced Security Measures) specifically pertained to any piece of software that invokes “privileged access to networking or computing resources”, or that otherwise “performs a function critical to trust.” Within these guidelines, the OMB memo invokes identity, credential, and access management (ICAM) as a central component to protecting the integrity of sensitive infrastructure while any software is being used.

In other words: Zero Trust is going to be the gold standard to work toward moving forward, and identity and access management (IAM) is going to be the tip of the spear when it comes to implementation.

Challenges Agencies Face When Increasing Cybersecurity Through Zero Trust

One major challenge organizations face: Zero Trust is not a single technology or product. You can’t go out and buy Zero Trust. It’s more of a strategy or approach for improving cybersecurity through a combination of components, including identity and access management. Reaching Zero Trust requires careful thought regarding information architectures as well as how ICAM is handled through every process or service request.

What, exactly, does Zero Trust look like? A Zero Trust Architecture (ZTA) is a network security model or framework that’s based on strict identity verification across all access points. Every user and device accessing resources needs to be authenticated, no matter who they are or where they’re logging in.

The criteria used to allow access should be based on multiple factors, including not just the user’s credentials but their own contextual behaviors. For example, a user with the correct name and password should perhaps be required to perform a step-up authentication if they access a system using an unfamiliar device from a location halfway across the world from where they usually work.

This is different from past IT mindsets, where implicit trust is placed in users based on their typical access to the network. For example, once a user had logged into the general system where they worked, they might well have been permitted access to further systems or functions based on the credentials they logged in with. In Zero Trust, those credentials are verified and tested (authenticated) each and every time.
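The contextual check described above, as an added example that is not code from Radiant Logic or the original post: the decision is recomputed for every request (no "logged in once, trusted thereafter"), a valid password alone is not enough, and any risk signal (an unfamiliar device, or a location far from the user's usual place of work) triggers step-up authentication. The user, device and coordinate values are constructed for the illustration; the 2,000 km threshold is an assumption.

```python
"""Per-request, context-aware access decision (constructed example)."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class UserBaseline:
    """What the identity store knows about a user's normal behaviour (assumed fields)."""
    user: str
    known_devices: frozenset
    usual_location: tuple  # (latitude, longitude) of the usual place of work


@dataclass(frozen=True)
class AccessRequest:
    user: str
    credentials_valid: bool  # outcome of the primary credential check
    device_id: str
    location: tuple          # (latitude, longitude) from the request's geo lookup


def haversine_km(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def decide(baseline, req, far_km=2000.0):
    """Return (decision, signals) for one request.

    No session state is consulted: the same check runs on every request, which is
    the Zero Trust contrast with implicit trust after a single network login.
    """
    if req.user != baseline.user or not req.credentials_valid:
        return "deny", ["credentials-invalid"]
    signals = []
    if req.device_id not in baseline.known_devices:
        signals.append("unfamiliar-device")
    if haversine_km(baseline.usual_location, req.location) > far_km:
        signals.append("far-from-usual-location")
    if signals:
        # Correct name and password, but the context does not match: require step-up.
        return "step-up", signals
    return "allow", signals


# Constructed sample baseline: a user who normally works from Washington, DC.
ALICE = UserBaseline("alice", frozenset({"laptop-7f3a"}), (38.9072, -77.0369))


def demo():
    usual = AccessRequest("alice", True, "laptop-7f3a", (38.8977, -77.0365))
    # Same valid credentials, unknown device, request geolocated to Sydney.
    travelling = AccessRequest("alice", True, "phone-unknown", (-33.8688, 151.2093))
    return decide(ALICE, usual), decide(ALICE, travelling)


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```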

There’s a good reason for the change: many attacks come from within networks. Further, many users are vulnerable while accessing internal networks from remote sites or while using various devices. With an increasing volume of remote work, users can be acting in good faith yet still unintentionally compromise the systems they access. A recent report from the U.S. Justice Department identified that hundreds of devices and individual accounts across the global energy sector were targeted by hackers from 2012 to 2018. Zero Trust means ensuring that any individuals accessing a system are not only who they say they are, but also that the access points they use don’t carry blanket permissions without diligent IAM checks every step of the way. Otherwise, granting them permissions could also be granting permissions to malware and other hacking or spying tools at the same time.

The directive presents another challenge: complex governance and management require all permissions and access privilege levels to be thoroughly understood. Every part of the network that requires identity to function must be documented, and the new ZTA must acknowledge these complexities and be capable of managing them across various software and systems.

Part of the shift towards ZTA means organizations need to get the right people in the room who can approve the overarching revisions across these various points, including the CIO, the CFO, and other high-level players. Only with their buy-in can the organization comprehend every facet of ICAM, which then enables it to tighten the security perimeter so that it closes all gaps.

Other Challenges to Modernizing Cybersecurity

Federal agencies and their partners face many other challenges on top of those mentioned above. One of the most common is that they will have multiple applications active over a hybrid infrastructure—e.g. activities that go through private hosted networks, multiple on-prem sites, and shared cloud functions (AWS, etc.). Data may also be siloed across multiple legacy apps and repositories, accumulated over years of operation.

Employees and contractors will also need to be able to access apps from multiple locations. Gone are the days of everyone sitting in one building operating on a secure network behind the firewall!

The further these activities spread and the more systems they touch, the more identity sprawl grows. Identity sprawl and technical debt create a larger attack surface and leave systems vulnerable.

Time-to-implement and scalability present further challenges. Many solutions can take months or years to implement, and might not work across the entire infrastructure. However, there are alternatives that can be implemented relatively quickly to provide comprehensive security through all points of ICAM. These include Radiant Logic’s Identity Data Fabric, which unifies all sources of identity data to lay the foundation for successful ZTA implementations.

Solution: Identity Management with Zero Trust Architecture

The above challenges collectively compel agencies to modernize cybersecurity with optimized identity data management and implement ZTA.

With ZTA, the approach shifts from network or systems-based security to identity-based security. Retooling your infrastructure to support that shift can be done with an identity data platform that unifies many sources to create a total understanding of every user, all from one source. Moving to the cloud is speeding up the process, as are modernized technologies that help with momentum, speed, and agility.

The ability to register and find the needed identity data on subjects, assets, and resources is the key to enhanced identity governance and a Zero Trust Architecture.

“A Zero Trust approach relies on a strong identity foundation,” says Wade Ellery, VP of Solution Architects, and Radiant Logic’s technical lead on the NCCoE project. “We believe that offering a single pane of glass for context-driven identity data will accelerate interoperability and eliminate identity integration challenges, making identity an enabler of a secure enterprise architecture instead of a risk vector.”

Organizations need to be able to safely connect subjects and resources when needed, no matter where they are. Yet with data spread across your organization, there’s often no unified source or list of users. To remedy this, organizations need a way to authenticate users throughout the infrastructure and pull data from many endpoints and domains. They should be able to do so, with minimal latency, to ensure user access is appropriate without generating friction every step of the way.

Zero Trust and Identity Unification Go Hand-in-Hand

Implementing Zero Trust—and fulfilling the mandates of the EO—may seem like a daunting task. For Zero Trust to be effective, identity data must be highly available, scalable, normalized, richly correlated, and updated in real-time.

The RadiantOne Intelligent Identity Data Platform is designed to fit all of these criteria. With our RadiantOne platform, you can unify your identity stores and implement a single source of ICAM quickly. These advantages will speed and enrich an organization’s ZTA deployment.

The RadiantOne Intelligent Identity Data Platform is the industry’s first and only Identity Data Fabric. The platform doesn’t create another silo. Instead, it unifies all identity data from across an organization and the various technologies it uses. This distributed identity data can be brought together, creating a comprehensive list of all ICAM data and a single point to manage ICAM activities.

These advantages mean that organizations can create a flexible and reusable resource for ICAM while delivering the needed identity-adjacent services on-demand. Your identity data will be secure and available in exactly the set of users, attributes, format, structure, schema, and protocol each application developer needs.

The RadiantOne Intelligent Identity Data Platform can be implemented at any time, with minimal startup. Unlike many other projects, such as AD migration or duplication, implementation can take only a matter of weeks, not months (or years). The rapid onboarding won’t disrupt existing processes or services. It’s vendor, protocol, and tool-agnostic, so you won’t have to “rip and replace” other apps. Instead, it sits cleanly on top of all IAM-facing systems, bringing them together for one consolidated point of control.

Once the identity data has been unified, the collective repository can be used many times. Identity information also doesn’t need to be duplicated multiple times across several systems. The flexibility offers the perfect launching pad not just for Zero Trust but also for other initiatives, like Single Sign-On (SSO).

Setting Public Agencies and Their Partners up for ZTA Success

Implementing Zero Trust is complex in all contexts, but it is now the preferred default state for software used by public agencies. The faster your digital transformation towards this end, the more secure your environment.

Want to know more about how the public sector can adopt a Zero Trust Architecture model for your government-facing projects? Watch our on-demand video: Experts: You’re Closer to Zero Trust than You Think, or contact us today for a demo.


The Key to Zero Trust: Pick the Right Starting Point

May 4, 2022 / in Blog, Lauren Selby / by Josue Ochoa

Earlier this year, the U.S. federal government released its Federal Zero Trust Strategy to “adapt civilian agencies’ enterprise security architecture to be based on zero trust principles.” The strategy’s goal is to “accelerate agencies toward a shared baseline of early zero trust maturity” in two years so that all public sector agencies, staff, contractors, and partners can do their work efficiently and securely.

Moving to a completely Zero Trust-Based Architecture is a multi-year journey that will require flexibility and the ability to pivot as new technologies and best practices emerge. It’s a complex initiative for the public sector to consider all the devices, networks, and applications they use, their workloads, the data they collect and use, and the security needed. With the clock ticking and some deadlines fast approaching, there’s much work to be done.

When confronted with this mammoth task, where should the public sector start with Zero Trust? We might be biased, but we think unified identity data is a solid starting point for public sector organizations looking to implement Zero Trust Architecture. This post will explain why and how unifying all the underlying identity data lays the foundation for delivering successful Zero Trust for public sector organizations—and it can also keep them on track to meet the government’s deadlines.

Zero Trust Challenges in the Public Sector

Zero Trust (ZT) is hard for the public sector due to siloed identity and the challenges around getting a unified identity set that is flexible enough to support a variety of Zero Trust technologies and platforms. Identity-first security is a big trend for a reason, and the pressure to adopt Zero Trust leads to greater awareness of the role identity plays in securing access—and rightfully so.

Identity data in many public sector agencies is spread across siloed systems that don’t integrate easily with access platforms. Data like user information, credentials, attributes, real-time data like geolocation, and dynamic risk scores, are essential parts of any security strategy, yet are easily missed when scattered across various systems.

Further complicating things are the technology challenges the public sector faces. That includes the legacy tech still in place at many agencies and the technical debt it leaves behind. Many agencies use aging systems that often do not support Zero Trust or other security modernizations without extensive customization. These older systems typically use an “implicit trust” strategy where users log on to the network and have access to everything, which is extremely risky today.

Criminals can easily exploit an entry point and cause havoc throughout the entire agency network or infrastructure. Even if newer systems and infrastructure are deployed, they’re less secure in this type of network because of the flaws of implicit trust. They’d also need to be rebuilt or replaced entirely to implement Zero Trust.

Rebuilding or replacing infrastructure to implement more modern security strategies like Zero Trust can be expensive. It requires significant investments in infrastructure, IT, and expertise that many public sector agencies just don’t have.

Zero Trust relies less on perimeter security and employee training alone and more on identity security. The network is a key component of Zero Trust, but so are users, devices, systems, workflows, etc. A good starting point on the path to optimal Zero Trust Architecture for the public sector is unifying identity data.

We feel it’s the key to unlocking successful Zero Trust adoption across the public sector for several reasons.

Identity Data is the First Step Towards Zero Trust

The founding principle of Zero Trust is “never trust and always verify.” All users, devices, and services must be authenticated before gaining access to resources or data. This is contrary to most public sector setups, which grant access at a network level, otherwise known as the implicit trust model.

It’s essential to enforce trust and access at a more granular level, given how much we do online today and the creativity of cybercriminals. Identity data plays the foundational role in facilitating an optimal ZT architecture that keeps data, systems, and infrastructure safe while not impeding workflows.

Laying the Groundwork for ZT Success

An on-demand source of unified identity data—what we call the “Identity Data Fabric” approach—can help public sector agencies overcome many of their current technology and security challenges to Zero Trust adoption because it’s the foundation of a digital organization.

With an Identity Data Fabric, public sector agencies can:

  1. Simplify IT and infrastructure management: An Identity Data Fabric delivers the always-on, always up-to-date unified identity data that an agency uses every day to drive its digital security architecture. With central access and visibility into complete user information, identity data can be centrally maintained and managed while allowing security systems to consistently authenticate and authorize users and devices everywhere.
  2. Enable dynamic risk mitigation: One benefit of modern security platforms is continuously monitoring and assessing risk through machine learning and other automated processes. Risk-based security models enable you to detect, analyze, and respond to potentially harmful activity at any infrastructure level faster than any perimeter-based security approach. But these solutions need to be fed the information required to make such assessments—and an Identity Data Fabric can unify all that identity data across a world of disparate sources (from AD and APIs to LDAP, SQL, and more!) so these dynamic assessments can be made actionable.
  3. Simplify password management: The average business employee has 191 passwords to manage, making them a top security threat. An Intelligent Identity Data Platform makes it much easier to enable measures such as single sign-on (SSO) to streamline the number of passwords in use, as well as multi-factor authentication (MFA) that adds another layer of verification to every touchpoint. In fact, enabling MFA is called out specifically in the government’s ZT mandate.
  4. Improve and secure the user experience: By unifying the digital experience for users and adding secure SSO across all digital touchpoints, you improve their experience with the digital tools they use every day. Public sector agencies are wary of locking systems down too much since it can impact employee productivity. When done right, identity data security removes those roadblocks and ensures seamless access, so employees stay efficient—and agencies become more secure.

Simplify Your Path to Zero Trust

Radiant Logic has worked with numerous public sector organizations to develop solutions that meet their unique use cases, from university healthcare networks to branches of the U.S. military and several federal government departments, including the Department of Homeland Security. We help public sector organizations achieve a true Zero Trust Architecture across distributed environments while maintaining security for forward-looking organizations dealing with aging systems that can’t easily be replaced.

Our integration professional services team has the expertise to sort out your identity mess and align everything with your use cases. You’ll have granular access control and interoperability across systems, applications, departments, and more. Our solution modernizes systems with low-connectivity issues and decades-old design patterns, without wholesale replacement of technology and infrastructure.

Implementing a Zero Trust Architecture is a complex undertaking. With the new OMB ZT mandate and Presidential Executive Order to modernize public sector identity management and security, it’s critical that agencies start somewhere—and the smartest place to start is with your identity data. It’ll make all your future efforts more efficient to start at the beginning.

Defining use cases for all levels of users is beneficial for several reasons, including highlighting affected systems, employees, and workflows; identifying gaps and areas for improvement; and encouraging collaboration across previously siloed teams.

Transitioning to a ZTA is a long-term project, so identifying all your use cases can help ease the public sector into the work. Certain items should be done first, and quickly, as outlined in the EO mandate and the 180-day deadline. An Identity Data Fabric gives you a solid unified identity data foundation, making later transitions faster and more efficient. And it can accomplish all that identity unification really quickly—think days or weeks instead of months, years, or never.


Get Your Identity Data Right to Deliver the Best CIAM

April 27, 2022 / in Blog, The Radiant Team / by Josue Ochoa

Identity management starts with user profiles containing current and accurate information about all your users, from employees and contractors to partners, prospects, and your all-important customers. This isn’t a major challenge for small organizations with a few employees and a handful of customers. Any changes that need to be made can be done quickly, since there aren’t many to make. But for larger organizations, with thousands to tens of thousands of internal users and tens or hundreds of thousands of customers (or even 50 million+ users!!!), it’s very important—and significantly more complex!

Case in point: the same user name across different data repositories could refer to one single user—or it could refer to completely different people. To keep your systems secure, it’s essential to be able to discern same-users from separate-users. This is a challenge seen often within organizations facing the issue of identity sprawl.

How can you keep them straight, disambiguating identifiers to make sure you’re correlating the right users together when they’re actually representing the same person or entity, and not connecting users who have the same name but are actually a different person?

We have a solution to manage this situation for your organization. By deploying the RadiantOne Platform, you can use our powerful logic engine to help you understand all the places that your customer identity data exists—and which pieces of data refer to which user, even if people share the same name or a user is known by (many!) different names. Using this technology, you can choose which pieces of the identity to use to correlate users, so that you don’t join the wrong identities together. This streamlines identity management for internal users and speeds and enriches Customer Identity and Access Management (CIAM) deployments, by enabling enterprises to truly know their customers, across multiple diverse platforms.
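The disambiguation problem described above, as an added illustration that is not RadiantOne's own correlation engine: records from three constructed sources are grouped into profiles by the attributes you choose as join keys (here employee ID and e-mail, normalized before comparison), so that two different people who are both “jsmith” stay separate while one person known as “jsmith” in AD and “smithj” in HR is joined. The same routine run with username as the only join key shows the wrong merge. The source names, field names and sample values are constructed for the example.

```python
"""Identity correlation by chosen join keys (constructed example)."""
from collections import defaultdict

# Constructed sample records from three hypothetical sources. Two different
# people are "jsmith" somewhere, and John Smith is "smithj" in HR.
AD_RECORDS = [
    {"source": "ad", "username": "jsmith", "employee_id": "E1001", "email": "john.smith@example.gov"},
    {"source": "ad", "username": "mjones", "employee_id": "E1002", "email": "mary.jones@example.gov"},
]
HR_RECORDS = [
    {"source": "hr", "username": "smithj", "employee_id": "E1001", "email": "John.Smith@example.gov"},
    {"source": "hr", "username": "jsmith", "employee_id": "E2047", "email": "jane.smith@example.gov"},
]
CRM_RECORDS = [
    {"source": "crm", "username": "jsmith", "employee_id": None, "email": "jane.smith@example.gov"},
]
ALL_RECORDS = AD_RECORDS + HR_RECORDS + CRM_RECORDS


def _norm(value):
    """Normalize a value for comparison; empty or missing values never match anything."""
    if isinstance(value, str) and value.strip():
        return value.strip().lower()
    return None


def correlate(records, join_keys):
    """Group records into profiles. Two records merge (transitively) when they
    share a non-empty value of any join key; usernames are NOT a join key unless
    the caller says so. Returns a list of profile dicts."""
    parent = list(range(len(records)))  # union-find over record indices

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    def union(i, j):
        parent[find(i)] = find(j)

    seen = {}  # (key, normalized value) -> first record index carrying it
    for idx, rec in enumerate(records):
        for key in join_keys:
            val = _norm(rec.get(key))
            if val is None:
                continue
            if (key, val) in seen:
                union(idx, seen[(key, val)])
            else:
                seen[(key, val)] = idx

    groups = defaultdict(list)
    for idx, rec in enumerate(records):
        groups[find(idx)].append(rec)
    return [_profile(members) for members in groups.values()]


def _profile(members):
    """Collapse a group of records into one profile with deduplicated attributes."""
    def values(key):
        return sorted({_norm(m.get(key)) for m in members if _norm(m.get(key))})
    return {
        "sources": sorted(m["source"] for m in members),
        "usernames": values("username"),
        "employee_ids": values("employee_id"),
        "emails": values("email"),
    }


def find_profile(profiles, field, value):
    """Return the first profile whose `field` list contains `value`, else None."""
    for profile in profiles:
        if value in profile[field]:
            return profile
    return None


def username_collisions(profiles):
    """Usernames that resolve to more than one profile: same string, different people."""
    count = defaultdict(int)
    for profile in profiles:
        for username in profile["usernames"]:
            count[username] += 1
    return {u: n for u, n in count.items() if n > 1}


if __name__ == "__main__":
    for p in correlate(ALL_RECORDS, ["employee_id", "email"]):
        print(p)
    print("ambiguous usernames:", username_collisions(correlate(ALL_RECORDS, ["employee_id", "email"])))
```

Usernames flagged by `username_collisions` are the ones an administrator should never use as a join key for those sources.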

Unify Identity Across Diverse Sources (No Hard-Coding Needed!)

Begin by connecting to all your disparate identity sources across different systems. With RadiantOne, it’s not necessary to move everyone into the same directory or database. In fact, there’s no need to change or replace the data stores you already have. After all, your legacy systems represent a tremendous investment of resources, filled with exactly the rich data that can drive your newest, most high profile initiatives, from digital transformation to Zero Trust—but only if you can get to it!

With data stored across different formats, with different schemas, and different identifiers, gaining a global view of all your users and their attributes has long been an expensive hassle. Hard-coding brittle connections is a slow process that can’t keep up with the pace of business. With our identity unification platform, it’s easy to federate your existing identity sources and legacy platforms instead, so you can tap all the richness of your existing attribute sources, while adding much-needed agility and efficiency.

RadiantOne helps you join identity information together to build a 360-degree view of each user, so you can see everywhere your customer interacts with your organization. Keeping your user’s data up-to-date across all these platforms, and making that information securely available wherever it’s needed, is key to enhancing the customer experience.

Eliminate the Latency of Workarounds

Using workarounds to connect all data is a traditional solution. However, there have always been issues with this type of temporary band-aid. Workarounds are resource-intensive, fragile, prone to breaking, and need to be redone for every legacy system. Connecting disparate systems adds a tremendous amount of latency to the system. Customers will end up waiting—and waiting, and waiting—for your system to process their requests and connect them with the business segments they need.

For example, if you’re an insurance company and the customer already has auto insurance with you and now wants to get homeowner’s insurance, those systems could very well be different because your company purchased a car insurance provider, then added a separate homeowner’s insurance provider later. Connecting these completely separate systems, each with its own naming conventions, can be a long and inflexible process that leads to gaps in what you can offer. So your customer may not be happy, or worse, leave and go someplace else.

This is a challenge seen often by older brick-and-mortar companies that have to compete with digital-first enterprises. Digital transformation has to happen fast for them to keep up, despite their technical debt and the lack of resources (this is a very specialized talent pool!) for getting these projects done.

The RadiantOne Platform lays the foundation for CIAM success by pre-correlating user information and joining profiles across the different systems into a single source of customer truth. This not only speeds up the process of deployment, it also builds context within your system, giving you a comprehensive record of each customer’s relationships with your enterprise. So you can link together a user’s auto policy with the life insurance information they discussed with a sales associate, without having to separately search across several different platforms. It’s all in one unified platform now, so you’re much better equipped to offer excellent, relevant service and deliver a better customer experience.

With CIAM, the stakes are high. If you get it right, you’ll attract customers and drive revenue, while positively representing your organization. Get it wrong and your business and image will suffer. Customers may go elsewhere. These trends are forcing many organizations to rethink their CIAM strategies.

We’re happy to help you with your CIAM strategy and keeping your customer profiles correlated, correct, and complete. Contact us today.


Advanced Federal Use Cases: Identity on the Edge

April 21, 2022 / in Blog, Wade Ellery / by Josue Ochoa

Naval operations project power around the globe, often requiring assets to “sail over the horizon” and lose contact with onshore command and control. To maintain continuity and security in such an environment, ships and their crews require local access to all identity data originally sourced from onshore and integrated with local assets. This model needs to scale all the way up to an aircraft carrier and down to a SEAL team in a RIB (rigid inflatable boat).

Why Accurate Information at the Edge is so Critical (Better Data=Better Decisions)

America has always done well by empowering our soldiers in the field to make local decisions. We see that from our very beginning as a nation, when the rebel army fought for freedom from Great Britain in the American Revolutionary War—in many ways a battle between the old and the new. The British Army fought out in the open, using a traditional line formation with very centralized command over large masses of troops. The intent was to overwhelm the enemy with sheer firepower in a face-to-face battle. The colonists declined to adopt such a model, relying instead on smaller, more nimble groups of Minutemen who would hide behind trees and rocks. This alternative method of “facing” the enemy was greatly enabled by the willingness of the colonial army to empower these smaller teams to work independently.

These days, the world is watching the breakdown of battle plans based on the old idea of centralized command and little initiative in the field. Whenever there is a shift in the plan—and as German military strategist Helmuth von Moltke said, “no battle plan survives contact with the enemy”—central command generals must come into the field, assess the situation, and give new orders. This not only delays operations and hobbles the forces, it puts the command staff in much greater danger.

The modern United States military, however, has retained the lessons of the Revolutionary War and continues to highly enable its front-line squad and platoon leaders to make critical real-time decisions in the field. But as they continue to modernize and digitize the weapons and tactics of war, a new challenge has arisen: how to effectively provide all the modern IT capabilities—currently highly-reliant on a centralized infrastructure—all the way to the tactical edge.

Identity Has Become a Critical Component of Every Facet of Operations

Driven by the emergence of Zero Trust Architecture as the gold standard for enhanced security, and the demand for cross-entity collaboration and operations, Identity has charged to the forefront of the Federal Government’s effort to secure and deliver reliable services across the enterprise. A “least privilege” policy-driven access model demands the richest possible identity data to succeed, shining a light on the challenges of creating a complete and accurate view of each identity. The sheer number of historical systems, extended sources of granular data, and the nature of identity sprawl prevent a quick and easy aggregation of all identity data. It is not a failure of any one initiative, but in fact the nature of the world we work in, that identity data is created, managed, stored, and deleted in a variety of platforms that do not share a common structure, schema, format, or protocol. Think of identity sources in an environment as diverse and sprawling as the Department of Defense as all the nations in the UN, with a world of different languages, customs, and agendas.

Scalable, Accurate, Consumable Identity Data is the Foundation of Every Operation

Delivering on the security goals of recent Presidential mandates and ongoing projects across the Federal Government requires the implementation of an abstraction layer between the sources of identity and all the different systems that need to consume some part of that rich identity profile. This abstraction layer must be platform- and schema-agnostic so it can incorporate identity data from all sources regardless of structure, schema, format, or protocol. In addition, this abstraction layer must be able to model multiple simultaneous views of the data, each in precisely the structure, format, schema, subset of users, attributes, and protocol that each consuming application requires.

These consumers of identity span the Identity and Access Management (IAM), Identity Governance and Administration (IGA), and Privileged Account Management (PAM) applications, as well as Zero Trust Policy Decision/Enforcement Points (PDP/PEP), risk engines, AI and Machine Learning systems, and the network segmentation and microservices platforms. Each consuming system needs to get the same identity data from across all the diverse sources of truth, delivered in the precise format it needs to perform its mission.

Enabling Granular Access to Sources of Truth for Collaboration and Security

The abstraction layer also acts as a security layer between all the sources of identity data and the consuming applications or outside world. Only those attributes required for a specific operation or application are exposed, and this filtering can be applied at the attribute, application, or view level. Instead of asking to set up a share-all trust between organizations, the abstraction layer allows each source of truth to control its own data, and offers an additional layer of insulation that prevents unauthorized access across entities. This capability is critical when setting up joint operations with coalition partners and industry contractors who need access to secure data, but must be limited in the scope and breadth of what they can see and do.

Let’s take a moment to discuss what an identity is in today’s modern IT world. Traditionally, we thought of an identity as a person and the attributes assigned to them, usually in their Active Directory user record. But this offers a very limited scope, both for the human user and for all the Non-Person Entities that also need to have their identity managed. So let’s define an Identity as any object (breathing or not, tangible or abstract) that can be defined by a set of attributes and relationships. The attributes part is obvious: a soldier has a rank, a server has an IP address, we can associate values for attributes to objects and use them to define that object.

But I would argue that it is even more important to define the relationships that a particular object has to other objects. A soldier has a relationship to their commander, to their squad, to their MOS (Military Occupational Specialty), to their clearance. A server has a relationship to the service accounts that can access it, to the network segment it inhabits, to the data it holds. So equally important for our abstraction layer is the ability to contain all the wide variety of attributes for each object, while also maintaining the many-to-many relationships between all these objects, so you have a deeper contextual sense of how they inter-relate and interact.

In building an attribute-rich, relationship-aware (that is, context-aware) identity, the key is integrating as many sources as possible, while maintaining near real-time change detection to ensure the most current, accurate data is always available.

Whether we call this a Master User Record (MUR), Entitlement Catalog, Identity Warehouse, or something else, it gives us a “single pane of glass” through which we can see the entire enterprise. This enterprise may be a branch of the DoD, a department in the Executive Branch, or an aggregation of multiple mission partners into a coalition of identities that can interoperate across multiple environments, agencies, departments, industrial contractors, and international partners. Each branch or coalition may have their own version of MUR created for their own purposes and most often stored and deployed in a centralized infrastructure. This centralized and accessible model serves many operations very effectively, but there are several use cases that are not well addressed by a central terrestrial or cloud-based repository of the identity data.

Often local forts, bases, or ports each need the core identity data from the master record source of truth for the objects in their command, but also need to locally augment each identity object with additional data relevant to the location or the organizational element. The abstraction layer needs to operate flexibly, efficiently, and at scale, whether deployed at the central command or as a subset of augmented identities at a lower level in the organization or in a different network security segment.

Back to the Tactical Edge

This brings us to the tactical edge, the tip of the spear, the men and women on the front lines. Just as highly available, comprehensive, and accurate identity data is necessary at central command and at established bases with reliable reciprocal connectivity, it is equally critical at the tactical edge, where denied/degraded, intermittent, or low-bandwidth (D-DIL) conditions may hamper or sever access to central command, and with it access to the identity data needed for every decision in the field.

The tactical model takes many forms across the Federal Government and the armed forces. It may be something as large as a carrier group sailing over the horizon on a joint operation in the Indian Ocean, or a forward outpost at the front lines of enemy territory, or FEMA resources reacting to a natural disaster that has taken down all reliable communications. If the Identity Credential and Access Management (ICAM) decisions are governed by identity data, those same access controls are in play when a group becomes disconnected. To be sure the right people have the access they need, without compromising security, identity data needs to be able to travel with the team into the field.

For a large deployment, this will include standing up a local abstraction layer that is populated from the Master Records, including only those identities and attributes relevant to the mission. This initial deployment may be then pushed down to smaller entities in the battle group and augmented with existing local identities, resources, and attributes—such as a scenario where a small team is deployed to a Rock in the Ocean, bringing everything they need to operate, including a complete ICAM system populated with full identity sets.

While over the horizon, in the D-DIL environment, or completely cut off on an island, the operations can continue independent of the need for a connection to the shore or homebase. Field operations can assign additional access, update profiles, award field promotions, all in the context of their local copy of the identity datasets. When these forces return to a reliable connection to the homebase master user repository, the data from the field operations can be synchronized back to the master record. Local Governance tools can make decisions on which field updates (like promotions) are retained, and which (like temporary elevated security) are discarded before the master records are updated. The whole mission can be archived or completely wiped so that no residual attack surface remains. When another operation needs to go into the field, the appropriate identities can again be generated and applied for the next mission.
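The deploy, operate, reconcile cycle described above, as an added example that is not RadiantOne code. It models the master user record as a plain dictionary, projects a mission subset with the attribute-level filtering discussed earlier (the SSN fragment never leaves the shore), applies field changes to the local copy, and reconciles them under a per-attribute governance policy. All identities, attribute names and the policy are constructed sample data; the "frozen" class (attributes that may not change in the field at all) goes one step beyond the two cases the post names, retained and discarded.

```python
"""Hypothetical model of an edge ("tactical") identity dataset: project a
mission subset out of a master user record (MUR), let the field update it
while disconnected, then reconcile changes back under a governance policy.
Added example with constructed data; not RadiantOne code."""

from copy import deepcopy

# Constructed master records: identity -> attributes (sample data only).
MASTER = {
    "j.doe": {"rank": "E-5", "unit": "Alpha", "clearance": "S",
              "ssn_last4": "1234", "roles": ["comms"]},
    "a.lee": {"rank": "O-3", "unit": "Alpha", "clearance": "TS",
              "ssn_last4": "5678", "roles": ["commander"]},
    "m.ortiz": {"rank": "E-7", "unit": "Bravo", "clearance": "S",
                "ssn_last4": "9012", "roles": ["medic"]},
}

# Governance policy for field changes, per attribute (hypothetical names):
#   retain  - the field value survives reconciliation (e.g. a field promotion)
#   discard - the field value is dropped (e.g. temporary elevated access)
#   frozen  - may not change in the field at all; a change is reported as rejected
POLICY = {"rank": "retain", "unit": "retain", "roles": "discard",
          "clearance": "frozen"}


def project_for_mission(master, identities, attributes):
    """Build the local dataset: only the mission's identities, and only the
    attributes the mission needs (attribute-level filtering)."""
    unknown = set(identities) - master.keys()
    if unknown:
        raise KeyError(f"not in master record: {sorted(unknown)}")
    return {uid: {a: deepcopy(master[uid][a]) for a in attributes if a in master[uid]}
            for uid in identities}


def reconcile(master, local, policy):
    """Merge field updates into a copy of master. Returns (new_master, report),
    where report lists what was retained, discarded, or rejected. Identities
    created only in the field are not pushed to master; they stay field-local."""
    new_master = deepcopy(master)
    report = {"retained": [], "discarded": [], "rejected": []}
    for uid, local_attrs in local.items():
        if uid not in master:
            report["rejected"].append((uid, "*", "field-local identity"))
            continue
        for attr, value in local_attrs.items():
            if master[uid].get(attr) == value:
                continue  # unchanged in the field
            action = policy.get(attr, "discard")  # fail closed: unknown attributes are dropped
            if action == "retain":
                new_master[uid][attr] = deepcopy(value)
                report["retained"].append((uid, attr, value))
            elif action == "frozen":
                report["rejected"].append((uid, attr, value))
            else:
                report["discarded"].append((uid, attr, value))
    return new_master, report


def run_mission():
    """Walk one mission through the cycle and return the reconciled master and report."""
    # 1. Project only Alpha unit, without the SSN fragment the mission never needs.
    local = project_for_mission(MASTER, ["j.doe", "a.lee"],
                                ["rank", "unit", "clearance", "roles"])
    assert "ssn_last4" not in local["j.doe"]
    # 2. Disconnected field operations on the local copy.
    local["j.doe"]["rank"] = "E-6"                      # field promotion
    local["j.doe"]["roles"] = ["comms", "admin"]        # temporary elevated access
    local["a.lee"]["clearance"] = "TS/SCI"               # not permitted in the field
    local["new.recruit"] = {"rank": "E-1", "unit": "Alpha"}  # identity created in the field
    # 3. Reconnect and reconcile against the shore-side master.
    new_master, report = reconcile(MASTER, local, POLICY)
    # 4. Wipe the local dataset so no residual attack surface remains.
    local.clear()
    return new_master, report
```

Two choices matter for security here: an attribute absent from the policy is discarded rather than retained, so an unanticipated field change never reaches the master record, and the master is never mutated in place, so a reconciliation that is abandoned halfway leaves the source of truth untouched.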

Identity will be at the Center of Operations Going Forward

For more than two centuries, the world and our government operated in a highly analog world of paper, typed orders, face-to-face or radio communications between staff in order to conduct military operations, provide government services, and respond to natural disasters. Just as the commercial world is moving to adopt digital solutions to replace analog paper-based systems, the Federal Government is in the middle of a generational transformation. But its sheer scale, the nature of all its siloed organizations, the layering of critical security and the need to collaborate outside the US creates an exponential level of challenges and complexity for this transformation. Take away one of the core architectural models—the ability to centralize data as sources of truth and disseminate that identity data in a controlled manner—by requiring operations in TAC/D-DIL environments and the hill gets higher.

By adding this flexible identity abstraction layer, decoupling the sources of truth for identity across all object types, and controlling where and when identity data is provided, it is possible to serve two masters—centralization and tactical autonomy—and remain true to the tenets of security, accuracy, and availability.


Go From "Hold Please" to "Glad I Could Help!" With Unified Customer Identity Data

April 20, 2022 / in Blog, The Radiant Team / by Josue Ochoa

Customer service is the linchpin of a quality customer experience, whether you’re delivering the personal touch in a retail setting or solving an issue when something goes wrong. Both are essential to customer retention, but the art of making things right again could be the difference between keeping loyal customers…or losing frustrated ones to competitors.

The call center acts as a critical point of customer service. At this stage, customers have already exhausted all other means of receiving support, and so they resort to waiting on hold in the hope that talking to a human being will bring them the resolution they need.

Yet, consumer dissatisfaction with call centers remains high, for a number of reasons. Chief among them, according to the Wall Street Journal, is the fact that automated call distributor technology allows companies to scale support quickly, but at the cost of depersonalization. Agents and customers alike can become frustrated by the fragmented, piecemeal way in which customer accounts must be managed under a growing number of systems. Fragmented systems—and the need to log into each one separately—generate long wait times, causing friction to build during conversations. Not only that, incomplete views of customer data contribute to these challenges, making it more likely for key information about the account to be missed, or misunderstood.

Businesses looking to resolve this problem must find a method to unify customer identity data and represent it when, where, and how it’s needed for the particular issue at hand, with minimal latency. Radiant Logic’s Identity Data Fabric helps organizations deliver the identity infrastructure that sets the stage for an optimal customer service experience, both from the helpdesk perspective and the customer side. With the unified view of identity data an Identity Data Fabric offers, call center reps can quickly access all the customer information from one single customer service interface. The result is that representatives have all the information they need, right when they need it, allowing them to resolve issues more quickly and with less frustration for everyone involved.

Customers Say: “Don’t Waste My Time!” 

Customers dread calling customer service for multiple reasons. According to an IT support software survey, the biggest pain points are “long hold/wait times while interacting with an agent” and “having to repeat my information multiple times.”

One company’s research showed that half of customers will switch to a competitor after a single bad experience. After more than one bad experience, that number shoots up to 80%.

On the other hand, a positive experience can solidify a customer’s loyalty to the company. A 2021 Customer Expectations Report uncovered that great service is the primary reason for brand loyalty among 63% of those surveyed. Further, 62% of consumers said they’d recommend a brand to a friend after receiving great service.

Also worth noting: when the IT support software survey asked what factors had the biggest influence on a good customer service experience, the number one answer was “I can resolve my issue quickly.”

Streamline Service with an Identity Data Fabric

Unfortunately, the biggest factors that stand in the way of quick problem resolution often aren’t the skill of the agent or the complexity of the problem. Rather, delays, hand-offs, and confusion can all arise from the simple fact that backend technical environments have become intensely complicated. Customer data may be housed on multiple systems for each line of business. Sometimes, each business line also has multiple access points showing different information, such as a system for billing with one address and another address in the system for managing customer contracts.

Customer service representatives handling a complex issue often need to log into each backend system separately, leading to delays and other challenges in the midst of a critical service call. Vital customer information may also be represented piecemeal, forcing reps to juggle complicated assessments, confirmations, and calculations in their head just to answer simple questions and reach a resolution. Needless to say, both agents and customers are being asked to handle a lot in this situation.

An Identity Data Fabric approach simplifies the process, unifying backend account information across all these disparate systems into an intelligent identity data layer, which serves as a single source for quickly retrieving the most current and accurate customer data. With it, service reps are able to access all the data they need at once—no matter where or how it’s stored on the backend—and customers don’t need to reconfirm things multiple times, which never fails to raise their ire.

Just as important, this same unified identity platform gives the business the ability to personalize service and offerings based on the 360° customer view they retrieve. After all, the more you know about your customers, the better you’re able to serve their needs—and deliver customized service. With an Identity Data Fabric, everything you already know about your customers becomes unified, actionable, and available right when it’s needed.

During a support call, a customer service rep can retrieve all the needed information at once, from a single unified source and make any updates in real-time to the unified identity data layer. Any changes are synced back to the authoritative store, so the backend information is always as up-to-date and accurate as possible. Customers are no longer forced to endure long wait times, awkward pauses, and reconfirmation or repetition of the same information. The end result is customers who are less huffy and more gushy, strengthening their loyalty to the business.

Solve Your Identity Silos 

Companies don’t intentionally create silos or multiple—often overlapping—systems. Instead, in most cases, these systems grew up independently of one another, says Wade Ellery, VP of Solutions Architects at Radiant Logic.

New business lines and technology investments cause more than customer data to proliferate. They also create a proliferation of the tools, systems, and customer identity and access management (CIAM) solutions needed to handle them. Adding to the challenge is the scaling up of success. Companies start with a smaller customer base that grows over time as they attract more customers, while adding more complexity to their backend systems in an attempt to serve them better. While this scaling up often happens over years, companies with recent mergers and acquisitions can encounter these issues of scale and complexity literally overnight.

The end result of all this complexity is latency, and that means people have to wait. During a call, whenever a rep needs to retrieve information out of a different siloed system, they either have to log into the different system manually, or wait for a database call, or another sort of authentication or authorization process to complete. Customers are left waiting on the line, and service reps are often forced to play the part of someone who is dealing with poorly performing technology.

In a webinar from fall 2021, Wade Ellery recounted an all-too-familiar situation—and its likely underlying cause:

“Just think about all the times you’ve called a company, and you’ve talked to customer service, and the customer service rep has said ‘Hey, my system is really slow today. Give me a minute here, and I’ll get you the answer to your question.

“Their system is not slow. They’ve invested millions of dollars in making these systems as fast as physically possible. The reason they’re telling you that is because that’s their cover story for ‘Um, I’m logged into one system with your information. I now have to go log into a different platform and search for you again, and find your information, and look at two screens and try to put them together in my head because we’ve not unified our backends, and I need to have you be on hold or wait while I manually do what a good CIAM system would have done up front for me in providing that 360° view of our customers.’”

The RadiantOne Platform resolves this exact issue—well, this and many more—by uncoupling direct links between critical CIAM data repositories and the systems that need information and permissions quickly. Instead, all identity data is collected into a single “fabric” or layer that acts as a one-stop shop for every rep-facing system to retrieve the information needed. It’s all performed with next to zero latency, allowing customer service reps to perform actions quickly, seem more competent, and resolve issues with the speed that customers expect during critical support encounters.

Empower Agents, Delight Customers 

Consumer activity is reaching a breakneck pace, and customer service interactions have increasingly relied on digital means. The effects of the ongoing global pandemic mean that customers often have depleted patience, and sweeping changes to businesses in the past few years mean fewer options available for those seeking resolution.

“In these difficult times, even minor encounters can be influential,” writes finance industry consultant BAI. “If your organization is not prepared to provide a winning customer experience, you’ll drive your most important customers to the competition.”

RadiantOne equips your service staff with the ability to quickly access all the needed information, and get customers to the desired outcome faster and more efficiently. It reduces the need for excuses or creative improv that often blames wait times on technology.

Make the most of investments in CIAM, customer problem resolution, and other technology by unifying backend sources of data and making that unified view of customer data available to the front-end systems customer service reps use to solve problems. To learn more, reach out to Radiant Logic to discover how you can keep your customers happier—and get them off the phone quickly.


More Factors, More Fun!

April 11, 2022 / in Blog, Lauren Selby / by Josue Ochoa

By now everyone is aware they should be implementing Multi-Factor Authentication (MFA) across the board to strengthen their organization’s security posture. From cybersecurity regulations to cyber insurance policy mandates and Zero Trust Architecture Executive Orders, to the massive uptick in cyberattacks and breaches over the past several years, helping users help themselves with this additional layer of protection is a top priority. Some cybersecurity insurance companies are even requiring the implementation of MFA to keep policies active and in compliance. But MFA is easier to mandate than to implement.

For modern applications, implementing MFA is pretty standard stuff. But in complex environments with many legacy or “nonstandard” applications, it can be a daunting task to implement MFA at scale. These legacy applications don’t support modern protocols and lack mechanisms for easily adding MFA, and you don’t want to mess with their logic through custom coding either. Centrally managing authentication policies and adding stronger security is no easy feat for organizations with technical debt and identity sprawl. The hard part is to get the various identity sources, Identity and Access Management (IAM) solutions, and applications to play well together—which is where an Identity Data Fabric approach comes in.

We have a very fun magic trick for helping organizations roll out MFA to strengthen security, meet regulations, and protect their users from the cold, cold world—keep reading to learn how we get it done.

Adding Stronger Security to Legacy Applications (and Beyond)

RadiantOne includes a framework for calling authentication services like RSA SecurID, YubiCloud, and PingID, or for validating time-based one-time codes such as those generated by Google Authenticator. This allows standard LDAP applications to benefit from stronger, multi-factor security without custom coding the application.

Unifying all the sources of identity data into a central identity platform with authentication skillz enables MFA to be extended easily to even legacy applications. Those applications can call on RadiantOne to handle authentication as usual, and behind the scenes RadiantOne will call the MFA service on their behalf, returning the authentication result back once the multiple checks (of the user’s credentials, and of the additional factor via the MFA service) have been completed.

Let’s break it down. A user attempts to log in to a legacy LDAP application that has been configured to authenticate against RadiantOne. The user enters their login information, a password for example, and an additional factor—let’s say a One Time Password (OTP) from the RSA SecurID application.

The client application, just as it normally would, passes these credentials to the LDAP service (in this case, RadiantOne). So far, everything has been “standard” from the application’s perspective—and now this is where RadiantOne does some magic to make MFA happen for this application. RadiantOne translates the standard LDAP authentication (bind) request into a validation of the user’s password to the authoritative source (whatever source that may be) and a call to the external authentication service to validate the rest of the credentials.

Managing Access across a Complex Identity Infrastructure

Let’s break it down further. As everyone knows 😛 authentication has two stages. 1. Identification and 2. Credentials checking.

The first step, identification, can be harder than it sounds depending on the complexity of the environment—how many identity sources need to be searched, what types of sources, what formats, what protocols does it take to access them, is there user overlap and how much? All these variables and more add difficulty in searching the identity system for a specific user and correctly identifying them.

Step two, credentials checking, also has to be done according to the specifications of the identity store. Just as different repositories support different schemas and naming which poses a challenge during the identification phase, they also support different authentication mechanisms which are the challenge of the credentials checking step. This may involve hashing the password value to compare it against a value in a database, delegating the password check to an LDAP or Active Directory, or calling an external MFA service like RSA SecurID.

It’s challenging to authenticate users across an array of sources. If you don’t have a single source of user information, an application would have to look in all the different data stores across the enterprise to find a particular user. We want to avoid this—it’s costly in terms of authentication time, not to mention a pain to set up and maintain.

Let’s break it down… moooooore. Even if a user is listed in only one store, an application still needs to locate them across a number of sources, resulting in multiple queries issued (at least one to each source the user could potentially be located in). However, if you have a master index of identity data, the application only needs to query this ONE list to locate a user, which results in queries to only the backend stores where the user is located. The more sources involved, the more valuable this global index is. It is this miraculous list that is created and maintained by RadiantOne.

All this to say, RadiantOne knows where the user is located and immediately delegates the checking of the credential to that source, bypassing any unnecessary rigmarole of hunting for them in N locations. RadiantOne will handle whatever remapping/transformation is required, and it will support the checking mechanism of that source, which is not a guarantee on the application side (so again, saving you that hassle). Boom, authentication.

Whew! Back to MFA.

Plug In to MFA

Where were we? Oh yes, the legacy client application passed the user’s credentials to RadiantOne, which is now looking up and identifying the user in your system (using the global index it has built and is dynamically updating all the time), to retrieve the identifier that this user is known by in the SecurID system.

RadiantOne can then use that identifier to call the SecurID authentication service (via its REST API) to check the OTP. After it gets a response (was the OTP valid or not?), RadiantOne checks the user’s password against the appropriate source in your system. If both tests are passed, RadiantOne returns a successful bind to the client application (and the user gains access 🙂 ).
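The bind flow described above, as an added example that is not RadiantOne code: a toy LDAP bind handler that identifies the user through a global index, validates the OTP with an MFA service, and delegates the password check to whichever authoritative source the index names, so the two-stage identification and credential-checking discussion earlier in the post is covered by the same block. The index, the two backends (one storing PBKDF2 hashes, one standing in for a delegated Active Directory bind), the TOTP-based stand-in for the external MFA service and all sample data are constructed. One assumption the post does not state is how the second factor reaches the LDAP server; the example takes the common convention of appending the six-digit OTP to the password in the bind request.

```python
"""Hypothetical LDAP-bind handler that adds an OTP factor in front of legacy
applications: identify the user through a global index, validate the OTP with
an external MFA service, then delegate the password check to the user's
authoritative source. Added example, not RadiantOne code; all names, backends
and sample data are constructed."""

import hashlib
import hmac
import struct
import time

# --- Global index: one lookup says where the user lives and how the MFA
# service knows them. Constructed sample data.
GLOBAL_INDEX = {
    "uid=jdoe,ou=people,dc=example,dc=com": {
        "source": "hr_db", "source_key": "10042", "mfa_id": "jdoe@example.com"},
    "uid=asmith,ou=people,dc=example,dc=com": {
        "source": "corp_ad", "source_key": "CORP\\asmith", "mfa_id": "asmith@example.com"},
}

# --- Authoritative sources, each with its own credential-check mechanism.
def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

HR_DB = {"10042": (b"salt-1", _pbkdf2("correct horse", b"salt-1"))}  # salted hashes
CORP_AD = {"CORP\\asmith": "battery staple"}  # stands in for a delegated AD bind

def check_hr_db(key, password):
    """Hash-and-compare against the database record, in constant time."""
    salt, digest = HR_DB.get(key, (b"", b""))
    return bool(digest) and hmac.compare_digest(_pbkdf2(password, salt), digest)

def check_corp_ad(key, password):
    """Simulates delegating the bind to AD; a real deployment binds to the
    domain controller with the user's own credentials."""
    return CORP_AD.get(key) == password

SOURCES = {"hr_db": check_hr_db, "corp_ad": check_corp_ad}

# --- External MFA service, stood in for here by an RFC 6238 TOTP check
# (hypothetical; SecurID or YubiCloud would be reached over their REST APIs).
MFA_SEEDS = {"jdoe@example.com": b"12345678901234567890",
             "asmith@example.com": b"abcdefghijabcdefghij"}

def totp(secret, t, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time t."""
    counter = struct.pack(">Q", int(t) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def mfa_verify(mfa_id, otp, now=None):
    secret = MFA_SEEDS.get(mfa_id)
    if secret is None:
        return False
    now = time.time() if now is None else now
    # Accept the current and adjacent time steps to absorb clock skew.
    return any(hmac.compare_digest(totp(secret, now + d), otp) for d in (-30, 0, 30))

# --- The bind handler the legacy application talks to.
OTP_LEN = 6  # Assumption: the app appends the OTP to the password field.

def ldap_bind(dn, bind_password, now=None):
    """Return True only when both the OTP and the password verify. Every
    failure path returns the same False, so the client learns nothing about
    whether the DN exists or which factor failed."""
    entry = GLOBAL_INDEX.get(dn)  # 1. identification via the global index
    if entry is None or len(bind_password) <= OTP_LEN:
        return False
    password, otp = bind_password[:-OTP_LEN], bind_password[-OTP_LEN:]
    otp_ok = mfa_verify(entry["mfa_id"], otp, now)  # 2. external factor
    checker = SOURCES.get(entry["source"])
    try:
        pw_ok = bool(checker) and checker(entry["source_key"], password)  # 3. delegated check
    except Exception:
        pw_ok = False  # fail closed if the backend is unreachable
    return otp_ok and pw_ok
```

The handler evaluates both factors and collapses every failure into the same generic bind failure, so a client cannot use the response to learn whether the DN exists, which factor failed, or which backend holds the account. The ±30 s window is the usual allowance for clock skew; widening it weakens the factor.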

And THAT is the EASY way to implement MFA for legacy applications.

What are Modern Applications, Chopped Liver?

What about the applications in your system that are “federated”—that support modern security protocols like SAML, OIDC, OAuth, etc? Do they get to benefit from this platform? Of course they do.

The RadiantOne platform has six modules to choose from, one of which is the Single Sign On module. It builds off of the identity data foundation created with RadiantOne’s Federated Identity Engine, leveraging that authoritative source to deliver SSO and apply fine-grained access control to users based on attributes in their global profiles. The SSO module has the functionality of a Security Token Service (STS), generating, translating, sending, and receiving security tokens that enable seamless access to claims-aware applications.

Our SSO module, by supporting the standards of the trade (SAML, OAuth, OIDC, WS-Federation and WS-Trust), can of course also communicate with other trusted IdPs and “chain” together to widen the circle of SSO. You’re now very easily and securely able to connect internal users to the cloud—and external users to your enterprise applications.

As a federated access solution, the SSO module supports a variety of authentication methods—like ye olde forms-based authentication (login and password), certificate or PIV/CAC card authentication, Active Directory, other IdPs, and two-step verification or external MFA services.

So you have the complete spectrum covered with RadiantOne—from legacy to modern applications and everything in between, it’s easy to incorporate additional security mechanisms when you’ve unified identity as a resource for the organization.

Takeaways:

  • Wrap your users in a warm, cozy blanket of security and MFA by laying the groundwork for success with RadiantOne
  • RadiantOne includes a framework for calling external authentication services like RSA SecurID and YubiCloud; this allows standard LDAP applications to benefit from stronger, multi-factor security without requiring any changes to their authentication logic
  • The plug-in mechanism makes it easy to add multiple external MFA modes to existing applications making LDAP calls
  • RadiantOne offers a Single Sign-On module that supports MFA and other enhanced security features to enable a secure, seamless user experience for claims-aware applications

How to Become Agile, Future-Proof, and Vendor-Agnostic

April 4, 2022/in Blog The Radiant Team/by Josue Ochoa

Advancing digital technologies and evolving consumer demands have pushed the pace of business to a breakneck speed. The pandemic, in particular, has upped the ante on how customers expect to interact with organizations of all sorts, from retail to healthcare, and beyond.

Rising expectations and proliferating technologies collectively put a ton of pressure on organizations to deploy seamless new digital offerings for customers and prospects, as well as internal users. Developing these platforms and offering these external services to customers and prospects takes a lot of internal work and collaboration across the organization. But in today’s fast-paced digital environment, improving external offerings while also delivering productive experiences for internal users, such as employees and organizational partners, is crucial for businesses to succeed.

Companies are expected to pick up the pace and take bold risks—even as the very technologies that are supposed to enable them often feel like they’re holding everything back. Complications arise from increasingly complex technology ecosystems, while purchase decisions made years ago can tether businesses to the past. In the end, past choices made to seize opportunities in years gone by can end up feeling like constraints when trying to seize the opportunities of now (and tomorrow!).

What businesses need is a platform that brings everything together to work in concert, while also eliminating the risk that the business will feel “locked in” by aging technology decisions.

Skillful Adaptation is Necessary for Business Survival

The pace of change in the business world has rapidly accelerated over the past 50 years. Well-established global brands at one point enjoyed competitive advantages that seemed insurmountable. But the landscape of the business world has been completely remade with the advent of new digital technologies and the emergence of disruptive innovations.

A 2011 report from Harvard Business Review observed that, over a decade ago, the seeds of this disruptive wave had already taken root. While in 1960 just 2% of companies fell out of the top three ranking in their industry, 14% of companies had done so in 2008.

Being a market leader has also become less of a prize; industries that have the greatest market share now aren’t necessarily the most profitable. While 34% of market share leaders in 1950 also led in profits, just 7% did so in 2007.

According to the report, “Sustainable competitive advantage no longer arises exclusively from position, scale, and first-order capabilities in producing or delivering an offering.”

Adopting new technologies in an agile manner has given companies one increasingly popular method to mitigate risk and hasten innovation. Pilot experiments are run, new business lines or technologies are tested out, and the results of these experiments can inform further changes as the business learns through iteration.

Yet, transitioning from an experiment to a fully-fledged business operation requires time and money—and success is never guaranteed. There are also the risks of unexpected outside factors, with the ongoing global pandemic providing an all-too-real example.

Resistance to Change is a Natural Response to Bad Past Experiences

Businesses attempting to evolve agilely or adapt quickly frequently get stuck at the starting gate. Their dream of implementing new technologies that are intended to improve efficiency or competitiveness ends up being too challenging to execute quickly. Worse, the pain of past experience or the necessity of ongoing integrations can mean that leadership becomes averse to new changes. The message often becomes “maybe next quarter” or “maybe next year.”

The business may even fall into a pattern of applying a series of band-aid solutions, rather than putting down a solid foundation for future changes. While the latter seems more expensive in the moment, the former carries the greater opportunity cost: compared to doing business as usual, a solid foundation enables the business to act more strategically and reap greater rewards.

What often holds these businesses back is the challenge of working new technologies into their pre-existing landscape. In the struggle to find a “new normal” they need a way to reduce the pain of adoption, speed up the process of new technology integrations, and reduce the opportunity cost of trying new things.

Simplify Complicated Systems Now, Keep Future Options Open

To keep up with the times, consultant reports encourage businesses to be more agile, more flexible, and more responsive to real-time conditions. Companies need to “design flexible processes that can adapt to meet business needs,” suggests Agile Operations Expert Nick Clarke, of PA Consulting, who also cautions that “rigid technical and procedural barriers can paralyze an organization.”

Yet, the technological investments businesses have made in the past—their technical debt—often slows the pace of change to a grinding halt. Migrating to new technologies means deploying and securing new platforms and products—and that can take months or, more likely, years. This latency makes access in real-time more difficult. Worse, it can delay the intended effects of decisions that were made within the context of a specific time and place.

There’s a smarter, faster way: adopting a platform capable of unifying identity data across hundreds of different repositories and provisioning it for any number of different technologies. By using an Identity Data Fabric approach, identity teams can reduce the innovation-blocking effect of this latency to near-zero.

Businesses are able to quickly secure new technologies and connect them to the business users who need them operable ASAP. This capability not only makes adopting new capabilities a more agile process, but it also gets rid of the excessive costs and migration headaches. The now-enhanced business can now meet new opportunities head-on with excitement, rather than a sense of dread or inertia.

What Is an Identity Data Fabric?

Any time an application, service, tool, or platform has users, it needs to engage in identity and access management (IAM). The primary challenge within IAM is that securing new initiatives within complex cybersecurity infrastructures has long involved two costly and time-consuming choices:

  • Integrate the new technology with their existing directories and other identity data repositories using brittle, custom-coded bridges and workarounds
  • Recreate identity stores from the ground up for each system, duplicating effort, creating silo issues, and adding heavy duplication costs

However, there is a third way: RadiantOne Intelligent Identity Data Platform acts as the foundational identity unification layer making it fast and simple to secure any identity-dependent initiative: everything from IAM, CIAM and IGA to digital transformation, M&A integrations, and Zero Trust—basically, anything that needs a custom view of identity data, as well as access to all the richness that’s siloed across your entire identity infrastructure.

RadiantOne unifies all your identity data from across diverse repositories, gathering all that scattered information together into one flexible, reusable, always-updated virtual repository, then connecting the precise information needed by each application, tool, and service that requires authentication and authorization.

Put another way, RadiantOne virtualizes and unifies identity data from a diverse array of siloed data stores. The platform uses this information to create enriched global profiles for each and every user, containing every attribute that’s available, no matter where or how they’re stored. This rich overarching identity data service can then be used to authenticate users and authorize their access across multiple platforms.

An Identity Data Fabric Connects Everything

What makes RadiantOne so flexible is that it abstracts the identity data stores into one unified data service, modeling identity data in the exact form and format needed by the application or service to confirm the user’s credentials, grant access, and secure a world of high-level identity-driven initiatives. Custom-coded integrations and other brittle workarounds become a thing of the past. In their place is one solution for managing identity data, one that “just works.”

RadiantOne creates what we call an “Identity Data Fabric” that unifies identity across all sources, bringing virtual views of all your siloed data together to drive any identity-dependent initiative. There’s no need to duplicate identity data, either; it can remain exactly where it already exists. This remodeled data can be cached for quick retrieval, preventing the need for high-latency database queries or for workaround processes to eventually retrieve the needed information.

With an Identity Data Fabric, your identity data services become universalized and adaptable to your ever-evolving needs, allowing you to simply use your new investments rather than fighting (and endlessly hard-coding!) to get them to finally work.

A Flexible Identity Platform: More Innovation, Less Investment

Adopting an Identity Data Fabric can rapidly decrease the time and costs of onboarding new systems. What’s more, it can invite opportunities for more ambitious projects, like extensive digital transformation and Next-Gen IAM. It also positions businesses to take advantage of advanced security models, such as Zero Trust Architecture.

Reaching these goals often comes down to a challenge of acquiring the right technologies and putting them together. Some vendors emphatically push a specific product ecosystem, but with a logical Identity Data Fabric approach, identity challenges associated with “locking in” to a specific vendor or solutions provider can be completely eliminated.

Current investments can be preserved into the future thanks to a solutions-agnostic method of managing identity and access. Simply put: businesses can make the optimal decisions for themselves at a given time and realize the outcomes of those decisions with less time and resources needed to reach a point of ROI. Businesses can also start to ignore the sunk costs of adopting systems thanks to the ability to rapidly onboard and implement new technologies. ROI continues to increase over time as the platform is used for additional and more extensive projects, over and over again.

Overall, adopting an Identity Data Fabric approach frees companies from many of the restraints that cause them to feel like their best-of-breed options are limited. They can then rely on the consistent support of an identity data system that is always ready to adopt, adapt, and improve in the face of ongoing—and sometimes unexpected—changes.


The Files are IN the Computer

March 30, 2022/in Blog Lauren Selby/by Josue Ochoa

At Radiant Logic, we’ve been harping on the importance of bringing together different sets of user information—and the value of leveraging the relationships across these disparate data sets to derive contextual meaning about identity—since the beginning of time in 2013. Which is why we are so utterly delighted that the market seems to be picking up on this concept in a massive way, as evidenced by the growing popularity of “fabrics” everywhere—from the data management space to our world in identity.

Why should you care, practically speaking? This is where a report by 451 Research called “Identity and Access Security: Strengthening the Resilience of Cybersecurity’s Front Lines” is illuminating.

The practice of Identity and Access Security (IAS) is focused on identifying the opportunities for compromise from the attacker’s perspective, to then mitigate those risks. It’s adjacent to and interlocking with the spheres of Identity and Access Management (IAM) and Zero Trust security, but really zeroes in on the “adversary” and what approaches they might take.

The report calls out one of Radiant’s nemeses—identity sprawl. It’s not just a pain in the butt to manage, it’s also a security risk. Identity sprawl leads inevitably to security gaps. “Once the number of entities reaches any kind of scale, however, managing things like access permissions and keeping authentication safe from abuse becomes unwieldy.” So true.

Why does identity sprawl happen to good people? I keep coming back to this idea of reinventing the wheel. For example, one of the workarounds we’ve seen companies going through a merger/acquisition make, is to take copies of user information and synchronize that into various repositories to give those users access to the systems they need. And then they have to maintain that going forward—multiple IDs, passwords, stores, connections, sync flows—in a redundant, expensive, and totally avoidable manner ☹.

Meanwhile, the files… are IN… the computer. (It’s so simple.)

The identity data was there all along—there are tools (okay, mostly just RadiantOne) for repurposing the identity data you’ve already got and making it useful again for new and different applications and initiatives—so you can avoid this very likely scenario.

Which is why we’ve been so stoked about context—and why we’re explicitly connecting it (see what I did there?) with the concept of identity knowledge graphs. The ability to link the digital life of a user across all the different business objects in your system and deliver an easy-to-understand rendering of these users’ various contexts, is the function of an identity graph. It builds a map of each user as a player within your system—no matter how many subsystems make up that landscape, or how many personas that user may operate as.

Let me digress into why RadiantOne is well positioned to help build your identity graph (and enable you to leverage the systems you ALREADY HAVE to build the IAM program of your dreams). Our unique ability (we call it model-driven virtualization) to extract existing object relationships out of data silos and link objects across these silos allows us to generate a global object and relationship map—which allows you to model infinite context-driven views that reflect how objects are related across your company. In the realm of security and beyond, this map means your teams are no longer flying blind when it comes to identity.

Trying to architect an IAM system that is both practical and “tough” enough can be tricky. How can an organization “thread the needle” (see what I did there?) between what’s really doable, and what is best practice? On the one hand, if privileges are too broad or accrue over time and are not revoked as necessary, they may enable unintended access and capabilities–leaving the organization more open to risk of breach. But on the other hand, what are the resources available for setting up and administering a very fine-grained entitlement management system? And on your third hand, how can you even begin setting up that comprehensive program in the face of siloed identity data? …and now you’re way out of hands.

As discussed in this report, entire segments have grown around handling this particular problem—Privileged Access Management (PAM), Cloud Identity Entitlement Management (CIEM), and Identity Governance and Administration (IGA) all play an important role in curtailing unnecessary access, efficiently. The problem that all these systems run into is the data issue–you have to have access to normalized, reliable identity data to feed these tools and drive good decision making. When identity data is sprawled all over the place, in different formats, possibly even inconsistent, you’re going to hit roadblocks over and over when you try to roll out these initiatives. And you’ll never guess what I’m about to say, but RadiantOne accelerates the deployment of and boosts the efficiency of those systems because we unify identity data from all sources, and provide a dynamic stream of up-to-date information to whatever application or tool needs it, in whatever format is required.

The other thing that really caught my eye in 451’s report was what they have to say about graphs and how attackers are already exploiting graph analytics to infiltrate their targets. “There are few more powerful ways that organizations can visualize identity, access and privilege relationships in an environment that expose risk.” They quote Microsoft’s John Lambert, “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” A little melodramatic, but accurate. How can the good guys stay ahead?

A system for detecting security anomalies within identity begins with your own identity knowledge graph. As written in the report, “the ability to make connections between identities, groups, access rights, and privileges” is critical for security. They make the case that “defenders” need to do so FIRST, to make the attack paths visible. So if you start with your own internal identity graph, you are in a good position to make a defensive game plan.

Our suggestions for implementing the techniques recommended in 451’s report:

  1. Don’t reinvent the wheel—re-use the sources you already have and harness the value of the existing identity data through virtualization (aka using RadiantOne)
  2. More closely define and easily manage identity and entitlements by starting with an identity graph
  3. Implement fine grained authorization much more easily with automated groups. Segment groups and memberships to better insulate assets from potential exploitation
  4. Add stronger controls on access like Multi Factor Authentication (MFA) to all applications– including legacy applications

All of these initiatives will be accelerated when you’ve unified identity data into a renewable, enterprise-wide resource. Identity is the common thread that crosses so many (all?) of the critical systems for any digital organization. As I mentioned earlier, we are seeing a sea change in the way identity is understood by businesses and beyond, with much more awareness of the exponential impact data can have when it’s brought together centrally to power multiple identity services. In fact, a recent RFI issued by the USCIS Office of Information Technology to maintain their Identity, Credential and Access Management (ICAM) program recognizes the power of unified identity: “Traditionally segregated functional areas, such as: Identity, Credential, Access and Federation, when managed collectively, provide security, privacy and process efficiency benefits that would not be achieved if managed individually.”

Building better systems for security, user experience, and operational efficiency based on that common thread of identity is what we deliver with the RadiantOne Intelligent Identity Data Platform. Connecting the bits and pieces of data, making sense of it all, is made possible by extracting the relationships binding those data points. The Identity Data Fabric concept is useful for understanding what we do in an intuitive, visual way—we’re weaving together data to make something functional out of elements that have historically been done separately. Maybe we should have called it an identity data quilt? Brb, pitching that internally.

Anyhoo, catch us discussing modern security strategies with one of the authors of this report, Garrett Bekker, in conversation with our Director of Product Management, Lisa Grady, on April 6!


Radiant Profile: Meet Systems Integrator Manalee Panda

March 29, 2022/in Blog Anne Garwood/by Josue Ochoa

The stereotype remains strong: computer science folks are often seen as strictly technical, not at all artistic. But Manalee Panda doesn’t let little things like a BS in electronics and telecommunications, an MS in computer science, or a client-facing job as a Systems Integrator get in the way of her love for the arts. She writes, she paints—and she inspires me to start doing more (way more!) with my free time.

This March, we’re celebrating the badass ladies of Radiant in honor of International Women’s Month. With April in sight, we’re ending our series with a go-getter who blends technical knowledge, people skills, and a drive to do more with every waking hour.

Early Days in India

Born and raised in Keonjhar, in the state of Odisha, Manalee discovered one of her primary paths in the classroom: “I was introduced to computers, science, and technology back in high school. In India, we grow up learning those things, so we have a fair amount of exposure to the basics, at least.”

Even then, she was creative, balancing her growing technical skills with her love of writing. She entered a lot of writing competitions back in school, where she’d be given a topic, then write an essay about it on the spot or dream up a complete story based around just a few words. When it came to college, though, her technical aptitude led the way. As she explains, “I had good scores for an engineering exam, so I joined an engineering school and did my bachelor’s there.” Once Manalee graduated, she began working as a Systems Engineer at Infosys, one of India’s largest technology companies and a globally known brand.

Her time there was a shaping experience and prompted the next giant steps in her journey, with major changes in both her location and her area of focus. “Working at Infosys gave me more exposure and experience with computer science, and I thought I should explore more in this area and go for a Masters.” She took the GRE and was offered admissions to many different universities in the United States, ending up at the University of Texas at Dallas (y’all!).

Next Steps: Becoming Radiant

Once she graduated from UT-Dallas with an emphasis in data science and analytics, Manalee was eager to find her next great adventure. She hadn’t heard of Radiant Logic but when she came across a job listing for work at its headquarters in Novato, California, she was intrigued.

“I studied a completely different field than what Radiant Logic does, so when I came in for an interview, I had no knowledge of Active Directory, no idea about Identity and Access Management. But they liked my resume and my profile, and I had a background in Java, as well,” so she was hired in 2017.

When Manalee began at Radiant, she was part of the support team, where she had to be ready around the clock to be sure customer deployments ran smoothly. As Manalee says, “the learning curve was very steep in the beginning, the first year was really tough.” (At Radiant, we are proud to deliver world-class customer support and our commitment shows in our Gartner Peer Review ratings—but providing such dedicated service takes real knowledge, grit, and determination, so shout-out to our customer support superstars!) As she says, “back when I was in support, we spent our time troubleshooting issues with customers and it was challenging being on-call 24 hours a day, handling case escalations.”

Helping Customers Overcome Complexity 

In her current role on the integration team, Manalee helps customers deploy our RadiantOne Intelligent Identity Data Platform and make the most of all its advanced capabilities. Her goal is to “keep customers happy and also provide them the most optimized solution using RadiantOne.” She really enjoys how focused her role is, handling one client and one project at a time. “It’s really fun to go between companies and get to know the players.”

RadiantOne unifies identity across disparate sources, but every deployment environment is as unique as a fingerprint. “We have to scope out the specific requirements of each client and then develop unique solutions for them, coming up with a design and deploying things within a very short timeframe.”

As someone on the front lines of customer deployments, Manalee’s work is very rewarding, but it can also be challenging. After all, our customers have some of the most complex identity data infrastructures on the planet (that’s why they turn to Radiant!) and navigating all that complexity takes insight, deep domain knowledge, and no small measure of ingenuity. As Manalee notes: “We face new challenges with every deployment and almost every single day there’s something new to learn.” That’s a plus for Manalee, since “I feel like I’m constantly growing at Radiant.”

She especially loves designing solutions for clients. “Every customer’s requirement is unique and that really gets me thinking, gets me into problem-solving mode.” I like to think that her work is one of the many ways she exercises her creative muscles, a different way to tell stories, to invent new worlds. But it’s not just the intriguing technical challenges she appreciates at Radiant:

“I honestly love working with the people here. Back when I worked at Infosys in India, there were major power differences between the people in the company, but everyone here is so approachable, so open to ideas and opinions. I just love that everyone is so willing to listen and willing to help.”

Always Learning, Always Looking Ahead

While she’s very experienced in the technical arts, Manalee has dreams of doing even more: “I want to grow into some sort of leadership role, because I feel like I have the potential to not just do great technical work but also lead a team of people.” (Manalee would be in great company here at Radiant.)

She has a vision for her future—and the drive to make it happen. “I want to do more courses to grow technically, and at the same time, I want to keep practicing my management skills, my organizing skills, my customer success skills, because that can put me in a good position going forward.”

As she says: “I’ve learned a lot of things at Radiant and even now, I learn a lot each and every day.” And for someone who’s hungry to know more, do more, be more, you can’t ask for anything better than that.

Putting Her Creativity to Work

Manalee still enjoys being creative, as well: “I love art stuff, design, traveling and I’m trying to come up with a blog or something where I could write articles, document my personal experiences with travel.”

Of course, I’d love to have her write for this blog, as well, using her communication skills to share her deep knowledge of essential use cases and successful customer deployments. After all, she goes into huge companies and makes technical magic happen, so I’d be delighted if she comes for my gig!

Of course, she’s a tiny bit busy these days, vanquishing customer challenges—but I’d love to put her storytelling skills to use. Stay tuned! 😉


Surviving Even Thriving? In Today’s Hybrid World

March 24, 2022/in Blog Heather MacKenzie/by Josue Ochoa

Raise your hand if cloud migration has been on your to-do list for… over five years?! If so, you’re not alone–a recent study of 300 IT leaders found that only 4% of large enterprises are fully in the cloud. So strap in, because you’re now going to navigate the wild, wild west of the hybrid world.

Our friends at TechVision address this complexity in their new research document: “Today, we find ourselves with a largely mixed set of IAM capabilities residing on-premises, in the cloud, or both.” No matter who you talk to, complexity is the name of the game in the hybrid world. Now we’ve got to figure out how to survive–and even thrive–within that reality.

There is a saying that “chaos overcomes order.” Welcome to the world of identity sprawl–you’ve got applications far outside of your on-prem environment, and your user data sets are likely delivered by sources out of your control. Not only is your data in a hybrid model, but the many different functional components of your identity fabric might also be in a hybrid model–with different IAM capabilities (such as lifecycle management, governance, privileged access management) sliced and diced across solutions, some in one cloud, some in another cloud, some on-premise. What ties them all together? There’s one thing you can still build your security system around: identities, attributes, and context.

If you’ve got a large corporate environment, you might think you can get away with an in-cloud, integrated directory, or that you can just lift your Microsoft environment into the cloud, but that’s just one platform. What if you’ve got multiple domains? What about your other assets? Being cloud-first is perfect for a greenfield opportunity–but a large operation built through M&A is not going to be an easy lift to the cloud.

Let’s say you have made the decision to migrate at least part of your infrastructure to the cloud. What are you leaving behind? Mainframe, Unix/Linux, and in-house apps? Web based applications? Your many AD domains, LDAP directories, and databases? In short, the legacy environments that you’ve spent years cultivating and maintaining? And how will you sync changes across these systems?

There’s a lot at stake here. TechVision points out that “From a security perspective, hackers and thieves focus on less-than-stellar integration of on-prem and in-cloud IT functions because that is the way to your data.” If your legacy data sources cannot be integrated with modern security protocols–or if there is inconsistency across users and the way they are managed–you’ve merely expanded your attack surface, and offered up more accounts to be maintained and more entry points.

Securely moving to the cloud starts with a discovery and inventory process of your identity ecosystem. You need to understand who the clients are to each of your apps. If you’re going to be moving an application, you need to tell consumers where that application has gone, what impact it has, and what its dependencies are.

Go take a look in your garage. If it’s anything like the garages in my family (looking at you, Dad!), I’d guess that it’s a good metaphor for your current identity environment. You know you need to clean out your garage before you move to that new house. Similarly, you need to start with an inventory of your identity sources before you can safely and securely begin migrating. This is the work of looking through your garage, seeing what’s going with you, what bikes and tools need a tune-up, what boxes need to be reorganized, and what’s going to the dump.

Preparing for a cloud migration is not that different. TechVision has put together a wonderful reference architecture that they’ve laid out as a blueprint for success in the hybrid environment. Within that architecture, they discuss the need for an identity data service as an essential component: “Identity should ultimately be a ‘utility:’ it should be easy to identify individuals, applications and things and provide access under proper security controls that are privacy centric.”

While we are in full agreement here, the part we’d like to emphasize is the identity data component. We would argue that the data is the utility itself, the electricity in the wires and the water in the pipes, and that is what makes the identity service so essential.

When you look at it that way, hybrid is not a matter of “on-prem” versus “in the cloud.” It’s the whole environment, a holistic view, a smart electricity grid. Starting with a discovery and clean-up of your identity data requires that you look at your IT infrastructure as a single, interconnected platform. Just as you looked at your internal network as directories, databases, and computers all interconnected on one network, the cloud is now an extension of that network. But how can you get that central visibility? This is where you need an Identity Data Fabric that spans, connects, and syncs across all of these sources.

Bringing in an Identity Data Fabric is the organization system for your garage–in fact, for your entire house–that brings the necessary order before you begin your move, or even if you’re halfway through. Suddenly you can find the data you need when it’s requested, radically simplifying the process of bringing in new users, adding a new application, or adding a new security method.

And this is the role of RadiantOne in your hybrid world. RadiantOne provides identity data to applications whether they run on-premises or in the cloud (because, again, we are going to be in that hybrid world for an indefinite period of time, we want a solution that can handle both). It can itself be hosted on-premises or in the cloud, and it can consume, and then deliver, identity information that happens to live on-premises, in the cloud, or in a partner’s infrastructure. Anywhere we can connect to (which is everywhere!), we can bring that identity forward and allow you to build the single source of identity information that your applications need.

A hybrid environment offers a lot of promise, and lets us take advantage of many of the incredible cloud applications while honoring and maintaining the legacy environments that we’ve been cultivating for years. Spending the time to inventory your identity resources and build your Identity Data Fabric will allow you to confidently move forward in the current hybrid reality, building on the best of both environments.

© 2026 Radiant Logic, Inc. All Rights Reserved. | Privacy Policy