Identity is replacing the password: What software developers and IT pros need to know


Identity and access management is pushing application security past single-factor authentication (a password) and even multi-factor authentication to a risk management model, says Ping Identity's CEO.

Identity and access management systems are making it easier for software developers to secure their applications, for employees and customers to access the tools and services they need and for companies to protect their systems and data. On a recent episode of Dynamic Developer, I spoke with Andre Durand, Founder and CEO of Ping Identity, about how the changing landscape of identity and access management is affecting software development. We also talked about what it will take for us to reach a “passwordless” world.

The following is a transcript of the interview, edited for readability.

Bill Detwiler: So before we get started really talking about identity and access management, for those listeners and viewers who don’t know Ping Identity, give me a rundown on the company.

Andre Durand: Well, Bill, so this whole identity thing has become really important and it’s because you can’t secure what you can’t identify. And all of our lives now are being driven largely digital in a way. And all of these digital interactions involve us interacting with apps on our phone, in the cloud, at companies all over the place and identity’s role is to make sure the right user is accessing the right thing. So it really is kind of the foundation of this highly decentralized mobile world we live in and the need basically to tether together this whole concept of appropriate access.

So for large enterprises, large complex enterprises have very sophisticated multi-generational IT landscapes going in some cases all the way back to the mainframe and pretty much everything in between. And now they have data centers closing, apps doing the lift and shift to the cloud. And they’re adopting new applications now in multiple clouds. So, and they’ve got users now through COVID working at home. So for this notion of how do you enable frictionless secure access for employees? Identity is pretty much the linchpin. It’s the steel thread that is now holding together this new paradigm where identity has become the new perimeter.

So what Ping does in this equation is for the global enterprises, really the largest 3,000 companies around the world, we help those companies set up a centralized, what we call authentication and authorization set of capabilities to allow users to authenticate to the enterprise and then gain access to any application or resource, no matter where it’s at. And for the enterprise to have control over what is appropriately authorized for them to access. So it’s this whole notion of identity security.

And we do that for employees, meaning workers who day in and day out have to strongly authenticate, if you will, to the enterprise to gain access to everything that they need to do their jobs, as well as we do it for customers. So great customer experiences, how do end users register and then authenticate to all these products and services through their mobile phone, through websites, really through the omni-channel. Securing that identity and enabling frictionless experiences for all of these different identity types. Workers, employees, partners, and customers. We do that for 62 of the Fortune 100. We protect about two and a half billion accounts globally, where likely here in the US, 13 of the largest 15 banks here in the US all trust Ping to secure identity, secure their interactions.

How should software developers be thinking about identity and access management?

Bill Detwiler: It used to be that enterprises would set up Microsoft Active Directory and server. They would throw that out there. And that’s the way that their employees would authenticate to the network and then they might have passwords for various systems and applications, but with the move to the cloud, and you alluded to this and the move to everything as a service, the landscape is much more complicated. And especially when you’re trying to integrate legacy systems, like you said, mainframes with new modern cloud-based systems, that gets really complicated.

So you kind of touched on this, but I’d love to drill down on it a little bit more, which is how should those people who are looking at either building enterprise applications or looking at how they integrate all these applications together, how should they be thinking about identity and access management today?

Andre Durand: Well, the world was a little simpler back when everything was Windows and Active Directory was kind of like the default location that we stored employee identities and passwords. And you would essentially authenticate through Windows Active Directory. And in an all Windows on-prem world, we had single sign on invisibly. It was called Kerberos back at the time.

But now the world is more distributed than that. And the control plane has shifted, or the foundation has shifted from being kind of like an on-prem network-centric, AD-centered view of how we manage identity to, Hey, this identity thing. It really is larger and more central in a highly distributed world where all the things that we do kind of on our desktop, if you will, and the apps that we have on our desktop are now being mixed with lots of applications that are SaaS and in the cloud.

And so really what’s happening is identity is centralizing, but it’s centralizing not around Active Directory on-prem. It’s now centralizing to a new centerpiece or control plane for all apps across the hybrid cloud. So both on-prem, the legacy stuff, as well as new SaaS and applications that are moving into the public cloud.

So I think the first thing to understand is that from an enterprise perspective, this notion of having identity embedded in apps everywhere is not ideal, right? I mean, so if you’re at a large enterprise you’re responsible for protecting all the crown jewels and enabling appropriate access for every user to everything. What’s the right model? Well, the right model is to have a centralized authentication service that all your users, whether it’s employees or partners or customers, they authenticate to that one thing, if you will. And then they gain access to the applications through standards-based single sign on, new standards that we’ve developed over the past several years.

Without the standards based single sign on, that wasn’t possible. It wasn’t possible to abstract out the authentication to something that was central and then gain access to all the apps. But best practice now is through these federated open standards and things like single sign on best practices to centralize those.

So that’s the theme. Enterprises are now centralizing the services, abstracting them out of the applications so that they can create a consistent user experience for end users that isn’t app by app, so to speak. There’s one consistent experience for authentication and multi-factor authentication. And then it’s kind of invisible as to how that integrates in the backend with all these applications and services.

The same thing will happen with authorization. We’re not quite here yet. We’re still in the process of centralizing authentication. But I think you have to look at it from the perspective, it’s an outside in perspective. It says, what is the user experience that we want employees to have, or the user experience we want partners to have?

And you have to think big, at an enterprise level. Is it a good experience to have lots of fragmented experiences, or is it a better experience to have one? And I think if you look at the digitally native companies, so think Apple and Google and Microsoft and Amazon. You don’t…

