What Is Identity Resolution for the Workforce and Why Your Organization Needs It
Origin of Identity Resolution
Identity resolution is the process of accurately identifying and linking different pieces of data that relate to the same entity or individual across various data sets. In simpler terms, it's about connecting the dots between disparate sets of information to form a cohesive picture of a person, entity, or thing.
One of the most common drivers for implementing identity resolution is marketing and customer relations. For example, a business using identity resolution techniques could find "John Smith" from their email list is the same person as "John S." from their website registration and "Johnny Smith" from their loyalty program. By resolving these identities into a single, comprehensive profile, businesses can better understand their customers, provide personalized experiences, and improve overall engagement.
Why hasn’t this been a priority before?
Businesses are assumed to know their internal workforce. After all, they hired their employees. Those employees have to submit extensive documentation to get a job. The business knows exactly who they are as a person.
The problem arises from the digital landscape of the modern business. The rapid adoption of software has created system sprawl within large enterprises. Hundreds or even thousands of applications are present within the environment. These applications are a combination of in-house and externally developed software that enables the business to function.
What is driving the need for it?
With the sheer number of systems in an enterprise, most organizations don’t know where employees have access within their own systems. They also don’t know how employees are accessing many of the systems or whether an employee is even using MFA to log in. There is no visibility.
This is because provisioning and access enablement are typically easy. Between SSO and IAM solutions, granting employees access to many systems can be done rapidly. But many systems within large corporate environments are not connected to SSO. Provisioning within those systems is often done manually by specifically enabled users. The accounts that are created are typically not recorded.
Over time these “dark” access privileges and accounts accumulate, but with no central visibility the true risk is unknown.
Excess accounts are not disabled or removed, and privileges that were needed at one time are not reduced, because of the risk of accidentally cutting off a user who genuinely needs access. With no visibility and no central ability to manage these risks, companies are unable to get a true picture of their employees’ access.
The answer to this challenge is identity resolution.
What does it enable?
Identity resolution can lead to illumination of dark accounts by attributing those accounts to the genuine employee identities and determining whether or not they’re truly required for an employee to do their job.
This enables companies to:
- Accurately understand their true risk
- Reduce security risks by enforcing least privilege
- Potentially reduce the licensing burden
- Reduce compliance issues that may not be known
- Reduce the overall volume of monitoring required, which has been increasing 20% YoY with the proliferation of systems within the corporate environment
How do we get it?
Identity resolution for the workforce can be achieved by:
- Integrating many sources within an organization to pull identity data into a central place
  - Various techniques can be used in this context, including matching algorithms such as fuzzy and probabilistic matching, and intelligent mapping that uses identity context to help alleviate the human effort required
- Normalizing the data in terms of identity concepts that correlate accounts to identities, both human and non-human (a.k.a. workloads)
- Identifying contractors, customers, and other non-employee records that may have access to internal systems
- Identifying orphaned accounts, by correlating each one either to an existing person or to a workload
- Continuously updating the data to keep it as accurate as possible
The challenges of attaining it
While simple in theory, the real world challenges associated with setting up workforce identity resolution for a company are numerous.
To start, the technical hurdles of integrating the data sets and continually updating them are large. The data often drifts, meaning field mappings change or new enumerated values become included that were unaccounted for. To attempt to set them up and maintain them manually requires a high degree of effort.
Additionally, not all systems have easy connection methods like an API, and legacy systems may have no maintainer who can build one now. Integration options are then limited to periodic batch exports or direct database integrations.
Normalization is often a challenge due to the differing methods applications and systems may use in defining an account. This means that usernames may not match directly to any known identity, or the data to correlate is buried in unstructured metadata.
The solution
The best way to approach the challenges is to treat them as a data problem. This isn’t really an identity issue. The fact that the data is in the workforce identity space does present some unique requirements versus traditional identity resolution for marketing.
Treating the issue as a data problem means using common techniques that have been developed in data engineering, such as data profiling, token-based matching, data virtualization, fuzzy matching, and machine learning matching. These techniques provide a much more scalable approach to realizing real identity resolution within organizations from both a setup and a maintenance perspective.
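The steps under "How do we get it?" and the token-based and fuzzy matching named above can be sketched as follows. This is an added example, not AKA Identity's code: the records, field names, the 0.8 threshold, and the `svc_` workload prefix are all assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data (hypothetical): HR roster + exports from non-SSO systems.
HR = [
    {"id": "E100", "name": "John Smith", "email": "john.smith@example.com"},
    {"id": "E101", "name": "Maria Garcia", "email": "maria.garcia@example.com"},
]
ACCOUNTS = [
    {"system": "legacy-erp", "username": "jsmith", "display": "Smith, John", "email": ""},
    {"system": "wiki", "username": "mgarcia2", "display": "", "email": "Maria.Garcia@example.com"},
    {"system": "wiki", "username": "johnny.smith", "display": "Johnny Smith", "email": ""},
    {"system": "legacy-erp", "username": "svc_backup", "display": "Backup job", "email": ""},
]

def tokens(text):
    """Normalize free text to a set of lowercase alphabetic tokens."""
    return set(re.findall(r"[a-z]+", text.lower()))

def score(person, acct):
    """Return (score, method) for how strongly an account maps to a person."""
    if acct["email"] and acct["email"].lower() == person["email"].lower():
        return 1.0, "email"
    name = tokens(person["name"])
    seen = tokens(acct["display"]) | tokens(acct["username"])
    jaccard = len(name & seen) / len(name | seen)
    first, last = person["name"].lower().split()[0], person["name"].lower().split()[-1]
    uname = re.sub(r"\d+$", "", acct["username"].lower())  # drop collision suffix
    fuzzy = max(SequenceMatcher(None, c, uname).ratio()
                for c in (first + last, first[0] + last, f"{first}.{last}"))
    return (jaccard, "token") if jaccard >= fuzzy else (fuzzy, "fuzzy")

def resolve(hr, accounts, threshold=0.8):
    """Attribute each account to its best-scoring person, or flag it as orphaned."""
    out = []
    for acct in accounts:
        (best, method), person = max(
            ((score(p, acct), p) for p in hr), key=lambda r: r[0][0])
        if best >= threshold:
            status, owner = f"matched:{method}", person["id"]
        else:  # "svc_" prefix is an assumed naming convention for workloads
            kind = "workload-candidate" if acct["username"].startswith("svc_") else "needs-review"
            status, owner = f"orphaned:{kind}", None
        out.append({"system": acct["system"], "username": acct["username"],
                    "owner": owner, "status": status, "score": round(best, 2)})
    return out

for row in resolve(HR, ACCOUNTS):
    print(row)
```

Accounts that fall below the threshold are reported rather than disabled, which keeps the decision about removing access with a reviewer.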