Tips for Using IAM in a Gig Economy

IAM can be challenging for security teams and downright vexing for freelance and short-term contract workers. These tips will help smooth the IAM path for all.

Even in the strong U.S. economy—or perhaps because of it—layoffs of permanent personnel are common and an army of freelance or gig workers are increasingly taking their place. This creates an interesting challenge for security teams who need to give this new class of workers the access they need to complete the work, despite knowing little of their trustworthiness. Meanwhile, temporary workers chafe at security measures that slow their progress or require extra steps. It can be a painful conundrum for both sides, but it doesn’t have to be.

A gig economy is one in which temporary positions are common, growing in number and gladly embraced by employers. Organizations contract with independent workers for short-term engagements, but not just to fill peak or seasonal demands. Think of all the drivers for Uber and Lyft, for example. But there are independent contractors who can—and do—fill every job role, from nurses and doctors to engineers and writers.

Brad Smith, CEO of Intuit, the makers of TurboTax and QuickBooks, said in a CNN interview that about 34 percent of the current workforce are independent workers and the gig economy is expected to be 43 percent of the workforce by the year 2020. The “gig”’ or “sharing” economy, according to an Intuit post, has been described as both empowering and exploitative, and as both part of a self-employment movement and the backbone of disruptive companies from Uber to TaskRabbit and GrubHub.

The majority (59 percent) of “giggers,” as the Intuit report calls them, are highly skilled, professional freelance workers. Only 16 percent are lower-skilled driver and delivery people. Either category of giggers can stay connected to a company’s IT systems for short bursts or long periods, depending on the workload and the worker’s own processes. The trick, of course, is to make everything they need accessible, including data and apps, while also making sure that none of these workers turn into insider threats, purposefully or not.

Here are a few tips to help companies smooth the way for both IT and gig workers.

Fashion your BYOI program after your BYOD program: “The gig economy brings freelancers and independent contractors into the game, and often these people use their own personal accounts to access company resources. So, similar to “bring-your-own-device” policies, companies need to implement processes to manage “bring-your-own-identity” [BYOI],” said Sven Dummer, director of product marketing at Janrain, a customer profile and identity management software provider. “Examples include a freelance marketing writer using his or her own account to upload or edit a document on a shared drive, or a freelance programmer checking code into the company’s source code repository.”

Don’t repurpose workforce IAM: “Bottom line: Repurposing workforce IAM solutions for ‘gig workers’ is generally a problematic approach,” said Dummer.

Do adapt consumer identities to handle gig workers. “Identity management solutions that were designed to handle customer identities are typically better equipped to manage this new type of workforce,” said Dummer. “These solutions were architected from the ground up to allow people to register using their own email address or existing social media accounts. They have security measures in place that are tailored for users who cannot be assumed trustworthy and who come to the site from anywhere on the internet without the safety of a corporate VPN and firewall.”

Use CIAM to comply with worker data and privacy regulations, too: “These customer identity and access management (CIAM) systems are also designed to provide maximum security of the personal data these contractors provide, and to comply with a variety of different privacy regulations worldwide,” Dummer noted. “So, if you’re a U.S.-based company with no offices abroad but wish to hire a group of freelancers in the Czech Republic, it will be much easier for you to comply with the EU’s new data protection regulations if you use a CIAM system that is designed to support compliance in almost every region and industry.”

Up your game in behavioral analytics: “Lifestyle changes and technology advancements are putting ever-increasing demands on IAM solutions; for example, IoT, BYOD (bring your own device), BYOC (bring your own cloud), BYOA (bring your own application), mobile workforce, resource sharing, privacy risks, self-service, access analytics, etc.,” said Baber Amin, market leader in the Office of the CTO at Ping Identity. “The increased threat landscape means that single-factor authentication is not acceptable anymore, making strong authentication tied with intelligent behavior analytics another driver for IAM.”

“Too many enterprises focus their security efforts on infrastructure and endpoints, attempting to define how systems should be used. Defense in depth is important, and these efforts are certainly supported as best practices, but not to the exclusion of robust controls around identity,” said David Emerson, vice president and Deputy CISO at Cyxteram. “Multifactor authentication, uniquely identifying metadata and clear rotation policies around static credentials are all much more critical in today’s distributed systems than most enterprises realize.”

Pam Baker