With revelations of breaches at organisations such as Target and Lockheed Martin, it is no wonder the security of external suppliers has come into focus.
As many organisations now grant access to their suppliers for everything – including enterprise resource planning (ERP), manufacturing orders and climate control – identity and access management (IAM) is rising up the problem list.
IAM is one control that can improve security, and there are three ways of deploying it, each with its own costs and benefits:
- Centralised: all access decisions, provisioning, management and technology are concentrated in a single physical or virtual location. Policies, standards and operations are pushed out from this single location.
- Decentralised: local, regional or business units – or equivalent entities – make the decisions for all access choices, provisioning, management and technology. There may be enterprise-wide policies and standards, but these are guidance for the decentralised provider.
- Federated: each organisation subscribes to a common set of policies, standards and procedures for the provisioning and management of users. Alternatively, the organisations can buy in a service from a supplier.
For many large organisations, the centralised model just doesn't scale. There is also the possible issue of the policies and controls only being applicable to one jurisdiction.
Decentralised models, although providing the flexibility to meet local requirements, lead to duplication of effort and inconsistent approaches across an organisation, as well as overlapping and conflicting rights.
This leads us to federation. Organisations can develop a set of centralised policies, check these against compliance regulations by region and create a federation for each jurisdiction – either by purchasing a compliant service or by setting up their own service for suppliers to use.
The benefit here is that IAM can be performed in a centralised manner while local regulations are still met, with both organisation and supplier access rights and roles pre-defined.
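To make the federated model concrete, here is an added toy policy evaluator (my own example, not the author's or (ISC)2's code). It assumes a hypothetical central role catalogue, one federation object per jurisdiction listing enrolled supplier identity providers and the centrally defined roles that jurisdiction's compliance review permits, and a supplier assertion carrying issuer, jurisdiction and requested role; all names and values are constructed for illustration.

```python
from dataclasses import dataclass

# Central policy: roles the organisation pre-defines for suppliers (constructed sample).
CENTRAL_ROLES = {
    "erp-reader": {"erp:read"},
    "mfg-order-submitter": {"mfg:order:create", "mfg:order:read"},
    "facilities-hvac": {"hvac:read", "hvac:set"},
}

@dataclass(frozen=True)
class Federation:
    jurisdiction: str
    trusted_issuers: frozenset   # supplier IdPs enrolled in this jurisdiction's federation
    permitted_roles: frozenset   # subset of CENTRAL_ROLES cleared by that region's compliance check

@dataclass(frozen=True)
class Assertion:
    subject: str
    issuer: str        # the supplier's own identity provider
    jurisdiction: str  # which regional federation the request arrives through
    role: str          # role the supplier IdP claims for the user

# One federation per jurisdiction, each a subset of the central policy (constructed sample).
FEDERATIONS = {
    "EU": Federation("EU", frozenset({"idp.acme-parts.example"}),
                     frozenset({"erp-reader", "mfg-order-submitter"})),
    "US": Federation("US", frozenset({"idp.acme-parts.example", "idp.coolair.example"}),
                     frozenset({"erp-reader", "facilities-hvac"})),
}

def evaluate(assertion: Assertion, federations=FEDERATIONS):
    """Decide access for a federated supplier user.

    Returns (decision, permissions, reason). Every check is against policy
    defined centrally; the jurisdiction only narrows, never widens, it.
    """
    fed = federations.get(assertion.jurisdiction)
    if fed is None:
        return "deny", frozenset(), "no federation exists for this jurisdiction"
    if assertion.issuer not in fed.trusted_issuers:
        return "deny", frozenset(), "supplier IdP is not enrolled in this federation"
    if assertion.role not in CENTRAL_ROLES:
        return "deny", frozenset(), "role is not pre-defined in central policy"
    if assertion.role not in fed.permitted_roles:
        return "deny", frozenset(), "role not cleared for this jurisdiction"
    return "permit", frozenset(CENTRAL_ROLES[assertion.role]), "federated role mapped"
```

Because suppliers can only obtain roles that exist centrally and are cleared per region, the overlapping and conflicting rights that arise under a decentralised model have nowhere to be created.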
Adrian Davis is managing director for Europe at (ISC)2
This was first published in September 2014