Security Think Tank: IAM can improve security and cut costs



With revelations of breaches at organisations such as Target and Lockheed Martin, it is no wonder the security of external suppliers has come into focus. 

As many organisations now grant access to their suppliers for everything – including enterprise resource planning (ERP), manufacturing orders and climate control – identity and access management (IAM) is rising up the problem list.


IAM is one control that can improve security. There are three ways of deploying it, each with its own costs and benefits:

  1. Centralised: all access decisions, provisioning, management and technology are concentrated in a single physical or virtual location. Policies, standards and operations are pushed out from this single location.
  2. Decentralised: local, regional or business units – or equivalent entities – make the decisions for all access choices, provisioning, management and technology. There may be enterprise-wide policies and standards, but these are guidance for the decentralised provider.
  3. Federated: each organisation subscribes to a common set of policies, standards and procedures for the provisioning and management of users. Alternatively, the organisations can buy in a service from a supplier.

For many large organisations, the centralised model just doesn't scale. There is also the possible issue of the policies and controls only being applicable to one jurisdiction. 

Decentralised models, although providing the flexibility to meet local requirements, lead to duplication of effort and inconsistent approaches across an organisation, as well as overlapping and conflicting rights.

This leads us to federation. Organisations can develop a set of centralised policies, check these against compliance regulations by region and create a federation for each jurisdiction – either by purchasing a compliant service or by setting up their own service for suppliers to use. 

The benefit here is that IAM can be performed in a centralised manner while local regulations are still met, with both organisation and supplier access rights and roles pre-defined.

Adrian Davis is managing director for Europe at (ISC)2


This was first published in September 2014

