Recently I’ve been advising a colleague in a large organization about the options for implementing applications requiring extensive access by multiple third parties, many of which are direct competitors. It’s becoming a common business requirement.
Interestingly enough, in my view the biggest risks are associated with human error and process controls, rather than the strength of the technical solutions. These days you can buy security technology to authenticate and control user access for just about any situation. And even more solutions are in the pipeline. Cost considerations and legacy constraints are also less of a show-stopper than they used to be. But the one thing you can’t easily fix is the impact of a human error, especially given the appalling track record of the less-than-watertight access administration that is to be found in many large organizations.
It’s a tough problem. In my Shell days we were cautious about opening up the infrastructure to outsiders, so we spent a lot of time fine-tuning the contractual and administration processes to minimize the risks associated with third-party access. Regular site inspections and audits of access control lists were par for the course. But in a fast-changing business world with proliferating external access and multiple communication channels, this bespoke approach is expensive to sustain. Some large organisations now have more third-party users than employees. We have to run either faster or looser to avoid holding up business operations. So don’t get hung up about the technology. That’s the easy part. Focus on the administration processes. Because that’s where the real security risks and the operational improvements are to be found.