Federated Identity Management - The Real Issues

Recently I’ve been advising a colleague in a large organization about the options for implementing applications requiring extensive access by multiple third parties, many of which are direct competitors. It’s becoming a common business requirement.

Interestingly enough, in my view the biggest risks are associated with human error and process controls, rather than the strength of the technical solutions. These days you can buy security technology to authenticate and control user access for just about any situation. And even more solutions are in the pipeline. Cost considerations and legacy constraints are also less of a show-stopper than they used to be. But the one thing you can’t easily fix is the impact of a human error, especially given the appalling track record of the less-than-watertight access administration that is to be found in many large organizations.

It’s a tough problem. In my Shell days we were cautious about opening up the infrastructure to outsiders so we spent a lot of time fine-tuning the contractual and administration processes to minimize the risks associated with third party access. Regular site inspections and audits of access control lists were par for the course. But in a fast-changing business world with proliferating external access and multiple communication channels this bespoke approach is expensive to sustain. Some large organizations now have more third party users than employees. We have to run either faster or looser to avoid holding up business operations. So don’t get hung up on the technology. That’s the easy part. Focus on the administration processes. Because that’s where the real security risks and the operational improvements are to be found.
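The "audits of access control lists" mentioned above are the kind of process control that catches human error in access administration. The following is an added example, not code from the original post or from Shell, of what such an audit can check mechanically on a third-party access export: expired contracts, sponsors who have left, accounts never or no longer used, and groups that must not mix competing organizations. The access entries, employee list, group policy and field names (user, org, sponsor, contract_end, last_used, groups) are all constructed here for illustration and are not any real system's schema.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Entry:
    """One third-party access entry (constructed schema, an assumption)."""
    user: str
    org: str                    # the external company the user belongs to
    sponsor: str                # internal employee accountable for the access
    contract_end: date          # date after which the access should be gone
    last_used: Optional[date]   # None if the account has never logged in
    groups: tuple = ()          # resource groups the account is a member of


# Constructed sample export of third-party access entries.
ACL = [
    Entry("carol", "acme", "alice", date(2024, 12, 31), date(2024, 6, 1), ("tender-docs",)),
    Entry("dave", "acme", "bob", date(2025, 12, 31), date(2025, 2, 20), ("tender-docs",)),
    Entry("erin", "globex", "alice", date(2025, 12, 31), date(2025, 2, 25), ("tender-docs",)),
    Entry("frank", "globex", "zed", date(2025, 9, 30), None),
]

# Constructed list of current employees: every sponsor must be on it.
EMPLOYEES = {"alice", "bob"}

# Constructed policy: groups whose members must all come from one
# external organization (the "direct competitors" case in the post).
SINGLE_ORG_GROUPS = {"tender-docs"}


def audit(acl, employees, single_org_groups, today, idle_days=90):
    """Reconcile an access export against the administrative controls.

    Returns a sorted list of (subject, issue) findings, where subject is a
    user name or, for mixed-organization groups, the group name.
    """
    findings = set()
    orgs_in_group = defaultdict(set)

    for e in acl:
        if e.contract_end < today:
            findings.add((e.user, "contract_expired"))
        if e.sponsor not in employees:
            findings.add((e.user, "sponsor_not_employed"))
        if e.last_used is None:
            findings.add((e.user, "never_used"))
        elif today - e.last_used > timedelta(days=idle_days):
            findings.add((e.user, "idle"))
        for g in e.groups:
            orgs_in_group[g].add(e.org)

    for g in single_org_groups:
        orgs = orgs_in_group.get(g, set())
        if len(orgs) > 1:
            findings.add((g, "mixed_orgs:" + ",".join(sorted(orgs))))

    return sorted(findings)


# Audit as of a fixed (constructed) date so the run is reproducible.
FINDINGS = audit(ACL, EMPLOYEES, SINGLE_ORG_GROUPS, date(2025, 3, 1))

if __name__ == "__main__":
    for subject, issue in FINDINGS:
        print(f"{subject}: {issue}")
```

Each finding is a prompt for a human decision (revoke, re-sponsor, or confirm the exception), not an automatic revocation; the value of the check is that an expired contract or a departed sponsor no longer depends on someone remembering to tidy the list.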

1 comment

David, this topic brought back memories. I can remember you and I working on the 3rd party access guidelines for Shell in 1989? You might remember that I had been outsourcing application development and support to a number of 3rd party software houses whose staff then needed access to our infrastructure. The resistance within the IT security department was enormous initially and we got several refusals ('You can't do that!') from that team until I got together with you and convinced you that outsourcing was the way the IT business wanted to go at that time, so it was a question for your department to find a solution for us. Eventually, thanks to your proactive stance on this challenge, you came up with the goods. And 'Yes', I agree with you that it is the human beings and the processes and procedures in the 3rd party company that are often the Achilles heel, rather than the technology.