It is shocking how many companies using cloud services are poorly integrating their identity systems with those of the cloud provider.
Those same companies may have strict processes for enrolling new users to their internal systems, yet when it comes to provisioning user access to third-party systems, they lower their standards. Why? In many cases, because it is easier, cheaper and "just works". But at what cost?
How many times have we seen such an "integration layer" turn out to be a weekly scheduled FTP transfer of supposedly active accounts? And how often does such a transfer fail, leaving user accounts active in third-party systems and potentially opening up the opportunity for account misuse?
Identity and access management (IAM) integration is one of the most important technical controls in an extended enterprise – and yes, that includes cloud.
As usual in information security, there is no single straightforward reason why this is not being done properly. In most cases, however, companies simply do not have a proper external authentication and identity provisioning strategy.
more from Computer Weekly's Security Think Tank on extending IAM to third parties
In my opinion, the strategy should be a consolidated external and internal identity provisioning system.
An identity system should treat all its "customers" equally, ensuring that a user entity is properly provisioned and de-provisioned in all systems, regardless of who operates them. There are already cloud-related protocols designed specifically for this purpose, such as the System for Cross-domain Identity Management (SCIM).
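As an added example (not code from the article or from any SCIM product), the following Python sketches the provisioning shape SCIM gives you, together with the reconciliation check that a weekly file transfer lacks: compare the authoritative directory with what the third-party system actually holds and flag every account that should already have been disabled, as well as every account that was never created. The schema URNs are SCIM 2.0's own (RFC 7643/7644); the employee identifiers and the tenant's account list are constructed sample data.

```python
"""SCIM-style provisioning and an offline reconciliation check.

Added example, not code from the article or from any SCIM implementation.
The SCIM 2.0 schema URNs are the real ones from RFC 7643/7644; the directory
snapshot and the third-party account list below are constructed sample data.
"""
from typing import Dict, List

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def scim_user(user_name: str, external_id: str, active: bool = True) -> dict:
    """Minimal SCIM 2.0 User resource, as an identity provider would POST to /Users."""
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "externalId": external_id,  # stable key from the authoritative HR/directory system
        "userName": user_name,
        "active": active,
    }


def scim_deactivate_patch() -> dict:
    """PATCH body that de-provisions a user by setting active to false."""
    return {
        "schemas": [SCIM_PATCH_SCHEMA],
        "Operations": [{"op": "replace", "path": "active", "value": False}],
    }


def reconcile(authoritative: Dict[str, bool], target_accounts: List[dict]) -> Dict[str, List[str]]:
    """Compare the authoritative directory with what the third-party system holds.

    authoritative maps externalId -> whether the person is still active.
    target_accounts are SCIM User resources as returned by the target's /Users.

    Returns externalIds in two buckets:
      orphaned: active in the target but inactive or unknown at the source
                (a failed or skipped de-provisioning run; must be disabled)
      missing:  active at the source but absent from the target
                (a failed provisioning run)
    """
    target_ids = {a["externalId"] for a in target_accounts}
    target_active = {a["externalId"] for a in target_accounts if a.get("active")}
    source_active = {ext for ext, active in authoritative.items() if active}

    orphaned = sorted(ext for ext in target_active if not authoritative.get(ext, False))
    missing = sorted(source_active - target_ids)
    return {"orphaned": orphaned, "missing": missing}


def deprovision_plan(orphaned: List[str]) -> Dict[str, dict]:
    """PATCH request bodies to send for each orphaned account, keyed by externalId."""
    return {ext: scim_deactivate_patch() for ext in orphaned}


# Constructed sample data: the HR/directory view of who is still active ...
AUTHORITATIVE = {"emp-001": True, "emp-002": False, "emp-003": True}

# ... and what the SaaS tenant reports. emp-002 has left but is still enabled,
# emp-004 is unknown to the directory, and emp-003 was never created.
TARGET_ACCOUNTS = [
    scim_user("alice", "emp-001"),
    scim_user("bob", "emp-002"),
    scim_user("contractor-x", "emp-004"),
]

if __name__ == "__main__":
    result = reconcile(AUTHORITATIVE, TARGET_ACCOUNTS)
    print("orphaned:", result["orphaned"])  # ['emp-002', 'emp-004']
    print("missing:", result["missing"])    # ['emp-003']
    for ext, body in deprovision_plan(result["orphaned"]).items():
        print(f"PATCH /Users/<id of {ext}>", body["Operations"])
```

The point of keying everything on `externalId` is that it is the one identifier both sides agree on; a reconciliation that relies on user names or e-mail addresses breaks as soon as someone is renamed, which is exactly when stale accounts tend to slip through.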
So what should a CIO do?
Have a session with a chief architect and chief security architect. Ask them about extending identity management systems beyond the company's internal systems.
If the discussion leads to uncomfortable "uhmm and hmmm", then it is perhaps time to engage identity management professionals. Don't waste time on non-productive or even counter-productive discussions.
Instead, remind everyone of the final goal of the identity and access management processes: universal cross-domain and extended enterprise identity and entitlement management. Anything short of this is just not good enough for today's fast-moving and connected world.
Vladimir Jirasek is managing director of Jirasek Consulting Services.