Security Think Tank: Eight steps to extending IAM to third parties

What is the best way to expand identity and access management to third-party service providers to ensure data security?

Supply chains are becoming more complex, and the volume of information shared between partners is growing. 

This increases the chances of a data breach that damages an organisation’s reputation and financial standing, such as the one US retailer Target suffered in late 2013 as a result of compromised supplier credentials. The impact is still being felt by the company and its supply chain.

So what can be done to strengthen identity and access management (IAM) systems? 

Structured processes are needed to determine what information should be shared with third parties, and how to accomplish this efficiently and securely. ISF research has produced eight recommendations to develop these processes:

  1. Build a business case that helps to reduce time, overheads and complexity for users and maximise use of pre-existing identity and access management systems.
  2. Determine the scope of the programme, to fully understand what applications and systems will be included and identify regulatory or legal constraints.
  3. Establish a governance framework, to maximise alignment with organisational policies. 
  4. Define a set of technical standards, to ensure the best possible levels of interoperability and security. 
  5. Run a pilot, to refine the business case and identify the best approaches for deployment.
  6. Integrate the programme into existing systems and general IT processes, to support other critical business systems and applications.
  7. Define an approach for managing relationships with partners, and build this into the contracting phase of the relationship.
  8. Create a repeatable process, to ensure consistency and sustainability of the overall system.

Following these recommendations will help organisations to extend IAM to third parties with greater confidence. This will increase security and help to keep your organisation’s data where it belongs, with you and those you trust.

Dave Clemente is a senior research analyst with the Information Security Forum.
