Security Think Tank: Extending IAM controls to third parties

What is the best way to expand identity and access management to third-party service providers to ensure data security?

Third parties accessing enterprise systems is nothing new, and a number of different approaches have traditionally been used. They range from simply extending the mechanisms used for staff remote access, through to bespoke drop-box systems that allow files to be dropped off and collected.

A drop-box keeps the third party away from direct access to the corporate environment, but it still needs its own access controls to reduce the risk of unauthorised access to its contents. Antivirus and/or anti-malware scanning of what is deposited is required, as is a set of policies, standards, procedures and work practices governing file drop-off and collection.

A drop-box system can be built in-house, on a dedicated server located in a demilitarised zone (DMZ) of the internet-facing firewall, or externally on one of the cloud or commercial offerings. The decision comes down to cost, speed of implementation, maintenance and operational issues, and the corporate view of risk.

If direct third-party access to the corporate environment is a definite requirement, the business should decide what data the third party needs to access to perform its function.

The answer here is not "give them everything we have", but the least access required to do the job.

Knowing which data the third party needs access to, and what it is allowed to do with that data (read only, or read and write), identifies the corporate systems involved, the preferred access mechanism and a security profile that can be used to drive the infrastructure configuration: firewall rules, as well as access profiles and policies.

Active Directory group membership, applied through the file system's access control lists (and Group Policy for the surrounding desktop settings), can control what files a user can see and what they can do with them. This is a feature of Microsoft Active Directory that is often underused, or used poorly, in many organisations.
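As an added example that is not part of the original article: the following PowerShell shows the least-privilege pattern above applied to a drop-box folder. It assumes a domain-joined file server with the ActiveDirectory module (RSAT) installed and a caller allowed to create groups and change the folder's ACL; the domain, group, account and folder names are hypothetical. It creates a security group that exists only for this supplier and this data set, adds the supplier's account to it, stops the folder inheriting permissions from its parent, and grants the group read and write only, with no delete, no execute and no ability to change permissions.

```powershell
# Added example, not from the original article. Assumes a domain-joined file server
# with the ActiveDirectory PowerShell module (RSAT) and a caller with rights to
# create groups and rewrite the folder ACL. All names are hypothetical placeholders.
Import-Module ActiveDirectory

$domain     = 'CORP'
$groupName  = 'ThirdParty-AcmeLogistics-DropBox-RW'   # one group per supplier and purpose
$ouPath     = 'OU=ThirdPartyGroups,OU=Groups,DC=corp,DC=example'
$vendorUser = 'acme.svc01'                            # supplier account already provisioned
$folder     = 'D:\DropBox\AcmeLogistics'              # only the area this supplier needs

# 1. A group that exists only for this supplier and this data set. Permissions go on
#    the group, never the account, so joiners and leavers are a membership change.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
        -Path $ouPath -Description 'Acme Logistics: read/write on their drop-box area only'
}
Add-ADGroupMember -Identity $groupName -Members $vendorUser

# 2. Create the folder if needed, then stop it inheriting the parent's ACL so nothing
#    granted higher up (for example Domain Users read) leaks through to the supplier.
if (-not (Test-Path $folder)) { New-Item -ItemType Directory -Path $folder | Out-Null }
$acl = Get-Acl -Path $folder
$acl.SetAccessRuleProtection($true, $false)   # protect from inheritance, drop inherited ACEs

# 3. Grant exactly what the business said the supplier needs: list, read, create and
#    write files. 'Read, Write' deliberately excludes Delete, ReadAndExecute,
#    ChangePermissions and TakeOwnership. Synchronize is added automatically to
#    Allow rules by the .NET FileSystemAccessRule constructor.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$vendorAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$domain\$groupName", 'Read, Write', $inherit, $propagate, 'Allow')
$acl.AddAccessRule($vendorAce)

# Local administrators keep full control so the folder stays manageable; the account
# the anti-malware scanner runs under would be added the same way if it needs one.
$adminAce = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow')
$acl.AddAccessRule($adminAce)

Set-Acl -Path $folder -AclObject $acl

# 4. Verify: list the resulting ACEs so a reviewer can confirm that no other principal
#    (Everyone, Domain Users, Authenticated Users) still has access and nothing is inherited.
(Get-Acl -Path $folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

The verification step matters as much as the grant: the common failure is not the explicit entry for the supplier but an inherited one for a broad group that nobody reviewed.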

A reasonable halfway house is the use of proxies or servers dedicated to third-party use and located in a dedicated DMZ of an internet-facing firewall. This provides more function than a drop-box system, but keeps the third party out of the core corporate network.

A good example of this approach is a terminal services server (Citrix, Microsoft Remote Desktop Services or a virtual desktop infrastructure) located in the DMZ and placed under Active Directory control, with Active Directory handling user authentication and authorising which facilities each user may reach.

These terminal services servers can provide a locked-down desktop or, the more secure option, published applications, so that the third party sees only the application it needs rather than a full desktop.
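As an added example that is not part of the original article: the following PowerShell configures the published-application option on a Microsoft Remote Desktop Services deployment. It assumes a session collection already exists on a session host in the DMZ, that the RemoteDesktop module is available on the connection broker, and that an Active Directory group for the supplier has been created; the broker, collection, group, application path and command line are hypothetical. It restricts the collection to that group, turns off the redirection channels a desktop session would otherwise expose, applies session time limits, and publishes a single application with a fixed command line instead of a desktop.

```powershell
# Added example, not from the original article. Assumes a Windows Server RDS
# deployment with the RemoteDesktop module on the connection broker and an existing
# session collection on the DMZ session host. All names are hypothetical placeholders.
Import-Module RemoteDesktop

$broker     = 'rdcb01.corp.example'
$collection = 'ThirdParty-Acme'
$userGroup  = 'CORP\ThirdParty-AcmeLogistics-Portal'   # AD group that authorises the supplier

# 1. Authentication is Active Directory; authorisation is membership of one group.
#    Nobody outside this group can connect to the collection at all.
Set-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker `
    -UserGroup $userGroup

# 2. Remove the channels that would let data flow back to the supplier's endpoint:
#    no drive, clipboard, smart card, port or printer redirection.
#    (Client settings and session settings are separate parameter sets, hence two calls.)
Set-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker `
    -ClientDeviceRedirectionOptions None -ClientPrinterRedirected $false

# 3. Idle and disconnected sessions are ended quickly; an active session is capped at
#    eight hours and cannot silently reconnect after a network drop.
Set-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker `
    -IdleSessionLimitMin 15 -DisconnectedSessionLimitMin 5 -ActiveSessionLimitMin 480 `
    -AutomaticReconnectionEnabled $false

# 4. Publish the one application the supplier needs rather than a desktop. The command
#    line is fixed ('Require') so the user cannot supply their own arguments.
New-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker `
    -DisplayName 'Acme Order Portal' -Alias 'acme-orders' `
    -FilePath 'C:\Apps\OrderPortal\OrderPortal.exe' `
    -CommandLineSetting Require -RequiredCommandLine '--tenant acme --readonly' `
    -UserGroups $userGroup

# 5. Verify what is actually published, and to whom.
Get-RDRemoteApp -CollectionName $collection -ConnectionBroker $broker |
    Select-Object DisplayName, Alias, FilePath, CommandLineSetting, RequiredCommandLine, UserGroups |
    Format-Table -AutoSize
```

Publishing an application rather than a desktop only helps if the application itself cannot be used to launch other programs or browse the file system, so the published binary still needs to be reviewed with that in mind.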

Peter Wenham is a committee member of the BCS, The Chartered Institute for IT security forum strategic panel and director of information assurance consultancy Trusted Management.
