Security Think Tank: Pseudonymity key to extending IAM reach

What is the best way to expand identity and access management to third-party service providers to ensure data security?

Identity and access management (IAM) is still a major issue in many larger organisations. Despite the efforts to bring multiple identities and access rights under control, almost every audit uncovers deficiencies and weaknesses in IAM.

In practice, these are not restricted to the organisation itself – increased outsourcing and longer supply chains multiply the number of external users, with their various levels of trust and access to confidential information.

While several approaches are available to simply extend the IAM system – and related tools – to third parties, privacy concerns and data protection laws often restrict stringent implementation. Individuals working for service providers have protective rights, and even a double opt-in clause may not be reasonably justified. 

European data protection initiatives will make it even more difficult to fully integrate third parties under the heading of IAM.

The obvious solution is pseudonymity, as applied to third parties and their employees. In a pseudonymous setting, users are first anonymised, for example by assigning a numerical code or other token. The service provider thus offers a set of codes that represent employees, but without disclosing their identity.

The second step is to assign coded individuals to roles and responsibilities as usual, observing the principles of least privilege and need to know.
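The two-step arrangement above, as an added illustration that is not part of the original column: the service provider issues opaque codes and keeps the code-to-employee mapping (here also lodged with an escrow party), while the outsourcing organisation assigns roles to codes alone and enforces least privilege. The party names, role names, approver name and sample employee are constructed for the example; the keyed-HMAC code derivation is one possible choice, not something the article prescribes.

```python
import hashlib, hmac, secrets

ROLE_PERMISSIONS = {   # roles defined by the outsourcing organisation; each grants only what the work needs
    "support-readonly": {"ticket:read"},
    "dba": {"ticket:read", "db:read", "db:write"},
}
class ServiceProvider:          # knows its employees; hands the client only codes
    def __init__(self):
        self._key = secrets.token_bytes(32)   # provider-only secret
        self.mapping = {}                     # code -> employee, never sent to the client

    def pseudonymise(self, employee_id: str) -> str:
        # Keyed HMAC: the same employee always gets the same code, but a client holding
        # a staff list cannot recompute codes without the key (a plain hash could be guessed).
        code = hmac.new(self._key, employee_id.encode(), hashlib.sha256).hexdigest()[:16]
        self.mapping[code] = employee_id
        return code

class Escrow:                   # neutral holder of the mapping, e.g. a notary public
    def __init__(self, mapping: dict, approvers: set):
        self._mapping, self._approvers = dict(mapping), set(approvers)

    def reveal(self, code: str, approved_by: str) -> str:
        if approved_by not in self._approvers:   # re-identification needs an approved, lawful request
            raise PermissionError("re-identification refused")
        return self._mapping[code]

class OutsourcingOrg:           # sees only codes; assigns roles, enforces least privilege
    def __init__(self):
        self.assignments = {}                 # code -> set of role names

    def assign(self, code: str, role: str) -> None:
        self.assignments.setdefault(code, set()).add(role)

    def authorise(self, code: str, action: str) -> bool:
        return any(action in ROLE_PERMISSIONS[r] for r in self.assignments.get(code, ()))

def run_scenario() -> dict:
    provider, org = ServiceProvider(), OutsourcingOrg()
    code = provider.pseudonymise("alice@provider.example")   # constructed sample employee
    org.assign(code, "support-readonly")
    escrow = Escrow(provider.mapping, approvers={"data-protection-officer"})
    try:
        escrow.reveal(code, "helpdesk-analyst")  # no standing to re-identify
        leaked = True
    except PermissionError:
        leaked = False
    return {"read": org.authorise(code, "ticket:read"), "write": org.authorise(code, "db:write"),
            "stable": provider.pseudonymise("alice@provider.example") == code,
            "leaked": leaked, "revealed": escrow.reveal(code, "data-protection-officer")}
```

The outsourcing organisation can audit and revoke access per code without ever holding personal data; only the escrow holder can link a code back to a person, and only for an authorised requester.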

Where legal or regulatory restrictions apply, pseudonymous employee codes may be held in escrow, by solicitors or a notary public, for instance. It is important to note that the service provider retains the right to know personal information about its employees, while the outsourcing organisation should not normally have access to it, unless the third-party employee is required to be processed in a similar manner to an internal employee.

This approach is quite popular in practice and it is even finding its way into legal and regulatory thinking. As an example, the proposed German cyber security bill is likely to establish the principle of pseudonymity to protect organisations and individuals when reporting incidents.

Rolf von Roessing is president of Forfa and past international vice-president of ISACA.