“It’s not as much of an IAM problem as it is a data access problem,” says Jackson Shaw, senior director of product management at Quest Software. “The IAM piece can control access to the systems, but it can’t really control what happens to the data when an authorized person is using it.”
Whether it is price quotation systems, order management systems, product sales training, or collaborative marketing platforms, these systems have undoubtedly been a part of the business process framework within enterprise IT for some time now. And giving third-parties access to some of these systems is hardly new. Many companies have already chosen to grant network access to vendors, clients, or partners in the interest of making it quicker and easier to find inventory information, access quotes, place orders or requisitions, or any number of functions that might make business processes more efficient.
But the increasing use of cloud service offerings -- particularly in the case of the type of collaborative tools often used to share information between organizations -- has served to muddy the waters on the exact mechanism for automating and controlling that access.
“With cloud and mobile coming into the picture, one of the reasons why cloud is more attractive is because it is an enabler of partnering with other organizations,” says Nishant Kaushik, chief architect at Identropy. “It’s not about employees anymore, but it’s about contractors, partners, outsourcing, and working with third parties.”
Cloud options such as IaaS, PaaS, and SaaS make the task of the IT professional easier in many ways, but providing granular access control isn't usually one of those ways.
“So cloud is going to enable that to happen far more easily," says Kaushik. "Because of that, you need to have identity control. In an oblique sort of way, the increased use means you need more of these controls in place to ensure that things aren’t going to go haywire.”
There are a number of factors at play. Data might be stored locally or at multiple data centers across the globe. Certain cloud providers may not have the technology to integrate with an organization's IAM systems. And disparate third parties may have their own processes, procedures, policies, and technology that must be meshed into the framework.
Before running out and buying new cloud-directed IAM products willy-nilly, it pays to take a measured approach. Even with cloud access in the equation, organizations need to go back to the fundamentals of solid asset management, advises Andrew Wild, chief security officer at Qualys.
“Fundamental to the management of IT systems is the ability to identify and classify all IT systems in an environment,” Wild says. “Asset management should be a dynamic system that is able to stay current with the ever-changing environment of IT systems. This IT environment is becoming even more dynamic in the era of virtualization and cloud computing.”
Wild believes that planning is one of the strongest steps an IT department can take, and good planning can only come from an awareness of what the systems are and what challenges they present.
"With a strong asset management program in place, an organization can develop the processes necessary to manage the access requirements for a system," he says. "These processes should include flows to support the request, review, approval, granting, revocation, and auditing of access to the system. The processes must consider the people that will participate in the process."
At that point, organizations can better leverage their IAM tools to automate the processes for solid access management that will include third-party access, rather than bolting it on as a less secure add-on to an existing framework for employees. With a solid foundation of access management in place, it may also make sense to consider constraining system access through the use of a virtualized workspace, says Shaw.
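The access lifecycle Wild describes (request, review, approval, granting, revocation, auditing), built on top of an asset inventory, can be sketched as a small model. This is an added example, not code from the article or from any vendor quoted in it; the asset names, owners, clock value and approval rules are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed asset inventory (hypothetical system names and owners): access can
# only be requested for systems that are already identified, classified and owned.
ASSETS = {
    "order-mgmt": {"classification": "confidential", "owner": "sales-ops"},
    "price-quotes": {"classification": "confidential", "owner": "sales-ops"},
    "marketing-wiki": {"classification": "internal", "owner": "marketing"},
}
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock for the worked scenario

@dataclass
class AccessRequest:
    subject: str                      # third-party identity, e.g. "vendor:acme/jdoe"
    asset: str
    requested_by: str                 # internal sponsor who raised the request
    state: str = "requested"          # requested -> granted | rejected; granted -> revoked
    expires_at: Optional[datetime] = None
    audit: List[Tuple[str, str]] = field(default_factory=list)  # (event, actor) trail

def request_access(subject, asset, requested_by):
    if asset not in ASSETS:
        raise ValueError(f"{asset!r} is not in the asset inventory")
    req = AccessRequest(subject, asset, requested_by)
    req.audit.append(("requested", requested_by))
    return req

def review(req, approver, now, ttl_days=90):
    # Only the asset owner of record may approve, a sponsor may not approve their own
    # request, and every third-party grant is time-bounded so revocation is not forgotten.
    if approver != ASSETS[req.asset]["owner"] or approver == req.requested_by:
        req.state = "rejected"
        req.audit.append(("rejected", approver))
        return req
    req.state, req.expires_at = "granted", now + timedelta(days=ttl_days)
    req.audit.append(("granted", approver))
    return req

def revoke(req, actor):
    req.state = "revoked"
    req.audit.append(("revoked", actor))
    return req

def is_authorized(req, now):
    return req.state == "granted" and req.expires_at is not None and now < req.expires_at

def stale_grants(requests, now):
    # Audit view: grants still marked active whose time limit has passed.
    return [r for r in requests if r.state == "granted" and not is_authorized(r, now)]
```

Running `stale_grants` over all open requests on a schedule is the audit step that catches third-party access nobody remembered to revoke.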
“While IAM products can handle the initial provisioning of access to someone and the deprovisioning of their access, you really need a way to manage the access to that data while that person has authorized access,” says Shaw. “Using a virtualized workspace is a good step toward being able to control what someone can or can’t do with that data.”
A sandbox approach offers a way to enforce the principle of least privilege without disrupting the flow of business between the organization and its suppliers and other partners. Shaw also reminds organizations that they need to dot their i's and cross their t's by ensuring common-sense measures such as background checks and signed NDAs are in place before provisioning.