IAM for Consumers, Vendors and Partners

As part of brand outreach and cloud initiatives, many of our clients are making applications that offer product information and services available to their consumers, vendors and partners. From a security perspective this requires them either to manage these users internally or to support federated access from external organizations. They also have to take into account the expectations of end users, who demand ease of use and general accessibility from multiple devices and locations. In short, exposing applications to external users brings a unique set of security challenges that must be weighed against revenue opportunities and potential cost savings.

Over the years Pontis has built numerous solutions to effectively manage internal and external users for large organizations. In the past the focus was always first on management of internal users to meet regulatory compliance needs, followed by external user management solutions; today the tables are turned. Now we see the enabling of secure business models as the key driver for building an Identity, Access and Role Management framework.

Consider the typical example of an organization which is looking to build an external user management solution:

The organization has a large number of end users who need appropriate access to one or more applications, which may be internally or cloud hosted. To manage administration loads, the organization may choose to allow its vendors and partners to administer their own users, which entails the need to support a delegated administration model. A small subset of applications may already have been made available to end users using disparate approaches and technologies, resulting in silos with inconsistent security standards and user experiences. Ensuring minimal impact to these applications, as well as to third party applications that are not within the control of the client, brings in another multi-dimensional set of requirements.

External user management in the above example would, from a business perspective, look to break apart the silos, with a view to offering a consistent interface that would make available additional capabilities to end users and increase the revenue opportunity for the organization as a whole. External user management from a security perspective would be a critical component of managing the organization’s security posture by minimizing the risks of opening the previously internally managed resources and making them available to external users.

When brought in to work on these projects by our clients we, at Pontis, look at requirements from different levels. Some of it is typical identity and access management: identifying who is requesting access, their associated authorization levels, and providing an auditable trail of what they did. But there are additional security considerations; users expect to access resources from a plethora of devices and from different locations with differing levels of security. With appropriate context and risk analysis systems in place, we help clients monitor access patterns and identify anomalies. For instance, a known end user logging in from a registered device may be presented with a simple authentication challenge, whereas the same user logging in from an unregistered mobile phone, or from a location well outside of their typical usage pattern, would be presented with “step-up authentication”. The same would be done for a user requesting to perform a higher value transaction than is typical for them.

The complexity of rules and policies and the number of controls to be supported is far greater than in traditional IAM solutions. Migration strategies, and strategies to “white label” legacy or third party hosted applications so that they conform to the new model, bring their own set of challenges. For it all to work seamlessly and as expected, processes must be clearly defined and thought through so that they optimally leverage the sophisticated security technologies available in the marketplace.
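The context-and-risk decision described above can be made concrete as a small policy engine. The following is an added illustration written for this article, not code from Pontis or from any product; the signals (registered device, usual countries, typical transaction size), the weights, the step-up threshold and the sample user profile are all constructed assumptions chosen to show the mechanism, not values taken from a real deployment. It also emits the audit record that the paragraph says every access decision needs.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Challenge(Enum):
    """Authentication challenge the user is presented with."""
    SIMPLE = "simple"      # e.g. password only, for a low-risk context
    STEP_UP = "step-up"    # additional factor required


@dataclass
class UserProfile:
    """What we already know about a known external user (assumed schema)."""
    user_id: str
    registered_devices: set[str] = field(default_factory=set)
    usual_countries: set[str] = field(default_factory=set)
    typical_max_amount: float = 0.0   # largest transaction seen in normal use


@dataclass
class AccessContext:
    """Context captured at the moment of the access request (assumed schema)."""
    user_id: str
    device_id: str
    country: str
    transaction_amount: float = 0.0


# Assumed weights: each anomaly on its own is enough to trigger step-up.
RISK_WEIGHTS = {
    "unregistered device": 40,
    "unusual location": 40,
    "high-value transaction": 50,
}
STEP_UP_THRESHOLD = 40


def score_risk(profile: UserProfile, ctx: AccessContext) -> tuple[int, list[str]]:
    """Sum the risk contribution of every anomalous signal and report why."""
    reasons: list[str] = []
    if ctx.device_id not in profile.registered_devices:
        reasons.append("unregistered device")
    if ctx.country not in profile.usual_countries:
        reasons.append("unusual location")
    if ctx.transaction_amount > profile.typical_max_amount:
        reasons.append("high-value transaction")
    score = sum(RISK_WEIGHTS[r] for r in reasons)
    return score, reasons


def choose_challenge(profile: UserProfile, ctx: AccessContext) -> Challenge:
    """Known user on a registered device in a usual place gets a simple
    challenge; any anomaly at or above the threshold forces step-up."""
    score, _ = score_risk(profile, ctx)
    return Challenge.STEP_UP if score >= STEP_UP_THRESHOLD else Challenge.SIMPLE


def audit_record(profile: UserProfile, ctx: AccessContext) -> dict:
    """Build the auditable trail entry: who, from where, what was decided and why."""
    score, reasons = score_risk(profile, ctx)
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "user_id": ctx.user_id,
        "device_id": ctx.device_id,
        "country": ctx.country,
        "transaction_amount": ctx.transaction_amount,
        "risk_score": score,
        "reasons": reasons,
        "challenge": choose_challenge(profile, ctx).value,
    }


# Constructed sample profile used by the demo below and by the tests.
SAMPLE_PROFILE = UserProfile(
    user_id="cust-1001",
    registered_devices={"laptop-a1"},
    usual_countries={"US"},
    typical_max_amount=500.0,
)


if __name__ == "__main__":
    routine = AccessContext("cust-1001", "laptop-a1", "US", 120.0)
    new_phone = AccessContext("cust-1001", "phone-zz9", "US", 120.0)
    big_transfer = AccessContext("cust-1001", "laptop-a1", "US", 5000.0)
    for ctx in (routine, new_phone, big_transfer):
        print(audit_record(SAMPLE_PROFILE, ctx))
```

The point of `score_risk` returning its reasons alongside the score is that the same data feeds both the challenge decision and the audit trail, so an analyst reviewing access patterns later sees why a particular login was stepped up rather than only that it was.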

In conclusion, deciding to open up traditional network perimeters and provide access to resources that were until now tightly controlled requires addressing a new set of identity and access management challenges, and a security methodology different from anything used up until now. By bringing in experienced consultants you can reduce the learning curve and some of the risk of making rookie mistakes; however, the ultimate success of an external user management project, like all security projects, is totally reliant on the vision of the organization and its readiness to invest in long term governance and well defined security controls.

Scott Swegles