In my previous blog I introduced the concept of the ‘outside-in’ model of Identity and Access Management (IAM). It is designed to meet the needs of increasingly extended, collaborative and digital supply chains. In this blog, I’ll look further into why organizations need to adopt this new model and cover some key areas that you’ll need to consider.
Traditionally, IAM has been a helpdesk IT solution focused internally to give employees secure and efficient access to applications and information. While still important, this is no longer sufficient to meet the requirements of the connected supply chain. Increasingly, data and content are moving across systems, trading partners and geographical boundaries. The need for close collaboration means that, increasingly, information stored and shared throughout global supply chains needs to be both identified and connected with the people and systems that need it. Add to this the rise of IoT devices, and the connected supply chain represents a major area of vulnerability and risk.
The number of cybersecurity breaches is growing by 64% each year. This is not some spotty teenager or malevolent world power; it’s primarily people linked to the company – employees, suppliers or business partners. In 2017, credentials-based attacks accounted for 81% of all cyber attacks, up from 63% in 2016. Building stronger network perimeters is no longer enough when you know business success depends on effective information sharing. You need better ways to ensure that the right people have access and the bad actors are kept out.
Ownership versus trust
In the past, the IT department could own your identity management strategy. By creating a single database, you could deliver capabilities like Single Sign On to facilitate employee access to the myriad applications they rely on for their tasks. The connected supply chain touches so many internal departments and external suppliers and partners that the responsibility for identity management can’t remain solely within the IT department or, arguably, even the organization itself.
Ownership has to be replaced by controlled trust. The ‘outside in’ model of identity management is designed to create a solution that addresses all the people, processes, systems and things that need to be properly identified and managed, and assigns management of them at the most appropriate level. While retaining centralized control, it lets you work with trading partners to give trusted access to all the information and resources across the supply chain.
Flipping the Identity Management model
The Digitalist Magazine suggests that for companies to achieve the full benefit of the connected supply chain they ‘need trusted cross-functional collaborations internally – and with verified third parties – that are enabled by secure technology that integrates cybersecurity into operations’. The ‘outside in’ model of identity management is a foundational component of this approach, and very few IAM vendors even understand this need exists. There are several things you’ll need to consider when looking to adopt this model:
Switch from compromise to optimize
At a recent Gartner IAM conference, a keynote speaker suggested that the increasing prevalence of disruptive technologies – cloud, IoT and mobile – had left traditional approaches to identity management struggling to respond, with organizations adding capabilities that were ‘bolted on just to meet demand’. At the same time, the vast majority of supply chains grow in an ad hoc manner. Research has shown that only 22% of companies take an active approach to supply chain network design. Identity management needs to be built into a proactive strategy of how you grow and develop your supply chain if you are to create the highest levels of security – while also delivering the frictionless experience that users expect.
Uniquely identify everything
It has been a long time since identity management was only about people. Today, it’s about all the people, processes, systems and things that are interacting together and accessing information. You must be able to uniquely identify all supply chain elements, processes and actors to gain full visibility. This visibility will enable you to both optimize your supply chain and manage your information risk – a powerful combination. Enterprises must be able to have a full record of the lifecycle of each element to deliver real-time visibility of changes and complete audit and compliance capabilities.
Move from password to person
The password has been at the center of identity management for many years. While still important, it is now only one element of building a picture of who the person is. Organizations are beginning to transition towards identity assurance that combines different factors to determine a user’s authenticity. A range of authentication options – such as passwords, biometrics, push notifications – can be allied to predictive and behavioral analytics to provide sophisticated, multi-layer identity management that also improves the user experience.
Delegate, delegate, control
Delegated administration is an important part of the ‘outside in’ model and yet so few vendors offer it or can deploy it. You need visibility into the organizations that connect with your work. This is best achieved by working with trusted delegated administrators that can govern external users and what they are authorized to do. These administrators will know how to best assign access rights in a way that suits their organizational structure. You must trust the administrator but also be able to control and audit their activities. Importantly, you must have visibility into how identity management is executed at different levels within their organization.
Integrate into your B2B ecosystem
Working collaboratively with your trading partners requires the secure integration of different systems and disparate processes. Identity management must facilitate this integration rather than acting as another burden to the effective sharing of information across the supply chain. Many kinds of data and content need to be effectively exchanged and the correct identity management solution should help insulate you from the cost and complexity of changing document types, formats and network connections. For example, the Covisint Cloud Platform provides all the capabilities to enable secure B2B communications across your systems, processes and trading partner communities.
Things are people, too
Treating IoT devices as people, too, is a piece of advice from Gartner research vice-president Mark Diodati, as these devices are becoming just as sophisticated. Gartner has also provided a new prediction on the growth of IoT suggesting that, by 2020, over 26 billion devices will be interconnected. The analyst firm says there will be 215 trillion stable connections, and 63 million new ones every second. Each of these connections will need to be carefully managed and, for your business, enable the flow of trusted data into other systems and processes in your supply chain. In short, if you have an IoT strategy, then it should include identity and access management at the foundations.
Think pervasive and continuous
Identity management has to cover all the people, processes, systems and things connected to your organization. Your identity management regime has to be pervasive – including not only all the elements, but also all the interactions between these different elements. Within the connected supply chain, it is also a continuous process. For example, any changes to your systems or processes can introduce the opportunity for weakness or attack. You need to know what rights a person has, when and how they access your systems and what they’re doing while they’re there.
The connected supply chain is a reality for many organizations today and you need to move quickly to minimize the risks that come through the greater inter-dependency you have with trading partners. This begins by changing your thinking about identity management, to find a way to enable access based on controlled trust. This will allow you to embrace the ‘outside in’ model to facilitate secure collaboration and information sharing both internally and externally.
If you’re taking part in projects aimed at bringing your people, systems and things together and want your ecosystem to be secure, flexible and responsive, then you should contact us. We’re experts with large and complex IAM implementations and we’re here to help with yours. If you’d like to see us in person, we’ll be at the upcoming RSA Conference in San Francisco in April and at Enterprise World in Toronto in July. For a personalized and private meeting, please contact us here.