Today we will focus on considerations as they relate to External Identity Management (IdM). External IdM is simply the identity management systems, policies, and practices an organization follows to grant access to external users of its systems, which in many cases means other organizations such as suppliers, vendors, etc. Internal employees could also include contractors performing work for the organization. There are a couple of methods for managing external identities that we will cover here.
It will be important for your organization to determine who needs access, and at what level, to internal systems or data that are being made available to external entities. It might be even more critical to maintain policies and procedures that ensure the Principle of Least Privilege is adhered to when managing external identity access. Even though internal threats are often overlooked, and we always want to maintain awareness of them, the majority of internal employees are usually going to be trusted. Privilege creep should be avoided even with internal employees; with external users, however, companies have to be more vigilant.
One method of managing external identities is to have external users obtain authentication identities within the same access management system used by internal employees. External-facing sites would need to allow external users to sign up and request accounts, but the IdM would otherwise be handled the same way as for internal identities. Even so, it is wise to segregate users by internal/external status within the IdM system, for example by placing internal and external users in different Active Directory user groups.
Another method of managing external identities is to pursue Federation, or Federated Access Management. Federation is simply an arrangement between two entities in which the entity providing access trusts the entity requiring access to manage who has access. In a system set up this way, if “Company A” trusts “Company B” and allows access to employees of “Company B” based on their need for “Company A” data or systems, those users authenticate to their own “Company B” authentication system and receive certain rights inherited from “Company A”. Many times this is seen in business-to-business (B2B) systems in which both companies benefit from the Federation and mutual trust.
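As an added example, not code from the original post, the following Python models both methods side by side: an internal directory that keeps external users in their own groups with narrow permissions (the first method), and a relying party at “Company A” that accepts a signed assertion from a trusted partner IdP and maps the partner's roles to a small set of local permissions (the second method). The directory entries, group names, issuer URL, shared secret and role map are all constructed for illustration, and the HMAC-signed token stands in for a real SAML or OIDC assertion; unknown issuers, bad signatures, expired assertions and unmapped roles all grant nothing.

```python
import base64
import hashlib
import hmac
import json
import time

# --- Constructed sample data (no real organisation, secret or URL) -----------

# Method 1: external users live in the same directory as internal staff but
# are placed in separate groups so their access can be kept narrow.
DIRECTORY = {
    "alice": ["Internal-Users", "Finance-Read"],
    "vendor-carol": ["External-Users", "Portal-Orders"],
}

GROUP_PERMISSIONS = {
    "Internal-Users": {"intranet:read"},
    "Finance-Read": {"finance:read"},
    "External-Users": {"portal:read"},
    "Portal-Orders": {"orders:read"},
}

# Method 2: federation. Company A trusts a partner IdP (keyed by issuer) and
# maps each partner role to the smallest set of Company A permissions that
# job needs. The shared-secret HMAC stands in for a real token signature.
FEDERATION_TRUSTS = {
    "https://idp.company-b.example": {
        "secret": b"constructed-shared-secret",
        "role_map": {
            "purchasing": {"orders:read", "orders:create"},
            "employee": {"portal:read"},
        },
    },
}


def permissions_for_internal(username):
    """Method 1: resolve permissions from directory group membership."""
    perms = set()
    for group in DIRECTORY.get(username, []):
        perms |= GROUP_PERMISSIONS.get(group, set())
    return perms


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(issuer, subject, roles, secret, ttl=300, now=None):
    """What the partner IdP does: sign claims about one of its own users."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "roles": roles, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def permissions_for_federated(token, now=None):
    """Method 2: Company A verifies the partner's assertion and maps roles."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
    except ValueError:                      # wrong shape, bad base64 or bad JSON
        return set()
    if not isinstance(claims, dict):
        return set()
    trust = FEDERATION_TRUSTS.get(claims.get("iss"))
    if trust is None:
        return set()                        # issuer is not federated with us
    expected = hmac.new(trust["secret"], body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return set()                        # forged or tampered assertion
    if claims.get("exp", 0) <= now:
        return set()                        # stale assertion
    perms = set()
    for role in claims.get("roles", []):
        perms |= trust["role_map"].get(role, set())   # unmapped roles grant nothing
    return perms


def is_allowed(perms, permission):
    """Final access decision for either kind of identity."""
    return permission in perms
```

Note that the relying party never consults Company B's directory: it only checks that the assertion was signed by an issuer it trusts and still falls within its validity window, then applies its own role map. Revoking a partner's access is therefore a local change (dropping the issuer or trimming the role map) rather than a hunt through individual accounts.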
There are positives and negatives to both types of External Identity Access Management. Often the number of external users needing access will determine which system to implement. If there are many users from the same company, federation eases the burden of managing numerous accounts and of trying to stay up to date on that company's employee turnover. The most important thing in Identity Management (internal or external), which simply CANNOT be forgotten, is security and maintaining the Principle of Least Privilege when providing access to data or systems.