Outsourcing and offshoring are a fact of life in many companies, but for some, when it comes to managing user identities and access rights or enforcing rules on governance, risk management and compliance, these are still very early days indeed.
In fact there are a number of good reasons why you should think about IAM (Identity & Access Management) every time you think about GRC (Governance, Risk & Compliance). Despite all the efforts to secure externally managed services and applications through policies and technology, gaps in the safety nets set up by those in charge of GRC remain. Third-party access to outsourced data is a good example. Just take maintenance and management services: written agreements on security standards and policies notwithstanding, reality shows that controlling, audit trails and internal compliance assurance measures are often incapable of closing every loophole.
What are the real problems? Take as an example hosted applications operated by one service provider but originally developed by another. The company information being processed is probably both valuable and restricted. How do you ensure that it isn't compromised when the developer has to run an update? And how is the developer to perform the necessary tests to ensure that the application won't crash once the update has been performed? Finally, how do you ensure that neither service provider can access the confidential data in the system itself?
Again, the answer is IAM when the situation calls for managing access rights, persons and identities in cases where external identities (service personnel) come in contact with internal data. Solving these issues requires legal and contractual procedures on the one hand and technical measures on the other. Given that all this is happening outside the administrative jurisdiction of the company itself, ensuring central management of access rights may very well require an external operations service provider, too.
But what path to follow? For existing installations, technical auditing may be the right answer in order to determine the true current status of access rights and protections. Based on the results, appropriate measures can be decided on and taken. Technically, these may consist in implementing Identity Federation between the three parties involved so as to reduce administration overhead. In the case of new applications, the best strategy is probably to switch to claims-based rights management which does away with individual user and rights management, substituting one-time definition of access privileges for certain resources using challenge-response instead, thus enhancing the federation concept.
One thing is clear, however: In compliance, it never pays to underestimate the potential complexity. For instance, there are data protection issues and information leakage risks, as well as everyday garden-variety IT security problems. If you plan to outsource, these all need to be resolved. And while this may appear simple when dealing with a single outsourcing provider, it may prove a nightmare when a multiplicity of "cloud computing" providers are involved.