Misconception in IT System Crippling Collaboration with Partners, Clients

Bob Styran, IT audit expert
April 29, 2011

IT system designers should start working out how to separate identity from access management so that IT services suppliers and customers can collaborate, several security experts have suggested.

Jericho Forum, an international group of organizations working on de-perimeterisation and information security, noted that businesses and technology suppliers are misdirecting their focus. The group pointed out that services based on cloud computing depend largely on strong identity.

According to Paul Simmonds, board member of Jericho Forum, the IT services industry must “step back from the technology and focus on what is important.” Simmonds formerly worked as chief information security officer at ICI and AstraZeneca.

Collaborating with customers and partners is a big challenge for the IT industry today, and security is part of that challenge.

The Jericho Forum is currently formulating basic rules on identity, which it will propose for consideration to organizations that work on IT system implementation.

The study will be released in May this year and will include an overview of how to make IT systems more practical so that they meet the demands of businesses.

Simmonds emphasized the importance of separating identity management from access management, especially in the cloud environment, because mixing the two will hamper collaboration.

Moreover, identity is not only about people, Simmonds continued, but also about devices, computer code, organizations and agents.

According to Simmonds, device identity is important in making access decisions, code identity must be clear enough to differentiate it from malware, organizations must collaborate, and actors must be distinguished as digital or human.

Consequently, strong identity is achievable only through a variety of attributes that determine what a user is entitled to in any given case.

Simmonds cited as an example a board member who has full access to the HR system of a company while using a company device that meets minimum security measures. The same board member should not hold the same level of authority when using a personal laptop, even one that passes the security requirements.

The Jericho Forum proposed a rules-based system in which multiple attributes lead to different access decisions. According to the group, this kind of system suits cloud-based environments better than a role-based or user-based system does.
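The board-member scenario can be expressed as a small rules-based decision over several attributes. This is an added illustration, not code from the Jericho Forum or the article; the attribute names, the "limited" and "none" access levels, and the resource name `hr-system` are assumptions made for the sketch.

```python
from dataclasses import dataclass

# Identity side: attributes asserted about each entity (constructed values).
@dataclass(frozen=True)
class Subject:
    name: str
    role: str

@dataclass(frozen=True)
class Device:
    owner: str        # "company" or "personal"
    compliant: bool   # meets the minimum security measures

# Access side: ordered rules mapping attribute conditions to a decision.
# The level names "full" / "limited" / "none" are assumed for this sketch.
RULES = [
    {"when": {"resource": "hr-system", "role": "board-member",
              "device_owner": "company", "device_compliant": True},
     "level": "full"},
    {"when": {"resource": "hr-system", "role": "board-member",
              "device_owner": "personal", "device_compliant": True},
     "level": "limited"},
]

def decide(subject, device, resource, rules=RULES):
    """Return the level of the first rule whose conditions all match."""
    attrs = {"resource": resource, "role": subject.role,
             "device_owner": device.owner,
             "device_compliant": device.compliant}
    for rule in rules:
        if all(attrs.get(k) == v for k, v in rule["when"].items()):
            return rule["level"]
    return "none"  # default deny: no rule matched

def role_only_decide(subject, resource):
    """Role-based contrast: device attributes are never consulted."""
    granted = (subject.role, resource) == ("board-member", "hr-system")
    return "full" if granted else "none"

if __name__ == "__main__":
    board = Subject("constructed-user", "board-member")
    for dev in (Device("company", True), Device("personal", True),
                Device("company", False)):
        print(dev, decide(board, dev, "hr-system"),
              role_only_decide(board, "hr-system"))
```

The identity records carry no permissions, and the rules can change without touching them. The role-only function returns the same answer on every device, which is the gap the multi-attribute rules close.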

Although the group expects that this kind of system may take 10 to 15 years to become a standard, organizations can still promote strong identity in the meantime, according to Jericho Forum.

Simmonds cited as an example a wireless networking system that grants access only to authorized staff members through certain endpoint devices. This will also separate identity management from access management, he said.

 
