Jericho Forum: Identity and access management need to be separated in the business
There is a need to separate identity from access management and treat the two as separate entities.
Paul Simmonds, former CISO of AstraZeneca and board member of the Jericho Forum, told SC Magazine that with identity and access management (IAM) the main challenge is containing identities within the perimeter as business communications fragment.
He said: “The issue is on the move outside the perimeter, which is driven 100 per cent by business and the IT administrator is playing catch up, as is security. There is a change to operations and extended identity into that environment. It is not access management, it is 'can I do identity and once I do it, can I use it outside the environment and then take all of it and do access management?' These are two separate things and need to be looked at separately.”
He said that the only way to divorce identity and access management is to move access management from a non-username to a claims-based system. “You have to cover multiple identities and you need access by rules and then these people are included in a project and joint venture,” he said.
“To deal with collaboration, you separate identity and access management and have identity that you can claim locally and have access management that will consume identities from multiple sources.
“The future might be collaborating identity, but are you coming in from a corporate or public machine? Can the machine assure that you can produce a secure sandbox for what you are downloading? The rules are more complex when you can prove who you are.”
Talking about why this was an issue now, Simmonds said that as more access is required from outside the perimeter via remote workers and personal devices, identity is crucial.
He said: “There are two reasons why: the time is right and cloud is taking off. You have got to have identity but no one has done the thought leadership on this, but what problem are we trying to solve? Identity goes to the heart of getting things right. Get it wrong and you go to the heart of the company.
“These are fundamental issues at play and we need to find and expose them, as well as look at identity management solutions.”
Approving of this concept was Julian Lovelock, senior director of product marketing at ActivIdentity. He said: “Identity management is setting up an account on system ‘A' and ‘B', but you do not go across systems and what happens when that person leaves? Access management is about setting up access and when a user logs in, how do they know who it is and is it secure. Access management is about security.”