This site uses cookies. By continuing to browse this site you are agreeing to our use of cookies. Find out more.X

Jericho Forum: Identity and access management need to be separated in the business

Share this article:

There is a need to separate identity from access management and treat the two as separate entities.

Paul Simmonds, former CISO of AstraZeneca and board member of the Jericho Forum, told SC Magazine that with identity and access management (IAM) the main challenge is containing identities within the perimeter as business communications fragment.

He said: “The issue is on the move outside the perimeter, which is driven 100 per cent by business and the IT administrator is playing catch up, as is security. There is a change to operations and extended identity into that environment. It is not access management, it is 'can I do identity and once I do it, can I use it outside the environment and then take all of it and do access management?' These are two separate things and need to be looked at separately.”

He said that the only way to divorce identity and access management is to move access management from a non-username to a claims-based system. “You have to cover multiple identities and you need access by rules and then these people are included in a project and joint venture,” he said.

“To deal with collaboration, you separate identity and access management and have identity that you can claim locally and have access management that will consume identities from multiple sources.

“The future might be collaborating identity, but are you coming in from a corporate or public machine? Can the machine assure that you can produce a secure sandbox for what you are downloading? The rules are more complex when you can prove who you are.”

Talking about why this was an issue now, Simmonds said that as more access is required from outside the perimeter via remote workers and personal devices, identity is crucial.

He said: “There are two reasons why: the time is right and cloud is taking off. You have got to have identity but no one has done the thought leadership on this, but what problem are we trying to solve? Identity goes to the heart of getting things right. Get it wrong and you go to the heart of the company.

“These are fundamental issues at play and we need to find and expose them, as well as look at identity management solutions.”

Approving of this concept was Julian Lovelock, senior director of product marketing at ActivIdentity. He said: “Identity management is setting up an account on system ‘A' and ‘B', but you do not go across systems and what happens when that person leaves? Access management is about setting up access and when a user logs in, how do they know who it is and is it secure. Access management is about security.” 

Share this article:

SC webcasts on demand

This is how to secure data in the cloud

Exclusive video webcast & Q&A sponsored by Vormetric

As enterprises look to take advantage of the cloud, they need to understand the importance of safeguarding their confidential and sensitive data in cloud environments. With the appropriate security safeguards, such as fine-grained access policies, a move to the cloud is as, or more, secure than an on-premise data storage.

View the webcast here to find out more

More in News

Cyber security still a learning curve for most companies

Cyber security still a learning curve for most ...

Poor network visibility, outdated security tools, a skills shortage and a lack of control in the cloud are just some of the reasons companies are struggling with cyber-security, say two ...

WorldPay hacker sentenced to 11 years for role in £6 million scheme

WorldPay hacker sentenced to 11 years for role ...

An Estonian man, who helped hack payment processor RBS WorldPay in 2008, has now been sentenced to 11 years in prison for his involvement in the £5.9 (US$ 9.4 million) ...

'Sophisticated' Chinese hackers launched attacks against 43,000 computer systems

'Sophisticated' Chinese hackers launched attacks against 43,000 computer ...

A new report reveals that a Chinese cyber-espionage group is closely affiliated with government and carried out attacks against the likes of Fortune 500 companies and government agencies.