As more IT leaders rely on outsourced application development, operational resources, and more, the importance of governing and securing privileged access has grown dramatically, especially in light of recent massive data breaches.
Protecting against the leading attack vector — compromised credentials — is an important consideration when outsourcing IT functionality. Traditional privileged identity management solutions require organizations to create and manage identities for outsourced IT providers within an internal environment, and then grant VPN access.
But this practice increases risk as the number of remote privileged accounts grows beyond the reach of an authoritative identity provider responsible for securing enterprise access, and as more third-party laptops establish VPN connections to internal networks. The result: An expansion of potential attack points for hackers, disgruntled insiders, and malware.
Federating identity management
But there’s another option. IT can implement privileged access solutions for third parties that minimize identity-related risks using federated authentication. Federated identity management lets outsourcing providers use their existing identification and authorization infrastructure to gain access to the enterprise network. To be effective, the enterprise and its outsourced IT provider must establish mutual trust, and the enterprise must be able to monitor and audit access and protect against rogue attacks from unauthorized parties.
With this approach, the outsourcing organization retains management control for its employee identities, while the enterprise retains control over granting access privileges to enterprise systems and applications for third-party partners.
Privileged access to specific resources can be governed through automated request and approval workflows. The enterprise can effectively monitor and audit access by granting granular access rights and by capturing and reporting on privileged user activities. In addition, IT retains the option to terminate privileged sessions if it receives alerts of potential security violations.
Federated privileged access allows the enterprise to streamline access management for any number of outsourced IT firms while retaining the ability to swiftly disable privileged user access. In this way, IT can ensure that employees, contractors, and partners have secure access to the right resources, at the right time, and for the right reasons.
Establishing an identity provider
To implement federated privileges, outsourcing providers must have their own identity provider in place. An identity provider creates, maintains, and manages identity information, and uses technologies like the Security Assertion Markup Language (SAML) to authenticate its users into apps in the cloud or in an enterprise data center. For example, the Centrify Identity Service uses SAML to provide simple, cloud-based identity federation.
Outsourcing IT providers can manage their own employee authentication, directories, and identity solutions while the enterprise provides secure access to shared enterprise applications and resources.
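The following added example (not code from the original article or from any vendor named in it) shows what the enterprise side of this arrangement has to do when a partner's SAML assertion arrives: confirm the assertion comes from a trusted identity provider, is addressed to the enterprise's own privileged-access service, is inside its validity window, maps the partner's group claim onto an enterprise-defined privileged role, writes an audit record, and can terminate the session on an alert. The sample assertion, the issuer `https://idp.outsourcer.example`, the audience `https://pam.enterprise.example`, the group `dba-contractors` and the role names are all constructed for the example. It assumes the XML signature has already been verified by a SAML library before these policy checks run; the checks here are the ones that remain after the signature is known to be good.

```python
"""Enterprise-side trust checks for a federated (SAML) privileged-access login."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion for the example; not output from a real IdP.
# Signature verification is assumed to have been done already by a SAML library.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_example1" Version="2.0" IssueInstant="2024-01-15T10:00:00Z">
  <saml:Issuer>https://idp.outsourcer.example</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@outsourcer.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T09:58:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://pam.enterprise.example</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups"><saml:AttributeValue>dba-contractors</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed trust configuration: the partner IdPs the enterprise has federated with,
# the enterprise's own entity ID, and the clock skew it tolerates.
TRUSTED_ISSUERS = {"https://idp.outsourcer.example"}
OUR_ENTITY_ID = "https://pam.enterprise.example"
CLOCK_SKEW = timedelta(minutes=2)
# The enterprise, not the partner, decides which partner groups map to which roles.
ENTITLEMENTS = {"dba-contractors": {"db-prod-readonly"}}
LOGIN_TIME = datetime(2024, 1, 15, 10, 1, 0, tzinfo=timezone.utc)


def minutes_after(minutes):
    """Helper for tests: LOGIN_TIME shifted by the given number of minutes."""
    return LOGIN_TIME + timedelta(minutes=minutes)


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now):
    """Return (subject, groups) or raise ValueError if any trust check fails."""
    ns = {"saml": SAML_NS}
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=ns)
    if issuer not in TRUSTED_ISSUERS:                      # mutual trust: only federated IdPs
        raise ValueError(f"untrusted issuer: {issuer}")
    cond = root.find("saml:Conditions", ns)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    not_before = _parse_ts(cond.get("NotBefore"))
    not_on_or_after = _parse_ts(cond.get("NotOnOrAfter"))
    if now + CLOCK_SKEW < not_before or now - CLOCK_SKEW >= not_on_or_after:
        raise ValueError("assertion outside its validity window")   # replay of an old assertion
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", ns)]
    if OUR_ENTITY_ID not in audiences:                     # assertion minted for some other service
        raise ValueError(f"assertion not addressed to {OUR_ENTITY_ID}")
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=ns)
    groups = [v.text for v in root.findall(
        "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", ns)]
    return subject, groups


class PrivilegedSessionBroker:
    """Grants, audits and terminates privileged sessions for federated users."""

    def __init__(self):
        self.sessions = {}
        self.audit = []   # (event, subject, role) records; real systems ship these to a SIEM

    def open_session(self, xml_text, requested_role, now):
        subject, groups = validate_assertion(xml_text, now)
        allowed = set().union(*(ENTITLEMENTS.get(g, set()) for g in groups))
        if requested_role not in allowed:
            self.audit.append(("DENY", subject, requested_role))
            raise PermissionError(f"{subject} is not entitled to {requested_role}")
        session_id = f"sess-{len(self.sessions) + 1}"
        self.sessions[session_id] = {"subject": subject, "role": requested_role, "active": True}
        self.audit.append(("GRANT", subject, requested_role))
        return session_id

    def terminate(self, session_id, reason):
        """Cut a live session, e.g. when monitoring raises an alert on it."""
        session = self.sessions[session_id]
        session["active"] = False
        self.audit.append(("TERMINATE", session["subject"], reason))
        return session


def demo():
    """Walk one partner login through grant, a denied escalation, and termination."""
    broker = PrivilegedSessionBroker()
    sid = broker.open_session(SAMPLE_ASSERTION, "db-prod-readonly", LOGIN_TIME)
    try:
        broker.open_session(SAMPLE_ASSERTION, "db-prod-admin", LOGIN_TIME)
    except PermissionError:
        pass
    broker.terminate(sid, "alert: unexpected data export")
    return [event for event, _, _ in broker.audit]


if __name__ == "__main__":
    print(demo())   # ['GRANT', 'DENY', 'TERMINATE']
```

The partner never receives an enterprise credential: its own IdP vouches for the user, and every decision that matters to the enterprise (which issuers are trusted, which groups map to which roles, when a session ends) stays in the enterprise's configuration and audit trail.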