Multi-Organization Access Governance

Executive Summary

This KuppingerCole Whitepaper explores identity access across multiple organizations and parts of their supply chains, managed from a single point. With such a platform, organizations can streamline access and collaboration across their supply chains and third-party users, simplifying administration with delegated user controls and versatile user orchestration. Additionally, the Whitepaper examines key aspects such as user self-registration, delegated administration, access request and approval, access certification, and the application of different user experiences, processes, and policies based on business posture.

Highlights

  • Why organizations with a reliance on affiliates and partners need better IAM.
  • How to provide secure access for workforce, third parties and partners from a single point.
  • The importance of delegating administration at an organization and partner level.
  • Why Onboarding tools, user self-registration and invitation-based enrollment are important.
  • Why multi-organizations need different user experiences, workflows, processes, and policies to be applied based on organization rules and culture.
  • How strong security controls can be implemented without incurring cost for supply chain partners.

Overview of Multi-Organization Access Governance

Modern business consists of multiple networks, devices, resources, and users. Participants in many business workflows are likely to originate from outside the organization and include supply chain actors and third parties. Centrally managing identity access across multi-organizations is a major challenge.

Identity and Access Management (IAM) platforms have long been with us, enabling IT security and compliance managers to control internal system access. Without IAM, administrators had little idea of which identities were accessing resources on-premises or in private clouds. Privileged Access Management (PAM) took this one step further by regulating access to sensitive administrative tasks as well as to high value data assets.

However, modern organizations no longer manage internal identities alone. This is particularly relevant to those companies operating in the B2B, B2G and B2B2C sectors with complex supply chains and customer/partner relationships. Third parties in the supply chain such as contractors, freelance workers, external auditors, and customers are now part of the mix, requiring robust secure access that can be regulated centrally by the host organization. The picture becomes more complicated if we consider that suppliers will have connections to their own partners and supply chains (known as Fourth Parties, see Figure 1) and that may impact on the sponsor organization further.

While some IAM and PAM platforms allow for limited third party access, many do not, and businesses may require specialist software to govern supply chain access. This is referred to as multi-Organization or community IAM, which should facilitate secure access and collaboration throughout an organization’s multiple tiers of supply chain and partners.

There are several important challenges that managers need to consider when managing access from across their supply chains. These include the following:

Full Identity Discovery and Management

It can be hard to manage users that require access to systems without a platform to help sequence large numbers of identities into scalable and easily read directories.

Data and Identity Integrity

With so many identities in the mix it can be difficult to maintain an up-to-date inventory of valid identities and exclude, for example, ex-employees in the supply chain or identities from former or non-active suppliers.

Full Scalability

Any platform must be scalable and able to absorb growth by the organization and rapid increase, change or disruption in supply chain actors.

Secure Onboarding of Identities

Any third-party identity must be successfully and securely onboarded into the host organization as diligently as any full-time employee and be tracked accordingly. Ideally this can be automated and allow for self-onboarding.

Enhancing Legacy IAM

Supply chain access governance adds an extra layer of assurance for third party identities monitored by existing IAM and Identity Provider platforms.

Centralized Control

To assist managers in complex supply chain access governance, a central point of control and administration is required. Ideally this would be via a dashboard to give a single view of all activity, as well as drill into more granular views.

Continuous GRC Controls

Adoption of strong, standards-compliant credentials and authentication methods (passwordless, NIST 800-63, etc.) is important in highly regulated industries.

Fourth Parties

Third party suppliers will have their own set of vendors and supply chains which can also impact on the security of the sponsor organization.

An organization could develop and build a multi-organization IAM platform in house to meet these challenges, or it may look at the market for a native solution, or both. To that end, any solution must integrate with legacy applications and infrastructure and harmonize with third party identities for friction-free access.

Multi-Organization IAM in Detail

There is a need for multi-organization IAM especially in fast-moving and highly regulated industries. In this section we look at key capabilities and features needed to deploy IAM that works for employees as well as third parties in the supply chain.

To better manage identity and access through multi-organization nodes, senior managers need to consider some basic principles. Identities seeking access will be linked to employees, third party employees, contractors and, depending on the industry sector, customers. Consumer facing industries are increasingly likely to permit access to customers via web platforms.

Figure 1 shows how complex the lattice of supported identities can become, encompassing not just human identities within supply chains but also machine identities and robots. And the internet is a pervasive presence, potentially opening the central organization to cyber threats including ransomware and data theft.

Such a business atlas is not unusual in today’s multi-connected, multi-cloud, multi-domain business environments. Ever since Henry Ford developed automobile mass production, companies have depended on supply chains and trusted partners for delivery of raw materials and services. It is the accepted business model, developed further by globalization. What has changed is the speed of access often required, the number of identities in play, software as a service, the collaborative nature of modern office software and the spread of the cloud across all industries.

A fundamental task of multi-organization identity management is onboarding users securely into the host or sponsor organization. This can be done manually via tools available in Azure Active Directory or via an Identity Provider platform, for example. Both options can work but often require a high degree of technical knowledge on the part of admins and sometimes present a challenge in delivering a smooth end user experience. Marrying security and convenience is a particular challenge for third party access management, given the importance of many suppliers to workflows and business processes. Equally important is the sensitivity of the information at hand, whether PII or IP, and the need to protect it.

However, a specialized IAM platform that can integrate with existing cloud infrastructure and legacy applications may be preferable to ensure that managing identities from multi organizations fulfils new demands for security, compliance, and user experience. Whatever option is chosen, the following capabilities are important to managing identities from multi-organization environments:

Unified Onboarding of Identities Across all Organizations

By unifying the onboarding process of identities from multi-organizations through a single platform, organizations can enforce granular access policies and ensure that users have appropriate permissions based on their roles, and business and security policies. Efficient onboarding plays a vital role in meeting regulatory and compliance requirements. It enables organizations to track and monitor user activities, ensuring accountability and transparency. It also brings consistency to the process. The goal should be to provide a scalable onboarding framework to accommodate new users and organizations seamlessly, without interruption to business processes.

Self-onboarding and Invitation-based Enrollment

Many identities will be onboarded by Admins in the sponsor organization, but some platforms will also enable third party users to onboard themselves. This must be subject to high level policy decision. It is usually applied to verified and trusted partners only as it allows individuals to create their own user accounts or profiles. The productivity gains for the user and the business are clear but such a process must be accompanied by robust IAM security technologies. Invitation based enrollment enables the sponsor organization to pre-approve access through this method. IAM platforms that offer this capability should be considered.

Delegated Administration by Third Party Organizations (MSPs)

Delegated administration at the third-party level refers to the practice of granting administrative privileges or responsibilities to trusted third-party individuals to manage certain aspects of an organization’s systems, applications, or services. This delegation allows the third party to perform specific administrative tasks on behalf of the sponsor organization while it maintains control. This entails a high degree of trust, and any such deployment must be subject to rigorous planning and oversight.

Multi-org and delegated access request and approval

Delegated access request and approval in multi-organization environments help ensure that access decisions are made in line with the policies and guidelines of both the requesting and target organizations. It facilitates collaboration, project execution, and resource sharing while maintaining proper access controls and security measures. Effective communication and coordination between organizations, along with clear documentation of the approval workflow, are essential to streamline this process.

Multi-org and delegated access certification

By implementing access certification in a multi-organization environment, organizations can maintain a controlled access management framework. It helps minimize the risk of unauthorized access, excessive privileges, and potential security breaches while ensuring compliance with regulatory requirements.
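The two preceding capabilities, delegated access request and approval and delegated access certification, are shown below as an added worked example. It is not code from the whitepaper or from Exostar; the partner organizations, resources, roles and the 90-day staleness rule are constructed sample data. The approval path is two-tier: a delegated administrator of the requesting organization approves first, then the sponsor applies the target organization's policy and gives final authorization. The certification campaign fails closed: anything belonging to an inactive partner, anything a delegated reviewer explicitly rejects, and anything nobody re-certifies that has gone stale is revoked.

```python
"""Two-tier access approval and delegated access certification across
organizations. Added illustrative example, not code from the whitepaper or
from Exostar; partner names, resources, roles and policies are constructed."""
from dataclasses import dataclass
from datetime import date

# Constructed: partner organizations the sponsor currently treats as active.
ACTIVE_PARTNERS = {"acme-parts", "globex-logistics"}

# Constructed: sponsor-owned resources and the partner roles eligible for them.
# This is the target organization's policy, applied at the final (sponsor) tier.
TARGET_POLICY = {
    "supplier-portal": {"engineer", "buyer"},
    "design-vault": {"engineer"},
}


@dataclass
class AccessRequest:
    user: str
    org: str          # requesting (partner) organization
    role: str         # role assigned by the partner's delegated administrator
    resource: str     # sponsor-owned resource being requested
    partner_approved: bool = False
    sponsor_approved: bool = False


def partner_approve(req: AccessRequest, approver_org: str) -> bool:
    """Tier one: delegated approval by the requesting organization only.
    An admin from any other organization cannot approve on its behalf."""
    if approver_org != req.org:
        return False
    req.partner_approved = True
    return True


def sponsor_authorize(req: AccessRequest) -> bool:
    """Tier two: final sponsor authorization. Requires tier-one approval,
    an active partner relationship and a role the target policy permits."""
    eligible_roles = TARGET_POLICY.get(req.resource)
    if eligible_roles is None or not req.partner_approved:
        return False
    if req.org not in ACTIVE_PARTNERS or req.role not in eligible_roles:
        return False
    req.sponsor_approved = True
    return True


@dataclass
class Entitlement:
    user: str
    org: str
    resource: str
    last_certified: date


def run_certification(entitlements, today: date, decisions, max_age_days: int = 90):
    """Delegated certification campaign. `decisions` maps
    (org, user, resource) -> True (keep) or False (revoke), as recorded by
    each organization's delegated reviewer. Returns the keys revoked.
    Fail-closed rules: entitlements of inactive partners are always revoked,
    explicit revoke decisions are honoured, and entitlements nobody reviewed
    are revoked once they are older than max_age_days."""
    revoked = []
    for ent in entitlements:
        key = (ent.org, ent.user, ent.resource)
        decision = decisions.get(key)
        stale = (today - ent.last_certified).days > max_age_days
        if ent.org not in ACTIVE_PARTNERS or decision is False or (decision is None and stale):
            revoked.append(key)
        elif decision is True:
            ent.last_certified = today
    return revoked


if __name__ == "__main__":
    req = AccessRequest("jdoe", "acme-parts", "engineer", "design-vault")
    print(partner_approve(req, "globex-logistics"))   # False: wrong organization
    print(partner_approve(req, "acme-parts"))         # True
    print(sponsor_authorize(req))                     # True
    ents = [
        Entitlement("jdoe", "acme-parts", "design-vault", date(2024, 1, 10)),
        Entitlement("old", "initech", "supplier-portal", date(2024, 1, 10)),
    ]
    print(run_certification(ents, date(2024, 6, 1),
                            {("acme-parts", "jdoe", "design-vault"): True}))
```

The design choice worth noting is that the sponsor never trusts the partner's approval alone: the partner tier establishes that the requester is legitimately one of theirs, and the sponsor tier independently checks that the relationship is still active and that the requested role is permitted for the resource. In the same spirit, the certification campaign treats silence as revocation rather than as continued approval.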

Identity Reporting and Analysis

A dedicated IAM platform for multi-organizations should include dashboarding, reporting and intelligence gathering of a quality good enough to make rapid sense of identity activity and movement in and outside the sponsor organization. Such tools should also be able to spot anomalies in behavior or policy breaches.

Simplifying proprietary IAM protocols across multiple CSPs

The architecture supporting multi-organization ecosystems is likely to feature multiple cloud providers and SaaS applications. Any platform designed to enable rapid and secure access to and from the sponsor organization must be compatible with native cloud IAM protocols. Ideally these will be hidden from view to users seeking to onboard or log in from outside the organization. The platform should also support ID verification across different third-party Identity Management tools used in different organizations.

Continuous GRC Controls

Any platform should be compliant with relevant legal and industry standard GRC controls such as GDPR, NIST 800-63, German Supply Chain Due Diligence Law (LkSG) and secure authentication methods. Certification should be applied across all parties in the supply chain. The European Commission’s Digital Operational Resilience Act and APRA’s CPS 234 both bring additional focus on the risks associated with the modern supply chain.

Scalability

Any multi-organization IAM platform must be scalable and able to absorb growth by the organization and a rapid increase, change or disruption in the supply chain.

Secure Access and Collaboration

For identities to work across different organizations and for workflows to be completed as intended, secure access must be combined with fast and reliable integration with collaboration tools and dependent architectures.

Collaborative workflows and projects are an integral and important part of modern business infrastructures. The advantages are speed, flexibility, reduced costs, and improved productivity. The rise of multi-organization networks has meant that collaboration has spread across many different companies, third party users and organizations that make up modern supply chains. Managing access to collaborative platforms and keeping workflows secure is a major challenge, especially in highly regulated industries. This would include financial services, healthcare, government agencies and defense contractors, among others.

To ensure that collaboration works across users on multiple applications, a centralized approach to managing access is required. Any Multi-Organization IAM platform should provide an overview of user orchestration, allowing different user experiences to be maintained while unifying access processes from third party software platforms, in line with GRC policies and security policies.

For the end users, wherever they may sit in the multi-organization ecosystem, an easy to navigate portal is recommended to lessen access friction to an application running outside of their own organization. All IAM process and authentication should take place behind the portal enabling the user to sign on to applications and resources. End users should enjoy a seamless entry to the sponsor organization – whether they be employees, third parties or customers. Ideally, Single Sign On (SSO) should be made available across all parts of the infrastructure and, in addition, multi factor authentication (MFA) techniques deployed to secure the log on. This could be a mobile phone or other token device that verifies the identity of the user.

For those organizations wishing to allow cross platform use of productivity and collaboration tools such as MS Office or Teams, all workflow processes must be conducted in line with security and compliance policies of the sponsor organization. These should be applied via the IAM platform in use. Further integrations with other applications such as storage apps should be enabled using modern APIs, allowing easy and low code developments to be added.

For administrators and line managers the presence of a well-designed UX and capable dashboard is essential to keep tabs on collaboration, the types of applications being used and when new apps may be added. Managers should be able to administer team members’ access to on-premises and cloud applications and centrally define and administer security policy for all users.

By centralizing and unifying access control for collaborative users and relevant software, organizations can reduce costs and time for suppliers and partners who do not have to set up free standing IAM platforms which may not meet security standards. As organizational collaboration develops into industry communities, the ability for partners to share credentials and IAM tools will benefit both business and economies across the world.

Exostar Access: One

Exostar is a US-headquartered, global software company that enables secure and compliant multi-enterprise collaboration by providing IAM platforms to organizations that work extensively with third parties and operate complex supply chains. Many of its customers are in highly regulated industries such as Banking, Financial Services, Insurance, Energy, Telecoms, Defense, Life Sciences and Healthcare. As part of The Exostar Platform, Exostar Access: One is designed to provide secure IAM services to employees, partners and consumers in multi-organization set ups.

Exostar Access: One offers a user-friendly interface. The intuitive dashboard provides administrators with a clear overview of user accounts, access requests, and permissions, making it easy to navigate and perform necessary administrative functions. It is a vital element of The Exostar Platform.

The software fulfills many of the capabilities and demands outlined earlier in this KuppingerCole Whitepaper. It meets and extends demands for onboarding of third-party identities by also offering social registration and progressive profiling, which is suited to customer identities. The software also supports end-to-end identity lifecycle management, from user onboarding to the equally important task of offboarding. Administrators will find the tools they need to provision user accounts, define roles and permissions, and manage user identities from across multiple organizations. Significantly, Access: One scans identities to see what roles and what access they have – this is a major part of controlling third party access in multi-organization operating environments.

Different types of access control are supported including traditional role-based access control (RBAC), but also, more significantly, attribute-based access control (ABAC). ABAC and other fine-grained access controls allow improved security and governance compared to RBAC alone. This flexibility enables host organizations to tailor access policies to specific contextual needs and the business model, ensuring that users only have access to the resources they need. This is an important step towards implementing Least Privilege across multi-organization infrastructures. Context-based authentication extends to persona-based access and services for step-up access, and to workflow responsibilities such as transaction signing.
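As an added worked example of the point above (RBAC alone versus ABAC with step-up and transaction signing), the following Python is not code from the whitepaper or from Exostar; the roles, attribute names, organizations and the specific step-up and signing rules are constructed. It shows why a role by itself over-grants in a multi-organization setting: every engineer from every partner would read every design. Layering organization scope, data classification and authentication context on top of the role narrows the decision towards least privilege.

```python
"""RBAC alone versus ABAC for a resource shared across organizations.
Added illustrative example, not code from the whitepaper or from Exostar;
roles, attribute names, organizations and the step-up rule are constructed."""

# Constructed role model: what each role may do, regardless of who owns the data.
ROLE_PERMISSIONS = {
    "engineer": {"read_design", "upload_design"},
    "auditor": {"read_design", "read_audit_log"},
}


def rbac_allow(role: str, action: str) -> bool:
    """Plain RBAC: the role is the only input. Any engineer from any partner
    could read any design, which is more than least privilege permits."""
    return action in ROLE_PERMISSIONS.get(role, set())


def abac_decide(subject: dict, action: str, resource: dict, context: dict):
    """ABAC on top of the role: organization scope, data classification and
    authentication context narrow the decision. Returns (allowed, reason)."""
    if not rbac_allow(subject["role"], action):
        return False, "role lacks permission"
    # Organization boundary: partners only reach resources explicitly shared with them.
    in_scope = (subject["org"] == resource["owner_org"]
                or subject["org"] in resource["shared_with"])
    if not in_scope:
        return False, "organization not in sharing scope"
    # Restricted data requires a verified identity and a step-up (MFA) authentication.
    if resource["classification"] == "restricted":
        if not subject.get("identity_verified"):
            return False, "identity verification required"
        if not context.get("mfa"):
            return False, "step-up authentication required"
    # Changes made from outside the owning organization must be transaction-signed.
    if action == "upload_design" and subject["org"] != resource["owner_org"]:
        if not context.get("transaction_signed"):
            return False, "transaction signing required"
    return True, "allowed"


if __name__ == "__main__":
    design = {"owner_org": "sponsor-corp", "classification": "restricted",
              "shared_with": {"acme-parts"}}
    partner_eng = {"org": "acme-parts", "role": "engineer", "identity_verified": True}
    print(rbac_allow("engineer", "read_design"))                        # True: RBAC alone
    print(abac_decide(partner_eng, "read_design", design, {"mfa": False}))
    print(abac_decide(partner_eng, "read_design", design, {"mfa": True}))
```

The reasons returned on denial are what a portal would turn into a step-up prompt or a signing request rather than a flat error, which is how context-based authentication is surfaced to the end user without weakening the policy.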

The software integrates multi-factor authentication (MFA) capabilities, enhancing the security of user authentication processes. By supporting additional authentication factors such as one-time passwords (OTPs), biometrics, and smart cards, Access: One reduces the risk of unauthorized access and strengthens overall system security. It also supports FIDO2 and passwordless access, including the use of Passkeys for secure access for employees, partners, and customers.

There is also Single Sign-On (SSO) support, enabling users to access multiple applications and systems with a single set of credentials throughout the supported third-party ecosystem and sponsor organization. The software also facilitates federation, allowing users to authenticate and access resources across different domains or organizations, fostering better collaboration and secure access to shared resources.

Exostar Access: One incorporates compliance and audit features that help organizations meet regulatory requirements and internal policies. The software generates detailed audit logs, tracking user activities, access attempts, and system events directly from the administrator dashboard. These logs can be used for compliance reporting, monitoring user behavior, and detecting any suspicious activities. Governance capabilities include multi-tier access approval (incl. delegated approvals coupled with a final sponsor authorization) and access certification, both scheduled and pro-active, e.g., on an employee changing role or department.

The self-service portal within Exostar Access: One empowers users well. They can manage their own profiles, reset passwords, and request access rights. This reduces the administrative burden on IT teams and enhances user productivity by enabling users to perform basic account management tasks independently.

The software provides APIs and developer tools, facilitating integration, data exchange, and automation of third-party identity management processes and integration of IAM functionalities into their existing systems, applications, and infrastructure.

Overall, Exostar Access: One is a comprehensive IAM solution that provides organizations with robust identity and access management capabilities to manage third party identities. With its user-friendly interface, secure access controls, MFA support, compliance features, and integration options, the software enables organizations to efficiently manage user identities, control access to resources, and collaborate securely. Exostar’s expertise and customer support should further enhance the value of Access: One as a reliable IAM solution.

Recommendations

Dedicated software can undoubtedly help with multi-organization IAM and supply chain governance but not in isolation. Managers must be prepared to make changes to IT and identity governance policies to support software choices.

Whether consumer, B2B or throughout the supply chain, business leaders should take a people centric approach to IAM which provides end-users with flexibility and choice while also delivering stringent security controls.

Implement federation between the centralized IdP and the individual organizations’ identity systems via federation protocols such as SAML (Security Assertion Markup Language) or OpenID Connect, which can be used to establish trust and enable single sign-on (SSO) across multiple organizations.
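An added example of the trust establishment this recommendation describes, on the OpenID Connect side: the sponsor accepting an ID token issued by a partner organization's IdP. This is not code from the whitepaper or from Exostar. The issuer registry, organization names, client id and secrets are constructed, and HS256 with a shared secret is used only so the example runs offline; a real federation pins the partner IdP's published signing keys (RS256/ES256 via its JWKS endpoint) instead. The checks shown (pinned algorithm, issuer allowlist, signature, audience, expiry) are the ones that make cross-organization SSO safe, and the organization is derived from the trust registry rather than from any claim the partner controls.

```python
"""Accepting an OpenID Connect ID token from a partner organization's IdP.
Added illustrative example, not code from the whitepaper or from Exostar.
Issuers, organizations, client id and secrets are constructed. HS256 with a
shared secret is used only to keep the example self-contained; production
federation verifies against the partner IdP's published public keys."""
import base64
import hashlib
import hmac
import json
import time

# Constructed trust registry: each trusted partner issuer, the key used to
# verify its tokens, and the one organization it is allowed to vouch for.
TRUSTED_ISSUERS = {
    "https://idp.acme-parts.example": {"org": "acme-parts", "secret": b"acme-shared-secret"},
    "https://idp.globex.example": {"org": "globex-logistics", "secret": b"globex-shared-secret"},
}
SPONSOR_CLIENT_ID = "sponsor-portal"   # the audience every accepted token must name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Partner-IdP side: build an HS256-signed JWT (used here to create input)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_id_token(token: str, now=None) -> dict:
    """Sponsor side: return the federated identity or raise ValueError.
    The organization comes from the trust registry, never from a claim the
    partner controls, so one partner cannot assert identities of another."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never honour 'none' or an unpinned alg
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(p))
    trust = TRUSTED_ISSUERS.get(claims.get("iss"))
    if trust is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(trust["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    aud_ok = aud == SPONSOR_CLIENT_ID or (isinstance(aud, list) and SPONSOR_CLIENT_ID in aud)
    if not aud_ok:
        raise ValueError("audience mismatch")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("expired")
    return {"org": trust["org"],
            "subject": f"{trust['org']}:{claims['sub']}",   # namespaced per organization
            "email": claims.get("email")}


def verification_outcome(token: str, now=None) -> str:
    """For logging and tests: 'ok' or the rejection reason."""
    try:
        verify_id_token(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    now = time.time()
    tok = mint_id_token({"iss": "https://idp.acme-parts.example", "sub": "u123",
                         "aud": SPONSOR_CLIENT_ID, "exp": now + 300}, b"acme-shared-secret")
    print(verify_id_token(tok, now))
    forged = mint_id_token({"iss": "https://idp.acme-parts.example", "sub": "u123",
                            "aud": SPONSOR_CLIENT_ID, "exp": now + 300}, b"globex-shared-secret")
    print(verification_outcome(forged, now))   # bad signature
```

Namespacing the subject by organization (`acme-parts:u123`) matters in a multi-organization IdP: two partners can legitimately issue the same `sub` value, and collapsing them into one account would let one organization's user inherit another's entitlements.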

Use PBAC and RBAC principles to define and manage permissions within each organization.

Assign roles to users or groups based on their responsibilities and grant appropriate access rights. Regularly review and update these roles as organizational needs evolve – including delegated certification.

Establish business policies that govern access between organizations, especially for shared resources or collaborations.

Define rules and restrictions on who can access what information or systems across organizational boundaries, ensuring data privacy and security.

Consider tools like security information and event management (SIEM) systems to centralize log data and enable real-time analysis to enhance IAM.

Leverage automation and orchestration tools to streamline user onboarding, provisioning, and deprovisioning processes. This helps reduce manual errors, enforce consistent policies, and improve operational efficiency.

Related Research

https://www.kuppingercole.com/research/an81216/2022-iam-reference-architecture
https://www.kuppingercole.com/research/an72527/maturity-level-matrix-for-iam
https://www.kuppingercole.com/research/lb81102/six-core-principles-for-selecting-yourmost-suitable-iam-implementation-partner
https://www.kuppingercole.com/research/lc80466/ciam-platforms