Digitally-enabled organizations pride themselves on making it easy for employees around the world to communicate and collaborate with their colleagues as well as the contractors and partners that make up the extended enterprise. This means inviting outsiders inside the perimeter by giving them access to a number of enterprise tools, including communication platforms like Fuze. But this can raise a variety of security challenges for your organization.
At Oktane19, we brought together four panelists to explore this issue:
- Mason Spencer, Application Engineer, CareerBuilder.
- Alex Perlovich, Director of Infrastructure and Networking, Paysafe.
- Michele Buschman, VP Information Services, American Pacific Mortgage (APM).
- Brent Arrington, Services Architect, Okta.
During our time together, we walked through five questions pertaining to their relationship with the extended enterprise and how they have mitigated any challenges that arise.
Here’s a breakdown of what was discussed.
Guest policy: Do you allow for external guests, and if so how do you manage them?
When it comes to guest access, all panelists were aligned: it’s become a requirement of doing business. Unfortunately, the compliance bureaucracy that goes along with granting access can seem unnecessarily high-friction to non-IT personnel. Centralized IAM and self-service features like those provided by Okta help mitigate these concerns: when the process is easy, end users don’t feel the need to skirt around it.
How can external guests tie into our central identity strategy?
When external users are only accessing a single app, it’s easy to manage access manually. But in cases where you have a large number of users with multiple applications, panelists agreed that automation is necessary.
The more that can be managed in a centralized identity management solution, the more you can develop a single source of truth and visibility from which to manage the entire lifecycle process. It’s a difficult place to get to, and it has to be an easy process for both the end user and the admin staff to ensure buy-in. The right solution will vary based on the needs of each company—and finding the right balance between the effort needed to build the solution and the weight of the problem it solves is key.
What kinds of controls do administrators need?
As we addressed this question, Michele led the conversation by stating that there’s a need to automate as much as possible, particularly when dealing with a small IT team. Mason and Alex felt that there’s also a need for more self-service capabilities blended with that automation.
At Fuze, we’re exploring automation through timed expiration of guest accounts and company groups that can be shut down when a contract ends. Another option would be to integrate that automation into the process so that when a new app is spun up, those processes activate automatically.
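The timed expiration described above, as an added example that is not Fuze's or Okta's code: a planner that, given guest accounts and the contracts that sponsor them, decides which accounts to suspend, which group memberships to drop, and which contract groups to close. The data model, the seven-day grace period and the sample records are all assumptions constructed for the example; a guest with several sponsoring contracts keeps the account but loses only the ended contract's group, and a guest whose contract is unknown is treated as unsponsored.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical data model for this example; it is not Fuze's or Okta's own code.
@dataclass
class Contract:
    contract_id: str
    group: str      # company group the contract's guests belong to
    ends_on: date

@dataclass
class Guest:
    login: str
    contract_ids: list   # contracts sponsoring this guest (may be several)
GRACE = timedelta(days=7)  # assumed grace period after a contract ends

def plan_lifecycle_actions(guests, contracts, today):
    """Return (action, target, reason) tuples: 'suspend' a guest account,
    'remove' a guest from one group, or 'close' a whole contract group."""
    by_id = {c.contract_id: c for c in contracts}
    expired = {cid for cid, c in by_id.items() if c.ends_on + GRACE < today}
    actions = []
    for g in guests:
        # An unknown contract id counts as no sponsor, so an orphaned guest is
        # suspended (fail closed) instead of being kept indefinitely.
        sponsors = [c for c in g.contract_ids if c in by_id and c not in expired]
        if not sponsors:
            actions.append(("suspend", g.login, "no active sponsoring contract"))
            continue
        # Still sponsored: only drop membership in groups whose contract ended.
        for cid in g.contract_ids:
            if cid in expired:
                actions.append(("remove", (g.login, by_id[cid].group), f"contract {cid} ended"))
    for cid in sorted(expired):
        actions.append(("close", by_id[cid].group, f"contract {cid} ended"))
    return actions
# Constructed sample data: three contracts and five guests, evaluated on 2019-05-01.
TODAY = date(2019, 5, 1)
CONTRACTS = [
    Contract("C-100", "ext-acme", date(2019, 3, 31)),     # ended, grace period over
    Contract("C-200", "ext-globex", date(2019, 12, 31)),  # active
    Contract("C-300", "ext-initech", date(2019, 4, 28)),  # ended, still within grace
]
GUESTS = [
    Guest("ann@acme.example", ["C-100"]),             # suspend: only contract ended
    Guest("bob@globex.example", ["C-200"]),           # keep
    Guest("cat@globex.example", ["C-200", "C-100"]),  # keep, but leave ext-acme
    Guest("eve@nowhere.example", ["C-999"]),          # suspend: unknown contract
    Guest("fay@initech.example", ["C-300"]),          # keep: within grace period
]
```

Running the planner on a schedule and feeding its output to the provisioning system's deprovisioning hooks is what turns a contract end date into an enforced expiry rather than a manual reminder.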
What are your data retention policies for departed employees and guests?
What the panelists agreed on here is that they don’t yet have the answer for how to retain data effectively. For Alex, it’s a question of consolidating as much as possible. When someone leaves, that data has to stay. To improve its data governance and retention, Paysafe links its applications to other third-party apps like Box.
APM has strong data governance policies that are guided by the industry’s regulatory landscape. But currently, the solutions are very manual. When they started using Fuze, they had to train their users on how to abide by regulatory guidelines, particularly when it came to where they could discuss specific topics around loans. But there are no technical controls in place to enforce this.
In discussing how Okta is looking to approach this issue, Brent described that there are many possibilities for building customized hooks into the provisioning and deprovisioning flows. He expects to see these in future engagements.
How are you approaching lifecycle management? How do you ensure that users are following best practices?
Based on Michele’s experience, ensuring users follow best practices is one of the reasons Okta is such a valuable tool: the Single Sign-On and provisioning products make compliance easy for end users. Bringing apps together into a single source of truth also makes auditing easier, though there are still specialty apps that don’t support SAML 2.0 or integrate with Okta. Despite that, automation takes the responsibility off of end users, and the next important step is bridging the gap for external users as well.
For Alex, Paysafe almost has the opposite problem: a total lack of automated tools. Lifecycle management without automation makes visibility difficult—and they mitigate this by keeping a continuous audit mentality. Getting external guests to buy into that best practice has been a high-friction challenge for his team.
For CareerBuilder, Paysafe, and APM, the answer to improving workforce productivity in the extended enterprise is driving further automation in the lifecycle management of external guests. And what that looks like will vary based on the size of the organization, the complexity of its industry’s regulatory requirements, the number of external guests, and more. The solutions are still being written, but as more companies move into cloud-based architecture, solving these challenges will become a necessity across the board.
If you’re interested in learning more, watch our Secure, Simplified Access for your Extended Enterprise webinar.