How Agile is Your IT Organization When it Comes to Identity and Trust?
Consider this… It is 4.30pm on a Friday afternoon, and you’re on your last conference call of the day before you set off for a family vacation. However, you have just been informed that your company is signing a very strategic contract with a competitor. The deal is highly confidential and teams from both organizations need to immediately start working on the due diligence of the deal – sharing large amounts of business-critical information, internally and with external consultants. These parties will require specific access to SharePoint, SAP, salesforce.com and an easy collaboration platform. It is your job, as Chief Information Officer, to facilitate this virtual team and ensure complete confidentiality. Urgency is a priority; the board sees this as an opportunity to showcase your organization’s agility and high-tech capabilities. Initial results have to be obtained in seven days. There is not a moment to lose!
The question is: will you, or will you not, enjoy your family vacation? It all depends on whether or not your organization is ready to easily and securely stretch identity and trust beyond its borders.
Let’s take a step back from this real-life scenario and look at the dynamics involved and the business challenges the enterprise will face:
- Data access: You need secure access to data from anywhere; data protection, in transit and at rest, both inside and outside the perimeter; protection of Intellectual Property and corporate brand; granular control and highly visible audit trails. However, is remote access to your organization flexible enough to support external access within such a specific scope? Who manages it? And how is your data protected?
- Consumerization of IT: Mobile devices used by the teams range from corporate PCs and smartphones to personal Apple Macs and tablets. How will you ensure that all the devices getting access to your system will comply with security policies?
- Shift to cloud: External parties will require access to salesforce.com, potentially via the cloud, but you need to maintain control. Do your cloud solutions support secure federation standards, allowing you to impose two-factor authentication? Do they have reporting and audit capabilities?
- Enablement: You need to have a secure, user-friendly, collaboration platform in place as soon as possible - the global nature of the workgroup means that a postal or courier service will not suffice. Do you have processes and solutions in place that enable you to take care of just-in-time delivery of two-factor authentication credentials to a number of people who are not part of your organization? Can you instantaneously revoke those credentials again if needed, any time of day or night?
- Compliance: Controls and policies must apply; rules can under no circumstances be broken, not even for the sake of a short-term workaround. All transactions must be recorded in auditable format, and regulations require two-factor authentication and validated identities. But do you have a sufficiently detailed data security policy in place that can be made an integral attachment to the Non-Disclosure Agreement with all parties? Do you have online security, compliance and confidentiality training? How easy is it for you to produce an audit report that lists all related transactions such as authentications, data access, e-mails, ERP queries and salesforce.com queries, for both your own employees and third parties?
- Cost control: What are the predictable costs of this project? Is the cost basis OPEX or CAPEX? Can it be scaled back down after the transaction? Are your requirements covered by suppliers of managed services who charge per use? Or do you now have to go out on the market and buy something and then maintain it yourself?
As you can see, there is much to consider, and with all of these factors in mind, clear due diligence is required before embarking on an identity initiative. Unless this due diligence has been done, there is no way the CIO in our opening scenario will be able to enjoy his vacation!
My next article will cover the role of identity authorization solutions in the evolving enterprise ecosystem, linking to the demands placed on the organization by the consumerization of IT, cloud services and the evolving talents of cybercriminals.
Learn more about Verizon’s Universal Identity Services – recently launched into Europe.