Let's face it: Managing your partners' identities is not a business you want to be in. After all, it is hard enough to keep track of your employee and customer identities to ensure they are valid before logging in to your systems. The challenges increase exponentially when you consider the prospect of trying to validate all of your partners' user IDs before they gain access. People join and leave companies every day, and there is a real danger that user credentials will stay around after the user departs. Security breaches happen every day due to this very problem.
In my last blog, we looked at the special partner IAM issues facing retailers. In this entry, we'll look at the challenges faced by manufacturers in general with a closer look at Cisco.
Manufacturers cannot make and sell products without the close involvement of their suppliers. Today, that involves much sharing of data back and forth. Many manufacturers offer online portals that give their suppliers one location for the information and apps they need to do business with them. All of this is great for the manufacturer and its suppliers, but securing partner access is a tough nut to crack.
Why? For starters, it is difficult bordering on impossible to ensure partner users' credentials are valid. Once partner users are granted access to the system, it can be difficult to ensure those credentials are not shared with others or used once that person leaves the company. This is the stuff of nightmares for large manufacturers, many of which have a large network of suppliers (some of which are themselves large enterprises). The seemingly never-ending task of identity and access management cascades out through the supply network.
Cisco's Move to Streamline Partner Interactions
Let's look at how this used to work at a Ping customer, Cisco, the premier maker of network equipment. Cisco has a portal that its suppliers use to perform a variety of functions, from order management to design to tracking quality information. Because Cisco's suppliers number into the thousands, its security architect Ranjan Jain understandably wanted to avoid the burden of authenticating Cisco's partners' users before they could access the portal.
Cisco decided to start with a handful of major suppliers like GE and change the way in which users are authenticated and managed, in order to improve security, lower IT costs and burden, and improve the overall user experience. Before implementing partner IAM, Cisco carried the entire burden of managing accounts and logins and authenticating users. It had to provide registration for new users, which required creating a separate account with Cisco and also put the burden of password resets on Cisco.
Another challenge with that model, as Jain tells it, was the normal churn of supplier employees coming and going: it was very difficult to keep abreast of it. Another problem: Partner employees sometimes shared credentials, which defeats the purpose of authentication.
Cisco knew there was a better way to manage partner access through a simple concept called federation. The SAML-based (Security Assertion Markup Language) solution will automatically redirect GE users back to a GE login screen to authenticate the identities via GE's existing directory and send a secure token (SAML assertion) back to the Cisco portal once this step is complete. This is a much better way of approaching the problem: The party closest to the users (as GE is to its own employees) does the authentication.
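The redirect-and-token exchange described above, sketched from the portal's side as an added example (not Cisco's, GE's or Ping's code): it builds the SAML AuthnRequest redirect to the partner's login page, then checks the returned assertion's issuer, audience, validity window and InResponseTo. The entity IDs and URLs are constructed placeholders, and XML signature verification and hardened XML parsing are assumed to be done first by a vetted SAML library.

```python
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed placeholder identifiers, not real Cisco or GE endpoints.
SP_ENTITY_ID = "https://portal.sp.example/saml"
IDP_ENTITY_ID = "https://idp.partner.example/saml"
IDP_SSO_URL = "https://idp.partner.example/sso"
TS = "%Y-%m-%dT%H:%M:%SZ"

def build_redirect(now):
    """Portal side: return (request_id, URL) sending the browser to the partner IdP."""
    request_id = "_" + uuid.uuid4().hex
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" '
           f'ID="{request_id}" IssueInstant="{now.strftime(TS)}" '
           f'Destination="{IDP_SSO_URL}"><saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
           '</samlp:AuthnRequest>')
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then URL-encode.
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return request_id, f"{IDP_SSO_URL}?{query}"

def decode_redirect(url):
    """IdP side: recover the AuthnRequest XML from the redirect URL."""
    b64 = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(b64), -15).decode()

def check_assertion(assertion_xml, request_id, now):
    """Portal side: names of failed checks. Run only after signature verification."""
    a = ET.fromstring(assertion_xml)
    when = lambda s: datetime.strptime(s, TS).replace(tzinfo=timezone.utc)
    cond = a.find("saml:Conditions", NS)
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    audiences = [e.text for e in a.iterfind(".//saml:AudienceRestriction/saml:Audience", NS)]
    try:  # missing or malformed validity bounds fail closed
        in_window = when(cond.get("NotBefore")) <= now < when(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        in_window = False
    checks = {
        "issuer": a.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID,  # trusted partner
        "audience": SP_ENTITY_ID in audiences,            # minted for this portal
        "validity-window": in_window,                     # not stale, not early
        "in-response-to": scd is not None and scd.get("InResponseTo") == request_id,
    }
    return [name for name, ok in checks.items() if not ok]
```

The `now` argument must be a timezone-aware UTC datetime; an empty list from `check_assertion` means all four checks passed.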
There are several clear benefits of this system for GE users and for Cisco:
Benefits for GE
Improved Security: GE users sign on with their corporate credentials
User Experience: GE users no longer need to register with Cisco
Productivity: GE users don't have to manage and remember additional IDs and passwords across multiple systems
Benefits for Cisco
Cost reduction: Cisco no longer needs to store GE users
Risk reduction: Cisco no longer has the liability of managing IDs and passwords for external users
Time to value: Onboarding new partners takes less time than ever
It is difficult to imagine going back to a time when suppliers did not collaborate electronically with their manufacturing partners. Without a partner IAM solution, however, interactions are inefficient, costs are mounting, and the risk of credential compromise and breach is high.