Things to Look Out for When Managing B2B and B2C Identities
By Michael Ribaudo, CTO of CyberIAM
While meeting with a few of our customers a common theme comes up around Business to Business (B2B) and Business to Customer (B2C) Azure Guest access. I thought it would be helpful to note down some of these ideas and challenges to facilitate discussion around the topic.
The Azure Guest Access feature allows an Azure Active Directory (AAD) guest user account to be created within the company's Azure tenant for customers and vendors. This is a practical solution for organisations that need to share access to their internal applications with external parties such as third-party vendors or customers.
Traditional Business to Employee (B2E) identity and access governance is best implemented and managed using the traditional Identity Access Governance (IAG) Solutions.
CyberIAM are an end-to-end IAM and PAM services business, working with some of the largest companies in the UK assisting them with the implementation of complex enterprise solutions. We help guide organisations through the software selection process by working closely with the business to understand their requirements and, when required, provide a full managed service when customers do not have the resources or knowledge to manage internally.
In the cloud, organisations provide access to their systems and applications for their customers and vendors using Azure Guest accounts in the following scenarios:
When it comes to guest access for third party (B2B) and customer (B2C) identities, the company risk increases where access is not managed in accordance with the company governance and policy guidelines.
Since the joiner, mover and leaver processes are all carried out manually by admins with Azure's out-of-the-box functionality, AAD guest accounts often put the company at risk because stringent IAG procedures are not followed. For example, if an Azure manager forgets to request removal of unused guest identities, the company may be unaware that its cloud environment is exposed to threats for an extended period.
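As an added example (not from the article or from CyberIAM), the following Python check applies the leaver rule described above to guest records in the shape the Microsoft Graph /users endpoint returns; the field names, the constructed sample records and the 90-day idle and 30-day unredeemed-invitation thresholds are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape Microsoft Graph /users returns (assumed
# fields: userType, externalUserState, createdDateTime, signInActivity). Not real data.
SAMPLE_USERS = [
    {"userPrincipalName": "vendor.one_contoso.com#EXT#@corp.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "Accepted",
     "createdDateTime": "2023-01-10T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2024-05-28T07:15:00Z"}},
    {"userPrincipalName": "vendor.two_contoso.com#EXT#@corp.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "Accepted",
     "createdDateTime": "2022-06-01T09:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2023-11-01T08:00:00Z"}},
    {"userPrincipalName": "customer.three_fabrikam.com#EXT#@corp.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "PendingAcceptance",
     "createdDateTime": "2024-03-01T12:00:00Z", "signInActivity": None},
    {"userPrincipalName": "customer.four_fabrikam.com#EXT#@corp.onmicrosoft.com",
     "userType": "Guest", "externalUserState": "PendingAcceptance",
     "createdDateTime": "2024-05-29T12:00:00Z", "signInActivity": None},
    {"userPrincipalName": "alice@corp.onmicrosoft.com", "userType": "Member",
     "externalUserState": None, "createdDateTime": "2020-01-01T00:00:00Z",
     "signInActivity": {"lastSignInDateTime": "2021-01-01T00:00:00Z"}},
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

def parse_ts(value):
    """Parse a Graph ISO-8601 'Z' timestamp into an aware datetime, or None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def stale_guests(users, now, max_idle_days=90, max_pending_days=30):
    """Return (upn, reason) pairs for guest accounts a leaver review should act on."""
    findings = []
    for u in users:
        if u.get("userType") != "Guest":
            continue  # members fall under the normal B2E governance process
        upn = u["userPrincipalName"]
        created = parse_ts(u.get("createdDateTime"))
        last = parse_ts((u.get("signInActivity") or {}).get("lastSignInDateTime"))
        if u.get("externalUserState") == "PendingAcceptance":
            # Invited but never redeemed: the invitation stays live while nobody uses it
            if created and now - created > timedelta(days=max_pending_days):
                findings.append((upn, "invitation not redeemed"))
            continue
        last_activity = last or created  # a guest who never signed in is judged by age
        if last_activity is None or now - last_activity > timedelta(days=max_idle_days):
            findings.append((upn, f"no sign-in for more than {max_idle_days} days"))
    return findings

def review_sample():
    return stale_guests(SAMPLE_USERS, NOW)
```

Running the same function over a real export of guest users (signInActivity requires the AuditLog.Read.All permission in Graph) gives the leaver review a concrete list to act on rather than relying on an admin remembering to raise a removal request.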
Companies often forget about third-party collaborators they have onboarded. Once these parties have been given an Azure identity, there is generally little guidance as to how they ought to navigate within the cloud. This has the potential to degrade the integrity of the organisation's corporate information security compliance measures while leaving the company vulnerable to information security breaches.
Even though it may be a quick and easy solution to grant users access to Azure through a manual fulfilment process carried out by the Azure admins, organisations still need to ensure they have the automation, governance, policies and procedures in place to manage that access, and that these are enforced by the business.