Doug Simmons brings more than 25 years of experience in IT security, risk management and identity and access management (IAM). He focuses on IT security, risk management and IAM. Doug holds a double major in Computer Science and Business Administration. While leading consulting at Burton Group for 10 years, and security and identity management consulting at Gartner for 5 years, Doug has performed hundreds of engagements for large enterprise clients in multiple vertical industries including financial services, health care, higher education, federal and state government, manufacturing, aerospace, energy, utilities and critical infrastructure.
Digital B2B Requires Updated IAM

Published 30 Nov 2021

Abstract

Over the past 30 years, businesses have been evolving toward managed services for their Information Technology deployment and operations. The terms ‘off-shoring’ and ‘outsourcing’ became synonymous with perceived cost savings, scalability (up and down), and operational expensing (“OpEx”) for corporate tax purposes. Managing these Business-to-Business (B2B) partnerships effectively and securely requires new thinking when it comes to Identity and Access Management (IAM).

This dramatic sea change in how businesses manage their IT infrastructure introduces IAM challenges centered on external people/processes/things needing access to mission critical internal IT systems. Often, managed service providers (MSPs) require highly privileged access rights to deploy, configure, update and monitor IT environments from thousands of miles away. This challenge exists for enterprise IAM enablement of a broad range of vendors – not just MSPs. Network appliance and security vendors, participants in the company’s supply chain, even Human Resources and payroll services often require access to sensitive corporate systems, often from outside the traditional enterprise network security perimeter.

A range of approaches to this conundrum have been adopted over the ensuing 20 years or so, but in reality, no resounding ‘best practices’ for B2B integration have emerged. This report investigates more nascent B2B IAM approaches that may finally lead to the establishment of a solid foundation for B2B integration that enables better information security and less IAM integration friction.


Authors:

Doug Simmons

Principal Consulting Analyst

[email protected]

Gary Rowe

CEO, Principal Consulting Analyst

[email protected]


Contents

ABSTRACT

EXECUTIVE SUMMARY

INTRODUCTION

Defining B2B IAM

SUMMARY OF CURRENT B2B IAM INTEGRATION REQUIREMENTS

A Word About Processes

B2B User Provisioning and Deprovisioning

Access Administration

B2B User Authentication, Including Multi-Factor Authentication (MFA)

B2B User Access Control, Including Privileged Access Management (PAM)

Contextual Awareness and Runtime Access Control

Identity Governance and Administration (IGA)

Billing Questions?

B2B IAM REFERENCE ARCHITECTURE

B2B IAM Use Case Summary

B2B IAM Architectural Principles

Develop B2B IAM Reference Architecture Patterns

3rd Party IT Partners, Suppliers and Autonomous Business Units

Agent Partners

LEADING B2B IAM SOLUTION OVERVIEW

Saviynt

PlainID

Okta

BeyondCorp/Google

SUMMARY/RECOMMENDATIONS

ABOUT TECHVISION

ABOUT THE AUTHORS


Executive Summary

Beginning in the early 2000s, businesses around the globe began a gradual yet consistent migration toward managed services for their Information Technology (IT) deployment and operations. The terms ‘off-shoring’ and ‘outsourcing’ became synonymous with perceived cost savings, scalability (up and down), and operational expensing (“OpEx”) for corporate tax purposes.

In most cases, every one of these business partners requires access to the enterprise’s IT environment in some capacity or other. Managed Service Providers (MSPs) that run the enterprise’s IT infrastructure as a whole – both on premises and in the cloud – typically need a massive array of identities and access privileges to perform their contracted services. Many suppliers need ready access to sales, manufacturing and inventory control systems. Human Capital Management providers require access to the enterprise’s HR environments. The list goes on and on. Putting this in Identity and Access Management (IAM) terms: every individual who works for every single business partner needing access to your systems requires an identity and access privileges to be provisioned appropriately across the related enterprise IT spectrum.

This is not a trivial task to perform correctly and consistently. Such widely dispersed 3rd party access to the enterprise IT environment creates huge opportunities for error, fraud and misuse, not to mention compliance headaches. And many breaches have originated via partner access to various company resources. Traditionally, enterprise IAM environments have been designed to integrate with one or more enterprise HR data environments to automate provisioning and deprovisioning of employees. Contractor management has always been a massive challenge for larger enterprises that rely on significant numbers of contracted workers to run the ship.

Often, there are not adequate linkages between an enterprise’s contract management system, such as SAP or Oracle, and the IAM provisioning environment. This leads to multiple instances of delegated administration interfaces to the IAM system that allow one or more “trusted administrators”, whether that person is a contractor or a bona fide company employee, to administer additional 3rd party identities and access privileges. While this sounds good on paper, the reality is that most larger enterprises have massive B2B relationships that entail tens of thousands of identities to be managed outside the enterprise boundaries. In most cases, these identities are far from static – there is a tremendous amount of churn within the MSP industry, for example. It becomes truly impossible to know “who has access to what” with so much disparity, fluidity, and limited oversight. Addressing this requires some specialized IAM capabilities and processes.

All of this has led our customers to throw up their hands and ask: “what are we supposed to do”? That’s what this report is intended to address. While the problem of managing 3rd party, B2B identities has been long-lived, there are some good practices to understand – and there are emerging solutions from well-known and startup IAM vendors that are genuinely focused on shoring up the B2B IAM conundrum.

A range of approaches to this conundrum have been adopted over the ensuing 20 years or so, but in reality, no resounding ‘best practices’ for B2B integration have emerged. This report investigates more nascent B2B IAM approaches that may finally lead to the establishment of a solid foundation for B2B integration that enables better information security and less IAM integration friction.


Introduction

Today, most larger enterprises rely on 3rd parties for a wide range of services in what are standardly referred to as “B2B relationships”. As defined by Investopedia, “B2B (business-to-business) refers to business that is conducted between companies, rather than between a company and individual consumer. Business-to-business stands in contrast to business-to-consumer (B2C) and business-to-government (B2G) transactions. Business-to-business transactions are common in a typical supply chain, as companies purchase components and products such as other raw materials for use in the manufacturing processes.”

For example, TechVision’s enterprise customers who work in the auto manufacturing industry have extensive B2B relationships with a global range of parts suppliers. Our customers who reside in the retail industry have B2B relationships with manufacturers and wholesalers around the globe. Our customers who work in the energy and utility industry have B2B relationships with numerous private contractors who perform work in the oil and gas fields, manage and maintain power plants, install solar electric solutions for businesses and residences, and many more.

But that’s not all. An additional form of B2B relationship occurs when a business needs the services of another for operational reasons (e.g., a food manufacturer employing an accountancy firm to audit their finances). This type of relationship is of particular importance to most of our customers. For example, we can count on one finger the number of our enterprise customers who do not use an offshore (or onshore) Managed Service Provider (MSP) to deploy, operate and maintain most if not all of their IT infrastructure and operations. MSPs handle the complex, time-consuming or repetitive work involved in the management of IT infrastructure or end-user systems. MSPs typically perform the following tasks:

  • Handle the management of IT infrastructure
  • Offer technical support to staff
  • Add cybersecurity software to IT
  • Manage user access accounts
  • Handle contract management
  • Assist with compliance and risk management
  • Provide payroll services, etc.

A good example of such an MSP is Hindustan Computers Limited (HCL), a multinational information technology (IT) services and consulting company headquartered in Noida, India. HCL provides many of their customers (and ours) with mission critical IT-centric services including:

  • DevSecOps engineering
  • Application development
  • Hybrid cloud management
  • Digital workplace services
  • Network services
  • Cybersecurity services
  • Application support and maintenance for SAP, Oracle, Microsoft environments
  • Backup and recovery
  • Help desk management
  • Patch management
  • Remote access/control
  • And many more…

There are many more MSPs like HCL, including Wipro, TCS, Cognizant, Infosys, Accenture and IBM to name just a few. Taken together, the B2B landscape for most mid-to-large size enterprises is complex, with several large and small services and supply firms comprising the overall “workforce”.

Defining B2B IAM

In most cases, every one of these business partners requires access to the enterprise’s IT environment in some capacity or other. MSPs that run the enterprise’s IT infrastructure as a whole – both on premises and in the cloud – typically need a massive array of identities and access privileges to perform their contracted services. Many suppliers need ready access to sales, manufacturing and inventory control systems. Human Capital Management providers require access to the enterprise’s HR environments. The list goes on and on. Putting this in Identity and Access Management (IAM) terms: every individual working for any of these business partners who needs access to your systems requires an identity and access privileges to be provisioned appropriately across the related enterprise IT spectrum.

This is not a trivial task to perform correctly! Such widely dispersed 3rd party access to the enterprise IT environment creates huge opportunities for error, fraud and misuse, not to mention compliance headaches. Traditionally, enterprise IAM environments have been designed to integrate with one or more enterprise HR data environments to automate provisioning and deprovisioning of employees. Contractor management has always been a massive challenge for larger enterprises that rely on significant numbers of contracted workers to run the ship.

Often, there are no adequate linkages between an enterprise’s contract management system, such as SAP or Oracle, and the IAM provisioning environment. This leads to multiple instances of delegated administration interfaces to the IAM system that allow one or more “trusted administrators”, whether that person is a contractor or a bona fide company employee, to administer additional 3rd party identities and access privileges. While this sounds good on paper, the reality is that most larger enterprises have massive B2B relationships that entail tens of thousands of identities to be managed outside the enterprise boundaries. In most cases, these identities are far from static – there is a tremendous amount of churn within the MSP industry, for example. It becomes truly impossible to know “who has access to what” with so much disparity, fluidity, and limited oversight.

All of this has led our customers to throw up their hands and ask: “what are we supposed to do”? That’s what this report is intended to address. While the problem of managing 3rd party, B2B identities has been long-lived, there are some good practices to understand – and there are emerging solutions from well-known and startup IAM vendors that are genuinely focused on shoring up the B2B IAM conundrum.

Summary of Current B2B IAM Integration Requirements

Before continuing, it is important to understand that this document is NOT an IAM primer. It is expected that the reader has a solid understanding of IAM and deployment good practices in general. For a thorough introduction and level set on IAM, please refer to the TechVision document “IAM Reference Architecture”. On TechVision’s website, the reader will find a large number of IAM-specific research reports to help you build a thorough understanding of IAM and its many uses and permutations.

From a B2B IAM standpoint, there are a number of capabilities that are necessary to investigate. These include the following:

  • B2B user provisioning and deprovisioning
  • B2B user authentication, including Multi-Factor Authentication (MFA)
  • B2B user access control, including Privileged Access Management (PAM)
  • Contextual Awareness During Runtime Access Control
  • Identity Governance and Administration (IGA) that includes B2B identities

In the following sections, we’ll explore each of these and describe how they facilitate B2B IAM.

A Word About Processes

The typical expectation when discussing improved B2B IAM (or any IAM) capabilities is to dive into technology and vendor solutions. All well and good, but first a word about processes. In our research report “Integrated IT Governance Programs for the Digital Enterprise”, we emphasize how IT Governance is absolutely critical to the establishment, management, control and protection of the Digital Enterprise. IT Governance can be particularly challenging in that it is heavily dependent on people; advanced tools can help, but people decide how a business and its information are managed and how decisions are made.

This is particularly important for organizations that include a larger number of contracted workers – again, using MSPs as a prime example. Before embarking on an ambitious B2B IAM project, we strongly encourage our customers to review current contracts and agreements where identity data or access to corporate resources is involved to assess whether IAM requirements are clearly and appropriately addressed. If not, establish a project to implement remedial actions as necessary because embarking on a B2B IAM project that attempts to automate poorly structured business processes will not yield the desired results. In most if not all cases, the B2B IAM project should be spearheaded by a thorough investigation of the processes and procedures currently in place to manage B2B identities. Even if the answer is “there are no processes”, the project can use this as a battle cry to effectively develop them and in turn encompass them in the B2B IAM strategy and architecture.

B2B User Provisioning and Deprovisioning

One of the most pervasive process decisions is centered on B2B user identity lifecycle management. B2B user provisioning and deprovisioning is the Identity Lifecycle Management process of managing 3rd party identities through their lifecycle (i.e., Join, Move, Leave) and relationship with the enterprise. For example:

  1. Join, Move, Leave – events that indicate that a person (or thing) has joined the organization (Join) or changed jobs/functions/roles/locations, etc. (Move) or has left the organization (Leave). If these “events” can be detected on authoritative source systems such as the Contractor Management system or HR (maybe), the events can trigger workflows, notifications, access right changes, entitlement updates, account disablement, and more depending on the rules associated with the IAM provisioning service listening for these events.
  2. Identity Proofing – various forms of required proof that someone is who they say they are that are reviewed and verified before an account can be created/provisioned across the IAM-connected systems and applications.
  3. Profile Management – the ability to manage one’s set of attributes associated with his/her/its digital identity within the scope of the business relationship.
  4. Federated Identity – authentication protocol for applications and other resources, enabling single sign-on (SSO) to applications across multiple internal and external domains. From a B2B IAM integration standpoint, federation can be extremely useful.
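The Join/Move/Leave handling described above, as an added example that is not part of the report: an IAM provisioning service reconciles a snapshot of the authoritative Contractor Management feed against the accounts it holds, derives the lifecycle events, grants birthright access on Join, re-baselines on Move and disables on Leave (including contracts that simply expired). The feed schema, vendor names, roles and entitlement names are constructed for illustration.

```python
"""Added example (not from the report): deriving Join/Move/Leave events for 3rd-party
identities by reconciling an authoritative contractor feed against the IAM account store.
Feed fields, vendors, roles and entitlement names are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ContractorRecord:
    """One row of the authoritative contractor-management feed (constructed schema)."""
    contractor_id: str
    vendor: str
    role: str
    contract_end: date


@dataclass
class Account:
    """The IAM provisioning service's view of the 3rd-party identity."""
    contractor_id: str
    vendor: str
    role: str
    contract_end: date
    enabled: bool = True
    entitlements: Set[str] = field(default_factory=set)


# Birthright entitlements per (vendor, role): granted on Join without an approval workflow.
BIRTHRIGHT: Dict[Tuple[str, str], Set[str]] = {
    ("AcmeMSP", "sysadmin"): {"vpn", "jump-host"},
    ("AcmeMSP", "helpdesk"): {"vpn", "ticketing"},
    ("PartsCo", "supplier"): {"erp-inventory"},
}


def reconcile(feed: List[ContractorRecord], accounts: Dict[str, Account],
              today: date) -> List[Tuple[str, str]]:
    """Derive lifecycle events from the feed, apply them to `accounts` in place and
    return (event, contractor_id) pairs for a workflow engine. A contractor whose
    contract_end has passed counts as absent, so an expired contract is a Leave even
    if nobody deleted the row."""
    events: List[Tuple[str, str]] = []
    active = {r.contractor_id: r for r in feed if r.contract_end >= today}

    for cid, rec in active.items():
        acct = accounts.get(cid)
        birthright = set(BIRTHRIGHT.get((rec.vendor, rec.role), ()))
        if acct is None:
            # Join: create the identity with birthright access only.
            accounts[cid] = Account(cid, rec.vendor, rec.role, rec.contract_end,
                                    entitlements=birthright)
            events.append(("join", cid))
        elif (acct.vendor, acct.role) != (rec.vendor, rec.role):
            # Move: re-baseline to the new role's birthright so privileges do not
            # accumulate across roles; anything beyond it must be re-requested.
            acct.vendor, acct.role, acct.contract_end = rec.vendor, rec.role, rec.contract_end
            acct.entitlements = birthright
            events.append(("move", cid))
        elif not acct.enabled:
            # Returning contractor: re-enable the existing identity instead of
            # creating a duplicate, again with birthright access only.
            acct.enabled, acct.contract_end, acct.entitlements = True, rec.contract_end, birthright
            events.append(("rejoin", cid))
        else:
            acct.contract_end = rec.contract_end

    for cid, acct in accounts.items():
        if cid not in active and acct.enabled:
            # Leave: disable now and strip entitlements; deletion can follow a
            # retention period, but access ends immediately.
            acct.enabled = False
            acct.entitlements.clear()
            events.append(("leave", cid))
    return events


def run_demo() -> Tuple[List[Tuple[str, str]], Dict[str, Account]]:
    """Constructed sample: a new contractor, a role change, an expired contract and a
    contractor silently dropped from the feed (the case manual delegated admin misses)."""
    today = date(2021, 11, 30)
    feed = [
        ContractorRecord("C100", "AcmeMSP", "sysadmin", date(2022, 6, 30)),   # new
        ContractorRecord("C101", "AcmeMSP", "sysadmin", date(2022, 3, 31)),   # was helpdesk
        ContractorRecord("C102", "PartsCo", "supplier", date(2021, 10, 31)),  # expired
    ]
    accounts = {
        "C101": Account("C101", "AcmeMSP", "helpdesk", date(2022, 3, 31),
                        entitlements={"vpn", "ticketing"}),
        "C102": Account("C102", "PartsCo", "supplier", date(2021, 10, 31),
                        entitlements={"erp-inventory"}),
        "C103": Account("C103", "AcmeMSP", "sysadmin", date(2022, 1, 31),
                        entitlements={"vpn", "jump-host", "prod-db-admin"}),  # not in feed
    }
    return reconcile(feed, accounts, today), accounts


if __name__ == "__main__":
    for event, cid in run_demo()[0]:
        print(f"{event:6} {cid}")
```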

Access Administration

Account administration contains the capabilities associated with creating, modifying and deleting/disabling computer/network/application B2B user (or device) accounts.

  1. Delegated Administration – the capability for an administrator to manage a user’s or thing’s profile, request access or, based on policy, approve access. This is performed typically through a version of the Self-Service UI that is tailored to the administrator view. Quite often, this is the principal means of provisioning B2B users. Unfortunately, because this is a manual process, deprovisioning is often ignored, forgotten or significantly delayed.
  2. Access Request and Approval – workflows that facilitate any approval processes that may need to be enacted as part of an access request fulfillment. Access requests may be initiated through a self-service identity registration process, a delegated administrator request or an event trigger listening for changes on an authoritative source system such as the enterprise Contractor Management System (although this level of integration is currently very rare).
  3. Access Provisioning – automates the steps required to set up the required B2B 3rd party user accounts and entitlements and fulfill any required changes on one or more connected systems or applications, such as the enterprise network, Google Suite, Active Directory and so forth.
  4. Birthright Access – the set of entitlements a 3rd party user from a particular supplier can be granted immediately, without requiring workflows and approvals.
  5. Time-bound Access – policy that grants specific access for a specific period of time.
  6. Group Management – the ability to create and manage static and dynamic groups of 3rd party accounts that are associated with runtime access control decisions.
  7. Policy-based Access (PBAC) – using policies, based on a set of rules, to determine B2B user access during runtime.
  8. Self-Service Administration – the capability for a B2B user to manage one’s own profile or request access to specific resources, typically through the Self-Service UI.
  9. RBAC, ABAC – Role Based Access Control (RBAC) associates one or more enterprise roles with a B2B user account, while Attribute Based Access Control (ABAC) associates one or more attributes within the B2B user account’s profile – in both cases this information is used during runtime authorization decisions.

B2B User Authentication, Including Multi-Factor Authentication (MFA)

The B2B IAM provisioning and lifecycle management capabilities typically create user IDs and passwords for each 3rd party end user who will access various parts of your IT environment. Additionally, these processes result in some level of authorization privileges – either “birthright” or enhanced through elevated access requests. From an authentication standpoint, it is advantageous to replace password-based logins with stronger forms such as Multi-Factor Authentication (MFA) or passwordless authentication. Both of these approaches are covered in significant detail in TechVision’s reports “Multi-Factor Authentication (MFA): Enterprise Strategy and Market Assessment” and “Zero Knowledge Authentication & Authorization: Soon the New Normal?”, respectively.

Multi-Factor Authentication is gaining traction as a best practice for enterprise security programs. It is based on the premise that traditional, single factor authentication schemes (like IDs and passwords) are relatively easy to break or share, and as threats escalate, are simply not good enough. Requiring multiple factors from different categories for high risk or high value transactions is the emerging security best practice standard. This is particularly important as the enterprise’s B2B landscape continues to expand and contract, with new contractors showing up and others departing. From a governance and compliance standpoint, it is critical that the enterprise knows who is doing what. In many large-scale MSP relationships, user IDs and passwords are shared or passed on as the revolving door spins. Getting a firm grip on 3rd party authentication is one of the most important elements of the B2B IAM strategy.

MFA is critical in fraud prevention, and identity misuse is one of the most prevalent and harmful forms of fraud in existence today. Over the past few years, significant advancements in the ability to deploy MFA to wide ranging constituencies – from employees, contractors and business partners to customers – have made it much more palatable for enterprises of all sizes and types to consider.

With the advent of mobile device ubiquity and the willingness for end users to deploy apps on these devices, techniques such as ‘mobile push’ have gradually broken down the barriers of cost and complexity to deploy MFA. With that said, it is a good time to consider making MFA a cornerstone of your B2B (as well as enterprise) IAM infrastructure and start saying goodbye to the inherent weaknesses of phishing-vulnerable password-based authentication. As we begin re-architecting our enterprise environments to incorporate elements of Zero Trust, MFA becomes a critical piece of the ZT-puzzle. Many enterprises have begun their journeys toward Zero Trust architectures but have left the B2B door untouched or delayed. In the sense that their MSPs literally have an enormous number of user IDs with myriad access privileges, this is potentially very dangerous and significantly weakens the security posture regardless of how well-managed the employee landscape is.

B2B User Access Control, Including Privileged Access Management (PAM)

As described in detail in the TechVision Report titled “Privileged Access Management: More Necessary Than Ever as Cloud-Shift Intensifies”, most of the high-profile breaches over the past decade or so involved administrative accounts used by systems administrators and administration-centric applications as the ultimate targets for most hackers. Systems administration accounts for Operating Systems like Windows and Linux, network and security devices, cloud platforms, databases such as Oracle and SQL Server, and web servers – as well as those embedded within applications to perform administrative functions in application-to-application communications are the top prize for hackers and thieves. These administrative accounts are privileged accounts, in that they enable the human or system to configure environments and access the data contained therein. Once a hacker has administrative access to a single server or device, the path often opens to move laterally within the infrastructure to hack deeper and deeper within the enterprise – or beyond.

The risk associated with privileged access in a B2B context is even greater in that many administrative and service accounts are shared. To be clear, as we gradually move toward Zero Trust principles across the enterprise, the fact that B2B 3rd party privileged access and the resultant actions taken during this access cannot be traced to a specific individual or application service will no longer be acceptable. Again, think of the large number of remote administrators (often coming in through the revolving door) that an enterprise’s MSP establishes.

To rescue us from 3rd party administrative account hijacking, solutions residing under the banner of Privileged Access Management (PAM) are available. Privileged Access Management is sometimes viewed as a subset of the Identity and Access Management (IAM) market but is often deployed as a separate project or program from IAM-centric provisioning, access management, access governance and authentication services.

Technical approaches to PAM are rapidly evolving, as many PAM vendors are increasingly describing their offerings in terms of Just in Time (JIT) PAM. JIT PAM means that system administrators – whether human or application functions – can be assigned privileges in near real time using their existing, or creating temporary, end-user accounts. JIT PAM limits the duration for which an account possesses elevated privileges and access rights in that the creation and deletion of an appropriate privileged account is assigned only to meet that specific period’s mission objectives. The goal is to eliminate the risk surface associated with having privileged accounts that are “always on”. Privileged access may be granted for just a few minutes or several months, depending on the sensitivity level of the application or the organization’s governance requirements.

With B2B IAM in mind, coupling Multi-factor Authentication (MFA) with JIT PAM processes adds a significant element of trust that the individuals requesting elevated privileged access are who they say they are, and with added contextual information such as device, geo-location, previous requests/approvals and so forth (described next), an organization can better guard against multiple threat vectors. As we have said, with the rapid adoption of more convenient mobile phone-based MFA technologies that include biometrics, PAM solutions are very well integrated with password-less MFA out-of-the-box – providing a more elegant path forward for B2B IAM integration.

Contextual Awareness and Runtime Access Control

With an increasing amount of access from 3rd parties that typically reside way outside the network perimeter, organizations must increase their ability to be contextually aware of the person or device attempting to connect to the infrastructure from the application layer to the network layer. As described in TechVision’s report “Putting Identity Into Context”, contextual awareness pertains to the ability of the identity management system to determine certain characteristics about a user during runtime authentication and authorization and then use this information to both:

  • Measure the risk associated with the device, location, information sensitivity and the like during the authentication and authorization request and
  • Enforce specific policies regarding the type of authentication and identity information required to access the desired resource to better combat fraud.

For instance, if a 3rd party administrator wants to access the employer network, contextual awareness provides more detail about the current circumstances beyond simply identifying the user. Context enables the IAM infrastructure to determine what device is being used and whether it is trusted or managed by the enterprise, what location the user or device is attempting to authenticate from and perhaps what level of sensitivity exists for the IT resource to be accessed. Taken together, this is contextual information that can determine the level of risk involved and can step up the level of authentication strength (e.g., password or MFA) to meet the required level of identity assurance. Such context may also invoke JIT PAM in order to deepen the monitoring and auditability of the 3rd party administrator and his or her activities.
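The runtime decision just described, together with the JIT PAM time-bounding from the previous section, as an added example that is not part of the report: the context of a 3rd party request (managed device, network location, country, resource sensitivity) is scored, the score and the resource decide what authentication strength is required, a weaker presented strength triggers step-up, and a privileged allow is issued only as a grant with an expiry that every later action must be checked against. Signal names, weights, thresholds, permitted countries and TTLs are constructed assumptions.

```python
"""Added example (not from the report): contextual step-up plus time-bound JIT grant.
All weights, thresholds, country lists and TTLs are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Dict, Optional, Tuple


class Assurance(IntEnum):
    """Ordered authentication strength; a higher level satisfies a lower requirement."""
    PASSWORD = 1
    MFA = 2
    MFA_PHISHING_RESISTANT = 3   # e.g. platform authenticator or hardware key


@dataclass(frozen=True)
class Context:
    user: str
    presented: Assurance      # strength of the authentication already completed
    device_managed: bool      # enterprise-managed (trusted) device?
    on_corp_network: bool
    country: str
    resource: str
    sensitivity: int          # 1 (low) .. 4 (administrative plane)
    privileged: bool          # is administrative access being requested?


@dataclass(frozen=True)
class Decision:
    outcome: str              # "allow" | "step_up" | "deny"
    required: Assurance
    risk: int
    jit_expires: Optional[datetime] = None   # set only on privileged allows


# Constructed: countries the partner contracts permit access from. Admin work from
# elsewhere is denied outright; other access from elsewhere is merely scored riskier.
PERMITTED_COUNTRIES = {"US", "IN", "DE"}
# Constructed: lifetime of a JIT privileged grant by resource sensitivity.
JIT_TTL = {4: timedelta(minutes=30), 3: timedelta(hours=4)}


def risk_score(ctx: Context) -> int:
    """Additive risk from the contextual signals named in the text."""
    score = 0
    if not ctx.device_managed:
        score += 2
    if not ctx.on_corp_network:
        score += 1
    if ctx.country not in PERMITTED_COUNTRIES:
        score += 3
    score += ctx.sensitivity - 1
    return score


def required_assurance(ctx: Context, risk: int) -> Assurance:
    """Map resource and risk to the identity assurance the request must meet."""
    if ctx.privileged:
        return Assurance.MFA_PHISHING_RESISTANT
    if risk >= 3 or ctx.sensitivity >= 3:
        return Assurance.MFA
    return Assurance.PASSWORD


def decide(ctx: Context, now: datetime) -> Decision:
    """Allow, step up or deny; a privileged allow carries a JIT expiry."""
    risk = risk_score(ctx)
    required = required_assurance(ctx, risk)
    if ctx.privileged and ctx.country not in PERMITTED_COUNTRIES:
        return Decision("deny", required, risk)   # no step-up can cure an out-of-scope origin
    if ctx.presented < required:
        return Decision("step_up", required, risk)
    expires = now + JIT_TTL.get(ctx.sensitivity, timedelta(hours=8)) if ctx.privileged else None
    return Decision("allow", required, risk, expires)


def grant_active(decision: Decision, at: datetime) -> bool:
    """Gate each privileged action on the grant still being inside its window."""
    return decision.outcome == "allow" and (decision.jit_expires is None or at < decision.jit_expires)


def run_demo() -> Tuple[Dict[str, Decision], datetime]:
    """Constructed requests: an MSP admin with and without phishing-resistant MFA, a
    supplier from an unmanaged device, a supplier on site, and admin work from an
    unpermitted country."""
    now = datetime(2021, 11, 30, 9, 0, tzinfo=timezone.utc)
    requests = {
        "admin_mfa": Context("msp.admin1", Assurance.MFA, True, False, "IN", "prod-db", 4, True),
        "admin_fido": Context("msp.admin1", Assurance.MFA_PHISHING_RESISTANT, True, False, "IN", "prod-db", 4, True),
        "supplier_unmanaged": Context("partsco.buyer", Assurance.PASSWORD, False, False, "DE", "erp-inventory", 2, False),
        "supplier_onsite": Context("partsco.buyer", Assurance.PASSWORD, True, True, "US", "portal", 1, False),
        "admin_offscope": Context("msp.admin2", Assurance.MFA_PHISHING_RESISTANT, True, False, "XX", "prod-db", 4, True),
    }
    return {name: decide(ctx, now) for name, ctx in requests.items()}, now


if __name__ == "__main__":
    for name, d in run_demo()[0].items():
        print(f"{name:20} {d.outcome:8} required={d.required.name} risk={d.risk} expires={d.jit_expires}")
```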

Identity Governance and Administration (IGA)

To be able to perform the requisite level of contextual awareness during runtime authorization, security systems must be able to access the data that supports the actual context. This means that the runtime authentication/authorization components must be able to reference “what good looks like” from a contextual 3rd party IAM standpoint. The user, device, thing, system attributes, which may include roles, must be managed securely and temporally for B2B identities.

In the TechVision Research report titled “Designing and Implementing an Effective Enterprise Identity Governance and Administration Program”, we go into significant detail regarding how to successfully implement IGA. IGA combines entitlement discovery, decision-making processes, access review and certification with identity lifecycle and role management. IGA operates in the intersection of business process management and access automation, allowing people and systems to communicate with each other, fulfilling day-to-day operational needs. It focuses on the process and operational components of Identity and Access Management. Over the past several years, many of our customers have delayed implementing IGA for 3rd party B2B identities. Unless the IGA program has B2B integration clearly in its sights, this leaves the door open for myriad segregation of duties (SoD) violations and related compliance issues.

Fortunately, there are existing and emerging IGA approaches to enveloping the B2B / 3rd party / MSP within the enterprise identity governance and attestation processes, which we will describe later in this document.

Billing Questions?

Pragmatism often hurts. While it may be relatively straightforward to whiteboard what a technical and even a procedural B2B IAM might look like for your organization, the challenge of “who is going to pay for this?” cannot be ignored. For example, how should the enterprise license B2B IAM services such as MFA, PAM and IGA? These are typically costly investments for large enterprises just for addressing their employee base. There is no “right answer”, but the pendulum does appear to be swinging toward a mutual costing model that is shared by the enterprise and their larger B2B partners, such as their MSP(s).

In other words, when negotiating or re-negotiating the enterprise contract with their chosen MSP, it is the proper time to address who will pay for what B2B IAM security services. It is recommended that your enterprise has already developed its B2B IAM strategy, architecture and, if possible, vendor(s) selection. With this information in hand, negotiations can be much more factually based regarding the costs associated with extending “core” enterprise IAM capabilities to the B2B partner landscape. A contract between an enterprise and an MSP to “run the IT” means there is an implicit “duty to protect” agreement. The MSP has a fiduciary responsibility to protect its customers’ information assets exactly as they would if they were “running IT” themselves.

B2B IAM Reference Architecture

It is always tempting to jump right into ‘solutioning’. But, as Lewis Carroll’s Cheshire Cat said to Alice, “If you don’t know where you’re going, any road will get you there.” Taking this axiom to heart, we recommend documenting B2B IAM use cases and requirements first.

B2B IAM Use Case Summary

As we have been explaining, most large enterprises that leverage MSP, vendor and partner relationships have four principal types of business-to-business (B2B) scenarios that are to be addressed in the B2B IAM Reference Architecture. These are:

  1. B2B with global IT partners, such as HCL, TCS, Accenture, PWC, etc., who operate remotely but within the enterprise network to provide various ongoing functions such as managed services, consulting services and multiple other operational support functions.
  2. B2B with a broad range of suppliers or distributors, who require consistent access to enterprise systems (e.g., Enterprise Resource Planning / ERP modules) such as inventory control, production scheduling or similar dynamic resources.
  3. B2B across autonomous business units, which allows employees and contractors within each global business unit to log in (authentication) and have appropriate access to (authorization) systems and applications in other business units.
  4. B2B with customer-focused partners, who are classified as vendors that do work on behalf of the enterprise. Such business partners may include enterprise product installers, integration contractors and so on. This group of users might be considered “agent partners” of the enterprise.

Moving to a robust B2B integration environment hinges on establishing a comprehensive IAM strategy, coupled with MFA and PAM deployment. And it means establishing a robust and secure IGA environment that can properly support data-driven contextual awareness.

In TechVision Research’s report titled “IAM Reference Architecture”, we describe the master template that identifies the IAM capabilities (rather than technologies) that can be improved or enabled, allowing business stakeholders and technical architects to achieve a common language for IAM functions. However, before jumping into architecture, we first establish some key architectural principles for B2B IAM.

B2B IAM Architectural Principles

Let’s focus on the major architectural principles enterprises should be considering as they develop their B2B IAM programs. B2B IAM strategies typically require several of these important features:

  • Providing secured, centralized, and automated management of 3rd party identities for administrative, service and application accounts, as well as enforcement of authentication and authorization policies.
  • Controlling and auditing access to shared accounts.
  • Providing capabilities to govern and manage administrative access, whether systems and applications are on-premises or in-cloud.
  • Maintaining a comprehensive view of 3rd party accounts and their usage in the IT environment through dashboards and reporting.
  • Integrating with enterprise IAM and IGA systems to foster a comprehensive understanding of exactly who (or what) has access to what.
  • Integrating with existing IT service management (ITSM) and Contract Management systems and change management workflows for tighter control of administrative access.

With these principles as a backdrop, let’s view the TechVision IAM Reference Architecture with our B2B glasses on. The TechVision Research Reference Architecture for IAM is the starting point: a master template, shown in Figure 1 below, identifies the IAM capabilities (rather than technologies) that can be improved or enabled, allowing business stakeholders and technical architects to achieve a common language for IAM functions, whether enterprise, CIAM or B2B focused, which can then be refined over time.

It is important that your B2B IAM program fits within this overarching architectural context. This high-level template starts the journey:


Figure 1: IAM/MFA Master Template

The capabilities illustrated above are described at the highest level as:

Interact – how end-users and application developers interact with the IAM platform. In the case of B2B IAM, this will involve a variety of diverse people and technology interactions.

Access – the rules that define the roles, rights, and obligations of any 3rd party actor wishing to access enterprise or connected external assets.

Change – the capability to define and manage the relationships between the 3rd party user/ application developer and the enterprise assets.

Manage – the capabilities required to manage and upgrade the B2B IAM solution itself.

Measure – the capabilities required to audit and improve B2B IAM activities.

Store – the capabilities required to share 3rd party identity information and relationships between the components of the IAM solution.

The next level of the architecture outlines the functional capabilities that are the foundation for a best-in-class B2B IAM Reference Architecture. Each category is broken up into multiple capabilities at a level of greater detail. For example, interfaces can be for applications / developers (APIs, messaging services), Lines of Business, self-service or even robotic processes. This applies to each category and, based on stakeholder input, use cases and priorities can be further developed into Reference Architecture patterns or templates for specific services.

As ultimately implemented, different enterprises use different B2B IAM capabilities in different ways to meet different protection needs. And they do so differently for different content and business functions because of the different risks and potential consequences associated with failures and costs associated with protection. One size does not fit all.

Once the required business capabilities are identified, the next layer of the TechVision Research Reference Architecture for B2B IAM allows us to explore each of the specific technology or process elements comprising each capability in the form of a combined portfolio architecture. This is illustrated in Figure 2, below.


Figure 2: Combined Portfolio Architecture

In the template below, we’ve illustrated the IAM capabilities required for a typical organization’s B2B IAM, removing all other IAM capabilities that do not directly support the B2B IAM service. Note that this representation includes a typical ‘user story’ in the form of “As an external Network Appliance Administrator, I want to…”. User stories help keep the focus on the capabilities necessary to support them, and we highly recommend that you work through your key user stories.

Figure 3: Typical B2B IAM Capabilities Map

Note that this is intended to give you a sense of how to apply the reference architecture to B2B IAM-specific capabilities and of typical relative timing. In our example, we have determined that the IAM-related capabilities necessary to support the B2B environment for a large organization can be color-coded as follows:

  • Rose – requires significant investment over the next year. This typical organization does not currently support these IAM capabilities. An example is JIT PAM (Just in Time access), which is very often a key capability required for B2B access to sensitive IT resources.
  • Orange – requires investment over the next year. The organization either does not currently support these B2B IAM capabilities or may require additional investment and deployment in order to achieve a requisite level of functionality. For example, most organizations currently support some form of MFA, but additional investments will generally be required.
  • Grey – indicates capabilities that the organization’s B2B IAM program has in place in some capacity, although some augmentation may be required to improve functionality and ubiquity to fully meet the organization’s requirements. An example here is Federation/SSO, which may be relatively mature in many organizations but could be enhanced over the next few years.

Please recognize that your Capabilities Map is likely going to be different from the one shown in Figure 3. The important point is to start with the complete list of capability building blocks as shown in Figure 2 and pare that down to represent what B2B IAM requires, color-coding to show where you will likely need additional investment or attention. TechVision can, via dialogues or full consulting engagements, work through this process with your team.

The B2B IAM capabilities are used as input to the development of the Reference Architecture pattern illustrated and described in the next section.

Develop B2B IAM Reference Architecture Patterns

As we described above, B2B IAM looks to provide an additional layer of security in support of administrative and other high-risk access. The policies maintained in the B2B access control service dynamically evaluate the risk of a given operation based on a variety of environmental and risk factors and filter access if risk exceeds a defined threshold. This extends from the internal network to external connections. As the example B2B IAM Reference Architecture pattern illustrates below, the intent is to draw ‘what good looks like’ for your organization. This pattern should be indicative of what you want. It is completely vendor-agnostic in this instantiation so that you have the vision ready to query multiple vendors about how they can support this pattern via Request for Proposal (RFP) or Request for Information (RFI).
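As an added example (not code from any vendor in this report), here is a small Python policy decision point that applies the approach this paragraph describes: partner lifecycle and JIT-grant rules are enforced outright, and contextual factors (MFA, source network, time of day, privilege) feed a risk score that is denied at or above a threshold. The partner names, addresses, weights and threshold are constructed placeholders.

```python
"""Constructed policy decision point (PDP) for 3rd-party (B2B) access requests.
Added example, not any vendor's code: hard partner-lifecycle rules run first,
then a contextual risk score is compared with a deny threshold."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import ipaddress

RISK_THRESHOLD = 50                 # assumed: deny once the score reaches this
BUSINESS_HOURS_UTC = range(7, 19)   # assumed working window for partner staff


@dataclass
class Partner:
    """Lifecycle record for one partner organisation."""
    name: str
    status: str          # "active" or "suspended"
    networks: list       # CIDR ranges the partner declared as its egress
    users: set           # user identities associated with this partner


@dataclass
class JitGrant:
    """Time-bound privileged grant issued by the PAM service (JIT PAM)."""
    user: str
    resource: str
    expires_at: datetime


@dataclass
class AccessRequest:
    user: str
    partner: str
    resource: str
    privileged: bool
    mfa_verified: bool
    source_ip: str
    at: datetime


@dataclass
class Decision:
    allowed: bool
    score: int
    reasons: list = field(default_factory=list)


def _in_declared_network(ip: str, networks: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)

def _has_active_grant(req: AccessRequest, grants: list) -> bool:
    return any(g.user == req.user and g.resource == req.resource
               and g.expires_at > req.at for g in grants)

def decide(req: AccessRequest, partners: dict, grants: list,
           threshold: int = RISK_THRESHOLD) -> Decision:
    """Lifecycle rules block outright; context adds risk checked against the threshold."""
    partner = partners.get(req.partner)
    if partner is None or partner.status != "active":
        return Decision(False, 0, ["partner not active"])
    if req.user not in partner.users:
        return Decision(False, 0, ["user not associated with partner"])
    if req.privileged and not _has_active_grant(req, grants):
        return Decision(False, 0, ["no active JIT grant for privileged access"])

    score, reasons = 0, []          # weights below are assumed for the example
    if not req.mfa_verified:
        score += 40
        reasons.append("no MFA")
    if not _in_declared_network(req.source_ip, partner.networks):
        score += 30
        reasons.append("source outside declared partner network")
    if req.at.hour not in BUSINESS_HOURS_UTC:
        score += 15
        reasons.append("outside business hours")
    if req.privileged:
        score += 10
        reasons.append("privileged operation")
    return Decision(score < threshold, score, reasons)


# Constructed sample data (organisation names and addresses are placeholders).
NOW = datetime(2021, 11, 30, 10, 0, tzinfo=timezone.utc)
PARTNERS = {
    "example-msp": Partner("example-msp", "active", ["203.0.113.0/24"],
                           {"alice@example-msp.test"}),
    "old-vendor": Partner("old-vendor", "suspended", ["198.51.100.0/24"],
                          {"bob@old-vendor.test"}),
}
GRANTS = [JitGrant("alice@example-msp.test", "fw-core-01", NOW + timedelta(hours=2))]


def sample_request(**overrides) -> AccessRequest:
    """Baseline: associated MSP user, MFA done, declared network, office hours."""
    fields = dict(user="alice@example-msp.test", partner="example-msp",
                  resource="fw-core-01", privileged=False, mfa_verified=True,
                  source_ip="203.0.113.10", at=NOW)
    fields.update(overrides)
    return AccessRequest(**fields)
```

The returned Decision carries the score and the reasons, which is what an auditor or SIEM rule needs to see alongside the allow/deny outcome.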

3rd Party IT Partners, Suppliers and Autonomous Business Units

B2B use cases aligned with #1, 2 and 3 in the previous section have distinct similarities in that they are centered on longer-term, ongoing interactions with a “relatively” static group of people who utilize corporate IT systems and applications, and possibly access corporate buildings/facilities on a regular basis to perform their work. For these B2B use cases, the following B2B IAM Reference Architecture integration pattern is illustrated:

Figure 4: The Enterprise IAM Master Template with Azure B2B Tenant

Because many larger enterprises (and almost all our customers) have Microsoft Windows, Active Directory, Azure Active Directory and many O365 SaaS services, our example shows how a Microsoft Azure-centric enterprise might consider enabling their B2B IAM environment on the Azure foundation. The pattern illustrated above, therefore, is essentially a replica of the Enterprise Master IAM (EIAM) Pattern, with the additional deployment of an Azure AD B2B Tenant. For a view of this pattern that removes some extraneous EIAM components – only focusing on the B2B use cases 1, 2 and 3, please see the following figure.

Figure 5: Sample Corporate B2B Integration Pattern 3rd Party Partners, Suppliers and Autonomous Business Units

In our example above, the Azure B2B Tenant is a Microsoft B2B feature within External Identities that lets corporate administrators invite “guest users” to collaborate with the organization. With B2B collaboration, the enterprise can securely share applications and services with guest users from other organizations (e.g., HCL, WiPro, PwC, etc.), while maintaining control over its own corporate data. An invitation and redemption process lets partners use their own credentials to access corporate resources. Additionally, corporate developers can use Azure AD B2B APIs to customize the invitation process or write applications like self-service sign-up portals.

With Azure AD B2B, the partner uses their own identity management solution, so there is no external administrative overhead for corporate. Some of the key benefits of this approach include the following:

  1. The partner uses their own identities and credentials; Azure AD is not required on their end.
  2. The enterprise will not need to manage external partners accounts or passwords.
  3. The enterprise will not need to sync accounts or manage account lifecycles associated with external partners.

In summary, this is B2B IAM federation. These benefits provide the enterprise with lower administrative costs, generally more accurate information (updated by those closest to any changes), reduced risk because the enterprise does not maintain external credentials that could be compromised, and increased flexibility. From an authorization standpoint, corporate IT can use standard Azure AD entitlement management to configure policies that manage access for external users. These can include conditional access policies that require MFA:

  1. At the tenant level.
  2. At the application level.
  3. For specific guest users to protect corporate apps and data.

Using this pattern, B2B IAM will be able to delegate guest user management to application owners so that they can add guest users directly to any application they want to share, whether it is a Microsoft application or not.

Agent Partners

The use cases for agent partners, as described in #4 previously, are treated differently in that there is no assumption or provision made for agent vendors to have their own IT infrastructure from which to federate. These types of agent partners are typically “Mom and Pop shops” with fewer employees, minimal IT infrastructure, often less IT savvy, seasonal relationships, and so forth. For these types of scenarios, the enterprise B2B IAM program should consider deploying an IAM front-end that closely mirrors its strategy for customers (CIAM). The IAM integration pattern below illustrates the Reference Architecture for agent vendors:

Figure 6: Sample B2B Integration Pattern for Agent Vendors

This pattern is similar to the CIAM Reference Architecture pattern presented in the TechVision report titled “Customers Demand More: Developing a Reference Architecture for CIAM” in that it relies on an SAP/Gigya Customer Data Cloud (CDC) as the identity provider (IdP). Agent partners would be able to register for an account using the CDC account request service via SAP/Gigya’s CIAM for B2B, the offering from SAP CDC for businesses to manage their relationship with other businesses in a transparent way. It supports fine-grained authorization policies coupled with user authentication and identity lifecycle management.

SAP’s CIAM for B2B offers:

  • Onboarding of agent partners to all digital properties through a governance process that will enable the business to be in compliance across all connected applications.
  • End-to-end agent partner lifecycle management.
  • Centralized Policy Based Access Control (PBAC) solution with a governance process to secure applications and resources.
  • Self-service delegation of the agent partner organization and agent partner user management with identity, user profile and preference management.

The CIAM for B2B solution described above leverages the IAM capabilities of the SAP Customer Data Cloud, such as authentication and profile update flows, an extensible user database and some pre-built integrations with downstream applications. It adds B2B-centric functional capabilities that fit into the categories of agent partner management, policy-based access management and member management. Specific capabilities that fit within each of these categories supporting CIAM for B2B are described below:

Agent Partner Management

  • Agent partner organization management – The ability to create, edit, update or delete agent partner organizations directly or support self-service or provisioned partners (for example, from the corporate CRM/sales automation system).
  • Self-registration and provisioning onboarding – Supporting the self-registration of new agent partners that then follow a configurable approval process before being activated.
  • Agent partner admin and user onboarding – corporate LOB admins can create and manage agent partner admins as well as agent partner users.
  • Agent partner admins may initiate invitational flows for other agent partner administrators and agent partner users (subject to corporate policy).
  • Delegated administration for agent partner administrators may include user provisioning, activation, role assignment, password reset and revocation.

Policy-Based Access Management

  • The ability to manage coarse-grained and fine-grained access to assets such as applications, site pages, and user actions.
  • Dynamic attribute-based authorization decision-making.
  • Full policy life cycle management.
  • Run-time authorization.

Member Management

  • Pre-built flows for inviting new and existing users to access the specific corporate IT assets.
  • Assign members to organizations, departments and roles for coarse and fine-grained access management.
  • Easy access management for quick onboarding and offboarding of employees and third-party agent vendor users.
  • Use the existing corporate-configured Customer Data Cloud access points in all agent partner access management scenarios.

In the next section, we’ll explore some additional IAM vendors’ solutions (beyond Microsoft and SAP/Gigya) that are explicitly centered on B2B IAM integration.

Leading B2B IAM Solution Overview

There are many different capabilities that comprise a viable B2B IAM strategy and architecture. In this section, we describe a small subset of the vendors who provide strong solutions for many of those capabilities, such as IAM lifecycle management, PAM, IGA and more. In addition to the vendors covered here (and Microsoft and SAP covered in the previous section), vendors such as ForgeRock, Micro Focus and Ping Identity also have solid solutions addressing several B2B IAM use cases. There are also complementary solutions such as those offered by Radiant Logic that provide the “glue” supplying real-time data for partner access decisions. We’ll now describe the offerings in the IAM partner space from Saviynt, PlainID, Okta and BeyondCorp/Google.

Saviynt

Saviynt, based in El Segundo, CA is a leading player in the Identity Governance and Administration (IGA) space. From a historical perspective, it bears mentioning that Saviynt is a re-branded version of early IGA innovator Vaau, which was acquired by Sun Microsystems in 2007 – which was itself acquired by Oracle in 2009. The long-standing pedigree in the IGA space enabled Saviynt to gain leadership status in the IGA market, competing directly with SailPoint.

Regarding B2B IAM, Saviynt has been embarking on a cloud-first strategy to offer effective identity lifecycle management, PAM and IGA for cloud applications and services, whether SaaS or IaaS. In early September 2021, Saviynt released their Enterprise Identity Cloud (EIC), which brings together identity governance (IGA) along with third party access governance (TPAG), application access governance (AAG), data access governance (DAG), cloud security and privileged access management (PAM).

The admirable rationale behind the EIC platform is to help its customers “protect the complete business ecosystem, provide a frictionless user experience, and enable governance of the entire identity lifecycle.” It also manages both regular and privileged access for human and machine identities to business-critical applications, unifies controls and risk management for applications, data, and third-party access across the hybrid IT organization.

As an example, Figure 7 below illustrates a summarization of their EIC solution.


Figure 7: Saviynt Enterprise Identity Cloud


What’s interesting about Saviynt’s cloud-native platform is that it converges IGA and vendor access management (VAM) in a single platform that is intended to streamline onboarding, automate compliance activities, and document governance. Saviynt is positioning EIC to address the following common B2B IAM requirements:

  • Support B2B invitation to help streamline vendor onboarding
  • Expand risk-based identity and access governance controls to include 3rd parties
  • Assign sponsors/owners for 3rd party identities and access rights
  • Establish B2B-oriented identity lifecycle management that leverages authoritative sources of identity data
  • Provide risk-based data access governance controls that extend to external file-sharing with 3rd parties
  • Simplify compliance with Saviynt’s Control Exchange module
  • View risk more holistically across internal and external 3rd party knowledge workers
  • Support fine-grained entitlement visibility of 3rd party identities

By extending Saviynt’s IGA platform with its Cloud PAM solution to incorporate 3rd party identities, its customers can better mitigate risks associated with privileged access in the cloud. Rather than creating additional user accounts for privileged access that need to be monitored, Saviynt’s EIC solution enables administrators to assign timebound permissions to business partner/3rd party identities and then provides alerts to help remediate risks.

Additionally, EIC provides JIT access to managed privileged sessions of the Azure console, Privileged Identity Manager (PIM), Azure workloads, tenant administration of Microsoft 365 applications, and other Azure services. Saviynt’s Cloud Security Analyzer solution protects data security and privacy by using automated tools to enforce the principle of least privilege access controls for users within Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) cloud ecosystems.

As an example, Saviynt’s Identity Governance and Administration-as-a-Service (IGAaaS) platform offers organizations using Microsoft Azure a more integrated approach to identity governance and administration (IGA) when managing access to hybrid IT and managing/securing control over data and activities within Azure. Features include analytics, data access governance, SOD management, real-time threat detection, and compliance controls to secure critical Microsoft Azure assets.

Bearing this in mind, Saviynt’s Cloud PAM solution was the first to converge traditional PAM with IGA for certain business-critical hybrid-cloud enterprise applications, such as Enterprise Resource Planning (ERP) systems like SAP/HANA, Oracle, Workday, Cerner and Epic, and Customer Relationship Management (CRM) systems like SalesForce, SAP Business Suite and Oracle eBusiness Suite. TechVision views this level of 3rd party identity integration between identity lifecycle management, PAM and IGA as a significant capability in terms of providing enterprises with a much more comprehensive view of ‘who has access to what’ – and why.

PlainID

PlainID is a Tel Aviv, Israel-based cybersecurity company providing a business-policy based authorization platform. Founded in 2014 by a team of security technologists, the company has built a suite of Authorization-as-a-Service solutions for enterprises and engineering teams who require more intelligent solutions to support their cloud initiatives, service mesh implementations and data access governance requirements. PlainID currently has over $21M in funding, employs approximately 150 people and has a rapidly growing presence in North America.

The company has been a leading proponent of Policy-Based Access Control (PBAC), consisting of PlainID’s Policy Manager and the Entitlement & Role Manager along with ongoing development of additional PBAC modules. Their objective is to help their enterprise customers modernize their technology stack with more intelligent access control – including fine-grained and coarse-grained decisions, provided by robust policy-based runtime abilities.

The intention of PlainID’s Policy-Based Access Control is to take the best of ABAC and RBAC so that enterprises can support both roles and attributes. What is most appealing to many customers is the ability to code authorization policies in a plain language that is not reliant on XACML. PBAC enables the use of a Graphical User Interface (GUI) for writing complex policies that can be further edited and implemented without the need for extensive IT knowledge.

Most recently, PlainID released a new PBAC module called Partner Manager, which they recently reviewed with TechVision. This is very significant in the context of this report in that it is solely based on improving access management for 3rd party, B2B end users. Their high-level B2B access management model is illustrated below.

Figure 8: PlainID’s B2B Access Management Model


PlainID’s B2B Access Management module enables several key features that we have identified as important in 3rd party user identity management, such as:

  • Partner identity lifecycle management
    • Onboard / suspend / remove a partner
    • Limit number of users per partner
    • Associate users with one or more partners
    • Consolidated management
    • Workflows and notifications
    • Customize look & feel
    • Audit trail and analytics
  • Delegated identity management
    • Invite and onboard new users
    • Manage users’ access to services and apps
    • Update users’ attributes
    • Suspend users
    • Remove users
  • Partner Access Management
    • Central access role management
    • Automated access roles distribution
    • Automated birthright access roles assignment

Figure 9: PlainID’s Partner Manager Integration Model

As illustrated above, PlainID’s Partner Manager supports direct integration with a broad range of identity providers (IdPs), including Microsoft AD/Azure AD, Ping Identity, Okta and more. Through its Partner Portal interface, which is API-integrated with the IdP for authentication (AuthN) and with the as-a-service Partner Manager for authorization, 3rd party (partner) delegated administrators can manage their own users. 3rd party users can also be managed by internal IT administrators, all according to Partner Manager’s policy decision point (PDP). Note that PlainID also supports what it calls an “indirect integration model” that uses Webhook integration in place of APIs where necessary.

PlainID has established strategic relationships with a number of partners, including SailPoint and Okta. For example, Policy Manager connects to SailPoint’s identity information store using its built-in SCIM interface. Policy Manager also uses SailPoint’s identity context, which includes identity attributes, roles and entitlements, to make real-time access decisions. Policy Manager’s virtual directory capability can enrich the information it gets from SailPoint with real-time conditions, such as time of access, IP address, risk score and more. Similar levels of integration are supported between PlainID and Okta.

Some of the advanced features that are now available in PlainID’s solution that may also be of interest include:

  • PlainID’s Policy Decision Point (PDP) is designed to operate within the Kubernetes framework
  • PlainID’s Authorization Provider is available also as a sidecar for microservices access enforcement
  • Built in support of SCIM protocols for both identities and asset Policy Information Points (PIP)
  • Updated Admin reporting with advanced filtering based on date, time, users and action
  • Support for CyberArk password vault


While PlainID is a relatively small vendor, it has strong technical chops and is gaining traction in a number of industries, including FinTech and Healthcare. Their particular focus on the B2B IAM integration challenge is worth noting. As such, PlainID may be a good fit for many mid-to-large enterprises that need to improve their B2B IAM security posture with a set of tools that are geared specifically for that purpose.

Okta

Founded in 2009 by a team of former Salesforce executives, Okta is a cloud-based identity and access management platform built on Amazon/AWS. Okta was one of the first IAM solutions built ‘in the cloud’ from the ground up, rather than a cloud-instantiated on-premises solution suite. Their solution has gained a good deal of traction with enterprise customers over the past five years, as more and more companies look to migrate much of their IT infrastructure – including IAM and B2B IAM, to the cloud. Okta’s Active Directory synchronization tool provides the primary mechanism for integrating on-premises identity information with Okta’s Universal Directory (cloud directory). The integration between customers’ AD infrastructure and Okta provides SSO to the enterprise applications ‘front-ended’ by Okta, including a broad range of SaaS applications like Workday, SalesForce, etc.

Additionally, Okta’s Advanced Server Access (ASA) module provides access management to help secure its customers’ multi-cloud infrastructure. Via the Okta Identity Cloud, its customers can manage privileged access to on-premises Windows and Linux servers as well as IaaS vendors including Amazon Web Services, Google Cloud Platform, and Microsoft Azure. This solution enables the centralization of privileged access controls to better mitigate the risk of credential theft, reuse, sprawl, and abandoned administrative accounts. Advanced Server Access utilizes an ephemeral client certificate architecture that replaces static keys.

Figure 10: Okta’s Advanced Server Access

As shown in Figure 10 above, ASA is geared toward administrator (human user) and service account (service user) integration and supports SSH and RDP integration with Windows and Linux servers – whether on premises or in the cloud. The solution further offers:

  • Okta as the single source of truth for local server user and group accounts.
  • Automated provisioning & deprovisioning of local accounts.
  • Single Sign-On for SSH & RDP workflows.
  • Command filtering through the ability to inject contextual access controls in line with server authorization.
  • Monitoring and auditing of all privileged logins, providing a record of who accessed what server from which device and when – exposed via Dashboard or exported to a SIEM.

By leveraging the Okta Identity Cloud for B2B IAM support, Okta ASA creates a single, unified management system that brings all of a company’s servers alongside its applications under a single, secure umbrella of identity-based authorization and management.

Okta ASA also simplifies the increasingly complex compliance requirements. As a SaaS, Okta ASA provides simple internal processes for tracking and managing SysAdmin user accounts and credentials, controlling command-level sudo privileges, as well as capturing server audit logs—all common requirements for compliance standards such as SOC2, PCI-DSS, and FedRAMP. For organizations that are running or planning to run their IAM environment on the Okta cloud, ASA offers B2B IAM-centric capabilities that may make it easier to securely integrate 3rd parties who need controlled, granular access to enterprise IT assets.

BeyondCorp/Google

BeyondCorp is a Zero Trust (ZT) policy-based management framework originally created by Google that shifts access controls from the perimeter to individual devices and users, thereby aligning with the ZT model and password-less authentication. BeyondCorp Enterprise enables real-time authentication and authorization of users, devices and resources to allow employees to work securely from any location without the need for a traditional VPN. This level of extensibility is particularly appealing to organizations that have an extensive partner network (e.g., B2B).

The high-level architecture view of BeyondCorp Enterprise is illustrated below.

Figure 11: BeyondCorp Enterprise Architecture

BeyondCorp Enterprise is built on the backbone of Google Cloud Platform’s extensive, global network and infrastructure that includes integrated DDoS protection, low-latency connectivity, and elastic scaling.

Enterprise administrators can configure policies based on user identity, device health, and other contextual factors to enforce granular access controls to applications, virtual machines, and Google APIs. This includes the ability to implement strong authentication (MFA) and granular authorization policies to ensure users have access to the resources they need, whether operating from inside the network or across partner networks.

BeyondCorp Enterprise is available as a Google Cloud Platform (GCP) service that includes the Identity Aware Proxy (IAP). IAP uses identity to protect access to applications deployed on GCP. Administrators create policies to determine which user or group identities should have access to GCP-hosted applications. Working in conjunction with BeyondCorp’s Resource Inventory Service is a Policy Information Point that can provide an enumeration of all the resources (applications, services, and network environments) that are subject to access control.

BeyondCorp works in concert with Google Authenticator as a means for enabling a ZT/password-less service. Google Authenticator is a software token that implements a two-step verification service using a Time-Based One Time Password algorithm (TOTP) and a HMAC-based One-Time Password algorithm (HOTP), for authenticating users of mobile applications by Google.

BeyondCorp Enterprise places heavy reliance on Google Chrome. For example, BeyondCorp Enterprise recently introduced a new feature called protected profiles that provides secure access to corporate resources from unmanaged devices via Chrome – without the need for a VPN or a local agent. For a GCP-centric organization looking to improve its B2B IAM posture, BeyondCorp Enterprise may be a very good fit. Where workloads are split among multiple cloud providers, such as Microsoft Azure and Amazon Web Services, a more ‘general purpose’ offering may be better. Like most things, it depends on your enterprise environment, risk posture, partner network, cost appetite, compliance requirements and so forth.

Summary/Recommendations

To quote our TechVision colleague and security legend Fred Cohen, “There is no ‘best practice’ in cyber security – or B2B IAM; there are reasonable and prudent practices. And what is reasonable and prudent is not a fixed generic answer. It is highly contextual and depends on a diligent effort to find and do your duty to protect.” There are many reasonable and prudent approaches to B2B IAM, and we have identified but a few. However, it is of utmost importance for you to understand the potential gravity of a poorly operating or non-existent B2B IAM environment and the risk associated with it.

In many, if not most, cases your 3rd party business partners are amongst your biggest risks. No denigration of any of your partners and their people here: the simple observation is that many of the people who perform IT functions within your enterprise are not your people. And even if they were your people, you should not trust anyone or anything without verification. This is a core premise of Zero Trust and is especially true of your partners. Given that these 3rd party actors have only a limited vested interest in your company’s success, doesn’t it make sense to focus attention on how these people are identified, authenticated, authorized and monitored? We think it does, certainly.

In that light, we have seen that adopting and enabling a more formalized B2B IAM strategy is becoming not only widely accepted by enterprise customers, but the stated direction for a wide variety of IAM, cloud and security vendors. We strongly urge our customers to begin an investigation of their B2B IAM environment that places the appropriate level of focus on these key functional capabilities:

  • 3rd Party User Lifecycle Management
  • B2B User Authentication and Authorization
  • Privileged Access Management (PAM) for 3rd Party Administrators
  • Contextual Awareness During Runtime Access Control for B2B Access
  • 3rd Party User Identity Governance and Administration (IGA)

Understand that by making these capabilities central to your B2B IAM strategy, you reduce the risk of overlooking critical IT system misuse, abuse or error until it is too late.

About TechVision

World-class research requires world-class consulting analysts and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have access to content. We know major technology initiatives involve many different skillsets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real-world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective.

TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the “hype” from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors in areas such as product and strategy reviews and assessments, requirement analysis, target market assessment, technology trend analysis, go-to-market plan assessment, and gap analysis.

TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.

About the Authors

Doug Simmons brings more than 25 years of experience in IT security, risk management and identity and access management (IAM). He focuses on IT security, risk management and IAM. Doug holds a double major in Computer Science and Business Administration.

While leading consulting at Burton Group for 10 years and security and identity management consulting at Gartner for 5 years, Doug has performed hundreds of engagements for large enterprise clients in multiple vertical industries including financial services, health care, higher education, federal and state government, manufacturing, aerospace, energy, utilities and critical infrastructure.

Gary Rowe is a seasoned technology analyst, consultant, advisor, executive and entrepreneur. Mr. Rowe helped architect, build and sell two companies and has been at the forefront of the standardization and business application of core infrastructure technologies over the past 35 years. Core areas of focus include identity and access management, blockchain, Internet of Things, cloud computing, security/risk management, privacy, innovation, AI, new IT/business models and organizational strategies.

He was President of Burton Group, the leading technology infrastructure research and consulting firm, from 1999 to 2010. Mr. Rowe grew Burton to over $30 million in revenue on a self-funded basis, sold Burton to Gartner in 2010 and supported the acquisition as Burton President at Gartner.
