Managing Azure Guest Identities
Things to Look Out for When Managing B2B and B2C Identities
By Michael Ribaudo, CTO of CyberIAM
While meeting with a few of our customers a common theme comes up around Business to Business (B2B) and Business to Customer (B2C) Azure Guest access. I thought it would be helpful to note down some of these ideas and challenges to facilitate discussion around the topic.
The Azure Guest Access feature allows for an Azure Active Directory (AAD) guest user account to be created within the company’s Azure Tenant Instance for customers and vendors. This is a practical solution for organisations that need to share access to their internal applications with external parties such as these third-party vendors or customers.
Traditional Business to Employee (B2E) identity and access governance is best implemented and managed with an established Identity Access Governance (IAG) solution.
CyberIAM are an end-to-end IAM and PAM services business, working with some of the largest companies in the UK assisting them with the implementation of complex enterprise solutions. We help guide organisations through the software selection process by working closely with the business to understand their requirements and, when required, provide a full managed service when customers do not have the resources or knowledge to manage internally.
Managing B2B and B2C Guest Accounts
In the cloud, organisations provide access to their systems and applications for their customers and vendors using Azure Guest accounts in the following scenarios:
Business to Business (B2B):
As with employees, companies can give Azure guest access to external suppliers, third party vendors, consultants and partners who need access to the network and applications.
We have seen this process take weeks before a consultant is given the critical access to the network, applications, calendars, emails, files and projects that is fundamental to their service delivery. This delayed onboarding of consulting resources comes at a high cost to the business.
Azure guest access means that consultants don’t need to be given company laptops, but can continue using their own organisation’s computers and be up and running within minutes. The Azure guest access feature bypasses lengthy procurement processes and provides identity access via the user’s own devices.
Business to Customer (B2C):
In the online world, identities need to be created and managed for consumer access to company applications. For example:
a) Customer access to online banking portals
b) Customer logins to e-commerce websites
c) Customer zones or portal access for internet service providers (ISPs)
d) And other back-end applications where customers require continual access to company systems
When it comes to guest access for third party (B2B) and customer (B2C) identities, the company risk increases where access is not managed in accordance with the company governance and policy guidelines.
The Challenge of Managing Azure Guest Accounts
Since the joiner, mover and leaver processes are all carried out manually by admins with Azure out-of-the-box functionality, AAD guest users often put the company at risk because stringent IAG procedures are not followed. For example, if an Azure manager forgets to request removal of unused guest identities, the company may be unaware that its cloud environment is exposed to threats for an extended period.
Companies often forget about third party collaborators that they have onboarded. Once these parties have been given an Azure identity, there is generally little guidance as to how they ought to navigate within the cloud. This has the potential to degrade the integrity of the organisation’s corporate information security compliance measures while leaving the company vulnerable to information security breaches.
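The forgotten and unused guest identities described above can be made visible with a scheduled report. The following PowerShell is an added example, not part of the original article or of any CyberIAM tooling; it assumes the Microsoft Graph PowerShell SDK, a caller holding the User.Read.All and AuditLog.Read.All permissions, and a hypothetical output path for the CSV.

```powershell
# Added example: report Azure AD guest accounts whose invitation was never
# accepted or that have not signed in for a configurable number of days.
# Assumes the Microsoft.Graph SDK and User.Read.All + AuditLog.Read.All.
# Report only: nothing is removed, the output feeds the leaver review.
param(
    [int]$StaleDays = 90,
    [string]$ReportPath = ".\stale-guests.csv"   # hypothetical output path
)

Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$StaleDays)

# signInActivity is only returned when explicitly selected via -Property
$guests = Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property "id,displayName,mail,externalUserState,createdDateTime,signInActivity"

$findings = foreach ($g in $guests) {
    $lastSignIn = $g.SignInActivity.LastSignInDateTime
    $reason = $null

    if ($g.ExternalUserState -eq 'PendingAcceptance' -and $g.CreatedDateTime -lt $cutoff) {
        # Invitation sent but never redeemed: a standing account nobody uses
        $reason = 'Invitation never accepted'
    } elseif (-not $lastSignIn -and $g.CreatedDateTime -lt $cutoff) {
        # Redeemed at some point but no sign-in is on record
        $reason = 'No sign-in recorded'
    } elseif ($lastSignIn -and $lastSignIn -lt $cutoff) {
        $days = [int]($now - $lastSignIn).TotalDays
        $reason = "Last sign-in $days days ago"
    }

    if ($reason) {
        [pscustomobject]@{
            DisplayName = $g.DisplayName
            Mail        = $g.Mail
            State       = $g.ExternalUserState
            Created     = $g.CreatedDateTime
            LastSignIn  = $lastSignIn
            Reason      = $reason
        }
    }
}

$findings | Sort-Object Created | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Output "$(@($findings).Count) of $(@($guests).Count) guest accounts flagged; report written to $ReportPath"
```

Run it on a schedule and route the CSV to the business owners of the guest accounts so that the leaver step is triggered by evidence rather than by someone remembering to raise a request.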
Even though it may be a quick and easy solution to grant users access to Azure through a manual fulfilment process using the Azure admins, organisations still need to ensure they have the automation, governance, policies and procedures in place to manage that access, and that these are enforced by the business.