The Thorny Issue of Consultant Access

[Tina Bird <tbird () imhotep cerner com>]

Hi all --
Amongst my more mundane duties, I'm working with a couple of groups
within my organization to help develop policy and procedures to 
handle consultant access to our corporate network, as well as access
by Cerner associates >and< consultants to our client locations for
troubleshooting and support.

It's a discouraging mire, to say the least -- to try to balance the
security principles of accountability and least privilege with the
management challenge of the ever-changing population of people who
require access to sensitive systems and information.  We're working with
a couple of home-grown systems, as well as looking at the applicability
of TACACS+/RADIUS and their relatives.

But I'd be grateful for feedback from other people struggling with this
issue.  Does your company permit access into its corporate resources?
How about outbound access into your client base?  What sort of authentication
tools do you use, and how do you manage them?

I'm trying to get a sense for what "best practice" is in this area,
and what other large, customer-service oriented organizations are doing.

Thanks for any feedback.  If people are more comfortable replying to me
privately, I'll summarize for the list.

Cheers -- Tina Bird
Internet Services Manager
Cerner Corporation