
Taking control of third-party access management


Third parties have become a staple of corporate life: contractors, temporary workers, consultants and the like. Organizations typically manage their employees through the HR department’s purpose-built HCMS (human capital management system), and those employees are in turn managed within the directory service. Third parties, however, are a whole other category of worker that companies tend to treat and manage differently.

In fact, 54% of organizations in a Ponemon Institute report on third-party remote access said they lack a comprehensive inventory of the third parties that have access to their network. Furthermore, 65% of respondents said their organizations don’t know which third parties have access to their most sensitive data. This can’t continue. Organizations need to take control of all entities that have access, including third parties.

Lack of third-party management creates risk  

In addition, the report referenced above found that 51% of organizations have experienced a data breach caused by a third party. The problem isn’t necessarily that third parties are inherently insecure; it’s that managing the non-employee identities that need internal access is a different practice from managing the identities of employees who need it.

Third-party management is not a disciplined process in many organizations. Access is often provided on an ad-hoc basis. One department might notify the HR team that it is bringing a new contractor on board, but the process is managed in a distributed fashion. And once the contractor has completed the job, no one owns the task of notifying HR or IT that the contractor has left so their access and accounts can be removed. Even when someone does, manually removing that access and deprovisioning the third party can take days, if not weeks.

It’s hard for the HR department, as well as IT and security teams, to know what’s going on with third parties if there is no dedicated, centralized system of record. For instance, what if a contractor is being extended? How long is that extension? Did the contract end earlier than planned, and no one was notified? These knowledge gaps can cause security issues down the road, as standing access that is no longer used or monitored is an easy target for attackers.
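The knowledge gaps described above become detectable as soon as the business keeps even a simple register of engagements and someone reconciles it against the directory. As an added example (not from the article and not Omada's product), this Python script flags enabled accounts whose engagement, including any recorded extension, has ended, accounts with no engagement record at all, and accounts whose access has gone unused; the register, the account data and the 90-day dormancy threshold are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not from the article). ENGAGEMENTS stands in for the
# business's contractor register; DIRECTORY_ACCOUNTS for what the directory holds.
ENGAGEMENTS = {
    "c.lee":   {"sponsor": "finance", "end": date(2024, 3, 31), "extended_to": date(2024, 6, 30)},
    "a.patel": {"sponsor": "it-ops",  "end": date(2024, 1, 15), "extended_to": None},
    "m.ortiz": {"sponsor": "legal",   "end": date(2024, 9, 30), "extended_to": None},
}
DIRECTORY_ACCOUNTS = [
    {"user": "c.lee",   "enabled": True,  "last_logon": date(2024, 5, 2)},
    {"user": "a.patel", "enabled": True,  "last_logon": date(2023, 12, 20)},
    {"user": "m.ortiz", "enabled": True,  "last_logon": date(2024, 1, 20)},
    {"user": "j.doe",   "enabled": True,  "last_logon": date(2024, 4, 28)},
    {"user": "k.wong",  "enabled": False, "last_logon": date(2023, 11, 1)},
]
REPORT_DATE = date(2024, 5, 6)  # the day the check is run (constructed)

def effective_end(engagement):
    """Contract end date, honouring a recorded extension if there is one."""
    return engagement["extended_to"] or engagement["end"]

def reconcile(accounts, engagements, today, dormant_after=timedelta(days=90)):
    """Compare enabled directory accounts against the engagement register and
    return (user, finding, detail) tuples for access that should be reviewed."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deprovisioned, nothing to review
        eng = engagements.get(acct["user"])
        if eng is None:
            # Account exists but nobody owns it in the register: the inventory gap
            findings.append((acct["user"], "NO_ENGAGEMENT_RECORD", None))
        elif effective_end(eng) < today:
            # Contract (including any extension) has ended but access is still standing
            findings.append((acct["user"], "ACCESS_PAST_CONTRACT_END",
                             (today - effective_end(eng)).days))
        elif today - acct["last_logon"] > dormant_after:
            # Valid engagement, but unused access: candidate for revocation
            findings.append((acct["user"], "DORMANT_ACCESS",
                             (today - acct["last_logon"]).days))
    return findings

def run_report():
    return reconcile(DIRECTORY_ACCOUNTS, ENGAGEMENTS, REPORT_DATE)

if __name__ == "__main__":
    for user, finding, detail in run_report():
        print(f"{user:10} {finding:25} {'' if detail is None else f'{detail} days'}")
```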

Why the obvious fix doesn’t fix things 

An enterprise’s HR system is typically intended for and supports full-time employees, who get added to the directory service. Things like network and application access, and employment status fall within that purview. But in most cases, contractors and other third parties don’t get added to these systems for a variety of reasons.  

It seems like the obvious fix would be to include third parties in the HCMS. But there have been a variety of lawsuits involving this very concept. Once a non-employee is added to the internal HR system, it calls into question their employment status—that is, can they still legally be deemed independent contractors? Or are they employees and therefore entitled to benefits typically reserved for full-time employees?

The benefits of identity governance and access 

To make sure third parties have the appropriate access to the systems and applications they need to do their jobs, enterprises need strong identity governance and access (IGA). Their access also must last only for the period required. This concept is foundational to implementing a least privilege access model, in which users have only the minimum level of access required to do their jobs, for only the right period of time. This typically means fewer users and accounts with broad or elevated access rights, which dramatically reduces the risk of incidents stemming from lateral movement and ransomware.

By using a comprehensive IGA solution, organizations can streamline the identity lifecycle processes for third parties, including automating onboarding, offboarding, work extensions, and departmental changes. IGA manages access to resources across a hybrid IT environment and improves audit and compliance reporting to ensure continuous risk overview.

Involving stakeholders and knowing what to look for  

It’s not just a matter of securing third parties – deploying a centralized IGA solution will help secure and manage all identities. But making the case for this is a challenge for a variety of reasons. 

It is vital to win the hearts and minds of key leadership from the beginning of the IGA process. IGA deployments that are defined by business units – with executive support – are more successful than those driven by IT only.  

Since security is so often seen as a cost center, it can be difficult to make the business case for IGA. There’s also the matter of total cost of ownership (TCO). Leaders need to ask software vendors what the whole cost will be, both in the short and long terms. Time to value is another consideration, as IGA must function quickly, both to demonstrate its security worth and prevent it from being mired in endless set-up. Ideally, an IGA solution should deliver value in under 12 weeks.  

Configurability and scalability are crucial during the evaluation process for IGA options. While previous implementations focused on customization, today’s priorities are configuration and process alignment to best practices. As a bonus, this perspective will significantly lower TCO. 

Classification of data types is also key. This capability improves management of and reporting on systems that hold sensitive data or data covered by GDPR, which only subsets of third parties should need. Data classification features make general management and oversight of data assets better and allow for fact-based decision-making and conclusions. Look for the ability to easily reset passwords without contacting a help desk and to synchronize passwords across all connected applications so users must only remember one password.

Minimizing risk 

Enterprises have come to rely on third parties to help them fill in the gaps and provide specific kinds of services. Yet their presence within the network can be a security risk if not efficiently managed. Many organizations have been haphazard with provisioning and deprovisioning access to internal resources, but IGA provides easier and smoother processes to smartly automate some of this work. IGA offers enterprises the ability to consistently manage access in an automated way for all third parties across their tenure. Such a system helps reduce both internal and external threats to the network and its assets.

Rod Simmons, vice president of product strategy, Omada

As vice president of product strategy at Omada, Rod Simmons provides vision for where the IGA market is going and how Omada retains a leadership position.