Closing the Gap: How to strategize third-party identity risk management
Over the past decade, organizations have made significant increases in the number and diversity of third-party, or non-employee, populations in their workforce. From partners and vendors to contingent laborers and even non-human technologies such as bots, third parties have demonstrated that they can boost competitiveness and strengthen operations. Unfortunately, while organizations understand the clear benefits, many do not have the proper resources in place to manage the challenges and risks often associated with non-employee access.
Understanding the opportunities and challenges
Enterprises of all scales and sizes have the unprecedented opportunity to innovate, grow faster, improve profitability, and ultimately create greater customer value by utilizing a variety of resources outside of their traditional employee base. Oftentimes, these resources are available on demand, have unique or underrepresented skill sets, and do not require the same long-term monetary investment as full-time employees.
Most organizations, however, have no way to centrally track and manage their relationships with non-employees or the risk that is created by providing these users with access to facilities, systems, and data. Attempts to solve the problem by customizing existing HR or IAM systems or developing proprietary systems are often unsuccessful. While these systems may address some of the operational challenges, they do not help mitigate the risk of this user population.
Identifying third-party identity risk exposure
In most organizations, the day-to-day challenges of provisioning access outweigh the efforts of managing the risk exposure associated with third-party identities. When organizations do focus their efforts on third-party identity risk, they often have trouble assessing their level of maturity.
To gain clarity on how to identify and manage third-party user identities, start with these questions:
● How many vendors do you have?
● How many third-party users do you have?
● How much does it cost to provision access and manage the lifecycle of third-party access?
● How do we evaluate the risk associated with each third-party identity?
This information can be difficult to collect as it is not typically centralized, and the knowledge may be distributed across multiple teams. However, this exercise is a fundamental step for organizations in order to understand the breadth of their third-party identity risk exposure. Once an organization has good, repeatable processes and systems in place around each of these steps, they will be better positioned to make well-informed, risk-based decisions about third-party access.
A continuous process; verification and auditing non-employees
With no authoritative source for non-employees, organizations struggle to verify their third-party user accounts, risk cannot be assessed at the individual identity level, and there is no way to accurately audit these users and their accounts for compliance purposes. This creates massive exposure as overprovisioned users are not detected, access adjustments are typically only incremental and not decremental, and timely terminations do not exist, creating untold numbers of orphaned accounts. A hacker’s paradise.
A comprehensive third-party identity risk solution can create order and control by increasing efficiency, eliminating over-provisioning and untimely de-provisioning, automating audits, and ultimately reducing risk. With a purpose-built system for third-party identity risk, organizations have more transparency into their third-party user populations and as a result can lower the costs of manually intensive provisioning cycles and make well-informed, risk-based decisions about access throughout the lifecycle of their third-party users.
For more information on building an effective third-party identity risk strategy, click here.