Interview with an Expert Series, Paul DeGraaff
Common Gaps in Managing Third-Party Identity Risk
In this episode of Interview with an Expert we gain insight into the gaps that most companies have with third-party identity risk, why the gaps exist, and best practices about how to resolve the issues. We spoke with Paul DeGraaff, an industry renowned IAM expert who has held Identity and Security roles at AIG, DTCC, and Weight Watchers.
Question: Thank you for being here with us today to talk about the challenges organizations face managing third-party identity risk. Could I have you introduce yourself and tell us a little bit about your background as an identity expert?
Answer: Sure, Paul DeGraaff. I’ve been in security for over thirty years, in both engineering and management positions, with a concentration in identity management for about twenty-one years. This has always been an area of sincere interest to me. I really enjoy it.
Question: We hear similar questions from organizations as they begin to mature their third-party identity risk strategies and develop best practices of their own. The first question we hear often is “who is directly and indirectly responsible for non-employee and contractor, or third-party technology, onboarding and management at most organizations? And where should that responsibility lie?”
Answer: That’s a very interesting question, and a very complicated one as well, because there really isn’t a well-defined owner for that process. When organizations onboard third parties, it’s usually a combination of departments that are involved. You have the hiring manager, who should define why they are bringing in the third party and what access these people will need. Procurement may come into play for the contractual agreement, the pricing, and those kinds of things. You also have legal, who review the terms and conditions to ensure the derived contractual language is there. Usually, you’ll find that there is also some kind of vendor risk management group in the security team that looks at the risk associated with the relationship. So really it may be like four teams that are involved in the beginning of the relationship.
The key to the problem is that it’s all focused on that initial relationship or that initial onboarding and people in the company tend to forget which non-employees have access and who they are sponsored by.
Question: Now that we know a little bit more about some of the initial complications around who’s responsible for non-employee or third-party access, what are some of the additional gaps that you see in third-party identity risk and lifecycle management?
Answer: It’s predominantly ownership, as in “who owns what part of the process and who tends to be really accountable for that relationship?” A lot of those players are initially involved in the arrangement. After the third party is onboarded there is usually no accountability for procurement or legal, for example, because they are out of the game. It then is a discussion between the hiring manager and the organization that manages the access.
That’s where the problem comes in because the hiring manager sometimes forgets that they had that relationship, or they left, and it ended but nobody told IT or security that the relationship has ended.
Therefore, access stays around and only gets caught during an access certification process, which is supposed to ensure that people still have the right access. That’s usually when these things get flagged.
That is referred to as a “compensating control” and not a primary control that should actually catch that. That is one area where there is a big gap.
Secondly, it’s around who is actually responsible for that non-employee. HR organizations own employees, but the third party is a real struggle for HR organizations to deal with. Predominantly, it has to do with the amount of change that occurs in these organizations and with third parties, especially those organizations that have large staff augmentation or services like call centers, where there is tremendously high turnover. The turnover can be as high as 20 percent, and organizations are not set up to handle that level of change. HR organizations are going to be throwing up their hands and saying, “That is not for us to manage,” and it usually falls upon an IT organization to deal with those issues. To me those are the two biggest problems.