The Identity Blog


Identity Validation – The Key to Removing Third Party Access in a Timely Fashion.

Nobody told us!

We hear it all the time. We have third parties who are no longer performing contractual duties, yet no one tells us that their access should be terminated.

Most organizations have some sort of contractor extension process. Usually every ninety days an internal resource needs to extend access for a third party. Some employ an unused account process to disable accounts after a period of time.

While these processes might be enough to satisfy some regulatory compliance demand, they do very little to mitigate risk.

What happens when your vendor or partner terminates an employee who has access to your environment and fails to inform you? Or when a manager doesn’t perform the necessary action to suspend account access? Access remains active! If the contractor’s access had just been extended, it might remain active for 89 days or more. Worse, if the person continues to use that access, you are likely losing data. Because the account is in active use, your unused account process will not capture it, and you may never know it happened.

Access certifications are not timely enough to mitigate this risk, and they are a single point of failure whenever the internal resource rubber stamps the certification (which, of course, never happens). The numbers make this a serious concern: according to a survey conducted this fall by the Ponemon Institute, 56 percent of organizations have had a breach that was caused by one of their vendors.

Enter Identity Validation.

Utilizing NE Access’s ability to enable internal users and trusted partner representatives to collaboratively manage third parties, SecZetta has innovated a process to mitigate this risk. We can effectively shrink the window of opportunity for a third party to have inappropriate access to your environment, without being a burden on the internal business.

Third party identity validation is the process of requiring vendor or partner representatives to attest that the individual in question is still employed by the vendor organization and still engaged with you as a customer. This is a “light duty” process that your vendors are incentivized to complete in a timely fashion.

This process can be automated and conditional, making it a hands-off process for your internal organization. If you drive the validation conditionally based on the identity risk profile, you can require it more often for high risk third parties (every two weeks) than for low risk identities (every 30 days). You can also drive it conditionally on any other factor, such as whether the third party holds privileged access. This is a very effective control because inaction results in disablement: if the vendor representative does not respond, the account is disabled rather than quietly left active.
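The scheduling logic behind that control, as an added example that is not SecZetta’s or NE Access’s own code: each third party identity carries a risk tier and a privileged flag, the cadence is the two-week / 30-day split described above, privileged access is treated as high risk, and a hypothetical seven-day grace period is assumed between the validation request going out and the account being disabled for non-response. The roster, dates and field names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Cadence from the post: high risk every two weeks, low risk every 30 days.
VALIDATION_INTERVAL = {"high": timedelta(days=14), "low": timedelta(days=30)}
# Assumed grace period: how long a vendor rep has to respond before inaction disables the account.
GRACE_PERIOD = timedelta(days=7)


@dataclass
class ThirdPartyIdentity:
    user_id: str
    vendor: str
    risk_tier: str                         # "high" or "low"
    privileged: bool                       # privileged access forces the high-risk cadence
    last_validated: datetime               # last successful attestation by the vendor rep
    request_sent: Optional[datetime] = None  # when the current validation request went out
    enabled: bool = True


def effective_tier(ident: ThirdPartyIdentity) -> str:
    """Privileged identities are validated on the high-risk cadence regardless of tier."""
    return "high" if ident.privileged else ident.risk_tier


def decide(ident: ThirdPartyIdentity, now: datetime) -> str:
    """Return the action the automation should take for one identity at time `now`."""
    if not ident.enabled:
        return "already_disabled"
    due = ident.last_validated + VALIDATION_INTERVAL[effective_tier(ident)]
    if now < due:
        return "ok"                       # attestation still fresh
    if ident.request_sent is None:
        return "send_request"             # overdue, ask the vendor rep to attest
    if now >= ident.request_sent + GRACE_PERIOD:
        return "disable"                  # no response within the grace period
    return "awaiting_response"


def record_attestation(ident: ThirdPartyIdentity, now: datetime) -> None:
    """Vendor rep confirmed the person is still employed and engaged: reset the clock."""
    ident.last_validated = now
    ident.request_sent = None


def run_cycle(roster: List[ThirdPartyIdentity], now: datetime) -> Dict[str, str]:
    """One scheduled pass: apply the decision to every identity and report what was done."""
    actions = {}
    for ident in roster:
        action = decide(ident, now)
        if action == "send_request":
            ident.request_sent = now      # real code would send the email here
        elif action == "disable":
            ident.enabled = False         # real code would disable the account in the IdP
        actions[ident.user_id] = action
    return actions


NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def sample_roster() -> List[ThirdPartyIdentity]:
    """Constructed roster covering each branch of decide()."""
    d = lambda n: NOW - timedelta(days=n)
    return [
        ThirdPartyIdentity("alice", "acme", "low", False, last_validated=d(10)),
        ThirdPartyIdentity("bob", "acme", "low", True, last_validated=d(20)),
        ThirdPartyIdentity("carol", "globex", "high", False, last_validated=d(30), request_sent=d(10)),
        ThirdPartyIdentity("dave", "globex", "high", False, last_validated=d(20), request_sent=d(3)),
    ]


def run_demo():
    roster = sample_roster()
    first = run_cycle(roster, NOW)
    record_attestation(roster[3], NOW)    # dave's vendor rep responds before the grace period ends
    second = run_cycle(roster, NOW)
    return first, second


if __name__ == "__main__":
    for cycle in run_demo():
        print(cycle)
```

Note that `bob` is low risk on paper but privileged, so he is already overdue on the 14-day cadence, while `carol` has been waiting past the grace period and is disabled without anyone on the internal side lifting a finger.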

With NE Access you can also require self validation. During the onboarding process you capture the individual’s vendor email address; if they onboard from a specific vendor, their email address at that vendor is a required piece of data. We can later use that address to send a validation token to the individual, which they must enter in the NE Access portal at login. If that individual no longer works for the vendor or partner in question, it is unlikely that they still have access to that email account, so they cannot obtain the token and are unable to reach your resources. Again, inaction results in disablement.
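How a token of that kind should be issued and checked, as an added example and not NE Access’s implementation: the token is random, only its hash is stored, it expires, it is single-use, the comparison is constant-time, repeated wrong guesses lock the account, and an unused token past its expiry disables the account on the next sweep. The 24-hour lifetime, five-attempt limit, in-memory store and all user IDs and addresses are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

TOKEN_TTL = timedelta(hours=24)   # assumed lifetime of an emailed validation token
MAX_ATTEMPTS = 5                  # assumed guess limit before the account is disabled


class ValidationStore:
    """Tracks outstanding self-validation tokens and the accounts disabled by them."""

    def __init__(self) -> None:
        self._pending: Dict[str, dict] = {}
        self.disabled: Set[str] = set()

    @staticmethod
    def _digest(token: str) -> bytes:
        # Only the hash is stored, so a leaked store does not yield usable tokens.
        return hashlib.sha256(token.encode()).digest()

    def issue(self, user_id: str, vendor_email: str, now: datetime) -> str:
        """Create a fresh token; the caller emails it to vendor_email and never persists it."""
        token = secrets.token_urlsafe(32)
        self._pending[user_id] = {
            "digest": self._digest(token),
            "expires": now + TOKEN_TTL,
            "attempts": 0,
            "email": vendor_email,
        }
        return token

    def verify(self, user_id: str, presented: str, now: datetime) -> str:
        """Check a token typed at portal login and return the outcome."""
        rec = self._pending.get(user_id)
        if rec is None:
            return "no_pending_validation"       # nothing outstanding, or token already consumed
        if now > rec["expires"]:
            self._pending.pop(user_id)
            self.disabled.add(user_id)
            return "expired_disabled"            # inaction within the window disables the account
        rec["attempts"] += 1
        if hmac.compare_digest(rec["digest"], self._digest(presented)):
            self._pending.pop(user_id)           # single use: a replay gets no_pending_validation
            return "validated"
        if rec["attempts"] >= MAX_ATTEMPTS:
            self._pending.pop(user_id)
            self.disabled.add(user_id)
            return "locked_disabled"             # too many wrong guesses
        return "invalid"

    def sweep(self, now: datetime) -> List[str]:
        """Scheduled job: disable everyone whose token expired without a successful check."""
        expired = [uid for uid, rec in self._pending.items() if now > rec["expires"]]
        for uid in expired:
            self._pending.pop(uid)
            self.disabled.add(uid)
        return sorted(expired)


def run_demo():
    """Constructed walk-through covering the success, replay, expiry, lockout and sweep paths."""
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    store = ValidationStore()

    tok1 = store.issue("u1", "rep1@vendor.example", t0)
    r_wrong = store.verify("u1", "not-the-token", t0 + timedelta(minutes=1))
    r_ok = store.verify("u1", tok1, t0 + timedelta(minutes=2))
    r_replay = store.verify("u1", tok1, t0 + timedelta(minutes=3))

    tok2 = store.issue("u2", "rep2@vendor.example", t0)
    r_expired = store.verify("u2", tok2, t0 + timedelta(hours=25))   # former employee, too late

    store.issue("u3", "rep3@vendor.example", t0)
    r_lock = "invalid"
    for _ in range(MAX_ATTEMPTS):                                     # brute-force attempt
        r_lock = store.verify("u3", "guess", t0 + timedelta(minutes=5))

    store.issue("u4", "rep4@vendor.example", t0)                      # never responds at all
    swept = store.sweep(t0 + timedelta(hours=25))

    return [r_wrong, r_ok, r_replay, r_expired, r_lock], swept, sorted(store.disabled)


if __name__ == "__main__":
    print(run_demo())
```

The important property is that every failure path ends in the account being disabled or the token being useless; nothing in this flow silently leaves access open when the person on the other end has gone quiet.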

A quick look at the many high profile corporate hacks reveals that third party access often plays a key role in enabling the hack. This is a high risk area for most companies, and identity validation is one of the most effective tools for reducing that risk.

Want to learn more?

The bottom line is that most organizations would like to do more to mitigate this risk; they just don’t have the tools to do so. If this topic is interesting, please let us know and we’ll schedule a time to demonstrate this capability.