The Identity Blog

Solving the 3rd Party Access Gap in Identity

And Understanding Why the Status Quo is Expensive and Risky

Recently identity industry leaders came together for the “Solving the 3rd Party Access Gap in Identity” webinar, where the discussion focused on the impact of a growing reliance on third-party workers (both human & non-human) on identity risk and the flaws of current systems and methodologies in providing efficient, secure access.

Below are some of the highlights of the exchange between Merritt Maxim, VP, Research Director for Forrester, a consulting firm that’s provided research for global consumer business and technology leaders for more than 35 years, and David Pignolet, founder and CEO of SecZetta, the leader in third-party identity risk management solutions.

Merritt Maxim, Forrester
This conversation needs to start with risk, because ultimately third-party access is about risk and what level of risk you’re willing to tolerate as an organization as you allow non-employees to interact with your data and systems.

When you look at who owns third-party risk programs, most enterprise organizations don’t have a clear answer, and that’s where the problem begins. There’s no consistent ownership across the organization. Sometimes it’s owned by the procurement team, an IT security group, or even a dedicated vendor management group. Each of these teams has a different technical aptitude for managing these processes, so even the understanding of the underlying risks related to third parties varies a great deal.

David Pignolet, SecZetta
The lack of a clear third-party lifecycle process and risk management makes zero trust, at least in a privileged environment, effectively impossible. Ownership is most often the issue here. If it’s unclear who owns third-party identity relationships in your organization, then you’re not putting a focused strategic effort on managing them, and that leads to a lack of access control. Ultimately, if it’s not owned, it’s not managed, and if it’s not managed, then you’re sitting on an enormous breach risk.

This is especially troubling when so many organizations have a third-party population that’s equal to or larger than their employee count. It’s not just a larger number of people you need to consider, but also the dozens of third-party population types that your organization deals with (i.e., contractors, suppliers, affiliates, partners, volunteers, students, non-human bots, etc.), each of which poses a different risk. You should have a different set of processes for each of those population types that allow you to make decisions about what type of access you’re willing to grant, or whether there are more hurdles to clear for that individual.

If you can’t answer lifecycle management questions about your enterprise’s third parties off the top of your head, then you’re likely an organization that needs to focus on correcting this, and quickly.

Merritt Maxim, Forrester
Let’s look at the actual risks that could come through third-party access. Obviously, things like data exfiltration happen all the time. You could also have supplier fraud where you have a supplier not operating ethically (or even a rogue employee) and they can compromise systems and get into systems that allow them to embezzle or steal funds.

Organizations must also think about disruptions to their business. There have been hacks where a third party is used as an entry point into the main enterprise to disrupt their business. It’s important to understand the impact of what disruption would mean to your organization in today’s business world. And because third parties have access to your systems, they could be a source of disruption, so it’s another reason why you need to have effective, comprehensive management of your third-party access to ensure only those who need access are getting it.

Another underlying issue with third-party access is the balancing act that most organizations are faced with. How can your organization enable your third-party partners to connect with your organization so they can do the things they need to without unnecessarily increasing your risk? This is especially tricky when there are compliance mandates. Not only that, but how can you avoid making the onboarding processes so complicated that your third parties decide to skip it altogether and do business with a competitor instead? Finding that balance is a real challenge.

David Pignolet, SecZetta
Finding that balance IS a challenge because this is a complex process, and that’s why we’ve spent years building a solution that meets a wide variety of use cases that address the requirements around having a centralized identity authority for all your third parties.

Ultimately there are several goals of what we do, and they are to streamline your processes, create operational efficiency, and reduce risk for an organization. We often sit parallel to an HR system; SecZetta is an identity authority for all other identities (AoIDs). But that doesn’t mean we’re totally disconnected from those HR systems or your organization’s departments. What we really do is manage data from many sources (e.g., the vendor’s delegated administrator, the internal sponsor, etc.) to create a holistic picture of that one individual and their relationship to your organization. And we automate the lifecycle processes so in the end there’s a true authoritative record of that individual, as well as their relationship (or in many cases, multiple relationships) within your organization.

Merritt Maxim, Forrester
Ultimately, you want to protect your third-party access blind spots. That means having a centralized repository of the different third-party relationships in your organization so that you have a single view of your third parties, the identities associated, what their risk is, and what those relationships are.

You also want access to things like general reporting and dashboards, where internal stakeholders can see the state of your third-party network and who exactly is accessing your systems.

And these are the types of capabilities that a vendor like SecZetta would help provide and help automate for your organization. They can get you out of the manual processes that many of you are relying on today.

David Pignolet, SecZetta
Thank you, Merritt. My final message is to remind enterprise organizations that the status quo is expensive and risky. Enterprises need to change to ensure that the access that’s being granted to third parties is appropriate.

You can experience the entire webinar by clicking here. You can also take a self-guided tour of SecZetta’s Third-Party Identity Risk Solution by clicking here.