Third Parties Occupy the Wild West of Governance
Who are you?
Who do you work for?
This is new territory. The laws are young. The sheriff is tasked with properly enforcing order.
These are just a few of the concerns that keep members of an identity management team up at night.
Organizations have eagerly embraced growing and diverse populations of partners, vendors, and other contingent labor as well as non-human technologies like service accounts, bots, and smart devices to boost competitiveness. While these efforts are intended to fortify competitive strategies, many organizations are just now realizing the extent to which utilizing these third parties creates new operational challenges and dramatically increases cyber-risk exposure.
Advantages of a Third-Party Workforce
- No ramp up time is necessary when engaging knowledgeable resources
- Quickly collaborate across diverse and established skillsets
- No long-term commitment between employer and worker is required
Drawbacks of a Third-Party Workforce
- They are outsiders with insider access
- Vetting requires contribution from various lines of business
- Once given access, it can be unclear who really manages them
Unlike a normal employee onboarded through the Human Resources department, the identity governance of third-party users is far more chaotic and less linear. For starters, even large enterprises often lack formal procurement vetting and identity management processes for third parties. Responsibilities are often distributed across lines of business, such as HR, Compliance, and Information Security. A third-party relationship needs to be managed by internal resources, sponsors, and external resources, their own organization.
When we begin a discovery session with a client, simple questions often snowball to reveal greater confusion and disparity within an organization. For example, the question “How many vendors do you have?” can lead to “What is considered a vendor?” and “Do we want to manage only those individuals associated with vendors specifically?” Sometimes the flood gates open, triggering further internal conversations amongst other teams for questions, answers, and decisions. This is the opportunity to consolidate and streamline processes; an awareness which is not lost on our clients.
Nightmare scenarios which can be addressed
- A former employee who appears on the Not Eligible for Rehire list subsequently joins a vendor team and receives access to the organization’s resources without being checked against that list.
- A former consultant who left the organization on poor terms changes names before being hired through another consulting team
- A sponsor who manages vendor resources exits the organization, leaving a gap in sponsorship for the third party
- A vendor representative leaves without providing your organization with contact information for a successor
- Without your knowledge, a third party’s employment is terminated and moves on to work with other clients, meanwhile access to your organization remains
- Access granted manually may have been given hastily or in a pinch, thereby unintentionally provisioning more than necessary
With the proliferation of security breaches, regulation of data security and privacy is evolving to address the risks. The European Union’s General Data Protection Regulation (GDPR), which came into effect in 2018, requires an organization to delete information of a former employee (or the former employee of a vendor) if requested. This is known as the Employee’s Right to Erasure. Likewise, California Consumer Protection Act (CCPA) which protects applicants and former workers will take effect in 2021. Both GDPR and CCPA come with heavy fines for non-compliance. Two of the largest GDPR infractions this year cost H&M €35 million and Google €50 million, respectively.
In addition to geographic regulations, certain industries are governed by additional compliance requirements such as healthcare (HIPAA, HITECH), manufacturing (OSHA, DOT) and financial services (FINRA, SEC). In the past, it was common for an organization to move the accounts of terminated users to a special Active Directory organizational unit instead of deleting them, but this may no longer be sufficient. As compliance requirements are introduced, organizations require the ability to grow the systems designed to protect personal user data accordingly.
Without a doubt, the landscape is a challenge to command confidently but rest easy because SecZetta has the platform and the expertise to assist organizations to improve the lifecycle management of third-party populations. We can help your team to chart the terrain of your governance needs and bring order to the Identity Management frontier.