Securing Third-Party and Vendor Access
Most organizations today rely on multiple vendors and 3rd party companies to conduct their business. These vendors and companies provide services ranging from HR and operations to strategic advice and deployment/implementation. CredenceIA discusses how organizations can manage vendor access in an operationally manageable, organized, and efficient way.
Vendor Access and 3rd Party Access
In the past, an organization had a fixed network perimeter, and most of its commercial relationships were conducted inside that network. More and more organizations are moving to the cloud and leveraging SaaS applications. Today’s organizations rely on working closely with external vendors, partners, suppliers, advisors, and contractors to get the work done. This means all those external users and entities need access to the organization’s applications, data, and systems.
When we talk to our clients, we see that many manage external vendors/suppliers as contractors and lack standardized processes and technology to manage user lifecycle, access, and governance for external users. This approach creates risk: there is no standard way to ensure ownership of each such entity and identity, and excess or orphaned access goes unnoticed.
The risk to organizations was always there, but in the last several years it has risen manifold with the move from a mostly on-premise, static business model to a hybrid model: on-premise applications plus external vendor or 3rd party services delivered via cloud platforms and SaaS applications that the business can’t live without.
The Reason Why Vendor Access Management is Hard
Organizations have robust policies, rules, and processes for managing employees in a centralized location via a Human Resources Management System (HRMS). Each employee has ownership/sponsorship defined by way of their manager. Managers are trained and are reminded by the HR team to keep records up to date, and an established process augmented by technology (e.g. IGA) helps the manager handle employee lifecycle events such as joiner, mover, and leaver. Additionally, there are periodic certification requirements to ensure that employees have the right access to perform their job.
Now imagine this with external users. External users are defined as any non-employee: contractors, external vendor/partner resources, and 3rd party business users. Most organizations manage external users, most likely, in a distributed and undisciplined fashion, and the same rigor/policies that apply to an employee are not necessarily applied to these non-employee users.
External users may be managed by a project/program manager, by a manager/director-level user, or by a department designate who takes responsibility for the immediate project/task the user and/or external vendor is hired for. These external users have access to data, systems and applications at varying levels, which may also include privileged access. Often there is no clear way to know when the contracts are over (we have seen expirations being tracked in spreadsheets). In the absence of automation and standardized processes, when the contract expires or the external user leaves, such identities become orphans. When that user is moved to another department or to a different team/project, the access they had before is not removed, which results in excessive access.
Because there is no standardized, centralized way of managing all external users, non-employee identities and their access, it is hard for IT and Security teams to know conclusively who has access to what, and what risk the organization carries from external users’ identities.
How to Address Vendor Access with IGA?
Managing vendor and 3rd party access (aka external users) requires a combination of organizational support/stakeholder buy-in, process and technology. A successful external user management program includes:
Stakeholder identification and buy-in to support the new processes and technology. It is equally important to identify at this stage who will own the process, the technology and the costs. Costs include the resources who implement and support the processes, the technology to be used, any software license costs, any hardware costs (in the case of an on-premise approach) and ongoing support/maintenance costs. This drives clarity among stakeholders on roles, responsibilities and total cost of ownership (TCO) to the organization. Buy-in from stakeholders is crucial to ensure the new processes and technology succeed and that no out-of-band, siloed practices continue.
Next is identifying the authoritative sources where these identities are created. Most likely this will not be the HRMS but Active Directory or similar. There may be more than one such source (e.g. a directory, a database or even a flat file) in which an organization creates identities for external users.
Once these sources are identified, the next step is onboarding them as target applications within the IGA solution. Treating external user lifecycle management as governance-driven is key. This change in mindset allows organizations to start enforcing centralized creation of all external user identities instead of continuing to allow each department or procurement to follow its own siloed approach. The risk of not knowing how many external user identities are in use, or when contracts are expiring, can be efficiently reduced with an IGA solution.
Next is the identification and prioritization of the non-employee use cases, such as the following:
External user classification
Invitation based and self-service registration of external users
Delegated administration for external users
Set an expiration date (future termination) for a user
Remove access at time of contract termination
Remove non-required (excess) access when an external user moves within the organization
Temporarily disable and reactivate the same account with the same rights during contract renewal
Ownership and succession management
The last stop in managing external user identities is continuous monitoring to ensure the defined combination of processes and technology is working as expected, plus periodic audit reviews to ensure that no sources outside the defined ones are used to create and manage external users, and that access is removed on a timely basis.
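As an added illustration (not CredenceIA’s code or any IGA product’s API), the lifecycle rules listed above and the audit review just described, modelled in a small Python script; the source names, user ids, sponsors and entitlements are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed for the example: the only systems declared as authoritative
# sources in which external identities may be created.
AUTHORITATIVE_SOURCES = {"ext-ad", "partner-db"}

@dataclass
class ExternalIdentity:
    user_id: str
    sponsor: str                 # owning manager or department designate
    source: str                  # system the identity was created in
    contract_end: date           # expiration date set at onboarding
    entitlements: set = field(default_factory=set)
    active: bool = True
    parked: set = field(default_factory=set)  # rights held while disabled for renewal

def audit(identities, today):
    """Periodic review: returns (user_id, finding) pairs for out-of-source,
    orphaned (active past contract end) and ownerless identities."""
    findings = []
    for i in identities:
        if i.source not in AUTHORITATIVE_SOURCES:
            findings.append((i.user_id, "created outside authoritative sources"))
        if i.active and i.contract_end < today:
            findings.append((i.user_id, "orphan: contract expired, account active"))
        if i.active and not i.sponsor:
            findings.append((i.user_id, "no owner"))
    return findings

def terminate(identity):
    """Leaver: disable the account and strip every entitlement."""
    identity.active = False
    identity.entitlements.clear()

def suspend_for_renewal(identity):
    """Temporary disable: park the rights so reactivation restores them exactly."""
    identity.parked, identity.entitlements = identity.entitlements, set()
    identity.active = False

def reactivate(identity, new_contract_end):
    """Renewal: restore the parked rights and extend the expiration date."""
    identity.entitlements, identity.parked = identity.parked, set()
    identity.active = True
    identity.contract_end = new_contract_end

def move(identity, required_for_new_role):
    """Mover: keep only the access the new role requires; return the excess removed."""
    excess = identity.entitlements - required_for_new_role
    identity.entitlements -= excess
    return excess
```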
Not all IGA solutions are created equal. However, in our experience the process and approach laid out here allow most third-party-related use cases to be addressed with a combination of processes and technology that helps organizations achieve automation, reduce risk, foster standardization in managing external user identities, and avoid the risk of external user accounts falling through the cracks.
Contact us to find out how we can help you!
About CredenceIA Consulting
CredenceIA Consulting brings over 20 years of experience working with organizations of all sizes and complexities. This allows CredenceIA Consulting advisors to deliver the best value and outcome within time and budget. CredenceIA Consulting provides advisory and implementation solutions. We have a successful track record of IAM implementations via our award-winning team. CredenceIA Consulting brings value with its robust project planning, execution and management expertise.