It’s 9 o’clock in the morning: do you know where your third-party contractors are? For some, the answer may be yes; for many others, likely no. Even for those that do, keeping track of third-party identities and managing their access and entitlements, while ensuring productivity throughout the identity lifecycle, can be a tall order.
Third-party risk management is made even more complex when the third parties you contract with rely on third parties of their own. Third parties can also be particularly challenging to account for, especially when organizations use undefined and/or decentralized third-party monitoring systems. Then there are the basic capabilities: ensuring that third-party identities are provisioned with enough access to be productive from day 1, and that access is promptly removed the day their contracts end so as not to violate least privilege. If all of this seems a bit mind-numbing, rest assured, you’re not alone. Here are a few tips to keep in mind to help simplify managing and governing third parties that require access to your environments.
1. Identify who they are.
The first step in any IAM program initiative is to get the lay of the land. For third parties, this means identifying which third parties are currently contracted to work for your organization, and what they do. After this initial survey, taking the next step of determining who has access to what, particularly sensitive data, infrastructure, employee personally identifiable information (PII) and cloud consoles, will provide a natural roadmap for where to start. Fourth parties, or a third party’s third parties, are also part of this equation, and determining who has access to your partners’ infrastructure and data will also provide a strong background so you can determine what needs to get done first.
2. Assess your third parties as if they were your own.
Third parties inherently run their businesses differently than you run yours. This includes different ways of doing device checks, patches, data processing, and more. To bolster a third-party risk management program, IT and security teams should run both in-house and independent assessments and questionnaires on the third parties they do business with. This includes checking and verifying their security policies, certifications, and compliance, as well as how they ensure that they remain secure themselves. This way your organization can ensure that everyone is taking appropriate measures that make sense for your business, with the proper context.
3. Monitor their status.
Security and governance are not one-and-done items. Third parties need to be continually managed and monitored to ensure that they are performing their jobs efficiently, effectively, and securely. As such, having systems in place to monitor access requests, logins, and tasks performed is critical not only for security but also for audit and compliance purposes. As supply chain security and third-party vendor management come increasingly under the microscope, we suspect this will only grow in importance in audit requests from regulatory and compliance boards. Additionally, as third-party workers continue in their contracts, some may be chosen for extensions, either to continue working on a project or to take on a new one. However, if access is set to be deprovisioned in the system after 60 days, as an example, the IT administrator may forget to extend that access, so having controls and visibility in place to extend soon-to-expire third-party access can help ensure productivity is not lost during extensions and/or transitions.
4. Automate, automate, automate.
Managing third-party workers can be incredibly time-consuming. This is where automation comes into play, and a strong governance program will enable automating tasks across the entire identity lifecycle for third parties. First, administrators need to make sure that third parties have the proper access rights on day 1, otherwise known as provisioning. Third parties are somewhat tricky, because they can’t simply be entered into the directory service or HR system without careful consideration. In some cases, this could qualify them as full-time staff, which can accidentally change the employment contract and lead to discussions on whether these workers should be granted the benefits of a full-time employee. For this, a centralized system is recommended to keep track of third parties alongside employees, so that access can be efficiently monitored without blurring the lines of who’s who. Next, being able to adapt access rights if and when contractors’ roles change saves a lot of legwork in right-sizing access, ensuring that as roles change, new access is granted but old, unneeded access is removed. Finally, when the third party’s contract expires, automatically removing access is not only a time-saver but a major security check, as unneeded access has featured in many a third-party breach.
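The lifecycle steps above (day-1 provisioning, right-sizing on role change, the expiry-and-extension visibility from tip 3, and automatic removal at contract end) can be expressed as a single reconciliation rule. The following is an added example, not Omada’s code; the role-to-entitlement mapping, the `Contractor` record and the 14-day review window are constructed assumptions.

```python
"""Lifecycle reconciliation for third-party identities.

Added example, not Omada's code: a minimal reconciler covering the steps
described above: day-1 provisioning from a contract record, right-sizing
when a role changes, flagging contracts that end inside a review window,
and deprovisioning once the contract has expired.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical role-to-entitlement mapping, constructed for this example.
ROLE_ENTITLEMENTS = {
    "support-contractor": {"ticketing", "vpn"},
    "cloud-engineer": {"vpn", "cloud-console", "ci"},
}


@dataclass
class Contractor:
    user_id: str
    role: str
    contract_end: date
    granted: set = field(default_factory=set)  # entitlements currently held
    active: bool = False


def reconcile(c: Contractor, today: date, review_days: int = 14) -> dict:
    """Return the actions needed so that c's access matches its contract."""
    actions = {"grant": set(), "revoke": set(),
               "deprovision": False, "review_expiry": False}
    if today > c.contract_end:
        # Contract over: revoke everything the identity holds, whatever its role.
        actions["revoke"] = set(c.granted)
        actions["deprovision"] = True
        c.granted.clear()
        c.active = False
        return actions
    desired = ROLE_ENTITLEMENTS[c.role]
    # Right-size: grant what the current role needs, revoke what it no longer needs.
    actions["grant"] = desired - c.granted
    actions["revoke"] = c.granted - desired
    c.granted = set(desired)
    c.active = True
    if c.contract_end - today <= timedelta(days=review_days):
        # Still valid but ending soon: surface it for an extension decision
        # rather than letting access lapse silently on the end date.
        actions["review_expiry"] = True
    return actions
```

Running `reconcile` on a schedule against every contractor record gives the administrator a queue of grants, revocations and pending-expiry reviews rather than relying on memory for the 60-day cutoff.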
As with anything, there is no one-size-fits-all approach that works for every organization, particularly with something as complicated as third-party risk management. However, these four tips are a good foundation for getting in control of third parties and staying on top of emerging threats, while also improving efficiency for IT, security, and operations, as well as for the third parties themselves.
For more information on how Omada’s approach to modern Identity Governance may help enable and secure your third-party workforce, click here.