Whether it’s contractors, vendors, partners, suppliers, retailers, or seasonal workers, managing third-party identities is something we see a lot of companies struggle with. During this short discussion, two of our IGA Directors talk about what makes managing these identities effectively and securely such a challenge and how organizations can get it right.
SecZetta, whose IGA platform focuses on third-party identities, did some research and found that:
55% of organizations fail to deactivate these workers' accounts once they are no longer performing work
78% report that it’s likely that they have multiple identity records for a single third-party individual or organization.
Granting access to non-employees is a high-risk endeavor, so it’s important that you manage their identities effectively and securely.
Let’s talk about some of the reasons why managing them securely is such a challenge.
Governance of third-party identities is often not a reality
Many organizations don't track third-party identities in any system of record. Instead, they set the "account expires" attribute in Active Directory to a date 90 or 180 days out and treat that as lifecycle management. The problem is that an expiry date says nothing about what the external resource can access: the account keeps all of its group memberships, and whoever renews the date restores all of that access without review. It also cuts both ways: it can end access prematurely for a worker whose engagement was extended, and it can leave access in place for someone who was terminated before the date arrived. A further caveat in hybrid environments is that, by default, Azure AD Connect does not map accountExpires to the cloud account's enabled state, so an expired on-premises account can still sign in to cloud applications unless you add a synchronization rule for it.
There’s no authoritative source and no standard set for third-party identities
Third-party identities can originate from different areas within an organization, with no company-wide standard to follow regarding how to manage them. They’re often treated individually, with manual tasks required to onboard and provide the access they need to perform the job they’re hired to do. That’s very often where their lifecycle management process ends.
HR systems can’t or won’t accommodate management of third-party personnel
HR is usually concerned with benefits, payroll, and the regulations that apply to full-time employees. Contractors have their own HR department and systems, managed by their employers. Companies hiring third-party workers see tracking these identities in their HR system as duplicated effort with little value to the HR department.
Multiple sources, owners, and practices that need to be unified to holistically manage third-party access
Multiple sources of data are often used for managing third parties, with varying levels of quality and detail. The inability to create a unified and accurate source creates both management and security challenges.
The identity is often added directly into Active Directory by administrators based on a service request, so inconsistencies are common
We've found that when AD or other directories are the authoritative source for third-party identity records, manual data entry causes inconsistencies and a "good enough" approach. Another dangerous practice is cloning: a new contractor is given the same access as a previous contractor who joined months or even years ago, whether or not that access is still needed for the job.
Shared accounts in third-party access to internal systems
Shared accounts are the worst case for external access: once several people use one account, it is almost impossible to determine what access any one of them actually needs. Access levels for third-party identities often need to be raised temporarily for a specific job; with a shared account, that elevated access silently carries over to everyone else who uses it. Beyond the obvious security gaps, if the shared account is misused it is much harder to determine who did what, because the logs only ever show the shared identity.
Lack of communication when the third-party organization terminates their worker
When an external resource has left their third-party organization, that organization's internal procedures do not always include alerting the contracting company so access can be removed.
Ownership or sponsorship of third-party identities is sometimes tracked but never updated
This is a hard issue to solve for both internal and external identities.
When a sponsor's responsibilities change, the external identities they sponsored are not always reassigned. The problem is even bigger when the sponsor leaves the organization entirely: the third-party accounts are then left with no one to approve, review, or revoke their access.
Metadata of the third-party organization is not, or cannot be, tracked internally in technical systems of record like Active Directory
The more data you can gather on your external resources, the better your management and access decisions will be. Active Directory is the de-facto directory in which most organizations record this information, but it was not built for this purpose: it offers a few free-form attributes (company, employeeType, manager, the extensionAttribute fields) and no object type for the contracting organization, its contract dates, or its risk tier, so that data either gets crammed inconsistently into whatever field is handy or is not captured at all.
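The three directory-side gaps above (expiry dates standing in for governance, sponsors that drift, and missing organization metadata) can at least be measured before an IGA program exists. The script below is an added example, not code from the original article or from Integral Partners. It assumes contractor accounts live under one OU (the DN passed as SearchBase), that the internal sponsor is stored in the manager attribute, and that the contracting organization is stored in company; none of those are Active Directory defaults, so adjust them to your environment. It is read-only and produces a review list; it does not disable or strip anything, and it does not check the cloud-side expiry caveat.

```powershell
# Added example, not from the original article or from Integral Partners.
# Read-only hygiene report over third-party accounts in Active Directory.
# Assumptions (adapt to your environment): contractor accounts live under
# $SearchBase, the internal sponsor is stored in the 'manager' attribute and
# the contracting organization in 'company'. None of these are AD defaults.
Import-Module ActiveDirectory

function Get-ThirdPartyAccountFindings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. 'OU=Contractors,OU=External,DC=corp,DC=example'
        [int] $DormantDays = 90
    )

    $now   = Get-Date
    $props = 'AccountExpirationDate','Enabled','MemberOf','Manager','Company','LastLogonDate'

    # One LDAP query for every account in the OU; the only per-account query is the sponsor lookup.
    $users        = Get-ADUser -SearchBase $SearchBase -Filter * -Properties $props
    $sponsorCache = @{}

    foreach ($u in $users) {
        $issues = [System.Collections.Generic.List[string]]::new()

        # (1) accountExpires is in the past. AD refuses on-prem logons, but the object
        #     stays Enabled and keeps every group membership, so renewing the expiry
        #     date silently restores all of the old access.
        if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt $now) {
            if ($u.Enabled)              { $issues.Add('ExpiredButStillEnabled') }
            if ($u.MemberOf.Count -gt 0) { $issues.Add("ExpiredWithGroups=$($u.MemberOf.Count)") }
        }
        # (2) Open-ended account: nobody set an end date for this engagement at all.
        elseif (-not $u.AccountExpirationDate) {
            $issues.Add('NoExpiration')
        }

        # (3) Sponsor drift: no sponsor recorded, or the sponsor's own account is disabled.
        if (-not $u.Manager) {
            $issues.Add('NoSponsor')
        }
        else {
            if (-not $sponsorCache.ContainsKey($u.Manager)) {
                try   { $sponsorCache[$u.Manager] = Get-ADUser -Identity $u.Manager -Properties Enabled }
                catch { $sponsorCache[$u.Manager] = $null }
            }
            $sponsor = $sponsorCache[$u.Manager]
            if (-not $sponsor)             { $issues.Add('SponsorNotFound') }
            elseif (-not $sponsor.Enabled) { $issues.Add('SponsorDisabled') }
        }

        # (4) No organization metadata: nothing records which vendor this person works for.
        if ([string]::IsNullOrWhiteSpace($u.Company)) { $issues.Add('NoOrganization') }

        # (5) Enabled but dormant: a likely sign the vendor let the worker go without telling you.
        #     LastLogonDate derives from the replicated lastLogonTimestamp and can lag by up to 14 days.
        if ($u.Enabled -and ($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt $now.AddDays(-$DormantDays))) {
            $issues.Add("Dormant>${DormantDays}d")
        }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Expires        = $u.AccountExpirationDate
                Sponsor        = $u.Manager
                Company        = $u.Company
                Issues         = ($issues -join ',')
            }
        }
    }
}

# Usage: report first; act only after the sponsor (or a replacement sponsor) confirms.
$findings = Get-ThirdPartyAccountFindings -SearchBase 'OU=Contractors,OU=External,DC=corp,DC=example'
$findings | Sort-Object Issues | Format-Table -AutoSize
if ($findings) {
    $findings | Export-Csv -NoTypeInformation -Path ".\third-party-review-$(Get-Date -Format yyyyMMdd).csv"
}
```

The output is a review list, not a remediation: an "ExpiredWithGroups" or "SponsorDisabled" row is exactly the case that needs a human sponsor to confirm before anyone runs Disable-ADAccount or Remove-ADGroupMember against it. Run it on a schedule and the trend in row count is a fair proxy for whether the lifecycle process is actually taking hold.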
How does Integral Partners help organizations manage third-party identities effectively and securely?
Gaining full visibility into guest (non-employee, vendor, contractor) access risk is complex and challenging. Integral Partners has broad and deep experience helping enterprises evaluate risk, analyze requirements and use cases, and successfully implement the third-party identity management solution that’s best suited to their needs.
Some of the services we offer include:
- Risk-based analysis of third-party identities, their sources, and key attributes
- Establishing best-practice lifecycle processes in the organization and leveraging existing or proposing new technologies that properly enable these third-party focused processes
- Establishing the third-party or external user lifecycle in an existing or new IGA implementation. Most IGA solutions can provide base-level management of third-party identities.
- Integration of third-party identity tools like SecZetta with top IGA solutions for enablement of appropriate joiner, mover, leaver automation
- Active Directory analysis and cleanup. Organizations often simply don't have the manpower to go through the data, classify accounts, and reach out to potential business owner sponsors in order to reach a clean slate for network access
We focus exclusively on IAM. It’s all we do. We can deliver the results you need, on time and in budget. You get high-touch guidance, quick answers, and access to our deep base of expertise.
- We are trusted partners of all the leading vendors, but remain tool-agnostic
- We have over 20 years of experience with IAM and IGA
- We can help – from strategy, evaluation, purchase, implementation and support
Want to learn more? Schedule a quick conversation with one of our IGA experts. They can answer any initial IGA questions you have, or other IAM-related issues.
Click here to reach out and get started.