Why does your enterprise need to invest in better third-party IAM (identity and access management)?
In part, you can attribute this need to the continued prevalence of outsourcing; the risks associated with third-party access stem directly from this commonplace business practice.
Much like digital transformation, outsourcing offers as many benefits as they create risks. Outsourcing allows enterprises to manage their business processes and tasks, saving them internal costs and hiring.
Perhaps then it is so small wonder enterprises spend increasing amounts on outsourcing. In fact, according to technology research firm Gartner and identity security provider Identity Automation, IT outsourcing should grow to become a $335 billion industry this year.
However, so much outsourcing results in a proportional rise in non-traditional digital identities connecting to your network. Unfortunately, legacy IAM systems can’t properly process or protect either these third-party identities or your enterprise; they just don’t have the capabilities to process anything beyond the closed-circuit IT environments and limited workforces of an exclusively on-premises world.
You need to understand the potential pitfalls of third-party IAM, and how a next-gen identity and access management solution can help secure your enterprise.
Here’s what to know about third-party IAM:
The Problems with Third-Party IAM
Third-party identities and users connect to, operate on, and interact with your IT environment; these include human users such as vendors and partners, but they can also include nonhuman actors such as applications or databases.
However, third-party actors generally aren’t listed in the enterprise Active Directory of a legacy identity and access management solution. As such, these identities don’t trigger the usual protocols of authentication policies. Additionally, they may not activate the normal processes of provisioning, deprovisioning, and access auditing as traditional identities do; third-party IAM on a legacy solution could suffer from access request, lifecycle tasks, and privilege issues.
Let’s explore some of the issues with third-party IAM in greater depth.
Privileges within Third-Party IAM
What can you third-party actors access in your network?
You should not treat this question as idle. Several major enterprise breaches, including the Home Depot and Target breaches, began with hackers exploiting inappropriate third-party privileges. Controlling the privileges of all the actors is vital to ensuring better third-party IAM.
Third-party IAM should follow the Principle of Least Privileges; this states users should only possess the permissions necessary to performing their job duties and no more. However, legacy identity and access management solutions don’t have the privilege visibility necessary to enforcing this principle. Otherwise, these identities could allow malicious actors to access sensitive databases and assets far too easily.
Moreover, legacy solutions often can’t prevent third-party actors from escalating their own privileges without oversight or approval; both hackers and insider threats can exploit this escalation to gain permissions beyond the scope of the user’s identity.
Your third-party IAM must be subject to identity governance and strong role management; your IT security team should monitor and regulate the permissions each external actor connecting to the network; they must limit them to only their explicit functions.
Additionally, your enterprise could benefit from fine-grained access controls to address remote vendor access. But a legacy IAM solution can’t provide either function.
Visibility in Identity and Access Management
A lack of visibility constitutes another third-party IAM issue. If your legacy identity and access management solution only monitors identities in the Active Directory, third-party users could completely evade their detection capabilities.
In turn, this allows hackers to use these identities as convenient stepping stones into your IT environment; they can conceal their movements and access requests from view, and thus cause untold amounts of damage before detection and remediation.
You identity security solution should provide visibility into all of the users connecting to your network. Additionally, it should establish a behavior baseline for each identity to more quickly identify suspicious actions and suspend permissions pending an investigation.
How to Improve Your Third-Party IAM
Now that you know your third-party IAM is inadequate, what can you do?
First, Replace Your Old IAM Solution
Legacy solutions cannot provide protections your enterprise needs, plain and simple. Not only does this apply to providing third-party IAM (which is true) it also can’t handle enterprise digital transformation or cloud adoption. In some cases, legacy identity and access management can’t even process hybrid environments.
Of course, legacy identity security solutions can offer a comforting sense of familiarity and a recognizable user interface. However, they limit how your enterprise can handle identity and access management issues; some still rely on spreadsheets and emails to track third-party relationships.
Initiate MFA for Third-Party Users
You should deploy multifactor authentication on all of your identities. Single-factor authentication such as passwords allows hackers to too easily guess or crack the login. Two factor is stronger but can still be spoofed. Only multifactor authentication can deter all but the most dedicated and talented hackers and insider threats.
Every user should be required to input multiple authentication factors before they can access the full range of their databases and business processes. You can do this as an upfront request or as a step-up authentication model. What matters most in this case is consistency across all identities.
Federate Your Partner Access
Federating your third-party IAM coordinates your own authentication with the authentication efforts of your partners; this allows you to ensure your own security by utilizing the security of others.
For example, home-realm federation forces third-party actors to log into their home network before they can log into yours. This ensures that if they were let go of their position at your third-party partner, they also lose access to your IT environment.
Vet Your Third-Parties
We’ve said before you cannot consider your identity security or overall cybersecurity policies “set-it-and-forget-it” affairs. We stand by that statement, now more than ever.
For example, you need to impart the seriousness of identity and access management best practices on your employees through continual education programs and evaluations. Additionally, you need to participate in your identity security by ensuring employees and third-party users have permissions which follow the Principle of Least Privilege.
However, third-party IAM requires far more than that. Before making any business arrangement, your enterprise must take the time to verify the reliability and legitimacy of your third-parties. Selecting the most affordable option may blind you to potential security issues in their processes or in how they handle their employee identity lifecycle. If they continue to risk their identity security for the sake of efficiency or profitability, partnering with them could put you both in significant danger.
Cybersecurity is a two-way street. You need to look both ways if you intend to cross safely.