Managing Third-Party Privileges with Identity Automation


In the already oft-neglected realm of privileged access management, one type of permission is even more forgotten: third-party privileges.

Enterprises of every size and in every industry are partnering with third-party vendors to fulfill functions and roles for which they lack either the personnel or the resources. According to one study, 71% of enterprises are looking to increase their usage of third-party vendors by 20% or more. Yet the security risks in creating third-party privileges are evident:

  • According to a separate analysis, 23% of businesses fail to monitor their remote vendor or third-party activity.
  • According to another survey, 66% of enterprises said they suffered a data breach due to third-party privileges.
  • A third expert report found that 56% of companies experienced a third-party privileges data breach.

To make sense of the issue, we turned to Texas-based privileged identity and access management solution provider Identity Automation. In their report “How to Minimize the Identity and Access Risks Associated with Third-Party Relationships,” their researchers found that 63% of enterprise breaches are the result of third-party privileges. Additionally, 94.3% of enterprises weren’t confident in their tools for managing third-party privileges.

Why Do Third-Party Privileges Get Abused?

Identity Automation’s findings confirm much of our own research on the perils inherent in third-party privileges:

  • 40% of enterprises never bother to look for all of the privileged accounts on their network.
  • 63% don’t have security alerts in place for failed privileged access account login attempts.
  • Only 34% can identify specific threats stemming from their privileged access users.
  • Only 35% of enterprises have total visibility into the privileged accounts in their IT environment.

This is important to remember because, as Identity Automation reminds us, third-party privileges can create a weak link in your network if they aren’t paired with increased network visibility. By creating third-party privileges, you tie your security to that of your external vendors, and if they are weak, so are you.

Identity Automation points out that some of the biggest brands in the world—Target, Home Depot, Wendy’s, and Anthem—all suffered breaches due to third-party privileges being stolen or abused. They further found that the average third-party data breach costs an enterprise $7.35 million. So stopping these breaches before they happen should be a top priority.

Monitoring Third-Party Privileges

Identity Automation provides several detailed suggestions on how to secure your third-party access, including:

  • Have a proper view of where your most sensitive data is and who has access to it (aka monitoring).
  • Assess the security of your vendors.

But above all, Identity Automation points out that legacy IAM and privileged access management solutions just don’t have the capacity to monitor modern privileged accounts, let alone third-party access. If your enterprise is looking to expand its third-party vendor network as part of its scalability efforts, it may also be time to update your privileged access management solution and your third-party privileges monitoring.

If you’re interested in learning more about securing your third-party privileges, you should download the Identity Automation report “How to Minimize the Identity and Access Risks Associated with Third-Party Relationships,” available for free here.


Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.