New Challenges in Third-Party Identity Security: What You Need to Know

What are some new third-party identity security challenges your enterprise must face in the coming year? Why do these matter now more than ever? 

Recently, the SolarWinds hack – already one of the worst in history – took on a new dimension. In addition to hackers affiliated with the Russian government, it appears that hackers possibly associated with the Chinese government also exploited a vulnerability. This vulnerability exploit allowed this hacking group access to the US Department of Agriculture’s National Finance Center.

The incident reveals the perils inherent in working with third parties. A third-party refers to another business that maintains access to your network, often to fulfill critical tasks. These can involve cybersecurity, financial data, human resources, and more. Almost no business today can function without employing at least a few third parties in their work processes. 

However, third parties open new cybersecurity challenges for enterprises of all sizes. For example, one of the most famous breaches of the modern age, the Target Breach, involved a third party; in that incident, hackers exploited an HVAC company with Target network access to steal millions of credit cards. 

So your business needs to recognize the importance of third-party identity security. But where can you begin? 

Third-Party Identity Security: What You Need to Know

1. What Third-Parties Does Your Business Work With? 

Yes, it really can come down to something this simple. Katie Nickels, Director of Intelligence at Red Canary, gave this statement to Wired: “What we saw for the first week or two, even after the initial SolarWinds revelations, was some organizations just trying to figure out whether they even use SolarWinds products. So I think the shift has to be to knowing [their] dependencies and understanding how they should and shouldn’t be interacting.”

Do you have a complete understanding of all the third parties that operate on your network? Does your organization have a concrete, systematic process for onboarding and offboarding third parties? Are all business partners subject to third party identity security processes? 

These aren’t idle questions. You need a higher level of visibility than you might realize to best secure your IT environment.

2. What Privileges Do Your Third Parties Possess?

The other major problem that faces enterprises is knowing what third parties can do on their network. While third parties may receive initial privileges, they could accumulate others over the course of your business interaction in an insidious example of access creep. This bloating of privileges makes those accounts prime targets for hackers, and indeed could cause unbelievable damage over the short and long term. 

Therefore, you need to exercise the Principle of Least Privilege on your third parties. The question becomes how.

3. Identity Governance Can Help

Identity Governance and Administration (IGA) can help your business with its third-party identity security. First, it can identify the accounts currently operating in your IT environment, and help find any orphaned accounts that might linger out of view. Second, it can help revoke unnecessary privileges on accounts, enforcing the Principle of Least Privilege. In fact, it can also limit new privileges, assigning set time limits so that accounts can’t bloat with access creep. 

IGA might just be the solution you need for your third party identity security. Find out more in our Identity Governance Buyer’s Guide.