Who has a supply chain today?
For the purposes of this blog installment, I want to first-off take the liberty to expand the definition of “supply-chain” as it relates to today’s digital economy. Traditionally when the term supply chain is used, we tend to think of market segments like manufacturing, retail, etc. In fact, if you “google” the words here is how they define it: “The sequence of processes involved in the production and distribution of a commodity”.
Today however, as more business go through digitalization and digital transformation, these organizations are finding themselves not only exposing more of their enterprise services as the new way to do business with their customers and clients; but also opening access to critical systems like mainframe, ERP systems, inventory management or other financial and operations “crown-jewel” applications, to conduct business with their partners, vendors, suppliers, etc. For the remainder of this article, I will simply refer to these entities as “vendors”.
By expanding that definition this now starts to include non-traditional businesses managing this set of processes and the vendors that support their business’s ability to deliver their goods and services. Now, we need to include markets and organizations such as; hospitals and healthcare, telecommunications, utilities/energy, hospitality, logistics and even media/entertainment/content companies.
It’s true – almost every company now has a “supply chain”.
What’s more, is that organizations are discovering that reducing costs and improving efficiencies for vendor management within the supply chain can fundamentally help drive more black numbers to the bottom line of the balance sheet. As recently as a few months ago, I had a client in the hospitality business tell me “we are now a supply chain company, that happens to have casinos and hotels” – meaning that managing the economics of their supply chain and the network of vendors that create it, is just as critical (perhaps even more so) as bringing customers through the doors of their business.
YES – Identity is at the center!
As these organizations move more of their processes into the digital realm and expose them online to their “supply chain” – they are also exposing themselves to greater risk. Many of the applications that need to be exposed to drive your business in this new digital world are sensitive and may even be subject to regulations like SOX, PCI, HIPAA/HITRUST, FERC/CIP and GDPR… Oh my!
Meaning that now more than ever it is IDENTITY at the center of it all. Companies must now have an understanding of critical identity controls for; who has access and to what? how they got it? how long do they need it? do they still need it? who approved this access? what they did with it while they had it? Perhaps most importantly being able to provide your auditors and risk-compliance people with evidence of the answers to these questions. Today it is not only a must to protect your corporate brand and customer loyalty… In many cases, it’s the law. Worst of all it could have severe economic consequences for your company – and possibly even you.
Improving controls while streamlining vendor access.
So how do we answer those “who, what, where, when and why” questions, and better yet, ensure the controls are there without creating friction for the vendors in your supply chain? If we make it too hard to do business with our company – we will have a hard time keeping good reliable vendors in our network.
Over the years, I’ve worked with a number of companies, that I believe got it right. I want to share a list of things I’ve seen work for these organizations as they implemented controls within their vendor management processes.
- Onboarding New Vendors and Users:
Before a vendor can conduct business with your company, you need to onboard and grant access to the vendor itself as well as users from the vendor’s organization. Traditionally this has been done through help-desk and manual processes, but this can take days or weeks to accomplish which isn’t going to improve efficiencies. By exposing a registration portal to your vendors, they can quickly create and maintain a profile with your company and add or remove users as needed to support the scale of your mutual business process.
- Self-Service, Delegated Administration and Access Request:
Now that your vendor exists and has identities registered with your company, you’ll want to expose capabilities to allow for resetting of passwords and user IDs, as well as request access to your systems for conducting their business with you. If they supply your company widgets for instance, they’ll need access to your inventory control system to understand how many to ship and where. You don’t want to have a large internal staff at your company creating and maintaining these users in all the various business systems. You’ll need to expose excellent self-service and delegated administration functions. The access request mechanism needs to be simple, intuitive and easy to navigate – again to reduce friction and streamline the process. By designating one or more delegated admins, especially in vendors with large numbers of employees, you can streamline access to critical business systems and reduce costs of managing vendor relationships getting a two-for-one benefit that has direct positive implications to the bottom-line of your financials.
- Approvals and Manual Controls:
With all this delegated authority, especially outside of your company, you will need to introduce better controls in the newly enhanced processes. The good news here is that you won’t need an army of employees to govern this. By putting in place single or multi-step approval processes, it will only require a small number of people to allow your company the final say on just who can get access to these critical applications. Furthermore, integrating these services into your help-desk solutions can create additional audit trails – especially when the setup of access requires some sort of manual effort as part of the workflow process. Regardless putting approval processes and in some cases explicit air-gaps in the access request and onboarding processes are a very effective control in limiting access to only key vendor users that require it to conduct their business with your company.
- Roles and Analytics:
I could (and may) write a whole blog just on this topic…Closely related to Access Request and the next topic Access Reviews are “roles”. For the purposes of this article, we just define roles as a grouping of entitlements that may span one or more applications and can be granted to a user in order to provide them that access. Doing this for vendors is not any different than doing it for employees and contractors. However, for many organizations this is a massive undertaking ultimately resulting in less than stellar results. But the well-meaning intentions are not in vein. When a company can successful map entitlements into roles, they simplify access request process, and the access review process considerably. It doesn’t have to be that hard…So how do organizations make roles work effectively, 3 key steps:
- Use a role modeling solution to do application bottom-up and organization top-down modeling to find a minimal number of roles to cover 80-90% of the access entitlements therefore only the remainder become exception handling.
- Periodic review of role composition and ownership for both “birthright” roles and “functional” roles, to ensure the roles continue to map to the current state of your business.
- Leverage real-time analytics to evaluate access and exceptions to suggest new roles as your business evolves. Also analytics can ensure existing roles don’t create unintentional SOD violations especially when coupled with ad-hoc access requests.
Companies that take this approach, tend to have a much greater success delegating administration of access and driving end-user adoption of self-service because it increases convenience, eliminates administrative overhead and simplifies the user experience.
- Access Reviews and Application Governance:
Periodic inspection of who has access, what they have access to, and what they’ve done with that access, in many ways, is why you must do all the aforementioned processes and controls. That said, you’ll also need a good way of facilitating regular access reviews for your vendors. Just like you do access review for your own employees (whether currently automated or not), companies are finding that auditors are requiring them review access for vendors and partners – especially if they are touching systems that are subject to regulations. Depending on the size of the vendor or the number of vendor users that have access to corporate applications, the first step in this review process may indeed be with the delegated administrator or relationship manager at the vendor itself. By empowering the vendor to govern itself they can reduce their risk of having a user from their company create risk or exposure to your company. Ultimately however, someone from your firm will need to review and certify access for all the vendors and their users. These are usually vendor management personnel and the application owners themselves. Access reviews can determine the who and the what, even help pin-point SOD violations, but they also need to tie into SIEMs and UEBA solutions to gain further understand of whether the access is being used enough to justify having it, and whether that access when used, is being done so in accordance to safe and expected behaviour. One more key notion is remediation – if it is determined during the access review, that a vendor’s access is no longer needed or desired – your process should include, where ever possible, automated remediation of the removal of that access, closing the loop and preventing manual administration mistakes from creating an exposure for you and the vendor.
- Access Removal and Off-Boarding:
Finally, there may come a time that either employees of a vendor transfer departments, leaves the vendor outright, or the relationship with a given vendor may come to an end. Providing timely removal of access for these users is critical, especially to your sensitive “crown jewel” apps. Think about the damage that could be done if a person leaves Vendor A, goes to work for Vendor B, but still uses their Vendor A credentials to access your systems? This can be handled in many ways, but most commonly; the delegated admin at the vendor can remove or change access for the user, even remove the user entirely; The vendor may submit a request to a help-desk ticketing system to initiate the change request, especially for manually administered systems; or worst-case it is caught during, and then remediated as part of, the governance process of a periodic access review. The key take-away here is that automating access change and user removal will undoubtedly reduce exposure and improve your risk posture as it pertains to your supply chain vendors.
So, how can Saviynt help?
Obviously, companies that have made this journey are reaping the financial benefits of better vendor relations, reduced friction with their vendor management process and lower economic costs in their supply chain; but perhaps most importantly, they are achieving their goals of better compliance as it relates to regulations and protecting the corporate brand – which ensures customer loyalty.
Saviynt has a rich set of solutions focused on identity administration and governance, application governance, data governance and infrastructure governance that can deliver all the above stated controls to your mission critical supply chain vendors and ensure maintenance of a strong security and compliance posture. Saviynt offers deep out-of-the-box SOD, access governance controls and powerful analytics into “crown-jewel” systems like SAP, Oracle EBS, EPIC, Cerner, Workday and many others – so that you can ensure not only your employees and contractors have just the access they need, but your vendors and partners as well. Lastly, all of these can be delivered as a no-compromises SaaS for hassle-free consumption, at enterprise scale, without maintenance and up-keep burdens.