VAM: Who Do You Trust?

MJ Kaufmann

Security Specialist

The impact of COVID-19 goes far beyond physical health, and the long-term impact is only now being assessed. The sudden mass migration of workforces to fully remote operation has left organizations dealing with new cybersecurity risks and navigating a vastly expanded attack surface. What does this mean for those who rely on vendors and contractors? It means that, now and into the future, organizations face new vendor access management risks because their third-party business partners’ workforces are now mostly, if not entirely, remote.

Few if any modern organizations function without the use of contractors or vendors. Even fewer of them want the burden of managing these non-employees in their HR system, which is often the authoritative identity source for their IT ecosystem. In providing much-needed services, individuals associated with third parties often require access to organizational resources such as shared tools, applications, or data sets. Rarely will they need ongoing access, which means it’s only appropriate to grant this access for a limited period. Ensuring that this access is properly managed and removed in a timely fashion is imperative, and it is just one of the many vendor access management challenges organizations must overcome. Saviynt plays a key role in helping many organizations simplify the vendor access management process and reduce non-employee risks.

Hitting a moving target

When working with third-party organizations, the identities are rarely managed directly by the enterprise but instead by the sponsored entity itself. The third party manages its own staffing, and turnover may dictate that it circulates different individuals onto a project to deliver the appropriate knowledge or expertise. Throughout the duration of a project, some individuals may stay while others rotate in and out. All of them require access, and that access requires frequent updating of permissions to critical assets. Provisioning, deprovisioning, and risk remediation are burdensome, and both that burden and the lag time increase as volume scales.

Saviynt is a master of birthright provisioning and access management throughout the identity lifecycle. As a new user is brought in, no matter their affiliation, Saviynt utilizes its intelligent analytics to review similar peer access and grant appropriate birthright permissions throughout the organization’s IT ecosystem. These permissions are subject to periodic review by the sponsor to ensure that permissions granted are still appropriate. When a user’s access is removed because they are no longer on a project, Saviynt will roll back and remove their permission throughout the organization to ensure smooth and timely transition.

Consistency is Key

Organizations commonly have multiple methods of non-employee onboarding depending on the business unit. One approach is to make the third-party associate a user in the organization directly; another is to use federation to allow the third party access while falling back to manual assignment of rights and permissions. While federation removes the fear of forgetting to end access after a non-employee terminates employment, it does not provide last-minute provisioning of fine-grained access, which often leads to a manual process instead. Inconsistencies such as these make organizations reluctant to collaborate with vendor companies for fear that exposure will arise from how access is provisioned and managed. Efforts to simplify methods of non-employee access management risk dangling permissions, missed deprovisioning of assets, or over-assignment of permissions.

Saviynt’s vendor onboarding process uses a standardized sponsorship approach. Each non-employee entity has an internal sponsor who manages it and all its associated contractors throughout the lifecycle of their engagement. This sponsor sends out invitations to the third party, leading to a form that creates a guest user for them. This user is then associated with the sponsor throughout their lifecycle. Saviynt also integrates with authentication solutions to allow the benefits of federation, such as expanding upon the metadata that comes from identity providers such as Azure B2B. This allows ease of access for the external entity while still removing the administrative overhead for your organization.

To ensure in-depth oversight, the sponsor is given a single-pane-of-glass interface that shows the risk context of what the guest users have access to and allows the sponsor to manage that access. This visibility helps decrease risk. Through this interface, periodic reviews are conducted to ensure the access is still needed and appropriate. The interface also provides a view into how the guest identities’ access has been utilized.

Removing Barriers

Many Vendor Access Management (VAM) solutions rely upon IGA solutions to ensure access governance for the vendor. Unfortunately, most IGA solutions are designed with reliance upon the VAM solution to handle all of the identity governance. With each portion handling only part of the picture, visibility of the full ecosystem is extremely limited, as neither solution shares its context with the other. In turn, they lack the context of overall risk for any given identity.

Saviynt takes a different approach, converging both IGA and VAM into a single platform, destroying the barriers and consolidating access governance and identity governance. Vendors are managed through a single authoritative identity that is managed through their sponsorship. The sponsor has a single pane of glass not only to manage the vendor’s access but also to see a holistic view of what the identity has access to and the overall risk associated with that access. This convergence of both identity and access provides an in-depth VAM solution that allows organizations to collaborate with vendors while still protecting their organization and adhering to compliance rules.

A Better Way

In spite of a rapidly changing threat landscape, collaboration remains a driving force for innovation. Safe third-party collaboration requires the aid of a robust IGA and VAM solution to provide visibility of both non-employee access AND activity. Saviynt takes IGA+VAM to the next level by re-inventing the process and removing artificial barriers. It streamlines vendor onboarding while implementing a framework that makes it simple for internal sponsors to empower third-party associates to create their own managed users with your organization. Users who are automatically granted birthright access are managed and followed by their internal sponsor throughout the lifecycle of their engagement in a project. As the access requirements for these users progress over time, the need to increase the profile detail increases as well.

By simplifying the process, the internal sponsor can easily manage the rights and permissions granted to various identities, while Saviynt captures the needed profile details inline between the connected systems throughout the ecosystem. While it is great to progressively profile non-employee users, this is only half of the security story; the other half is the activity of the users. After access is granted, the activity of the third-party user needs to be monitored for anomalous behavior and access changes that could represent risk to the organization. Saviynt seamlessly brings these data elements together, providing a business-friendly view of the relevant risk that the data represents.

To learn more about how Saviynt reinvents the way vendor access is handled and to reduce vendor access management risks for your organization, sign up today for a demo or join us for our upcoming webinar.
