Vendor access management has become a key component of organizational security. User registration and seamless sign-on are only the first steps toward securing vendor access. Organizations need to manage all the risks associated with vendor identities, specifically the granular access associated to the enterprise applications. Regardless of organizational size, focusing on vendor identity administration and governance will enhance security and meet increasingly stringent compliance requirements for maintaining information integrity.
What Federation Can and Cannot Secure
Managing vendors and contractors is much more than just onboarding another population of identities; they are rarely directly managed by the organization, but still sometimes need privileged access to fulfill their obligations. Organizations have to consider much more than just creating a “federated” vendor account in today’s business market. Traditionally, one of the biggest fears for managing vendors’ and contractors’ access was remembering to remove access when the contract ended. In an attempt to manage this risk, most companies attacked the problem using a federation. Federation delivers streamlined authentication, protecting access to systems and data from external threats. However, this approach has limitations. Federation does not provide last-minute provisioning of fine-grained access, a deficiency which often leads to manual processes. Since the addition of the access is manual, the removal is often neglected, resulting in overprovisioned access in endpoint applications. To protect data integrity, confidentiality, and availability, companies need to monitor vendor access privileges and enforce time-bound rules. For example, an organization may provide privileged access rights to IT consultants onsite to implement a solution. The consultant signs in to the corporate network and into the privileged account via SSO. SSO prevents individuals other than the contractor from obtaining access to the company’s cloud environment. However, upon the contract’s termination, the company needs to ensure that the consultant no longer has access. Continued access to cloud-based applications can lead to malicious or accidental data corruption.
How to Prevent Vendor Access Misuse
While many companies understand the external risks that vendors pose, they can often find managing the internal threats overwhelming. However, internal threat management mirrors external processes.
Start with Service Level Agreements (SLAs)
All business partner relationships begin with the contract. SLAs define the relationship between the two parties, including security controls and access to data assets. To comply with internal controls, companies need to clearly define access requirements based on unique contractual requirements and ensure “least privilege necessary.” To prove governance over their compliance, they need intelligent identity that enables them to audit and reconciles identity changes as well as auditing vendor setup and identity maintenance processes. They need a way to prove that the vendor access and identity aligns with the controls set forth in the SLA.
Continuously Monitor Access and Activity
Whether human or application, vendors with privileged access place sensitive information at risk of a data breach. Vendors need access to internal organization information and platforms that allow them to meet contractual requirements. Whether using SaaS applications to collaborate on documents or PaaS for DevOps, vendors request access to an integrated set of cloud locations. However, to protect data and meet increasingly burdensome compliance requirements, organizations need to monitor that access during and after the contractual period. For example, organizations hire vendors on an as-needed basis. An IT contractor may come onboard to help deploy a solution. This vendor needs privileged access to complete the contracted work. However, once the contract terminates, the company needs to revoke the privileged access. Moreover, in some cases, the company brings the vendor back on to update the solution. Intelligent identity streamlines the suspend/deactivate/rehire process to better secure access. Moreover, vendor identity and access analytics ease the process of establishing permissions by using peer-to-peer analysis so that the company can find similarly situated vendors and use these attributes.
Ensure Compliance with Data Retention Requirements
The European Union (EU) General Data Protection Regulation (GDPR) incorporated a “right to be forgotten.” While most companies focus on the right to be forgotten in terms of consumer information, this also applies to contractors. Organizations lacking governance over vendor access may violate the right to be forgotten by maintaining contractor information longer than necessary or being unable to locate information upon request. A primary objective within GDPR is the capability to provide opt-outs. To maintain compliance with the far-reaching regulation, companies need automation that eases this process.
Protect Data Sovereignty
Organizations adopting modernized IT infrastructures need to ensure that their CSPs maintain data in specific geographic servers. Part of maintaining data sovereignty requires cloud privileged access management strategies that allow the enterprise to monitor access and storage across the ecosystem.
How To Ease Vendor Access Risks
To manage the unique struggles incorporated in vendor access, organizations need intelligent IGA solutions that enable them to monitor and document who accesses data, what data they access, when they access the data, from where they access the data, why they access the data, and how they access the data. There are a number of very key use cases which organizations need a modern IGA solution to solve. From the first interaction with the vendor, issuing invitations to create an account is the new paradigm. Saviynt’s Identity 3.0 helps organizations wrap governance around the account invitation process, triggering its issuance it via a contract ingestion or sponsor request and including an automatic end date. Whether it is a discrete vendor add or a bulk import, the solution enables identity proofing during account creation to add another layer of identity assurance and security. But once a vendor is onboarded, sponsorship and local vendor tenant admins can fall through the cracks when a sponsor leaves or moves within the organization. Saviynt’s solution provides for automatic sponsor/tenant admin succession, whether it’s individual or bulk. When a vendor needs access to a high-risk or privileged resource, Saviynt provides the governance around that request, easily including the control of an end date and requiring reviews of the access. Even if the sponsor leaves, the processes Saviynt puts in place won’t let the vendor accounts fall through the cracks. Of course, Saviynt wraps all of the other identity governance capabilities around vendors to ensure that common actions like data reconciliation to Azure AD, access reviews, and access requests. There are more nuances to vendors, however, such as the frequent need to deactivate and reactivate the same account, with the same rights, when a contract ends briefly before being renewed. Or, vendors often have a different set of privacy rights under GDPR and similar legislation, and an organization needs Saviynt’s right-to-be-forgotten capabilities. Saviynt understands and works to fulfill the full wealth of unique use cases around vendors. Our solution helps organizations to do the same.
Why Saviynt? Intelligent Access. Smarter Security
Saviynt starts with people – who they are and what applications they need – to create a holistic set of identities across the cloud ecosystem. This approach enables customers to govern vendor access from cradle to grave, providing continuous visibility of access to enforce internal controls that align with regulatory and industry standard mandates. Saviynt’s intelligent access request and certification interfaces incorporate a powerful analytics
engine to help evaluate the current processes and identify risks within the organization. If you would like to talk more about how Saviynt eases vendor access management burdens, please contact us for a demo