Vendor Access Management (VAM) is the process of managing third-party access to your organization’s computer systems. VAM systems grant vendors temporary, “least privilege” access to an organization’s systems on a need-to-access basis, and when a vendor no longer needs access, the VAM system simplifies revoking it.
Providing third-party access to your organization’s systems involves particular risks, and poor vendor access management may result in a security breach.
| Industry | Examples of third parties |
|---|---|
| Healthcare | Contract doctors and nurses; medical billing; suppliers; clinics and outpatient services |
| Government | Healthcare contractors; postal contractors; IT services; suppliers |
The use of third-party resources is widespread throughout many industries, yet many organizations don’t know how many of these relationships they have.
Managing vendor onboarding without a centralized process is a challenge that leads to a variety of different workflows. The process for setting up accounts and granting permissions varies across the board. Without a direct means of flagging accounts as temporary or mapping them back to their respective managers, orphaned accounts can persist well beyond their acceptable lifespan, creating challenges for maintaining compliance.
Additionally, visibility into the full scope of the onboarded vendor’s access must be maintained in the system to ensure compliance. Auditors are more inclined to look for third-party risks since most companies haven’t applied the same scrutiny and resources to third-party relationships as they have to employee identities. To combat these risks, organizations must have a consistent methodology for onboarding vendors, ensuring full visibility into an identity’s access and managing the lifecycle of their access from onboarding to decommissioning.
As best practices for managing vendor access, we recommend these five steps:
Consolidation doesn’t have to happen all at once. You can begin with finance and procurement. Any contractor providing services to any department in your company should be identified and cataloged in an authoritative System of Record (SoR) that includes any standing access privileges assigned to current users. There should be multiple gateways for onboarding, including delegated and federated onboarding.
Your company should scan usage records to determine when each third-party organization last used its credentials. This step allows you to locate and mitigate orphaned accounts. Credentials that have not been used within a specified period should be flagged for follow-up, and de-provisioned if the user has left or moved to a different role.
This is also a good time to assign sponsorship and joint accountability to third-party administrators. These administrators have better visibility into joiners, movers, and leavers within their own companies and should be the focal point for recurring access reviews and certifications. Service-level agreements (SLAs) that stipulate the third-party organization’s responsibilities and commitment to administrative support should be added as contract renewals occur.
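A minimal version of the usage scan described above, written for this article as an added example (not Saviynt’s code): it evaluates a constructed vendor-account inventory against a stale-use threshold, contract end date and sponsor assignment. The 90-day threshold, the field names and the sample records are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

UTC = timezone.utc
STALE_AFTER = timedelta(days=90)  # assumed review threshold; set per policy

@dataclass(frozen=True)
class VendorAccount:
    """One third-party account as the System of Record should hold it."""
    user: str
    vendor: str
    sponsor: Optional[str]            # internal owner accountable for reviews
    contract_end: Optional[datetime]  # time-based access expiry
    last_used: Optional[datetime]     # last credential use from usage records

def classify(acct, now, stale_after=STALE_AFTER):
    """Return policy findings for one account; an empty list means compliant."""
    findings = []
    if acct.sponsor is None:
        findings.append("no-sponsor")        # nobody to certify the access
    if acct.contract_end is not None and acct.contract_end < now:
        findings.append("contract-expired")  # access should already be revoked
    if acct.last_used is None:
        findings.append("never-used")        # provisioned but idle since onboarding
    elif now - acct.last_used > stale_after:
        findings.append("stale")             # idle beyond the review window
    return findings

def review(accounts, now):
    """Map each non-compliant user to its findings; compliant users are omitted."""
    return {a.user: f for a in accounts if (f := classify(a, now))}

def deprovision_candidates(report):
    """Users whose findings warrant revocation rather than a follow-up question."""
    hard = {"contract-expired", "no-sponsor"}
    return sorted(u for u, f in report.items() if hard & set(f))

# Constructed sample inventory (not real data), evaluated as of a fixed date.
NOW = datetime(2024, 6, 1, tzinfo=UTC)
SAMPLE = [
    VendorAccount("billing-svc-01", "MedBill Inc", "j.doe", datetime(2025, 1, 31, tzinfo=UTC), NOW - timedelta(days=3)),
    VendorAccount("ext-nurse-07", "StaffCo", "r.lee", datetime(2024, 3, 31, tzinfo=UTC), NOW - timedelta(days=100)),
    VendorAccount("it-consult-22", "NetServ", None, datetime(2024, 12, 31, tzinfo=UTC), None),
]

if __name__ == "__main__":
    for user, findings in review(SAMPLE, NOW).items():
        print(f"{user}: {', '.join(findings)}")
    print("deprovision:", deprovision_candidates(review(SAMPLE, NOW)))
```

Accounts flagged only as stale or never-used go to the sponsor for follow-up; expired contracts and sponsor-less accounts go straight to the de-provisioning queue.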
Your company and the vendor need to determine a workflow for vetting and onboarding users to ensure they are who they say they are and that their onboarding process follows the concept of least privilege. They should be given only the appropriate access to complete their assigned roles. The role definitions should be specific to the actual tasks and not simply duplicated because the roles are similar.
Having a clear workflow between your company sponsor and the third-party administrator will reduce the phone calls and emails that typically slow down the process.
Your company and the vendor should define and continually optimize policies and controls to identify potential violations and reduce false positives, which helps reduce administrative workload.
Test policies and controls regularly – monthly or quarterly – with the administrators from your company and third party. Running periodic access reviews and ongoing certifications will help ensure no user is over-provisioned and that orphaned accounts won’t provide a conduit into sensitive data.
Vendor access is rising in importance with several regulatory frameworks and is becoming a focal point for auditors. For example, Sarbanes-Oxley (SOX) includes several controls for managing third-party risk:
Ultimately, the goal is to bring all vendor access under the same compliance required of employees, so there is consistency across the entire workforce, and any violations get mitigated quickly. You can tie compliance controls to user type and enact auto-remediation policies to take swift action on non-compliant identities.
Having out-of-the-box regulatory compliance reports for Sarbanes-Oxley, HIPAA, GDPR, PCI-DSS, and others makes it easier to enforce compliance controls and more efficient to provide audit documentation.
Once you complete the first four steps, you can raise your cybersecurity maturity through converged governance of your entire workforce using a combination of Identity Governance and Administration (IGA), Privileged Access Governance, and Third-Party Access Governance.
Using a system that provides a converged view gives you a single pane of glass with complete visibility of your entire workforce. It also provides another layer of safety by immediately revoking access to downstream systems when warranted, and by providing time-based access so that access is revoked when a contract ends. Adding Application Access Governance lets you identify potential and actual cross-application Separation of Duties (SoD) violations across SaaS and on-premises applications.
Saviynt’s Third-Party Access Governance (TPAG) solution mitigates third-party identity security risks in enterprise ecosystems. It allows organizations to apply the same compliance controls to third parties as they would to employees. Any identities found to be non-compliant can be managed through auto-remediation actions that bring them back into alignment.
Saviynt’s Enterprise Identity Cloud (EIC) converges IGA and TPAG in a single platform that streamlines onboarding, automates compliance activities, and documents governance. For example, here are some of the features relevant to managing vendor access:
- Tailor invitation processes, creation policies, and end dates
- Assign sponsors and initiate access reviews to prevent orphaned accounts
- Use just-in-time provisioning to grant access with no standing privileges
With TPAG, you can securely manage third parties throughout the engagement lifecycle. Internal and external sponsors shepherd the account from inception, through access management, periodic reviews, and eventual decommissioning.
Learn more about Saviynt’s Enterprise Identity Cloud and Third-Party Access Governance.