Vendor Access Management (VAM)

What is Vendor Access Management (VAM)?

Vendor Access Management is the process of managing third-party access to your organization’s computer systems. VAM systems provide “least privilege” temporary access for vendors to an organization’s systems on a need-to-access basis. When a vendor no longer needs access, the VAM system will simplify the process of revoking access.

Providing third-party access to your organization’s systems involves particular risks, and poor vendor access management may result in a security breach.

Risks of Poor Vendor Access Management (VAM)

It’s common for today’s enterprises to have suppliers, service providers, and technologies (human and non-human) touching sensitive data. The risks are high. A study from the Ponemon Institute noted “66% of companies surveyed had no idea how many third-party relationships they had or how they were managed, even though 61% of the surveyed companies reported having a breach attributable to a third party.” New types of attacks and increased oversight from regulators make managing third-party relationships critical to your business.

Industry: Use Case

  • Healthcare: Contract Doctors and Nurses; Medical Billing; Suppliers; Clinics, Outpatient Services
  • Manufacturing: Contract Manufacturers; Suppliers; Distribution; Customers
  • Retail: Seasonal Workers; Franchisees; Suppliers; eCommerce
  • Government: Healthcare Contractors; Postal Contractors; IT Services; Suppliers

The use of third-party resources is widespread throughout many industries, yet many organizations don’t know how many of these relationships they have.

Managing vendor onboarding without a centralized process is a challenge that leads to a variety of different workflows. The process for setting up accounts and granting permissions varies across the board. Without a direct means of flagging accounts as temporary or mapping them back to their respective managers, orphaned accounts can persist well beyond their acceptable lifespan, creating challenges for maintaining compliance.

Additionally, visibility into the full scope of the onboarded vendor’s access must be maintained in the system to ensure compliance. Auditors are more inclined to look for third-party risks since most companies haven’t applied the same scrutiny and resources to third-party relationships as they have to employee identities. To combat these risks, organizations must have a consistent methodology for onboarding vendors, ensuring full visibility into an identity’s access and managing the lifecycle of their access from onboarding to decommissioning.

Best Practices for Managing Third-Party Access

As best practices for managing vendor access, we recommend these five steps:

Step #1: Consolidate Third-Party Organizations

Consolidation doesn’t have to happen all at once. You can begin with finance and procurement. Any contractor providing services to any department in your company should be identified and cataloged in an authoritative System of Record (SoR) that includes any standing access privileges assigned to current users. There should be multiple gateways for onboarding, including delegated and federated onboarding.

Your company should scan usage records to determine the last time third-party organizations used the credentials. This step allows you to locate and mitigate orphaned accounts. Credentials that have not been used in a specified time should be flagged for follow-up and de-provisioning if the user has left or is in a different role.

This is also a great time to assign sponsorship and joint accountability to third-party administrators. These administrators have better visibility to joiners, movers, and leavers from within their companies and should be the focal point for recurring access reviews and certifications. Service-level agreements (SLAs) that stipulate the third-party organization’s responsibilities and commitment to administrative support should be included as contract renewals occur.
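
The usage scan and sponsor check described in this step, as an added example (not Saviynt's code or API): it reviews a constructed account inventory and flags credentials that are unused, past their contract end date, or missing a sponsor. The record fields, the 90-day threshold, and the reason labels are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed threshold; the page says only "a specified time".
STALE_AFTER = timedelta(days=90)

@dataclass
class VendorAccount:
    username: str
    vendor: str
    sponsor: Optional[str]        # internal owner accountable for the account
    contract_end: Optional[date]  # None = no end date recorded
    last_used: Optional[date]     # None = credential never used

# Constructed sample records standing in for an export from the System of Record.
SAMPLE_ACCOUNTS = [
    VendorAccount("acme-billing-01", "Acme Billing", "j.doe", date(2025, 12, 31), date(2025, 5, 28)),
    VendorAccount("acme-billing-02", "Acme Billing", "j.doe", date(2025, 12, 31), date(2025, 1, 10)),
    VendorAccount("northwind-svc", "Northwind IT", None, date(2025, 3, 31), date(2025, 5, 30)),
    VendorAccount("contoso-temp", "Contoso Staffing", "m.lee", None, None),
]

def review_account(acct, today, stale_after=STALE_AFTER):
    """Return the reasons this account needs follow-up (empty list = clean)."""
    reasons = []
    if acct.sponsor is None:
        reasons.append("no-sponsor")          # nobody to certify or revoke access
    if acct.contract_end is None:
        reasons.append("no-end-date")         # cannot be treated as temporary
    elif acct.contract_end < today:
        reasons.append("contract-expired")    # access outlived the engagement
    if acct.last_used is None:
        reasons.append("never-used")
    elif today - acct.last_used > stale_after:
        reasons.append("stale-credential")
    return reasons

def flag_accounts(accounts, today):
    """Map username -> reasons for every account with at least one finding."""
    findings = {a.username: review_account(a, today) for a in accounts}
    return {user: r for user, r in findings.items() if r}

if __name__ == "__main__":
    for user, reasons in flag_accounts(SAMPLE_ACCOUNTS, date(2025, 6, 1)).items():
        print(f"{user}: {', '.join(reasons)}")
```

An account that is still in active use can be flagged too: `northwind-svc` was used two days before the review date but has no sponsor and an expired contract, which a last-used scan alone would miss.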

Step #2: Institute Vetting and Risk-Aware Onboarding Processes

Your company and the vendor need to determine a workflow for vetting and onboarding users to ensure they are who they say they are and that their onboarding process follows the concept of least privilege. They should be given only the appropriate access to complete their assigned roles. The role definitions should be specific to the actual tasks and not simply duplicated because the roles are similar.

Having a clear workflow between your company sponsor and the third-party administrator will reduce the phone calls and emails that typically slow down the process.

Step #3: Define and Refine Policies and Controls

Your company and the vendor should define and continually optimize policies and controls to identify potential violations and reduce false positives, which helps reduce administrative workload.

Test policies and controls regularly – monthly or quarterly – with the administrators from your company and the third party. Running periodic access reviews and ongoing certifications will help ensure no user is over-provisioned and that orphaned accounts won’t provide a conduit into sensitive data.

Step #4: Institute Compliance Controls for the Entire Workforce

Vendor access is rising in importance with several regulatory frameworks and is becoming a focal point for auditors. For example, Sarbanes-Oxley (SOX) includes several controls for managing third-party risk:

  • APO10.01/APO10.02: Vendors must be selected per the organization’s third-party vendor risk management policy and processes
  • APO10.03: A designated individual must regularly monitor and report on whether third parties are meeting the organization’s service level performance criteria
  • APO10.04: Third-party service contracts must address the various risks, security controls, and procedures to protect information systems and networks.

Ultimately, the goal is to bring all vendor access under the same compliance required of employees, so there is consistency across the entire workforce, and any violations get mitigated quickly. You can tie compliance controls to user type and enact auto-remediation policies to take swift action on non-compliant identities.

Having out-of-the-box regulatory compliance reports for Sarbanes-Oxley, HIPAA, GDPR, PCI-DSS, and others makes it easier to enforce compliance controls and more efficient to provide audit documentation.

Step #5: Implement Converged Governance

Once you complete the first four steps, you can raise your cybersecurity maturity through converged governance of your entire workforce using a combination of IGA, Privileged Access Governance, and Third-Party Access Governance.

Using a system that provides a converged view gets you a single-pane-of-glass for complete visibility of your entire workforce. It also provides another level of safety by immediately revoking access to downstream systems if warranted and providing time-based access so that access gets revoked when a contract ends. Adding Application Access Governance can allow you to identify potential and actual cross-application Separation of Duty violations across SaaS and on-premises applications.

Saviynt & Vendor Access Management (VAM)

Saviynt’s Third-Party Access Governance (TPAG) solution is able to mitigate the third-party identity security risks in enterprise ecosystems. It allows organizations to apply the same compliance controls as they would to employees. Any identities found to be non-compliant can be managed through auto-remediation actions to bring them back into alignment.

Assess Risk During Onboarding

Tailor invitation processes, creation policies, and end dates

Ensure Governance with Sponsors

Assign sponsors and initiate access reviews to prevent orphaned accounts

Provide Seamless Third-Party Access

Secure remote access to internal or cloud resources without a VPN

Gain Cross-Functional Controls

Enable controls cross-mapped across regulations, industry standards, platforms, and control types

Protect Your Data

Block external file-sharing and require authorization for third-party data release

Implement Least Privilege

Use just-in-time provisioning to provide access with no standing privileges

Saviynt’s Enterprise Identity Cloud (EIC) converges IGA and TPAG in a single platform that streamlines onboarding, automates compliance activities, and documents governance. For example, here are some of the features relevant to managing vendor access:

  • Simplify Vendor Onboarding with B2B Invitation Support to
  • Leverage Risk-Based Identity and Access Governance Controls
  • Assign Sponsors/Owners
  • Manage Identity & Access Lifecycle with Authoritative Sources of Identity
  • Share External Files with Risk-Based Data Access Governance Controls
  • Simplify Compliance with Saviynt’s Control Exchange
  • View Risk Holistically
  • View Fine-Grained Entitlements

With TPAG, you can securely manage third parties throughout the engagement lifecycle. Internal and external sponsors shepherd the account from inception, through access management, periodic reviews, and eventual decommissioning.
