Sponsorship and Delegated Administration Are the Keys to Efficient Third-Party Access Management
Complexity. Lack of visibility. Large numbers of vendors with no centralized access control. The increasing reliance on third-party vendors in today’s organizations is a cyber attacker’s dream come true.
In March 2021, more than 1 billion CVS Health search records were accidentally posted online in a data breach incident by an unnamed third-party vendor.
In February 2020, a third-party breach at General Electric resulted in the exposure of personally identifiable information such as names, addresses, Social Security numbers, bank account numbers, passport numbers, and dates of birth. The attacker gained access through a third-party email account.
And the list goes on. One thing’s for sure: it’s imperative to institute an effective third-party access governance program, and that includes managing the additional workload. Here’s an example of how your workload can increase when you add third-party vendors into the equation. Imagine having to manage the identities and access of every employee in your company. Consider all of the different roles and the entitlements that each person should have so that your company can truly embrace a Zero Trust model of cybersecurity. Now, multiply that by the number of relationships you have with third-party organizations and all of their users, and you can see how the workload quickly gets out of hand.
In the first part of this series, we discussed the steps necessary to secure third-party access. The second installment recommends consolidating all of your third-party relationships into a system of record. This allows you to begin to address the biggest challenge with developing a third-party access governance program: most companies have no idea how many third-party relationships they have.
Now, we’d like to focus on the ways you can reduce your third-party access governance workload by using sponsorship and delegated administration to get the work done and stay in compliance.
Teamwork Makes the Dream Work
Because there may be many departments using third-party vendors, teamwork is a critical part of creating a successful third-party access governance program.
It takes a concerted effort to track down all of the contracted organizations providing services to your company, especially since many of the relationships are initiated within individual departments. Finance, IT, marketing, and other groups likely have existing third-party vendors with little consolidated oversight, other than legal or procurement teams negotiating and implementing contracts.
First, you’ll need to identify an internal person to lead the consolidation effort. That person should identify internal and external administrators to make sure that the program starts with a clean consolidation of all vendor relationships. Then you can work together to define roles and responsibilities — and set expectations that should result in service level agreements.
Today, cross-company access to systems and data heightens the cybersecurity risks that companies must monitor and mitigate. Defining third-party accountability, ensuring a company’s sensitive information remains secure, and requiring that any breaches be immediately disclosed should now be standard contract terms.
Delegate Regular Access Reviews to the Third-Party Administrator
Best practices that reduce risk and boost efficiencies include using self-service registration, identity proofing, and applying policies. It’s also important to delegate regular access reviews to the third-party administrator to minimize your governance burden and keep the third party in touch with what’s happening with their employees. Having up-to-the-minute access review visibility keeps both you and the third-party organization in sync — and reduces risks associated with orphaned accounts.
Regular access reviews are a best practice and, when combined with certifications, can help a company identify any potential risks by putting monitoring and mitigating controls in place. This approach ensures third-party users are not completing activities outside their granted access. If such activities do occur, they can be stopped immediately and the organization can revoke access before serious damage occurs. In some cases, these activities are accidental and can be quickly corrected. But if they are malicious, the third-party organization can deal with the issue. This creates greater trust between the two organizations, knowing that they are working together to provide a safe and secure business environment and can eliminate potential harm to either organization.
Secure Third-Party Access With the Same Seriousness You Secure Employee Access
As third-party relationships become more prevalent, regulators and auditors see access administration as a growing threat vector. Companies need to take their third-party access as seriously as they do their employee access. By tapping the power of teamwork and regular communication between the third-party vendor and your company, you reduce complications and increase visibility by coordinating efforts, resulting in greater efficiency and lighter workloads.
Having clear reporting and documentation that shows the company is focused on Zero Trust and provides the least privileged access necessary will impress auditors — and more importantly, help protect against cyberattacks.
Perhaps most important, the company can move forward with the third-party resources, specialized skills, and on-demand workforce to continue to drive business results and shareholder value safely.
In the final blog in this series, we’ll look at how automation improves third-party user management.