The Challenge with Non-Employees
The traditional approach to managing identities with homegrown solutions, customized IAM/IGA products, or HR systems is no longer enough. Identity orchestration for third-party, non-employee identities is more complex than ever. Managing the business processes of the identity lifecycle is critical for these identities, as two-thirds of all data breaches today occur because of a third party. Businesses need a solution for managing, identifying, and assessing the risk of every person that touches the corporation, including non-employee identities.
At SecZetta we believe that any system that gets put in place needs to address the complexities that exist when managing varying non-employee population types, associated identities and all the potential relationship(s) with an organization.
Let’s take a look at identities and relationships as they relate to non-employee identities (people and things).
What Is An Identity?
It may seem like a trivial thing but most people in the Identity and Access Management (IAM) space speak about identity and accounts synonymously. There are very important distinctions, and to manage them appropriately it is critical to understand the differences.
Other common identities are Vendor and Account Credentials.
Most importantly, EACH identity has its own, distinct and sometimes complex life cycle. So how should companies be thinking about each? In order to figure that out, one must also consider relationships.
What Are Relationships?
Going back to the Person Identity, we see that the identity data can be a mix of personal data (e.g. name, home address) and data referencing other identities (e.g. Department, Mobile Device). In this case, there is a relationship between the Person identity and other identities.
Likewise, each identity can also have other relationships. A vendor can have a relationship with a Person (i.e. assigned to or owned by that person) and a relationship with your company's Department.
In IAM terms, this is significant. Your company could terminate its relationship with a Person; however, if it is not aware of, or fails to terminate, that Person's other relationships, the Person could retain access to your sensitive data. Often companies are not aware of these identities or relationships and rely on weak controls such as inactivity reports. This is where so many companies fail to mitigate breaches tied to third parties.
Just About Everything With An Identity Has Relationships
We can look at the Person and see relationships with many other identities.
We can look at one of those relationships, the vendor, for example, and see that there are additional relationships which aren’t revealed just by looking at the Person identity: a vendor may have relationships with many people.
In fact, the number of relationships can grow exponentially as the business grows and develops more relationships with third parties. A robust third-party identity management solution must be able to identify and manage all of these relationships.
Why a Third-Party Identity System?
With a successful implementation of a third-party identity solution you should be able to easily answer a few questions:
- How many third parties are in our environment?
- Who is the sponsor of a particular third party?
- What partner does a particular third party work for?
- What is the risk this individual poses to our organization?
- Does this third party still work for said partner, and are they still engaged with us?
If you can’t answer these questions, it is likely you should not be providing access to sensitive data for these individuals!
When you can answer these questions easily, you can also take conditional action. For instance, the level of access a person is allowed should be conditional on several of these factors:
- High risk individuals don’t get highly sensitive access
- Or proactively automating validation that 3rd parties are still engaged
To maintain these answers about the individuals, we need to decouple the idea that an account is synonymous with an Identity. It is not.