The reliance on third-parties and non-employees for essential business and technical operations continues to rise dramatically. The ecosystem of partners, consultants, affiliates, contingent workers, agencies, and other supporting entities have become a core extension of daily operations. Within this ecosystem are supporting technologies and services such as APIs, Service Accounts, IoT devices, bots, and streams of data. This complex mesh of people and technology will always present challenges. One of the most difficult of all is balancing the benefits of this extended ecosystem while managing and mitigating risk.
Understanding third-party risk depends on many elements, but the management of risk ultimately comes down to visibility. We cannot measure or mitigate what we cannot see. The relationship with a third-party begins with people, not organizations. Individual knowledge workers are the ones who get access to mission critical systems, applications and data. It’s ultimately the third-party individuals who pose the risk, not just the third-party organization.
Who or What is a Non-Employee / Third-Party?
A third-party is any entity, individual, organization, or even technology, typically governed by a written contract, that works with a company to provide services and/or products. In fact, the variability of what is considered a third-party highlights how broad and all-encompassing these relationships are. Some examples of third parties include:
● Business and Technology Consultants
● Agencies
● Contractors
● Contingent and Seasonal Workers
● Third-party Technology Services
● MSPs/MSSPs
● Public Cloud Providers
● Lawyers/Accountants/Auditors
● Business Partners and Affiliates
● Resellers
● Service Accounts, Bots and IoT Devices
The Importance of Due Diligence and Non-Employee / Third-Party Risk Management
Areas of risk that require analysis during due diligence, engagement and disengagement need to occur on two distinct levels: The Organization and The Individual Identity:
● Organizational Level - Information security and breach exposure
● Organizational Level - Compliance risks
● Organizational Level - Reputational damage potential
● Organizational Level - Operational and strategic issues
● Individual Level – Standard Business Process for requesting Third Party Identity creation
● Individual Level – Standard Method of vetting and on-barding new Third Party Individuals
● Individual Level – Third Party Identity Lifecycle Management (engage, change, disengage, re-engage)
● Individual Level – Third Party Identity Audit History
The Process of Building a Non-Employee / Third-Party Ecosystem that enables the business while reducing risk
Building a trusted third-party / non-employee ecosystem can be thought of as building a workflow process. However, it should be noted that a non-employee / third-party ecosystem management is an ongoing process akin to a lifecycle. It starts with due diligence –at the organizational AND individual levels, but also includes regular relationship-building exercises:
Pre-engagement and due diligence
Automated due diligence is conducted at the organizational and individual levels. This process often requires cross-organizational collaboration. The due diligence process often involves a series of documents, spreadsheets, and emails that go back and forth to capture the series of steps for individual and organizational onboarding. This process should be captured using a central repository, centralized workflow process, and audit trail that captures all steps in the individual non-employee / third party onboarding process.
Any red-flagged non-employee / third-party can be pushed through a remediation process. Fourth-party (e.g., sub-contracted via a third-party) visibility is often opaque. However, enforcing a centralized process, that can be securely delegated to trusted third parties, can make fourth, fifth, N-parties visible.
Identity Proofing and necessary methods of ensuring third-party individual identities is common practice in physical security principles whereby a security guard will ask for some form of validation of the individual's identity through a state or federal issued identification. This same basic identity proofing safeguards should be considered when implementing digital transformation initiatives.
Continuous monitoring
Once onboarded, automated risk management mandates that non-employees / third-party are monitored to ensure adherence to policies, procedures, and regulations. Continuous monitoring includes ongoing risk assessment, reviews, and technology checks and evaluations.
Offboarding
Automated offboarding captures performance metrics and enables the appropriate business process such as knowledge transfer, documentation, disabling of access, etc. Post-engagement activities is another event within the non-employee / third-party lifecycle. Effective third-party ifecycle management ensures on-going security and risk mitigation, as well as audit readiness.
Conclusion
Anomalix is a global leader in Identity Management that works with business and governments to solve challenges focused on non-employee / third-party Identity Lifecycle Management. Third Party access to assets, information and data extends to human and non-human digital identities. A holistic Third-Party Risk Management approach is inclusive of the the individual and the organizational business and technical impacts to engagement and the subsequent lifecycle events.
If you’d like to learn more about how Anomalix’s IAM solutions can help your organization, contact us for a demo.