Managing Third-Party Risk: Technology-Centric Considerations

November 3, 2020

Regardless of the business model or industry vertical, technology plays a critical role in efficiently operating and managing critical business functions. The emergence of leveraging Third Parties has become synonymous with dynamic, agile and digital business models. The 4th Industrial Revolution has taught us that critical Third Party services are now being performed by humans and non-human service accounts, Bots and Things. Third Party Human and non-human identities and lifecycles are often de-centralized and the business process associated with the lifecycle events are ad-hoc. The due diligence and risk management that often occurs at the organizational level for third-party vendors, needs to be extended to the individual level. Regardless of whether the identity is a Human or a corporate Non-Human asset.

Third-party vulnerability is a common culprit in many modern data breaches. Cybercriminals view third-parties as ideal pathways to breach a larger enterprise. A recent example is the Cultura Colectiva Breach. The company developed a third-party Facebook app, which was not secured and was consequently breached, allowing for the exposure of 540 million data records.

Types of Software Used in Third-Party Ecosystems

Software is a key enabler of successful and streamlined third-party ecosystems. The mass-adoption of Software-as-a-Service (SaaS) solutions has made data sharing, interacting, and collaborating with third parties much easier. Take these well-known examples:

● Salesforce offers Customer Relationship Management (CRM) SaaS packages for third-party and customer management

● Slack is a SaaS collaboration portal that allows teams to collaborate on projects

● Atlassian offers project management and tracking software

● BambooHR is an HR-as-a-Service for tracking applicants and managing various aspects of company employee culture

All of the above systems also have their own ecosystem of associated applications and application programming interfaces (APIs). However due to configuration variability and communication features, the technology used in the most common third-party ecosystems has the potential to open up many security gaps inherently through the hyper-connected infrastructure of SaaS.

Third-Party Technology Management Considerations

Security and compliance risk assessments should be extended to both products as well as people. The following considerations are key to managing the technological risk of third-parties:

Policies on technology stack use across an ecosystem

Security policies must include the extended nature of SaaS solutions and other third-party apps and APIs. This assessment should include:

● Usability. Poor usability can lead to circumvention and other security problems.

● Security and configuration. Today, a third-party's security posture and operating environment are just as important as your own.

● Functionality. Third-party technology that inherently facilitates security is important. For example, does a given solution support multi-factor authentication (MFA) or single-sing-on (SSO) standards?

Third-party identity management vs. access management (IAM)

Technology solutions must also be able to properly support the full identity lifecycle of third-party individuals spanning engagement, change, disengagement, and even re-engagement. Important questions to ask include: “Does your current access management system support all identity lifecycle activities?”, “Does it address the risk management assessment?”, and “How are third-party individuals treated in comparison to third-party technologies?”

Penetration testing, auditing, and monitoring of ecosystem technologies

Penetration testing of any solution should include the use of that software by third-parties. In addition, visibility is a fundamental part of managing third-party risk. Important questions to ask are: “Does the solution support the auditing and monitoring of third-party use? “Does your current identity and access management system (IAM) support all identity (human and non-human) lifecycle activities?”

Conclusion

Trying to evaluate how both technological components and individuals properly fit into your third-party and individual risk model? Unsure about your vulnerabilities and want to better manage non-employees / third-parties at your organization? Anomalix is the first and only trusted identity management solution provider in the world and it does all that and more.

Anomalix’s patent-pending, purpose-built trusted identity management system elegantly automates both lifecycle and risk management for non-employee / third-party individuals and services.

If you’d like to learn more about how Anomalix’s world-class solutions can help your business, contact us for a demo. 

Download this blogBack to blog

Mohammed Elkhatib

Founder and CEO

Mohammed is an Identity Management and Access Governance thought leader with over 16 years of Information Security experience and over 20 years of IT and Business experience. Mohammed has worked with over 500 Identity Management and Access Governance clients. Mohammed’s significant and numerous contributions at the most successful Identity and Access related startups have led to three successful exits in excess of $825MM.

View Linkedin