Introduction
The changes over recent decades in business and government IT environments have rendered the traditional security model obsolete. Adversaries grow steadily more sophisticated and take advantage of every attack surface, including the ones that emerged from the shift away from on-premises "fortresses". A set of principles called zero trust has been developed over the past decade to address this situation. A Zero Trust methodology must be applied to Third Party identities as well. Third Party identities are not typically vetted by HR and are subject to informal, manual lifecycle processes to identify, approve, onboard, manage and off-board them. Zero Trust IAM for Third Party identities can automate and streamline the manual business processes associated with lifecycle events such as engagement, change, disengagement and re-engagement. Enforcing business, security and compliance policies throughout the lifecycle is imperative to managing and mitigating risk.
Massive Increase in Risk
Numerous recent reports[1] have catalogued the sharp rise in system breaches and ransomware attacks. The number of attacks has been increasing for years. Awareness, and often preparedness, have also increased in many organizations. U.S. regulators such as the FTC are considering closer scrutiny of businesses' cybersecurity[2]. In spite of this, security teams do not seem to be able to reduce the risk of computer system compromise.
On the positive side, security risk assessment methods and frameworks are freely available. Several threat modeling methodologies exist for identifying security risks. Automated tools can identify patterns of behavior that indicate imminent or active attacks. Computer security is a relatively mature field with a common vocabulary and a shared concept of risk. The federal government is developing programs[3] to increase the size and improve the training of the cybersecurity workforce. Federal agencies are increasing staffing[4]. In spite of these positive conditions, security teams are having a harder time protecting digital assets, and more of those digital assets are being delegated and assigned to Third Parties. Reliance on Third Party individuals and services to execute the mission will continue to increase.
Misguided Placement of Trust
Security controls often continue to be deployed in a castle-and-moat approach. This involves coarse segmentation of employees and assets into a single enclave, or scattered across a few enclaves. The rest of the world - entities and devices - is considered to be outside this enclave. And there are only a few gateways into the enclave. This approach no longer models the actual state of affairs where users access enterprise resources on devices and via infrastructure not owned by the enterprise, and the resources themselves might not reside on enterprise-owned infrastructure. Third Party identities often require privileged access to perform mission critical business and technical operations.
Third Party risk management must be extended to the individual identity level to achieve full visibility and control. The process to identify, request, approve and onboard Third Party identities is often conducted via emails, meetings, spreadsheets and other ad hoc manual processes. The process often requires collaboration across multiple Lines of Business, HR, IT, Security, Risk and Compliance personnel. Third Party identities and service accounts alike require standardized business controls, processes and risk mitigation efforts.
Third Party Risk Management needs visibility into the individual identities, not just organizations
The current business process to create, onboard and manage third party identities is disparate and requires a great deal of internal collaboration between LoB managers, HR, IT and Operations, as well as with the external organization. Manual processes, emails, phone calls and spreadsheets are the typical activities that precede the creation and management of any third party identity. Unlike employees, for whom HR is the authority for identification and vetting, third parties are handled through ad hoc and often out-of-band processes.
The average time to identify a third party that requires onboarding to the time the identity is created can vary between 4-8 weeks. There is typically very little by way of audit history and ability to react to lifecycle events of either the third party individual or the sponsor of that individual. By automating the business process associated with identification and vetting of third parties, organizations can implement repeatable policies and procedures that ensure risk is properly managed on an individual basis, not just at the organizational level.
Automation of Third-party Identity Lifecycle
Having a definitive inventory of identities is the first pillar of zero-trust IAM operations, and one of the biggest gaps in any organization is third-party identities, whose lifecycle often falls outside the Human Resource Information System (HRIS) entirely. An authoritative repository is the foundation for managing the third-party identity lifecycle. Third-party identity lifecycle management oversees the engage, change, disengage and re-engage events.
Automation of Non-human Identity Lifecycle
Having an authoritative inventory of all non-human identities, such as bots, service accounts and IoT devices, is another pillar of zero-trust IAM operations. The expansion of cloud services, devices and IoT hardware makes central visibility difficult. Central visibility is foundational for correlating each non-human identity with the business and technical owners responsible for its lifecycle and access decisions. These non-human identities need the same diligence in oversight as human third-party identities.
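The lifecycle events named above (engage, change, disengage, re-engage) and the owner-correlation requirement for non-human identities can both be driven from one authoritative inventory. The following is an added example, not code from the original page or from any product: it models a hypothetical inventory in which every third-party or non-human identity carries a sponsor, an engagement end date and an audit trail, and a periodic policy sweep disengages identities whose sponsor has left or whose engagement has expired. The identities, sponsor names and dates are constructed sample data.

```python
"""Added example: sponsor-anchored lifecycle for third-party and non-human identities.
Assumed design (not from the page): sponsor + end date are mandatory, humans must be
proofed before engagement, re-engagement repeats proofing, every event is audited."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Kind(Enum):
    THIRD_PARTY = "third_party"   # contractor, vendor staff, temporary worker
    NON_HUMAN = "non_human"       # service account, bot, IoT device


class State(Enum):
    PENDING = "pending"
    ACTIVE = "active"
    DISENGAGED = "disengaged"


@dataclass
class Identity:
    ident: str
    kind: Kind
    sponsor: str            # internal employee accountable for this identity
    end_date: date          # contractual engagement end
    proofed: bool = False   # identity proofing completed (human identities only)
    state: State = State.PENDING
    audit: list = field(default_factory=list)

    def log(self, today: date, event: str) -> None:
        self.audit.append((today.isoformat(), event))


def engage(idn: Identity, today: date) -> None:
    """Engagement: a sponsor is mandatory; humans must be proofed first."""
    if not idn.sponsor:
        raise ValueError(f"{idn.ident}: no sponsor on record")
    if idn.kind is Kind.THIRD_PARTY and not idn.proofed:
        raise ValueError(f"{idn.ident}: identity proofing not completed")
    idn.state = State.ACTIVE
    idn.log(today, f"engage (sponsor={idn.sponsor}, until={idn.end_date})")


def change(idn: Identity, today: date, *, sponsor: str | None = None,
           end_date: date | None = None) -> None:
    """Change event: sponsor hand-off or extension, always audited."""
    if sponsor:
        idn.log(today, f"sponsor {idn.sponsor} -> {sponsor}")
        idn.sponsor = sponsor
    if end_date:
        idn.log(today, f"end_date {idn.end_date} -> {end_date}")
        idn.end_date = end_date


def disengage(idn: Identity, today: date, reason: str) -> None:
    idn.state = State.DISENGAGED
    idn.log(today, f"disengage: {reason}")


def reengage(idn: Identity, today: date, end_date: date, reproofed: bool) -> None:
    """Re-engagement is a fresh engagement, not an un-disable: proofing is redone."""
    if idn.state is not State.DISENGAGED:
        raise ValueError(f"{idn.ident}: not disengaged")
    idn.proofed = reproofed
    idn.end_date = end_date
    engage(idn, today)   # raises, leaving the identity disengaged, if proofing is missing
    idn.log(today, "reengage")


def sweep(inventory: list[Identity], employees: set[str], today: date) -> list[tuple[str, str]]:
    """Periodic policy sweep over the inventory: disengage anything that lost its
    sponsor or passed its end date, and return (ident, reason) findings."""
    findings = []
    for idn in inventory:
        if idn.state is not State.ACTIVE:
            continue
        if idn.sponsor not in employees:
            disengage(idn, today, f"sponsor {idn.sponsor} left the organization")
            findings.append((idn.ident, "orphaned: sponsor gone"))
        elif today > idn.end_date:
            disengage(idn, today, "engagement end date passed")
            findings.append((idn.ident, "expired"))
    return findings


def demo() -> tuple[list[tuple[str, str]], list[Identity]]:
    """Constructed sample inventory (hypothetical names and dates)."""
    employees = {"alice", "bob"}                       # carol has already left
    inventory = [
        Identity("vendor-jdoe", Kind.THIRD_PARTY, "alice", date(2022, 6, 30), proofed=True),
        Identity("svc-etl-01", Kind.NON_HUMAN, "carol", date(2023, 1, 1)),
        Identity("vendor-rroe", Kind.THIRD_PARTY, "bob", date(2022, 1, 31), proofed=True),
    ]
    for idn in inventory:
        engage(idn, date(2022, 1, 1))
    return sweep(inventory, employees, date(2022, 3, 1)), inventory


def reengage_demo() -> list[str]:
    """Re-engage the expired contractor: rejected without fresh proofing, accepted with it."""
    _, inventory = demo()
    expired = inventory[2]
    results = []
    try:
        reengage(expired, date(2022, 3, 2), date(2022, 12, 31), reproofed=False)
    except ValueError as exc:
        results.append(str(exc))
    reengage(expired, date(2022, 3, 2), date(2022, 12, 31), reproofed=True)
    results.append(expired.state.value)
    return results


if __name__ == "__main__":
    findings, inv = demo()
    print(findings)
    for idn in inv:
        print(idn.ident, idn.state.value, idn.audit)
```

The two findings the sweep produces are the cases the text calls out: a service account whose sponsor has left (no accountable owner remains) and a contractor whose engagement ended without anyone triggering off-boarding. Because every transition appends to the identity's own audit list, the history the text says is usually missing is produced as a side effect of running the process rather than reconstructed afterwards.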
Zero Trust IAM for Third Parties
Identity provenance is the biggest challenge to any Zero Trust or Digital Identity strategy. IAM zero-trust security controls must establish the trustworthiness of an identity's creation, especially for third parties and non-employees, whose identities were established and verified outside our purview. A well-rounded third party risk mitigation strategy for an organization therefore begins with establishing identity context.
Identity proofing is a good baseline for identity context, since any third party that requires logical access should be held to a zero trust baseline. Identity proofing is extremely valuable in vetting remote contractors and temporary workers. It is essentially what organizations have been doing for years in person when a contractor enters a physical building, except that it is done virtually.
HRIS may not be involved in vetting and onboarding non-employees to the extent that it vets prospective employees. This gap should be filled before any non-employee entities are allowed to access an organization's resources. It is not enough to trust the third-party vendor without knowing more about each of their staff members who are assigned to a project.
[1] See this report by Cybercrime Magazine (6/3/2021).
[2] See this Wall Street Journal report, for instance (9/29/2021).
[3] Training materials here; public- and private-sector commitments to increasing the nation's cybersecurity posture here; DHS internal initiative here.