Information Security

Defending the digital infrastructure



Developing an IAM strategy for third-party vendors

This Beyond the Page informs InfoSec pros of the security concerns related to third-party vendor access, and how an enterprise IAM strategy can help.

Third-party vendors have been fingered as the weak link in the chain in recent security breaches. When it comes to identity and access management (IAM), and safeguarding enterprise systems and data, information security professionals can no longer ignore that there are non-employees who -- because of the nature of their work -- must access sensitive corporate data and systems. Yet these same firms, and their employees, are in many ways beyond the direct control of the enterprise security team.

This Beyond the Page edition presents three in-depth looks at managing third-party IAM. In his feature, technical tip and video, security expert Michael Cobb considers the next frontier in IAM: the management of third-party vendors who access your systems and data. He reviews recent breaches and how third parties proved to be the access way for hackers. He also delves into how IAM policy needs to be revised to address the third-party issue. This Beyond the Page is chock full of valuable and actionable advice on the latest means for protecting the enterprise from hackers and other bad guys.


Enterprise IAM: Managing third parties

The right enterprise IAM system is crucial to protecting your systems from lax third-party vendor security measures. In this video, security expert Michael Cobb explains why third-party vendors are a major threat to enterprise security and how enterprise IAM can help.


Is third-party management the next IAM frontier?
The activities of contractors and business partners -- that is, your third-party vendors -- must be monitored carefully when it comes to their access to your systems and data. Learn why IAM for non-employees is something you must consider.

Tech tip

Third-party risk management: Avoid the dangers of weak controls
In order to secure your enterprise's systems and data, you must understand the risks that even trusted business partners present, and adjust your IAM strategy.

About the Author

Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. He has also been a Microsoft Certified Database Manager and registered consultant with the CESG Listed Advisor Scheme (CLAS).



This was last published in August 2015


Join the conversation



Have you considered applying your IAM strategy and policy to your third party vendors? If so, how? If not, why not?
At SecZetta we work with companies of all sizes who have issues on how best to address third party identity and access management.  The challenge most companies have is how best to address third party identity first, then access. The pitfall most of our customers fall into is either a customized IAM or HR system, both of which are not capable of effectively handling third parties. We built a solution to address third party identity risk and lifecycle.
