The lax security practices of third parties continue to be implicated in high-profile data breaches, from Target Corp. to Jimmy John's. Third-party access to corporate data and information systems has become a business necessity, but it introduces operational, compliance and reputational risks.
"Many existing IAM systems have become a security liability and are putting data at risk," said Michael Cobb, CISSP-ISSAP and managing director of Cobweb Applications. In this video, Cobb explores business and technology controls that address potential weaknesses in enterprise IAM programs for non-employees such as contractors and suppliers.
Monitoring is prone to error
Most enterprise IAM programs today have to manage a far wider range of access points and user types. Without the right IAM program, monitoring non-employees and their level of access to corporate resources can take hours of IT effort, and the process is prone to costly human error.
"In large enterprises, hundreds to maybe thousands of vendor-supply technicians may require remote access to information resources to help maintain operations," said Cobb. "Without careful management, these relationships pose risks that can significantly affect revenue and expenses."
Know what to protect
To create an IAM program specifically for third parties, you should have a detailed understanding of what data and services on internal networks and outlying cloud infrastructures you need to protect from non-employees. You then have to document how and by whom those resources will be accessed, notes Cobb.
This assessment requires business managers and IT to update the data-asset registers and classifications for resources, both on-premises and off. Access points and access rights for third parties -- including applications and devices -- can then be drawn up so that appropriate authentication methods to control non-employee access can be selected.
This review process will help create a clear list of requirements and priorities for creating a successful enterprise IAM program for non-employees. Many organizations should expect more C-level involvement in any reviews of enterprise IAM strategy as executives are held more accountable for brand-damaging breaches.
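The review above (an up-to-date asset register with classifications, a record of which third parties reach which resources through which access points, and an authentication method matched to each resource) also gives you what an automated check needs, which is what removes the hours of manual monitoring and human error mentioned earlier. The following is an added example, not code from the article or from Cobb: it models a small register and a set of third-party grants and runs the checks a periodic access review would run. The classifications, the authentication ranking, the policy thresholds and all vendor, user and asset names are constructed assumptions for illustration.

```python
"""Automated review of third-party access against a data-asset register.

Added example (not from the article). All policy values and sample data below
are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy: strength rank of each authentication method, and the minimum
# rank each data classification demands of a non-employee.
AUTH_RANK: Dict[str, int] = {"password": 1, "password+otp": 2, "certificate+otp": 3}
REQUIRED_AUTH: Dict[str, int] = {"public": 1, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str  # one of the REQUIRED_AUTH keys
    location: str        # "on-prem" or "cloud"
    owner: str           # business manager accountable for the asset


@dataclass(frozen=True)
class Grant:
    vendor: str
    user: str
    asset: str
    access_point: str        # e.g. "vpn", "api", "web-portal"
    rights: str              # "read" or "read-write"
    auth_method: str
    contract_end: date       # end of the vendor relationship
    expires: Optional[date]  # None means the account has no expiry set


@dataclass(frozen=True)
class Finding:
    user: str
    asset: str
    code: str
    detail: str


def review_access(assets: List[Asset], grants: List[Grant], today: date) -> List[Finding]:
    """Run the review checks over every third-party grant and return the findings."""
    register = {a.name: a for a in assets}
    findings: List[Finding] = []
    for g in grants:
        asset = register.get(g.asset)
        if asset is None:
            # Access to something the register does not know about: nobody owns
            # or classifies it, so no authentication requirement can be applied.
            findings.append(Finding(g.user, g.asset, "orphaned-asset",
                                    "granted resource is not in the data-asset register"))
            continue
        if g.contract_end < today:
            findings.append(Finding(g.user, g.asset, "contract-ended",
                                    f"{g.vendor} contract ended {g.contract_end}; access still active"))
        if g.expires is None:
            findings.append(Finding(g.user, g.asset, "no-expiry",
                                    "third-party account has no expiry date"))
        elif g.expires > g.contract_end:
            findings.append(Finding(g.user, g.asset, "expiry-beyond-contract",
                                    f"access expires {g.expires}, after contract end {g.contract_end}"))
        if AUTH_RANK.get(g.auth_method, 0) < REQUIRED_AUTH[asset.classification]:
            findings.append(Finding(g.user, g.asset, "weak-auth",
                                    f"{g.auth_method} is below what '{asset.classification}' data requires"))
    return findings


def findings_by_owner(assets: List[Asset], findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings by the accountable business owner; unknown assets go to 'unassigned'."""
    register = {a.name: a for a in assets}
    grouped: Dict[str, List[Finding]] = {}
    for f in findings:
        owner = register[f.asset].owner if f.asset in register else "unassigned"
        grouped.setdefault(owner, []).append(f)
    return grouped


# Constructed sample register and grants (not real systems or vendors).
ASSETS = [
    Asset("customer-db", "restricted", "on-prem", "Sales"),
    Asset("hvac-telemetry", "internal", "cloud", "Facilities"),
    Asset("marketing-site", "public", "cloud", "Marketing"),
]
GRANTS = [
    Grant("AcmeHVAC", "tech01", "hvac-telemetry", "vpn", "read", "password",
          date(2025, 12, 31), date(2025, 12, 31)),                       # compliant
    Grant("DataCo", "analyst7", "customer-db", "api", "read", "password+otp",
          date(2025, 6, 30), None),                                      # no expiry, auth too weak
    Grant("OldVendor", "svc-old", "marketing-site", "web-portal", "read-write", "password",
          date(2024, 1, 31), date(2025, 1, 31)),                         # contract over, expiry too late
    Grant("GhostCorp", "svc-x", "legacy-crm", "vpn", "read", "password",
          date(2025, 9, 30), date(2025, 9, 30)),                         # asset missing from register
]
REVIEW_DATE = date(2025, 3, 1)

if __name__ == "__main__":
    for owner, items in findings_by_owner(ASSETS, review_access(ASSETS, GRANTS, REVIEW_DATE)).items():
        print(f"== {owner}")
        for f in items:
            print(f"  {f.user:10} {f.asset:16} {f.code:24} {f.detail}")
```

Running the block as a script prints the findings grouped by the business owner who has to act on them, which is the point of keeping an owner in the register: a review result with no accountable recipient is the kind of report that sits unread. Adding a new access point or classification is a one-line change to the policy tables, and the same checks can be fed from an export of the real IAM system instead of the constructed lists.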
An enterprise IAM program that automates day-to-day tasks and makes authentication secure yet simple for third-party users will pay for itself by freeing IT staff to perform more value-added responsibilities, according to Cobb. It will also keep data assets protected while enabling them to be used in new and innovative ways. "And that's the great thing about this generation of IAM products," said Cobb. "Many offerings can be deployed on- or off-premises or as a hybrid."
About the author:
Michael Cobb, CISSP-ISSAP, is a renowned security author with over 20 years of experience in the IT industry. He co-authored the book IIS Security and has written many technical articles for SearchSecurity.com and other leading IT publications. He was formerly a Microsoft Certified Database Manager and a registered consultant with the CESG Listed Advisor Scheme (CLAS).