1 Introduction
Digital transformation is no longer optional for businesses and organizations if they wish to stay competitive and deliver more value to customers. But as they seek to embrace the advantages of Cloud, remote working, edge computing and other projects across extended infrastructures, organizations need to be aware of the identity risks that digital transformation also creates. While these risks are serious, they can be significantly reduced through well-structured deployment of well-designed identity management solutions.
Identity management is central to the secure and efficient implementation of any digital transformation programme, and as identities have multiplied, the need has become more acute. Organizations must also become accustomed to managing the identities of non-traditional third-party actors such as vendors, customers, contractors, and others not on the official payroll who, by the nature of their tasks, need access to what was once a closed infrastructure. Simply blocking non-traditional identities or applying laborious and time-consuming “border checks” in the form of poorly configured legacy IAM platforms is not tenable if organizations are to remain competitive.
Instead, organizations must rethink how best to manage third-party identities and no longer consider such identities as less important than traditional employee identities, both in terms of value and risk. Central to this is the drive to shift people and roles away from traditional identifiers and allow all access management systems to measure risk and authentication based on the principles of zero trust and least privilege. By doing this, identities can be treated as an equal risk until authorised, whether they belong to third parties, machines, or regular employees. Once authorised, they can begin to deliver value to all parties and stakeholders.
However, the challenge then is to manage the increasing number of non-employee identities securely throughout their operational lifecycle. This is where a gap often appears in existing IAM tools: non-employee identities are granted access, but the identity lifecycles are not properly managed. The organization grants access with less information than it has for its full-time employees rather than acknowledging that these identities pose a security risk. According to a recent Ponemon Institute survey, 59 percent of global companies said they have experienced a data breach caused by one of their vendors or third parties. In the US, the percentage is higher at 61 percent.
The focus must be on removing the risk inherent in third-party identities at the point of access and on ensuring that all access is granted on the principle of least privilege. Identity services need to be designed to support vendors, customers, suppliers, and other partner organizations by providing capabilities such as support for multiple identity types, user delegation at different levels, strong authentication, self-service, and automation options, to name a few.
Such tools must support key identity processes such as onboarding of staff, whether employees or contractors; setting of entitlements, typically via an approval process; deprovisioning of users when they leave the organization; and a governance process to allow entitlements to be validated and audited.
Thus, a security gap often remains at the beginning of any process to manage third-party identities, and it affects the middle and the end of that process as well as the security of the host organization.
The new platform from SecZetta potentially offers organizations the ability to manage non-employee identity lifecycles from onboarding through to offboarding, and to manage the needs of those third parties securely while they are in the care of the organization, while at the same time providing greater efficiency. The product aims to solve the question of “who manages third-party identities?” – should it be a task for HR, LOB or IT teams, or a mixture of all three? The fact is that for many organizations the answer is not clear, which causes overlap, inefficiency and less secure management of third-party identities as they travel across the organization. SecZetta is a privately funded US-based company that specializes in third-party identity management solutions and was founded in 2006.