Facing Third-Party Threats With Non-Employee Risk Management

As businesses continue to grapple with third-party threats, a revamped approach to non-employee risk management can help limit their potential exposure.

September 4, 2023

By Ben Cody, Senior Vice President of Product Management, SailPoint

According to recent research, 54% of businesses suffered a third-party data breach during the previous 12 months alone, and the cost of those breaches continues to rise. The average cost of a data breach has climbed to $4.45 million, an increase of more than 15% over the past three years, and the same data identifies third-party involvement as one of the factors that pushes that cost higher.

The term "third-party breach" leads many to believe that fault for such an incident lies with the third party, but that isn't always the case. While it is important to thoroughly vet the security practices of potential partners and vendors, organizations also need to effectively secure and manage non-employee identities to avoid putting themselves at unnecessary risk. As the volume and severity of third-party breaches continue to grow, implementing effective non-employee risk management practices will become increasingly critical for modern business.

Non-Employee Identities Are Skyrocketing

The volume of identities in use by the average organization has skyrocketed over the past several years, and non-employee identities are no exception. A recent study by McKinsey found that 36% of the US workforce is now made up of gig, contract, freelance, and temporary workers — up from 27% in 2016. In addition to contract workers, today's businesses work closely with partner organizations, supply chain vendors, consultants, and other outside entities, all of which require varying degrees of access to the organization's digital environments.

The volume of non-employee identities is significant enough without getting into nonhuman identities, such as those associated with the 130 different software-as-a-service (SaaS) applications the average company uses today. To work within an organization's digital environment, these non-employee entities each need properly provisioned identities, and those identities need to be effectively managed throughout their life cycle to reduce their risk and avoid becoming a potential threat.

The Non-Employee Identity Life Cycle

One of the biggest challenges when it comes to securing and managing non-employee identities is the onboarding process. IT and security departments don't always have the necessary information about the specific job functions a non-employee worker may need to perform, which makes provisioning difficult. And because security teams are often under pressure to avoid obstructing business operations, the path of least resistance is often to grant more permissions than necessary. This helps streamline operations, but it's also dangerous: The more permissions an identity has, the more damage an attacker can do if that identity is compromised.

The transient nature of non-employee workers also makes managing the identity life cycle difficult. Orphaned accounts are a significant problem: If no one tells IT or security that a contractor has left, their account — complete with all of its permissions and entitlements — can remain active indefinitely. Equally dangerous are legacy permissions or duplicate accounts. It's important to regularly reassess the permissions a contract worker needs, eliminating entitlements that are no longer necessary. It sounds simple, but today's organizations often manage hundreds or thousands of non-employees. Keeping them properly provisioned is a significant challenge, but one that is essential to managing non-employee risk.

Best Practices for Non-Employee Risk Management

Organizations need a solution that shows every non-employee identity from a single dashboard, together with the permissions and entitlements each identity holds, and that automates the two ends of the life cycle: provisioning new accounts and decommissioning old ones.

Creating predefined roles for certain positions can make onboarding faster and more secure, and when a new non-employee starts work, their permissions should have an end date. It's also important to assign an internal "sponsor" to each non-employee worker, someone who knows what permissions they need to perform their job and is responsible for alerting IT about any changes in their status. By extension, it's also critical that the solution track when sponsorship changes — such as when the sponsor leaves the organization or takes on a new role.

An effective non-employee risk management solution should also make the revalidation process easier. Organizations should perform regular checks to validate whether non-employees are still working within the organization. This might include a monthly notification sent to each non-employee's sponsor to confirm their status.

The system should also be capable of monitoring whether permissions are being actively used and notifying the IT and security teams if an identity appears to be either dormant or overprovisioned with entitlements it does not need. Verifying that identities have only the entitlements they need and avoiding the problem of orphaned accounts are among the most important elements of non-employee risk management.
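The review described in the preceding paragraphs (access end dates, a named sponsor whose departure is tracked, a periodic sponsor revalidation, and detection of dormant or overprovisioned identities) is mechanical enough to sketch in code. The following is an added illustration, not SailPoint's product or any code from the original article. It assumes a hypothetical identity inventory in which each non-employee record carries a sponsor, an end date, a last sign-in date and a last-used date per entitlement; the 30-day dormancy and 90-day unused-entitlement thresholds and the sample records are constructed for the example.

```python
"""Hypothetical non-employee access review over a constructed identity inventory.

Each record carries the fields the article calls for: a sponsor, an access
end date, a last sign-in date, and a last-used date per entitlement. The
review flags expired access, missing or departed sponsors, dormant accounts
and entitlements that have not been exercised within the review window, and
groups identities by sponsor for the monthly "still working here?" check.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

DORMANT_DAYS = 30   # assumption: no sign-in for 30 days => dormant account
UNUSED_DAYS = 90    # assumption: entitlement unused for 90 days => remove it
IT_QUEUE = "it-security"  # assumption: fallback owner when no active sponsor


@dataclass
class Identity:
    uid: str
    sponsor: Optional[str]            # internal sponsor, None if never assigned
    end_date: date                    # access expiry set at onboarding
    last_login: Optional[date]        # None if the account was never used
    # entitlement name -> date it was last exercised (None = never used)
    entitlements: Dict[str, Optional[date]] = field(default_factory=dict)


def review_identity(ident: Identity, active_sponsors: Set[str], today: date) -> List[str]:
    """Return the list of findings for one identity (empty list means clean)."""
    findings: List[str] = []
    if ident.end_date < today:
        findings.append("access_expired")
    if ident.sponsor is None:
        findings.append("no_sponsor")
    elif ident.sponsor not in active_sponsors:
        findings.append("sponsor_inactive")   # sponsor left or changed role
    if ident.last_login is None or (today - ident.last_login).days > DORMANT_DAYS:
        findings.append("dormant")
    for name, last_used in sorted(ident.entitlements.items()):
        if last_used is None or (today - last_used).days > UNUSED_DAYS:
            findings.append(f"unused_entitlement:{name}")
    return findings


def review_all(identities: List[Identity], active_sponsors: Set[str], today: date) -> Dict[str, List[str]]:
    return {i.uid: review_identity(i, active_sponsors, today) for i in identities}


def revalidation_notices(identities: List[Identity], active_sponsors: Set[str]) -> Dict[str, List[str]]:
    """Group identities by the sponsor who must confirm their status this cycle.
    Identities with no active sponsor are routed to the IT/security queue instead."""
    notices: Dict[str, List[str]] = {}
    for i in identities:
        target = i.sponsor if i.sponsor in active_sponsors else IT_QUEUE
        notices.setdefault(target, []).append(i.uid)
    return notices


# Constructed sample inventory (not real data).
TODAY = date(2023, 9, 4)
ACTIVE_SPONSORS = {"alice", "bob"}   # "carol" has left the organization
SAMPLE = [
    # Active contractor; holds a privileged entitlement that has never been used.
    Identity("c-1001", "alice", date(2023, 12, 31), date(2023, 9, 1),
             {"git-read": date(2023, 9, 1), "prod-db-admin": None}),
    # Sponsor has left and the account has not signed in for two months.
    Identity("c-1002", "carol", date(2023, 12, 31), date(2023, 7, 1),
             {"vpn": date(2023, 7, 1)}),
    # Contract ended in June but nobody told IT: the classic orphaned account.
    Identity("c-1003", "bob", date(2023, 6, 30), date(2023, 6, 29),
             {"sharepoint": date(2023, 6, 29)}),
    # Provisioned without a sponsor and never used.
    Identity("c-1004", None, date(2024, 3, 31), None, {}),
]

if __name__ == "__main__":
    for uid, findings in review_all(SAMPLE, ACTIVE_SPONSORS, TODAY).items():
        print(uid, findings or "ok")
    print(revalidation_notices(SAMPLE, ACTIVE_SPONSORS))
```

Two design points matter more than the thresholds. First, the sponsor check is evaluated against the current set of active sponsors on every run, so a sponsor leaving or changing role surfaces as a finding on every identity they own rather than being lost when their own account is closed. Second, unused entitlements are reported per entitlement, not per identity, so an otherwise healthy account (c-1001 above) still gets its never-used privileged role queued for removal.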

As businesses utilize an increasing number of contract workers, third-party vendors, SaaS applications, and other non-employee entities, adopting a modern approach to non-employee risk management is no longer optional — it's essential.

About the Author

Ben Cody has over 30 years of experience building and delivering enterprise software products, as well as success leading innovative and efficient product organizations. As SailPoint’s Senior Vice President of Product Management, Ben oversees the company's product strategy, roadmap, and delivery. Prior to joining SailPoint, Ben held senior product management roles at Digital Guardian and McAfee. His expertise spans identity and access management, data protection, threat detection, cloud security, and IT Service Management. Ben holds a B.A.A. in Management Information Systems from the University of Oklahoma. When he is not building products that protect identities, he is an avid winegrower.
