Identity authority not only solves IT outsourcing issues, but can protect the entire supply chain
As organizations around the world continue to embrace new technologies, IT outsourcing is on the upswing as well. Closely related is shadow IT: systems deployed by individual departments or third-party organizations rather than by the central IT department. Most companies tolerate shadow IT to cover shortages in their own staff or infrastructure.
Both large enterprises and small and medium businesses outsource much of their tech support and IT tasks because of staff shortages. Cybercriminals therefore often target MSPs and IT service providers as a route into the organizations they serve.
After a number of breaches at service providers caused major fallout for their business customers, companies have become more vigilant about outsourcing their IT operations. But this is only a small part of the problem. Having realized the potential of infiltrating companies through third parties, cybercriminals are now targeting the wider supply chain of organizations.
Today, companies rely on a variety of third-party suppliers in their supply chain, and it is no longer merely IT service outsourcing. From logistics to cleaning services, any of these suppliers can serve as an entry point for cybercriminals. Identity and access management for third parties is now a growing concern for almost all organizations, especially as more attacks exploit weaknesses at third-party providers.
Third-party providers in an organization’s supply chain are becoming increasingly risky. Accenture’s State of Cybersecurity Report indicates that as organizations have become better at preventing direct cybersecurity attacks, “attackers have moved on to indirect targets — such as third parties in the supply chain—and costs are becoming unsustainable.”
It’s all about (out)sourcing an identity
So how can companies secure the supply chain? The problem with today’s identity programs is that most of them are not aligned with modern business practices, which require organizations to provide system and data access to a growing and diverse set of onsite and remote third parties: supply chain partners, contractors, vendors, affiliates, and even bots, RPA and IoT devices.
Many organizations try to solve this challenge internally, with time-consuming manual efforts such as homegrown solutions or expensive customizations of existing technologies. Unfortunately, these options fail to automate key identity processes or to manage the complex relationships organizations have with third-party users. The result is operational inefficiency, such as costly and slow onboarding, as well as increased third-party risk from an inability to apply Zero Trust principles, from over-provisioning, and from a lack of timely terminations.
For David Pignolet, CEO and founder of SecZetta, the supply chain needs access just as employees need access. “What we don’t have in a supply chain is called an identity authority. An identity authority is really the what, when and who of access granted to an organization. It informs cybersecurity systems who should have access, when they should have access and what level of access they should have. This does not stop with humans but also includes bots and RPA.”
Giving third-party organizations in the supply chain access to mission-critical workloads opens up large security risks for an organization. Many ransomware attacks stem from shared credentials and from the lack of an identity authority in the supply chain that would know who those credentials belong to.
“If you’re in manufacturing, you have suppliers, IT contractors, managed service providers, facility staff, etc. We call them population types. Each of these populations has its own requirements,” explained Pignolet. “It’s important to enable self-service in the process. Enabling those third parties to be part of the process, so that they can participate in managing their identities in real time, is critical.”
Airbus, which uses SecZetta’s solutions, has its third-party supply chain providers participate in this process to ensure secure access. “In healthcare, most of them used to have home-grown solutions for managing this. But now they realize their third-party user base is huge. About 40% of our business is in healthcare because they deal with a large, diverse population of third parties,” added Pignolet.
At the same time, with organizations considering going passwordless, Pignolet believes the question they should look at first is who is getting access. Before choosing any means of authentication, an organization needs to establish the identity of the requester: proving that the individual or device is who it claims to be, and having visibility of the tools it uses and its level of access.
Take, for example, a third-party bot or an IT outsourcing company’s employee requesting access to data. The company needs to know who the bot or employee is, why it is requesting access and how much access it should be granted. The identity authority establishes the identity from several such characteristics.
With social engineering attacks increasingly targeting accounts and identities, Pignolet pointed out that a compromised account is normally the result of an identity that has been compromised. To deal with this, he suggested applying identity proofing to accounts, whereby users must verify who they are through extra validation steps, such as sharing an ID document or even a selfie of themselves holding that ID.
In fact, Pignolet pointed out that some organizations have more third-party users than employee users, signalling the need for the identity process to evolve. He added that some of SecZetta’s customers have three external users for every internal user, with third parties making up the lion’s share of the identity program.
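To make the “who, when and what” of an identity authority concrete, and to show how it addresses the over-provisioning and untimely terminations mentioned earlier, here is an added example written for this page. It is not SecZetta’s product or code, and every population type, entitlement name, identifier, sponsor address and date in it is hypothetical or constructed. Each third-party identity (human or bot) carries a population type, an accountable internal sponsor, an engagement window and a proofing status; onboarding refuses entitlements above the population’s ceiling, and every access decision checks who is asking, whether the engagement is current, and whether the specific entitlement was granted.

```python
"""Minimal identity-authority model for third-party (non-employee) access:
the who, when and what of access for humans and bots alike.

Added example for this article, not SecZetta's code. Population types,
entitlement names, identifiers, sponsors and dates are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# "What": the most a population type may ever hold (its ceiling).
# Granting anything beyond this is over-provisioning and is refused.
POPULATION_CEILING: Dict[str, Set[str]] = {
    "supplier":       {"portal:read", "orders:read"},
    "it_contractor":  {"portal:read", "vpn", "ticketing:write"},
    "msp":            {"vpn", "monitoring:read", "server:admin"},
    "facility_staff": {"badge:doors"},
    "bot":            {"orders:read", "api:invoice-sync"},
}

DEMO_DAY = date(2022, 10, 4)  # constructed "today" for the sample run


@dataclass
class ThirdPartyIdentity:
    identity_id: str
    population: str
    sponsor: str                  # internal owner accountable for the relationship
    start: date                   # "when": engagement window
    end: Optional[date]           # None = open-ended (should be rare)
    proofed: bool                 # identity proofing completed ("who")
    entitlements: Set[str] = field(default_factory=set)
    terminated: bool = False


class IdentityAuthority:
    def __init__(self) -> None:
        self._identities: Dict[str, ThirdPartyIdentity] = {}

    def onboard(self, ident: ThirdPartyIdentity) -> None:
        ceiling = POPULATION_CEILING.get(ident.population)
        if ceiling is None:
            raise ValueError(f"unknown population type: {ident.population}")
        excess = ident.entitlements - ceiling
        if excess:  # least privilege: reject grants above the population ceiling
            raise ValueError(
                f"over-provisioning for {ident.population}: {sorted(excess)}")
        self._identities[ident.identity_id] = ident

    def terminate(self, identity_id: str) -> None:
        self._identities[identity_id].terminated = True

    def decide(self, identity_id: str, entitlement: str, on: date) -> Tuple[bool, str]:
        """Who / when / what check. Returns (allowed, reason)."""
        ident = self._identities.get(identity_id)
        if ident is None:
            return False, "unknown identity"
        if not ident.proofed:
            return False, "identity not proofed"
        if ident.terminated:
            return False, "terminated"
        if on < ident.start:
            return False, "engagement not started"
        if ident.end is not None and on > ident.end:
            return False, "engagement expired"
        if entitlement not in ident.entitlements:
            return False, "not entitled"
        return True, "ok"

    def stale(self, today: date) -> List[str]:
        """Identities past their end date but never terminated: the
        'lack of timely terminations' the article warns about."""
        return sorted(i.identity_id for i in self._identities.values()
                      if i.end is not None and today > i.end and not i.terminated)


def sample_authority() -> IdentityAuthority:
    """Constructed sample population (hypothetical identifiers)."""
    ia = IdentityAuthority()
    ia.onboard(ThirdPartyIdentity("msp-acme-0042", "msp", "cio@example.test",
                                  date(2022, 1, 1), date(2023, 12, 31), True,
                                  {"vpn", "monitoring:read"}))
    ia.onboard(ThirdPartyIdentity("ctr-bob-0101", "it_contractor", "itpm@example.test",
                                  date(2022, 3, 1), date(2022, 9, 30), True,
                                  {"vpn", "ticketing:write"}))
    ia.onboard(ThirdPartyIdentity("bot-invoice-sync", "bot", "ap@example.test",
                                  date(2022, 6, 1), None, True, {"api:invoice-sync"}))
    ia.onboard(ThirdPartyIdentity("sup-unproofed-07", "supplier", "procurement@example.test",
                                  date(2022, 9, 1), None, False, {"portal:read"}))
    return ia


if __name__ == "__main__":
    ia = sample_authority()
    for who, what in [("msp-acme-0042", "vpn"), ("msp-acme-0042", "server:admin"),
                      ("ctr-bob-0101", "vpn"), ("bot-invoice-sync", "api:invoice-sync"),
                      ("sup-unproofed-07", "portal:read"), ("nobody", "vpn")]:
        print(who, what, ia.decide(who, what, DEMO_DAY))
    print("stale engagements:", ia.stale(DEMO_DAY))
```

Note that the MSP identity is denied `server:admin` even though its population ceiling allows it: the ceiling bounds what may be granted, while the decision checks only what was actually granted. The `stale()` report is what an automated termination job would act on, so that an expired contractor does not keep a working VPN entitlement.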
“To be successful, organizations need to automate best practices for managing the dynamic relationships required by their third-party resources and redefine the lines between identity and risk management. Most organizations are applying their customer identity tools to their employees. This doesn’t work for third-party suppliers, which is why breaches are increasing. You don’t have the control over your third-party suppliers as you do over your employees.”
4 October 2022