Threat vectors for many organizations have multiplied over the last half-decade as digital transformation advances, the realities of maintaining business operations during a pandemic persist, and growing dependence on third-party vendors heightens organizational risk. Jennifer Kraxner, Vice President of Market Strategy at SecZetta, recently discussed these issues with the editors of Security Technology Executive (STE) magazine.
STE: As organizations increasingly prioritize digital transformation initiatives, their cyber risk continues to grow. What factors are contributing to this increased risk and what steps can organizations take to proactively address their cyber risk as they execute digital transformation initiatives?
Kraxner: As organizations continue to drive their businesses forward in new markets and through new initiatives (e.g., digital transformation), their reliance on third parties, including vendors and contractors, along with non-human workers like service accounts and IoT devices, grows. As the number of third parties with access to an organization's systems and data increases, so does its attack surface, due to unauthorized and unmanaged access that is too often provided to third-party identities.
Further, today’s digital transformation has dramatically changed the security landscape from the perimeter defense standard that afforded access strictly to an organization’s employees to one in the cloud where security best practices must be incorporated far beyond the walls of an organization.
To continue driving innovation while mitigating the dynamic third-party risks that come with it, there are several steps organizations can take, including:
● Manage the lifecycle of all third-party identities: According to a 2021 Ponemon Institute study, 65% of organizations have not identified the third parties with access to the most sensitive data of the organization. However, with an authoritative source of non-employee data, organizations can better position themselves to provision access, have visibility into high-risk identities, and deprovision users as needed.
● Conduct regular audits: Despite organizations knowing very little about their third-party users and rarely, if ever, performing identity proofing tactics for remote users, they still often provide them with privileged, insider access. To mitigate this risk, organizations should conduct regular, comprehensive user audits to ensure users have access based on Zero Trust and least privilege principles. Additionally, it’s key to identify and remove all active accounts that no longer need access.
● Conduct risk assessments: Most organizations will carefully review a new vendor or partner’s security controls, but only through a high-level, organizational lens. Instead, businesses must also assess the risk of each individual identity from those organizations that require access before granting it. Risk rating should be a continuous process over the lifecycle of an identity, as risk factors, individual characteristics, and access needs continually evolve.
STE: The COVID-19 pandemic has shattered the concept of a working perimeter and made knowing who has access to your data and where they are located more challenging and more critical to manage than ever. What implications do work-from-anywhere policies have on third-party identity and risk management programs, and how can organizations better manage access in a “perimeter-less” world?
Kraxner: The COVID-19 pandemic accelerated work-from-anywhere policies, presenting a new level of complexity to organizations in knowing who has access to what systems, where individuals are located, and generally making it more difficult to track, monitor and manage employee and non-employee identities. To better manage access privileges and address the changing requirements for individual identities throughout their lifecycle, organizations need to adopt a real-time authoritative source of data.
Most organizations have no way to centrally track and manage their non-employee relationships and the access to enterprise assets their roles require. This is particularly challenging given the nature of non-employees, as they are inherently riskier due to their outsider status. Without an authoritative source of information, organizations often rely on the third party to conduct vetting of their own employees, assuming that they are maintaining accurate, updated information on each of their employees, managing the information in a timely manner, and notifying the organization of any changes. This potentially misplaced trust can result in an organization being both out of compliance and vulnerable to security breaches by granting an identity the wrong level of access.
Organizations that maintain a centralized, automated, authoritative source of non-employee data have access to timelier and more accurate non-employee information, which allows them to better understand each identity’s location and access permissions – and better manage risk.
STE: Too often, organizations grant privileged access to third-party identities without properly assessing those third parties’ security and privacy practices. What considerations should be taken at the individual identity level when providing third parties insider access to facilities, systems, and data?
Kraxner: A study by the Ponemon Institute found that 51% of respondents believe their organizations grant access to sensitive information without properly assessing the security and privacy practices of their third-party connections. A common practice for risk management teams is to assess a third party’s risk controls by evaluating the outside organization’s responses to a Standardized Information Gathering (SIG) questionnaire. However, SIG assessments are inherently subjective, leaving an organization to trust that the person (or people) who completed the assessment did so accurately, and may give the organization false confidence in the vendor’s actual security posture.
Trust factors aside, SIG assessments also fail to meet the level of granularity required to paint a full risk picture because they assess an organization as a whole and not as a collective group of individuals that each poses a different risk. A third party’s risk factor should be assessed individually and routinely managed throughout the entire identity lifecycle.
By implementing a comprehensive third-party risk management solution, organizations have better transparency into the dynamic relationships they have with each individual third-party identity, enabling them to make well-informed, risk-based decisions about provisioning, verifying, and deprovisioning access to these high-risk users. Proactively managing and monitoring the lifecycle of third-party identities through identity proofing and onboarding, accurately provisioning access, and executing proper off-boarding processes helps organizations reduce overall risk, increase operational efficiency and cut costs.
STE: In today’s dynamic environment, what type of cybersecurity strategy should organizations adopt to protect against third-party vulnerabilities?
Kraxner: To combat third-party vulnerabilities and blind spots, organizations must adopt a holistic approach to security that considers the dynamic risk landscape and other risk factors that can compromise their security. To minimize the attack surface and ensure users have access to only what they need, Zero Trust and least-privilege access policies must be implemented.
A robust cybersecurity strategy should serve each facet of an organization and be integrated into every element of business (e.g., IT, HR, finance, supply chain). When organizations take a security-first approach to their overall business decisions, they are better positioned to proactively manage and monitor cyber risks, rather than react and recover post-breach or attack. This can only be achieved if cybersecurity professionals are given a seat at the leadership table to provide counsel, proactively voice concerns and help influence decisions that both drive the business forward and improve the organization’s overall cybersecurity posture. This includes putting the proper systems in place to manage third-party workers' identity lifecycle and risk with the same or greater diligence as their employees and ensuring Zero Trust policies extend to third-party users.