Building Identity Into Your Third-Party Risk Management Program

Identity management has been an often-overlooked component of a third-party risk management (TPRM) program, but understanding non-employee identities, both human and non-human, can unlock a new vision of risk.

Identity Management Overview


Approaches for managing third-party risk continue to evolve as quickly as the threat landscape itself. TPRM practitioners are adding risk intelligence tools to obtain deeper risk insights beyond what questionnaires can provide and promoting a data-driven view of inherent and residual risk levels. Regardless of the chosen risk management methodology, one of the most common methods for understanding the risk a vendor may pose to your organization is to understand what types of data they will handle, store, or otherwise process during the contract period. This understanding of potential risk relies on the concept of identity; however, identity management is often an overlooked and underappreciated aspect of managing vendor risk. In this article, we outline two methods for making non-employee identity part of any TPRM program: vendor tiering and ongoing identity governance processes. These two methods of employing the concept of identity occur at different points in your vendor management lifecycle but can be linked to provide a more robust understanding of inherent and residual risk.

Vendor Tiering


One of the most common challenges that we see our clients encounter is the development of meaningful “tiers” to separate vendors based on inherent risk. This tiering is critical for determining the types of due diligence that you apply to a vendor, and for providing meaningful risk intelligence to senior-level stakeholders. A critical factor in that tiering should be whether the vendor will access critical systems, data, or other infrastructure. However, rather than treating this as a “check-the-box” or yes/no question, considering the types of identities that the vendor may assume could be more helpful. For example, if the vendor requires a technology integration to provide their services, will there be service accounts or other non-human accounts associated with the service? If the vendor’s employees will access systems and data directly, are there defined data sets that they will need access to, so that access can follow the principle of least privilege?

You may be tiering vendors during onboarding, when identity insights can be difficult to define. However, if your goal is to separate vendors into meaningful tiers, identity is likely worth more consideration than a binary decision. Vendor tiers should also be fluid: as knowledge about a vendor’s identities is gained later in the vendor management process, the initial tiering levels should change based on that knowledge. This leads us to the next point, ongoing identity management.

Identity and Access Governance


In many vendor management workflows, risk teams lack insight into what happens after a vendor is onboarded and their risk assessment and mitigation plans have been completed. Vendors are then passed to identity teams that are responsible for ensuring that the vendor gets the access needed to provide their services. This represents a fundamental disconnect between risk and identity. Permissions that grant access to data and resources provide the pathway for risks to manifest in your environment, which is what makes understanding the “what could go wrongs” associated with your non-employee roles so critical. Risk practitioners have become familiar with data breaches caused by compromised credentials, even for accounts controlled by seemingly low-risk vendors, including HVAC vendors. By drawing a link between what the identity management team does and what risk teams are tracking in the vendor’s risk profile, a more complete picture of a vendor’s residual risk can be tracked throughout the vendor lifecycle. If a vendor’s inherent risk level changes, for example because of a breach, risk practitioners can drive changes to vendor access to mitigate the potential impacts.

Conclusion


Approaches for managing third-party risk continue to evolve to incorporate leading risk insights and workflow management platforms. However, a failure to consider how identity should be used as a measure of third-party risk can result in an incomplete view of the impact a vendor may have on your environment in the event of a security breach. A more robust consideration of identity during vendor screening can inform the tiering decisions that drive due diligence. As a vendor gains access to systems and data, the risk level of the roles they use should also be factored into the risk calculations that security teams monitor to report on overall vendor risk posture. These strategies will result in a more holistic view of risk and allow for meaningful actions to control risk impacts if an adverse event occurs.