By now, we all know that vendor engagement is key to business sustainability. Organizations cannot focus on their core business without outsourcing non-critical functions to third parties. From a 20,000 foot view, third party management becomes an operational activity governed through contracts, engagement analyses and effective risk management. Where organizations fall short is in implementing continuous monitoring of vendors from a bottom-up approach - taking into account identity as a threat vector.
Vendor Risk Management is top of mind for the C-suite. For the financial services sector, The Office of the Comptroller and of the Currency (OCC) expects enterprises to practice effective vendor risk management regardless of whether the bank performs the activity internally or through third party. This means that the burden of responsibility is no longer transferrable, and increased regulatory requirements drive the need for holistic risk management frameworks to fully onboard and monitor vendor activity as an ongoing process. But how can we streamline the vendor access management process to be efficient and effective, without losing sight of access governance? In other words, how do I make sure my vendor gets access to do their job on day 1, without accidentally giving them too much access... unknowingly?
Privileged accounts, exceptional access, and access to high risk applications introduce additional risk when not governed and monitored closely. At the heart of this lies the 500-pound gorilla of Identity & Access Management (IAM), giving people the right access, at the right time, to the right resources. In siloed organizations, managing vendor access risk is challenging; the risk management organization may not have visibility into access risk, and the IAM team fails to engage the vendor management team when conducting 3rd party access reviews. A broken business process widens the gap between siloed functions, and continues to increase the risk of compromise.
Understanding access risk starts with understanding what access our vendors have:
Are they violating a segregation-of-duties policy?
Were they granted inappropriate access without the proper level of approval?
Do we have a process to continuously check-in on their access?
One aspect of continuous monitoring of vendors is the need for ongoing access recertifications. Third party engagements can touch on multiple projects within an enterprise: a short-term project in HR, a 6-month engagement with sales operations, and staff augmentation in IT. By clearly identifying these projects, granting access based on job function or role, and launching certification campaigns periodically, organizations can identify, assess and remediate access before overreaching access turns into an incident. The simple act of completing a review is bare minimum; organizations must architect reviews to be easily consumable by the end users, and the right person should be conducting the review.
There are a few key considerations when architecting a campaign for continuous access monitoring:
- What is in scope for the review: It is critical to manage what systems the vendor has access to. This is both an operational challenge and a risk management exercise. Taking a governance-driven approach to understanding what the access should look like, then streamlining provisioning activity, not only speeds up vendor onboarding; it also mitigates access risk.
- Who should conduct the review: Is the technical asset owner equipped with enough knowledge to understand what entitlements a vendor should have? Or should it be the vendor's supervisor?
- Is the review consumable: Too much technical jargon in a review is confusing. Use business friendly descriptions to make reviews consumable.
- How often is the review conducted: This is dependent on the length of the engagement, the risk of the project, and the criticality of applications involved. A long-term engagement that affects multiple functions without the enterprise could require reviews more frequently than a low risk engagement. Understanding the engagement holistically is critical to understand project risk.
Another key point to consider when managing third party vendors is understanding who the vendor's vendors are ("4th party risk"). A thorough engagement analysis from an operational perspective is a must; but this also carries over to the access risk landscape of the vendor. Is your vendor enforcing SoD policies for their vendors? Does your vendor terminate the access of their vendors, once an engagement is complete? Your vendor's access risk profile poses a threat to your enterprise, and including 4th party assessments brings visibility to 4th party controls to mitigate risks.
Risk, compliance, continuous monitoring- these are all great ways to increase visibility and mitigate threat, but it all starts with access... so the question becomes, is managing vendor access manually really 'good enough'?