Today’s enterprise requires IT organizations to fully engage external users. This audience includes such as contractors, business partners, vendors and suppliers. The Gartner Identity and Access Management (IAM) for Third Parties webinar offers best practices for managing third-party identities and access control.
Lori Robinson, Gartner Research VP, relates challenges in managing third parties access, while protecting the business. Her research provides insight into third-party access risks and offers ways to mitigate them.
The Parameter Has Fallen
Third parties create a significant identity management security risk. Ms Robinson cited Target and Edward Snowden as worst-case examples. Both breaches underscore the importance of third party identity and access management. Each involved contractors who were third party workers.
The definition of identity and access management must expand. It must include all identity scenarios that address third party needs. This means Business to Business, and even Business to Consumer relationships. The model must incorporate contractors, partners, distributors, and suppliers.
Organizations often do not develop critical use cases for these relationships. To address third party access, organizations need to consider the following areas:
- Identity Lifecycle Management (ILM)
- Authorization
- Authentication
- Privileged Access
- De-provisioning
- Governance
Separate Authorization from Authentication
Ms Robinson advises separating authorization use cases from authentication. She encourages keeping access and authorization activities distinct from authentication practices. She recommends practicing the principle of least privilege and extending multifactor authentication over all third parties with privileged access.
For multifactor authentication, you have numerous options. Depending on your vendors’ systems and compliance, you’ll likely need several options. Some common authentication methods leverage the following options:
Alternative Email: Send passcodes to alternate email addresses.
Biometrics: Use fingerprints, facial recognition, voice, and iris patterns.
Challenge Questions: Ask users questions at login.
DTMF Token: Automate authentication tokens via voice communication.
Federated Web Services: Use a Security Token Service (STS).
LDAP: Issue LDAP and Active Directory operations for authentication.
OAUTH: Define delegation protocols across a network of APIs.
One-time Passcode: Send passcodes and PINs to phones and tablets.
PIV/CAC: Personal Identity Verification (PIV) and Common Access Cards (CAC).
RSA SecurID: Allow users who forgot their token device to authenticate.
Secure Token: Send smart card and key fob owners new login codes.
SML: Define XML-based protocols for authentication and authorization.
SMS Codes: Send SMS codes to web pages, email, and mobile phones.
Social Login: Incorporate Facebook, Twitter and Google+ login.
Telephone PIN: Authenticate through a touch-tone phone system.
Voice Recognition: Match to a unique voiceprint and characteristics.
WSFederate: Add WSFederationAuthenticationModule to ASP.NET apps.
Authorization and authentication keep CIOs and CISOs up at night. To grant and de-provision third-party access, leverage an authoritative source and workflow. However, granting access through workflow is not enough. You must also ensure third parties accessing the right applications and files. You must prevent credential sharing among third parties particularly privileged users. This level of accountability requires access certification monitoring and reporting over privileged access.
Multifactor authentication can be used to enhance governance over third-party users. Privileged third parties present monitoring challenges that are time consuming and costly. To control access, start by automatically expiring third party privileges upon termination. Formulate metrics that apply to third party use cases. Then, include this information in your access certification reports and compliance reviews. In doing so, you’ll build an IAM program addressing third party relationships.
Get the Top 10 Identity Manager Migration Best Practices Workbook
Start your migration from legacy software with the Top 10 Identity Manager Migration Best Practices Workbook. Use this workbook to think through your information security risk before you transition to next generation identity manager software.