Solving the third-party access problem

Third-party-risk management can be challenging. Learn how Oleria gives you full visibility in just two minutes.

by Jim Alkove
June 25, 2024

Solving the third-party access management problem

Do you know what sensitive information is shared with your vendors? Or, moreover, how many former vendors still have active accounts within your IT estate? My conversations with dozens of CISOs lead me to believe the answer is likely, “no.” Recently, a new Oleria customer wanted to show me something: Oleria Identity Security uncovered numerous dormant accounts and shared links with third parties they’d stopped working with years ago. The CISO was disappointed and in disbelief. “You’ve got to be kidding me. We thought we had offboarded these,” he said.

This isn’t the first time something like this has happened, and it points to a key problem we’re helping organizations solve: managing third-party security.

Why third-party access control is a major vulnerability

Third-party risk management comes up in every conversation I have with CISOs — and for good reason: roughly 1 in 3 breaches stem from a breached third party and nearly every organization (98%) today works with a third party that itself has experienced a breach, according to a 2023 report from SecurityScorecard. That same report found third-party vendors are five times more likely to have security gaps that expose them to breach risk. Gartner says 9 in 10 organizations have experienced a breach via a third party in the past five years.

And even beyond the issue of vendor breaches, the lack of visibility into and control over third-party access poses significant risks to protecting sensitive data. Do you really want vendors having long-lived access to applications, shared resources and documents (some of which may be continually updated with sensitive data), especially after their services are complete and any confidentiality provisions have expired? The answer is obvious.

Many of these third-party risks stem from vulnerabilities around third-party access control due to a painful lack of access visibility. A recent report from Imprivata suggests that half of organizations cannot get a comprehensive view of all third-party access within their IT estate. The other half probably just don’t realize that they lack full visibility into this issue. And their limited visibility depends on slow, error-prone manual processes.

This leads to the two most common causes of third-party breaches:

  • Overprivileged/unintended access: Third-party accounts that are overprivileged or hold unintended permissions to sensitive information they do not need to (or legally should not be allowed to) access.
  • Dormant accounts: Open doors left by third-party accounts that were never offboarded when the organization stopped working with a vendor or partner.

Manual offboarding is too slow and error-prone

The challenge for IT and security teams is that their decentralized IT estates just keep growing. Business units add more apps and more systems — each with their own access control schema. And since these apps are where modern productivity and collaboration happen, the business priority is getting vendors and other third parties onboarded to these apps and systems to keep work moving forward. Offboarding those third parties — when a project or working relationship ends — doesn’t get the same urgency.

Due to the constraints of legacy IAM products, that third-party offboarding process typically relies on manual workflows: IT or security personnel trying to figure out everything a third-party vendor may have had access to and closing those open doors — user by user, app by app, one by one. It’s easy to see how things get missed and organizations end up in the situation I described earlier: dormant access permissions remaining for years.

But when you consider the scenario of a breached third party, which the stats show us is (unfortunately) very common, the risk of manual processes combined with limited visibility really comes into focus. I’ve had CISOs tell me that, even in the context of responding to an incident — where offboarding a breached third party is getting their full attention and resources — it still might take them weeks to fully identify and then remove access from systems.

Oleria gives you full visibility in two minutes

At Oleria, we’re solving third-party access control by starting with composite visibility. We built Oleria Identity Security, powered by Oleria’s Trustfusion platform, to connect all your identity silos across both enterprise IAM and decentralized apps. That means you’re starting with a single view of who has access to what — including external users.

The Access Inventory feature within Oleria Identity Security brings all the identity data into one place to simplify third-party access management and specifically help with faster, smarter offboarding processes. Oleria lets you pull up a specific user, users, or user group and quickly see and adjust all their access permissions.

The Account and Group Utilization functionality targets unintended and dormant access, highlighting inactive users and groups. This helps security teams enforce least-privilege principles and guard against the risk of overprovisioning.

On a day-to-day level, Oleria gives organizations what most are missing today: a simple, straightforward way to manage third-party access, so you can quickly and confidently onboard vendors and collaborate through apps and systems, without opening up undue risk.

When it comes to investigating data leaks or incident response — when you know a third party has been breached — Oleria Identity Security is perhaps even more valuable. In fact, when I recently showed a customer how Oleria can take those two-week offboarding processes and condense them into two minutes, their eyes lit up and they said, “That’s awesome.” Those are the types of outcomes that we’re creating here at Oleria.

Ready to learn more? Schedule a demo today.
