KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
In a 2018 study by Onus & Ponemon on data risk in the third-party ecosystem, more than 75% of companies surveyed said they believe third-party cybersecurity incidents are increasing. Those companies were right to believe that.
As our world becomes more digitized, and thus more interconnected, it becomes increasingly more difficult to safeguard organizations from cybercrime. Tack on to that challenge a global pandemic that all but forced organizations to become “perimeter-less,” if they weren’t already, and the potential access points for bad actors through third-party access increases exponentially.
The problem is two-fold.
The landscape of third-party users is vast and continues to grow. From third-party non-employees like vendors, contractors and affiliates to non-human third parties like IoT devices, service accounts and bots, more organizations are engaging third parties to assist with their business operations and help them to innovate, grow faster, improve profitability, and ultimately create greater customer value – faster. On average, companies share confidential and sensitive information with more than 580 third parties and in many cases, an organization's third-party workers can actually outnumber their regular, full-time workforce.
Yet, despite the increased use of third-party workers in business, most organizations lack the proper third-party risk culture, processes, and technologies to protect themselves against the long list of third parties with access to their sensitive data and systems. Organizations have these systems in place to manage their full-time employees but lack the same level of rigor to manage these higher-risk third-parties. As a result, many third-party users are provided with more access than needed for their roles, and most disturbingly, that access is frequently not terminated when the third party no longer needs it.
Without the right third-party identity lifecycle management procedures in place, businesses unwittingly expand their attack surface, unnecessarily put sensitive information at risk, and create additional access points for hackers.
In a 2018 study by Onus & Ponemon on data risk in the third-party ecosystem, more than 75% of companies surveyed said they believe third-party cybersecurity incidents are increasing. Those companies were right to believe that.
As our world becomes more digitized, and thus more interconnected, it becomes increasingly more difficult to safeguard organizations from cybercrime. Tack on to that challenge a global pandemic that all but forced organizations to become “perimeter-less,” if they weren’t already, and the potential access points for bad actors through third-party access increases exponentially.
The problem is two-fold.
The landscape of third-party users is vast and continues to grow. From third-party non-employees like vendors, contractors and affiliates to non-human third parties like IoT devices, service accounts and bots, more organizations are engaging third parties to assist with their business operations and help them to innovate, grow faster, improve profitability, and ultimately create greater customer value – faster. On average, companies share confidential and sensitive information with more than 580 third parties and in many cases, an organization's third-party workers can actually outnumber their regular, full-time workforce.
Yet, despite the increased use of third-party workers in business, most organizations lack the proper third-party risk culture, processes, and technologies to protect themselves against the long list of third parties with access to their sensitive data and systems. Organizations have these systems in place to manage their full-time employees but lack the same level of rigor to manage these higher-risk third-parties. As a result, many third-party users are provided with more access than needed for their roles, and most disturbingly, that access is frequently not terminated when the third party no longer needs it.
Without the right third-party identity lifecycle management procedures in place, businesses unwittingly expand their attack surface, unnecessarily put sensitive information at risk, and create additional access points for hackers.
So maybe you could have Martin on the left side, a short introduction from you. And then we go on to the right side through David and Martin again. Yeah. I'm responsible for the presets team at Ohada Martin.
Coolman, I've been for many years in the identity and access management business, and I think I've attended almost every EIC that has ever happened. So I'm kind a, kind of a dinosaur in this area and I'm really used to being on stage or being in meetings with two or more Martins. So we will manage, Thank you, David David Pin, I'm the CEO and founder of sex EDTA.
I have a, a long history and identity originally as a system integrator. And then after that created our products and, and really focus on third party identity risk, and, and identity authority. So I think I keep it short, probably everyone knows me. So Thank you Martin. Again. So to very quickly start into the topic of a first person account of third party identity risk management. So my first question to you three would be, do you already see an impact of the us executive orders regarding zero trust, maybe starting at David? What's your opinion on that?
Yeah, sure. So, so obviously I'm I'm from the us. So the executive order on zero trust is definitely sort of at the forefront at least of my world in cybersecurity, but I think the important factor here is awareness and the awareness really extends well beyond the cybersecurity industry in, in the us now. Right? So a presidential order obviously makes national news that goes along with all of the breach news is, you know, front page type of news in the us these days. So there is an impact already in just the awareness around the cybersecurity issues that we're facing.
So Yes, and I, I think, I mean, we see many companies intending to do zero trust and also this gets, this kind of produces more traction for identity governance, administration, governance solutions. And I think everybody is also pretty much aware that this should be one topic for internals, for enterprise people, and also for external people for third parties. That's a topic that we are talking about today.
And I think from my perspective, what still has to improve is this, these solutions, they are still seen a lot as compliance solutions as opposed to being really security solutions as part of a zero trust architecture. And I think this has to become, has to get in the mind of the people much more. And I think the most of the solutions can cover the risk based approaches already, technically already pretty well.
For example, if you make access requests, if you integrate factors into that, that's that's possible right now, but the risk models that have to be defined by the, by the organizations, that's the part that's sometimes still missing that I, I, I also would add probably processes and something you probably can touch on a minute, but going back to the executive order, I think the interesting point is awareness. Yes, it is also as usual with these things. It is what does it mean concretely, but it has impact.
I talked with, which said, okay, we first have right now to undergo pen testing in a different way. We probably have had to do before. I think it also shed a li light on this entire third party risk, which is a yes software piece. So we learned ZK, this is a part of the risk and it's also a risk of all onboarding off onboarding of these externals and, and we need to get better. And I think it's, this is really, you know, it's a call to action and it's important one.
And so yes, and I would absolutely also see that, that this entire partnership party, whatever we name it area is, is the one where we have the biggest gap for today. Great. Thank you very much three of you. So if we are now looking more into the software relations, what do you think? What are the most important elements for cybersecurity supply chain identity, risk management also called like C S cm. What must be checked there? So maybe you can start again at Martin on the left side. Yeah. I think the, the things that have to be checked there is really the identities have to be approved.
Of course. And I think Dave can talk a little very much more about this. Maybe I can raise one topic. That's important.
Also, when you, when you talk about governance and access management, as a result of these checks, I think it it's really important that the information simply the, the information is correct about these third party people, because the information like, for example, what are these people doing, which come, where are they coming from? Where are they working?
Cetera, this is the key element for making access decisions for setting up rules for they are basis for granting them access. And I mean, it's the same, like for internal people, you know, the HR information must be correct, but for third parties, it's much harder to keep this correct.
I mean, this is just a small piece, but I think it's an important piece. Yeah, a absolutely.
I, I totally agree and appreciate that. So, you know, in a zero trust model, you, you can't go about managing access for third parties. The way that that organizations always have done it, which is through access request, right. You really need to know who the people that you're granting access to are. And you need to know all the context to Martin's point here. The context, the rich rich set of context is what allows an organization to drive appropriate access both, you know, at, at birthright and through their entire life cycle with the organization at any time.
So, you know, in the supply chain, we always talk about third party risk and, and they talk about the organizational risk aspect. Well, that's great.
We, we know something about the business for whom we're doing business with, but what about the people that work for that business that are actually being granted? The access? Usually an organization knows very little about those people And, and it's the people and it's the, the software at the end of the day, depending on what, what you have, but people is, is I think the fascinating thing is, and maybe this is why we didn't care that much about maybe we cared, but, or we knew what we didn't care because it's the most complex area. So it's not that there's the one third party type of access.
There are people who are very loosely coupled, there are people who are very tightly coupled, there are different types of who, who requests access, who proves the accesses itself manage. This is managed by the external organization, by the internal organization. There are so many where Ryans, and I think this is you are you're bossing this or boss with that in, in the real world implementation. But I think this is exactly where the challenge comes from.
Yeah, no, it's also about like different people. We very different types of sensitivity of these people. There. Some people are just using, I mean, applications that are, that are not really sensitive and others are working as contractors and kind of working in mergers and acquisitions, for example, which is highly sensitive. Right.
I, I think we see just about in every enterprise, organization's a minimum of a dozen population types, right. And they all have their own requirements, their own risks to the, they pose their own risks to the organization and all that's a consideration for, you know, who they are and their relationship to the organization, which then should equal appropriate access for that, that individual. Yeah. And sometimes it even gets worse or take an insurance company. You can be a, a partner of the company selling insurance contracts. You can be a customer, you can be an employee. Yes.
All at the same Time, all different population types. Yep.
Yeah, exactly. I cannot add anything to that. That's very great answers. But if I want to implement a zero trust strategy, what do I have to consider from a third party side?
So, yeah, I'll, I'll take that first, I guess. So again, you can't really have zero trust if you don't know the information in the relationship for the people who you're gonna grant access to. Right. Because the assumption is, is that nobody has access, which, you know, probably isn't true, but that's the, that's the idea with zero trust. Nobody has access until they're proven worthy of that access. And if you tie in things like identity proofing, where you can prove somebody is who they say they are, that's, that's a good piece of the puzzle, but it really is about what are they doing here?
Who is this? And why are they here and why do they need this access? That should answer the question of, you know, what access are they granted and do they need it right now? Yes. Yeah. Are they still working at that sort? Exactly. Yep. Absolutely.
I mean, that's a, that's one of the key, one of the key questions and sometimes mysteries that people have to solve. Anyway, I, I think there are two, two important things that characterize third parties. One is it's, there's a lot of change. Yeah. And secondly, there's potentially not so much trust. And I think if you, if you wanna understand what the result of this is is, or the impact of this is there need to be a tight control of access. That's one conclusion from this. That means that if there are a lot of changes, if people have multi affiliations, the access must really fit.
Of course, the people must be able to work seamlessly. On the other hand, it must really fit and must be restricted. And on the other hand, of course there must be accumulation of access must be prohibited and timely deprovisioning, things like that. And of course, potentially frequent recertification should be done. Yeah.
I mean, I think that all of those things are a result of really well defined, centralized, good business process in managing the life cycle of third parties and the risk assessment of those third parties. So, so to solve the access problem, it's not a matter of just looking at access for third parties. You have to look at the business and provide the business with the tool to provide that appropriate context. Yeah. You're speaking to my heart because I think we, we would have such some so much simpler life in, in, in identity management, if we would think more about processes. Yes.
So if we define processes and, and I think Martin knows that from discussions we had probably also 15 years ago, I'm a big believer in, in well defined processes. And I believe it, it also makes a lot of things simpler because if you have to find the process, it also makes implementation way easier. So I'm absolutely this. And the challenge is we are not talking about the partner process, right. You're talking about a ton of different processes here. That's what you said, 12 populations, or more means 12 different types of processes. Right. Great.
So last but not least from my side, my question to you all three would be, so we hear from Martin that there could be a lack of trust, but how could we over get that in a, maybe a cultural field to change that we can adapt the zero trust or a zero trust strategy? You mean cultural changes towards a zero trust?
Yeah, I think, I mean, if you think about zero trust, my gut feel is if I look at zero trust architectures and think about a CIO, who's someone who has to make an investment. I think many CIOs still see the biggest kind of, or, or put a focus on investment on the endpoint security firewalls and things like that. And I think the value of identity and access governance as a core piece of zero trust architecture is still underestimated from my perspective. And I think that's, that requires a cultural change.
And if you look at the cases, of course, at the, that happen, for example, I mean, if, if you look at identity at, at theft of, of credit card information, things like that, I mean, the, the reason for this is because of course somebody broke in somewhere, but I mean, they are hijacking partner counts with too many access rights. Or if you look at, you know, at the first GDPR fine was for a hospital, which granted access to doctors who weren't, who weren't doctors. Right.
I mean, of course that's also a compliance thing, but we have to see that this is also a security thing. And, and to, to make people understand that zero trust that identity and access governance is a key element of zero trust. I think there's some work to be done still. Yeah. That's great points. And I think, you know, to, to add to that is, you know, how, how does the business look at cybersecurity? So we talk about cybersecurity practices and, and a cultural change, really, you know, there's probably three facets of a cultural change. There's the general populations awareness.
So it ties right back to the first question, awareness of cybersecurity issues. There's the business, right? Their awareness of cybersecurity issues. And then I think that there's a cultural change as cybersecurity practitioners that has to happen, right? So forever, we've asked the business to speak our language right on accounts and access, right. We need to provide the tools that really speak their language and us, let us be the translators of their language to cybersecurity. Right?
So, so, so I think two things to add the one is it's always difficult to do that change. So, so people built their, their reputation and organization. We are a firewall experts, VD, whatever experts. And this is clearly a, a bigger change. If focus is shifting and focus is shifting. So when we look at zero trust, it started with zero trust networks. So few people speak about zero trust networks as the main term, it's just zero trust. It's also just missed zero. Trust is missed zero trust networks.
And, and I did a, did many talks about serial trust. And I use a picture and I have done the traffic lights with red to yellow, to green on how, how good our CRI is. And the CRI Martin's identity. This is green Martin device is more difficult. It's yellow because we might connect the device to market.
But we, we may not be able to control the device because it's B by O D the network, which network can be everything. Martin's home network to his internet provider, to whatever, work from home red, how to control to get a full grip on that. We can collect data. We need to collect data. It's not that we don't need network security, but way more complex access again is way simpler. It's green because this is the Martin is doing that. So identity access are the things where we have the best script data is a little bit more complicated because you're lagging the data governance piece.
But at the end, I think this is the point. If you take that picture, it becomes clear identity and access is at the forefront at the core of every zero trust strategy. Absolutely. So I think before we end the session, we can maybe ask if we have a question from the audience, because on online audience, we don't have a question. Is there a question in the room from somebody we can take in? Okay.
Then not, but then of course we would like to thank you all three Martin from O David of course, from Zach Zeta. And of course, one of our founders, Martin also, and I think they all deserve applause from your side. Thank you. Yeah. And there's this call to action. Take third party access management earnest. Yes. Yep. Thank you. Thank you. Thank you.
