KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
How do we control what we do not see?
Supply chains are like that. The problem is that while you may have sight of your nearest third-party relationships, if you look further out to their relationships, things start to become a bit obscured. And that is where the risk lies.
In recent years Okta, Toyota and Morgan Stanley have all suffered data breaches that originated with an attack on the supply chain.
In this presentation, we explore the complex nature of supply chains/digital ecosystems and all the parties involved. We’ll look at the pattern of some recent third-party attacks, examine their root cause and what lessons we can learn.
Finally, we'll explore the critical capabilities that are needed as the foundation for a solid third-party strategy; one that provides active, continuous monitoring while reducing the overhead for compliance.
How do we control what we do not see?
Supply chains are like that. The problem is that while you may have sight of your nearest third-party relationships, if you look further out to their relationships, things start to become a bit obscured. And that is where the risk lies.
In recent years Okta, Toyota and Morgan Stanley have all suffered data breaches that originated with an attack on the supply chain.
In this presentation, we explore the complex nature of supply chains/digital ecosystems and all the parties involved. We’ll look at the pattern of some recent third-party attacks, examine their root cause and what lessons we can learn.
Finally, we'll explore the critical capabilities that are needed as the foundation for a solid third-party strategy; one that provides active, continuous monitoring while reducing the overhead for compliance.
Welcome. Thanks for taking the time, attending the session. As Mike mentioned, I'm Frank marrying, I'm senior solutions engineer at Savian and I would like to talk about the dark side of the story around identity management, primarily towards the entire supply chain security. Since we just heard from Michael and that temporary accesses and remote workers and your external companies, the entire supply chain you are working with needs to be managed and governed as well.
And that in an effective manner in order to de develop processes and strategies around compliance, monitoring, compliance situations, especially towards the new, this regulatory which has been released end of last year, which gets immediately effective in autumn 2024. And related to that, every single external identity is certain risk.
We've seen it throughout the media and the publications in the past that there were quite a lot of breaches going on, especially the octopus breach and Toyota, which happened in February 22 where hundreds of millions of accounts have have been stolen, which was the fact that Toyota had to shut down major plants due to a leakage due to misconfiguration in one of the suppliers, which was a, a plastic manufacturer within the supply chain of Toyota in order to stop Toyota on producing their own cars, which is a huge reputation damage at the end of the day.
But the missing revenue because of not selling cars and not shipping cars, was quite immense. And we've seen it throughout the octopus attack in August 22, where 130 organizations were affected cuz from this chain itself there was a breach within the services that October were using.
And there, there are a lot of reports and studies going on also from the Pone Institute that only 60% of the companies are dealing correctly and if efficiently of the management of the third parties. And quite a lot of companies don't even know how many relationships they have with externals, especially within the entire supply chain. Who's working with you guys or who are you working with?
Externals, external organizations, suppliers, is there a manufacturer in in the audience? How many organizations are, are working for you? External organizations? Do you have that in mind? You dunno?
Oh, 60%, right. So, and especially also Gartner, I know that this is a co coal event. Gartner says that just 23% of these security and risk management leaders monitor effectively the entire third parties and and regards to cybersecurity exposures. And that is the what comes into the compliance topics around the supply chain security by the N two regulations, which talks about the risk management measures and what is a supply chain for you guys at the end of the day, which supply chain are we talking about?
We are talking about quite a lot of globalization, remote workforce, what does an supply chain entirely and what does it mean for me or for my organization? And every single vertical has its own description in regards to the supply chain and the deliveries of external executions, external processes within the supply chain.
Well we just used from PTC a picture on comparing the supply chain from man manufacturing side as well as from the services side where there are quite a lot of equal information but still changes within the performance demand patterns, sourcing options and to, to get it managed and to get it properly. And especially what we see nowadays from the perspective is that the digital ecosystems are getting more and more complex, more and more solutions will be introduced and the IT infrastructures, the entire cloud sprawl is expanding.
Companies are open-minded towards cloud SaaS applications in order to get them managed and externals will leverage, will maintain those cloud solutions as well as SaaS solutions for you on your behalf as a manufacturer, as a company so that the sprawl is expanding more and more in, in your IT infrastructure. But what is a third party and what does it mean for you at the end of the day?
Does someone recognize the picture of the lady on the right hand side, ex Machina who has seen the the movie brilliant movie And that is a proper description for, so the supply chain as well as talking about the identities working for you as externals, having accounts and your IT infrastructure. Will it be human accounts, will it be robots service accounts?
And in, in that particular case, we'll see a lot of Analyst companies that states that you might have more or there are more service accounts and bot accounts nowadays as you have as regular employees within the company. And another concern on on that is that 70% of the global global organizations are quite unable to fully discover their service accounts or their bought accounts in the digital Porwal in cloud services, in cloud infrastructures in your on-premises infrastructures.
And 20% of them have never changed their account passwords on their service accounts, which is also a security related topic, right? And, and those regards, it's not only the human identities that are working for you within the entire supply chain, it's all so the silicon accounts that needs to be managed, that needs to be governed. But on the other side while talking about human accounts is that the third parties are nowadays working remotely too throughout the pan manic corona, big topic, stressed quite a bit. There were no, no visitors in in your facilities, in your premises.
And you have put actions in place and measures in place on allowing your external identities to dial into vpn, get access over Citrix or whatever in order to perform the job, to maintain security applications, to maintain applications, to maintain infrastructures and appliances without maybe a clue on what they are really doing. And what we see throughout the last couple of years, and that's also a report that can be Googled so to speak, is that companies using the the wrong solutions for securing the remote workforces, securing the identities from external or organizations.
80% of the report states that they're using homegrown applications. Just a few percent have outsourced providers for for that and 5% are using a contractor MO module out of the HCM solution. Only 10% use of a focused third party risk management or third party access governance solution in order to properly manage the external organizations and manage the external identities that are working for me as an organization. And what we can see over here is that due to the fact that quite a lot of percentage, 80% are using an homegrown application, is it properly maintained and developed?
Is it up to date? Yeah. And this will will result in a nice take that you can do that we need to move from a culture of fear to a culture of awareness Or to a culture of measurement act now because in this two is coming, it's approaching fast like autumn 2024 is almost tomorrow, especially when we talk about aligning processes within my organization and aligning the technical measurements in in the organizations, introducing the tools that allow me to be compliant with N two regulations.
Who has looked into the NS two compliance in a deeper fashion On ISO 27 0 35, 36 about the security measurements and for remote accesses for governing third parties, this two around every company larger than 50 employees in a turnover of a minimum of 10 million euros, if I'm not mistaken, throughout a variety of different verticals, finance institutes, healthcare, et cetera, et cetera, manufacturing are being affected by that.
So almost every second company in Europe is affected by N two on managing the third parties and that is something that needs to be done from the governance perspective, assign the necessary rights for the right amount of time for your external consultants for the external identities In order to build a foundation for 30 for a proper and a solid third party strategy. There are four guiding principles that we recommend companies keep a focus on while developing their approach. The ultimate goal is to sign the right access for the right amount of time safely along the way.
You want to focus on the user, both the third party organizations and the third party users identities. But the user friendly experience, which is one of the key topics that you also need to to consider the user experience while reducing the compliance overhead and regulatory overhead with the assured compliance measurements and monitoring along the line. And those principles are being mapped into the five key principles on the onboarding of third parties, onboarding of the organizations.
Quite a lot of companies have external databases, organization databases that can be connected for the management of external identities. The user registration, user onboarding is quite an extensive part, but the user experience is also a huge topic that comes into the game over here and which is similar to, to your requirement on the user experience that you have for your own workforces, for your own internal identities on requesting access. And then the access provisioning is having the right amount of maybe risk where access being provisioned to the individual external user.
Just because the user's member of a group, like a developer's group for example, doesn't mean that they should have all the same access as your internal employees related. The access to the job that's being done for the externals or not needs to be considered. Same as the excess reviews and compliance topics in conjunction with the delegated identity managers. It's a huge topic. Who needs to perform recertification campaigns? Who needs to re-certify the external identities in general? And who needs to tell me if an external identity is still working for the external organization?
I cannot say within my supply chain if man who is still working, sorry for misusing you. Now for, for my external company, for the external company who's working for me? Who's maintaining my network appliances. So excess termination and revocation is also a huge topic that needs to be considered. And there is good fauna. Good. Who do you know him? Who knows him? No one. As an writer, what is your inclination on that? To build or to maintain? Do you wanna do it properly? Do you wanna maintain what you already have? We already have that. Sorry for that.
And that is what we as salient can, can contribute to in order to give you the ability on meeting the Nest two requirements. Meeting the compliance regulations around is L 27 0 35, 36 in order to manage the life cycles of your entire supply chain.
In regards to the lifecycle management, what Michael just talked about in in the Signal labs session, the the entitlements management, huge topic which res results in the permission that in particular external identity has in in one of my target applications, which is attached to the excess request workflows as well as the right amount of permissions and I the the externals have in the connected target applications in really addressing key security related questions on what access do I have, how is the access being used and what does the access at the end of the day secure And those key questions towards compliance regulations.
My own security reportings are a key nowadays and especially to the management of a couple of thousand organizations. We need to talk about scalability and performance.
How many externals are working for you, external organizations, external identities, scalability is a huge, huge topic and therefore the third party governance key processes are being drawn over here towards the entity enablement, organizational onboarding, policy modeling based on the entity itself, does my external vendor a needs to, to need to have the same amount of permissions, the same amount of structure and processes as the other vendor, as the other external organization who's being then responsible for the user onboarding? Do I want to do it as an organization?
I just want to have a sponsor who enables the external organization to get access to my infrastructure and then I want to delegate the administration, the user onboarding into the external organization cuz only the people in the external organization know what kind of identities require access to my infrastructure enable in order to provide the right amount of access and the necessary accounts to the external workforces, to the external identities, which drives them my compliance init initiatives and my compliance monitoring around it to be able to Get reporting in place that I know 24 hours a day, seven days a week, 365 days in a year that I'm meeting leaders.
Two compliance that I'm meeting the ISO 27 0 35 and 30 36 compliance, which goes along the delegated administration, delegating the entitlement management, account management into the external organization to onboard those accounts. The keys you can reach yourself. We talked about the risk management, integrating proofing technologies, making sure that the accounts are the accounts we are talking about.
Self-services registration were we assent can help with, with the enterprise identity cloud, there is a dedicated module in place for governing external or onboarding and governing external organizations, external identities in order to provide the right amount of accesses that they should have into your target applications, into your infrastructure to achieve a single pane of glass. Not only managing your internal workforce identities, but also your external organizations and external identities as a standalone product or as a converge platform.
One platform that's hosting my internal lifecycle management as well, as well as the external lifecycle management processes. With that, I want to thank you for the attendance. Have a good day. Have a good
Okay, in the absence of a question, I will just ask Juan, what is your single most important advice? Should people start? What would you recommend Right now? Right now immediate action is being required in order to comply within this two regulations.
Again, autumn 2024 is approaching fast. Thank. Thank you very much, Frank. Thank you. So now we'll hand over to Shikha and There there is one question, Mike, What is the relation between the two and S one or two? So the question is S one or two, What is the relation between the two? Regulation and SDA and S two? I know. Let's take it offline. I'll come to you. Thank you. Thank you.
