Five Ways to Secure External Identities
If you stick with any movie through the end credits, you’ll see – not just the household names who act and direct – but the full scope of players who make a film happen. The scroll can seem endless: writers, CGI designers, location scouts… animal handlers and the illustrious “best boy grip.” It’s a wide-ranging ecosystem where everyone plays a role. And it’s very similar to the high-stakes cloud and digital initiatives that today’s enterprises are driving forward – and today’s attackers are targeting.
A successful transformation requires a diverse cast. Securing them calls for a closer look at who has risky levels of access to sensitive resources. It’s not only the IT employees working in critical environments. And it goes beyond the sharp increase in everyday employees accessing sensitive data in applications.
Roll the credits for any top enterprise initiative, and you’ll see an ecosystem of contributors from outside the workforce who also need access to internal resources, to do their jobs. The scroll would look something like this:
- Vendors
- Suppliers
- Contractors
- Partners
- Clients
- Agencies
- Franchises
- Affiliates
- Dealerships
Every day, external business-to-business (B2B) contributors use enterprise-provided applications, portals and services from various devices and locations. And attackers know it.
External B2B Users: Key to Success and Key Attack Targets
Consider how many outside contractors work for your organization and imagine just one falling victim to a phishing attack. A malicious actor tricks them into sharing their password for an enterprise app, digs around until locating high-value resources and makes a devastating next move. It’s a movie we’ve seen, but the script is flipped – to entail third-party vulnerabilities that are hard to control.
One example: an insurance company’s extended workforce of third-party agents who use the company’s online portals on the road – one compromised identity could result in the data of millions of policyholders being leaked. For a private hospital system’s network of electronic healthcare data vendors, this type of attack could result in a central database of patient records being held for ransom.
And that’s just considering external B2B users who are actively working with organizations.
Third-party risk often stems from B2B users who no longer work with an organization but still have lingering access to its applications, data and environments. IT security teams are already bogged down with manual processes for managing full-time employees’ access. The complexity grows when considering external users. One missed step in a manual, error-prone offboarding process can allow threat actors to exploit inappropriately provisioned, overprivileged or orphaned accounts.
How to Provide Protection and Positive UX for External Collaborators
Across any industry or use case, there’s a common link: external B2B users need as fierce protection as your employees. In addition, their user experience in accessing your applications and resources must be designed to help them succeed. Here’s a brief look at five areas of best practices to help you achieve that balance.
1. Ensure Secure, User-Friendly Access to Applications
A frictionless experience is essential for external B2B users when they authenticate into applications to engage with your organization. This helps vendors and contractors do their jobs; it also helps ensure that clients and partners view your brand favorably. But how can you achieve these outcomes without sacrificing security? Here are a few building blocks to keep in mind:
- Allow external users to access applications with a single set of corporate credentials via intelligent single sign-on (SSO), reducing password usage.
- Verify users with adaptive multifactor authentication (MFA) that draws context from user behavior analytics to determine whether a log-in attempt is low- or high-risk – and, in turn, provide easy or difficult authentication factors.
2. Bring Structure to Identity Data Storage and Management
As your organization’s digital and cloud initiatives grow in scope and scale, the number of external B2B identities requiring protection is surging, and their data is scattered across disparate systems. So, how can you ensure their information is accounted for and protected without making things difficult for partners? Here are some best practices:
- Store identity information for external B2B users in a secure, centralized repository.
- Allow external B2B organizations’ admins to use their trusted identity providers to authenticate end users via a cloud-hosted directory service that supports identity federation.
- Simplify administration tasks and oversight while helping eliminate adoption barriers among external partners’ IT and security teams.
3. Balance Flexibility with Security in Identity Administration
It’s challenging enough to stay ahead of identity administration for employees. The job can feel unwieldy when factoring in external users. You can reduce the burden and risks of third-party identity administration by giving partners a mix of autonomy and security-first features, including:
- Provide external B2B partners’ IT teams with a hierarchical, multi-tenant delegation model that allows admins to manage identity data across a shared environment.
- Introduce an overall tiered approach through which a designated partner admin can manage their end users, overseeing their access rights as roles change over time.
- Delegate administration responsibilities to peer admins and trusted non-admin users (as needed).
4. Automate Processes and Tasks for Managing Identities
Automation can help IT security teams escape from the pattern of manually connecting the dots and scripting one-off integrations between data sources and applications. The same applies to manual procedures and workflows for granting, adjusting or revoking access.
Here are some examples of how automation can help IT security teams regain bandwidth and reduce risk:
- Provision access automatically and manage entitlements throughout your external B2B users’ lifecycles, from onboarding to offboarding.
- Bolster defenses around siloed applications with custom security features and standardize your approach across apps through a simplified security model.
- Eliminate manual tasks with flexible workflows and automated orchestration of data, processes, tasks and events.
5. Secure Access for Third-party Privileged Users
While the nature of third-party risk has expanded beyond the traditional definition of privilege, it remains critical that organizations secure the identities of external users with the highest levels of sensitive access.
Take, for example, an IT user working for one of your vendors. If this user’s identity is compromised, the attacker’s next steps – e.g., lateral movement and privilege escalation – aren’t limited to the vendor’s environment. They’re a stepping stone to yours. Here are a few capabilities and controls that can help you secure third-party privileged access:
- Ensure privileged users from external vendors confirm their identities via biometric MFA each time they need to access critical assets.
- Implement just-in-time (JIT) provisioning for vendors when they need to access business applications and sensitive information.
- Gain full visibility into vendor activities via privileged session monitoring, with complete reporting, auditing and remediation capabilities.
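The lifecycle and just-in-time controls described in sections 4 and 5 (and the orphaned-account risk raised earlier) can be reduced to a small policy model. The following is an added illustration, not CyberArk’s code; the account fields, the `engagement_end` sponsor date and the two-hour grant TTL are assumptions, and the sample accounts are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

@dataclass
class ExternalAccount:
    user: str
    org: str                         # partner or vendor organization (assumed field)
    engagement_end: datetime         # contract end date from the sponsor record (assumed field)
    enabled: bool = True
    jit_grants: List[Tuple[str, datetime]] = field(default_factory=list)

def grant_jit(acct: ExternalAccount, resource: str, now: datetime,
              ttl: timedelta = timedelta(hours=2)) -> Optional[datetime]:
    """Issue a time-bound grant instead of standing privilege.
    Returns the expiry, or None if the account is disabled or its engagement has ended."""
    if not acct.enabled or now >= acct.engagement_end:
        return None
    expires = now + ttl
    acct.jit_grants.append((resource, expires))
    return expires

def has_access(acct: ExternalAccount, resource: str, now: datetime) -> bool:
    """Access exists only while an unexpired grant for that resource is present."""
    return acct.enabled and any(r == resource and now < exp for r, exp in acct.jit_grants)

def find_orphaned(accounts: List[ExternalAccount], now: datetime) -> List[str]:
    """Accounts still enabled after the engagement ended: missed offboarding steps."""
    return [a.user for a in accounts if a.enabled and now > a.engagement_end]

def offboard(acct: ExternalAccount) -> None:
    """Disable the account and revoke every outstanding grant in one step."""
    acct.enabled = False
    acct.jit_grants.clear()

# Constructed sample data: one active vendor agent, one whose contract lapsed ten days ago.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
ACTIVE = ExternalAccount("agent1", "vendor-a", NOW + timedelta(days=30))
LAPSED = ExternalAccount("olduser", "vendor-b", NOW - timedelta(days=10))

def audit_and_remediate(accounts: List[ExternalAccount], now: datetime) -> List[str]:
    """Flag orphaned accounts and offboard them automatically; returns the users acted on."""
    orphans = find_orphaned(accounts, now)
    for a in accounts:
        if a.user in orphans:
            offboard(a)
    return orphans
```

Running `audit_and_remediate([ACTIVE, LAPSED], NOW)` disables only the lapsed account, while a grant on the active one expires on its own after the TTL.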
Next Steps: Achieving High-Quality UX and Security-First Access Balance
The cast of characters playing essential roles in driving your high-stakes initiatives continues to grow in number, scope and risk. Keeping their identities secure is essential for preventing third-party breaches and attacks – and for protecting everything these external B2B users are building for your enterprise.
Similar to the movies, this blog post has a director’s cut with additional content. For a deeper look at the controls and capabilities needed to protect external B2B identities, read our recent whitepaper, “Secure Your External Users’ Access to Enterprise Applications.”
John Natale is a senior content marketing manager at CyberArk.