Risky Identities: Third Parties

October 28, 2021
by Paul Roberts

The concept of third party risk isn’t new. As far back as the 2013 hack of Target Stores, risks associated with third party access to enterprise environments were well understood. (That attack resulted in the theft of data on 40 million Target customers and began with the theft of credentials used by a subcontractor that provided HVAC services to a number of Target stores.) Since then, however, the cyber risks posed by external identities have only multiplied, while tools to track and manage that risk have lagged. 

The New Normal

Today, breaches linked to lapses by third parties are a frequent occurrence. Car makers including Volkswagen and Mercedes-Benz have seen customer data leaked by third party entities. Colonial Pipeline was breached by way of an orphaned remote access account that was not secured with multi-factor authentication. And, of course, recent incidents like the compromises at SolarWinds and managed service platform provider Kaseya have underscored the myriad ways in which modern organizations have subordinated their own security to third party service and platform providers, including MSSPs.

A Growing Population of External Identities

Today, so-called “external identities” that are tied to third parties constitute one of the biggest risks to the security of corporate IT assets and data. A number of factors have contributed to this growing risk. 

First: digital transformation has opened the corporate firewall to an endless parade of third party platforms with hooks into enterprise IT data (and the credentials needed to access that data). API-based integration with these platforms helps bridge the divide between on-premises and cloud-based applications and data. But it can also obscure suspicious or malicious activity.

Also, the “gig economy” has given rise to entirely new categories of contractors. These days, it’s not just HVAC repair techs that IT security teams have to contend with. Contract developers, outsourced PR and marketing teams, managed service providers – even “fractional” CxOs – all demand access to enterprise environments, while straddling the “insider/outsider” divide. Finally, the pandemic has caused the number of remote workers (and remote connections into enterprise environments) to explode, adding lots of “noise” to the signal of legitimate (or illegitimate) contractor activity.

Questions To Ask About Your External Identity Risk

Organizations that want to get a handle on their external identities need help – and tooling that makes the important job of managing these identities easier. Here are some simple questions to ask of your IT and security teams as you assess the risk to your organization posed by external identities. 

What is our permissions model? 

First and foremost: your organization needs to establish a normalized permissions model if it hopes to manage the risk posed by external identities and third parties. To prevent sprawl, identities stored in corporate directories (Active Directory, Okta, Workday) should map to application-specific accounts and permissions for all supported applications in your organization in a manner that is consistent, predictable and auditable. The permissions model should account for every assignable permission for each application and track whether a given permission is privileged or not.

Who are our external and third party identities? 

This sounds like a straightforward question, but it can be devilishly hard for organizations to answer with confidence. The embrace of remote work and the proliferation of software-as-a-service offerings mean that third party access to enterprise environments is mushrooming. These external identities may or may not trace back to an entity within your corporate directory (Active Directory, Okta, etc.). Either way, you must track which third party identities have access to your applications and data, and then verify and classify those accounts. If the identity is linked to a contractor, ask yourself: is this contract still active? Are these permissions consistent with our permissions model and with the scope of the individual’s contract? Getting a handle on who your external identities are, whether they need to exist and what permissions they hold is a critical step toward managing third party and external identity risk.

Have we identified orphaned external accounts? 

When you detect application accounts that belong to external identities, your organization needs to establish whether they are orphaned or no longer needed. This is a common problem within large or even just under-resourced organizations. Orphaned external accounts might correspond to current or former business partners, third party vendors or consultants that required access to your corporate environment at one time, but no longer do. Once identified, these accounts should be subject to an access review process and eliminated or brought in line with your permissions model.

What service accounts have been created for third parties? 

Service accounts are typically non-human accounts that are used to run automated processes. They are created for third party application integration and can pose significant risks. Active Directory service accounts created for third party use, for example, may start with limited access to corporate assets and data, but may get included in groups that grant much broader access. Organizations should scrutinize both role assignments and group memberships for service accounts linked to third parties and verify that “least privilege” security is maintained. 
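The four questions above (permissions model, external identities, orphaned accounts, third party service accounts) can be answered mechanically once the inventory exists. The following is an added example, written for this post and not code from Zilla or any product it describes. It models a small permissions catalogue, a directory, application accounts and nested groups as constructed sample data (the identities, applications, group names and the review date are all invented for illustration), resolves each account's effective permissions through group nesting, and reports the findings a reviewer would want: accounts with no directory identity, contractor accounts whose contract has lapsed, permissions that are not in the model at all, and privileged permissions that a non-employee account receives only through group membership.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# --- Constructed sample permissions model (illustrative, not real data) ---
# app -> permission -> privileged?  Every assignable permission is catalogued.
PERMISSION_MODEL = {
    "ticketing": {"read": False, "write": False, "admin": True},
    "payroll": {"view_own": False, "view_all": True, "export": True},
}

# Group memberships grant permissions; groups may nest other groups.
GROUPS = {
    "ticketing-users": {"app": "ticketing", "grants": {"read", "write"}, "nested": set()},
    "ticketing-admins": {"app": "ticketing", "grants": {"admin"}, "nested": {"ticketing-users"}},
    "payroll-staff": {"app": "payroll", "grants": {"view_all"}, "nested": set()},
}


@dataclass
class Identity:
    """A directory entry. kind is 'employee', 'contractor' or 'service'."""
    id: str
    kind: str
    contract_end: Optional[date] = None


@dataclass
class AppAccount:
    """An application-specific account; identity_id is None when nothing in the directory maps to it."""
    name: str
    app: str
    identity_id: Optional[str]
    permissions: Set[str] = field(default_factory=set)  # directly assigned
    groups: Set[str] = field(default_factory=set)


# Constructed directory and account inventory.
DIRECTORY = {
    "alice": Identity("alice", "employee"),
    "acme-dev-01": Identity("acme-dev-01", "contractor", contract_end=date(2021, 6, 30)),
    "svc-hvac-monitor": Identity("svc-hvac-monitor", "service"),
}
ACCOUNTS = [
    AppAccount("alice@ticketing", "ticketing", "alice", groups={"ticketing-admins"}),
    AppAccount("acme-dev@ticketing", "ticketing", "acme-dev-01", permissions={"read"}),
    # Service account that started with read-only access but was later added to an admin group.
    AppAccount("hvac-bot@ticketing", "ticketing", "svc-hvac-monitor",
               permissions={"read", "debug"}, groups={"ticketing-admins"}),
    # Account left behind by a former vendor; no directory identity maps to it.
    AppAccount("old-vendor@payroll", "payroll", None, permissions={"export"}),
]
AS_OF = date(2021, 10, 28)  # review date (constructed)


def effective_permissions(acct: AppAccount, groups=GROUPS) -> Dict[str, str]:
    """Return {permission: source}, where source is 'direct' or 'group:<name>'.

    Group nesting is walked iteratively with a seen-set so cyclic nesting cannot loop forever.
    A direct assignment takes precedence over a group grant of the same permission.
    """
    perms = {p: "direct" for p in acct.permissions}
    seen, stack = set(), list(acct.groups)
    while stack:
        g = stack.pop()
        if g in seen or g not in groups:
            continue
        seen.add(g)
        if groups[g]["app"] == acct.app:
            for p in groups[g]["grants"]:
                perms.setdefault(p, f"group:{g}")
        stack.extend(groups[g]["nested"])
    return perms


def review_accounts(accounts, directory, today, model=PERMISSION_MODEL) -> Dict[str, List[str]]:
    """Apply the access-review checks to every account and return findings keyed by account name."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        notes: List[str] = []
        ident = directory.get(acct.identity_id) if acct.identity_id else None
        if ident is None:
            notes.append("orphaned: no directory identity")
        elif ident.kind == "contractor" and ident.contract_end and ident.contract_end < today:
            notes.append(f"contract expired {ident.contract_end.isoformat()}")
        external = ident is None or ident.kind != "employee"
        for perm, source in sorted(effective_permissions(acct).items()):
            if perm not in model.get(acct.app, {}):
                notes.append(f"permission '{perm}' not in permissions model")
            elif external and model[acct.app][perm] and source != "direct":
                # A third party or service account gaining privilege via group membership.
                notes.append(f"privileged '{perm}' granted via {source}")
        findings[acct.name] = notes
    return findings


def run_review() -> Dict[str, List[str]]:
    """Run the review over the constructed inventory as of AS_OF."""
    return review_accounts(ACCOUNTS, DIRECTORY, AS_OF)


if __name__ == "__main__":
    for account, notes in run_review().items():
        print(account, "->", notes or "ok")
```

In a real deployment the three tables would be exported from the directory, the applications and the group store rather than constructed inline; the review logic itself does not change. Sorting the effective permissions keeps the findings order stable between runs, which matters when the output is diffed against the previous review to show what changed.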

Are we compliant? 

User access reviews are an element of a number of government and industry compliance regimes. Among them: SOX, HIPAA, GLBA, PCI and SOC 2. Your organization needs to review user access and permissions to verify your ongoing compliance with these frameworks and be able to document that compliance. 

Got Questions? Talk to Zilla! 

Zilla Security’s mission is to help organizations answer these questions, and streamline the process of managing entitlements for cloud-based infrastructure. Our solution delivers comprehensive visibility into permissions across SaaS, IaaS, PaaS, internally developed applications, and on-premises systems. We offer a broad suite of built-in integrations that can connect with any deployed service to monitor permissions and access settings. Automation eliminates manual and repetitive work and makes it easy for IT security staff, application owners or business managers to make the access decisions with confidence. 

If you want to learn more about how Zilla helps organizations stay on top of their third party and external identity risk, contact us!