IAM Sprint: Third Party User Management

14 May, 2024, by Natasha Free

It is hard to imagine these days, but there was a time when access to enterprise systems was restricted to staff only. Today, enterprises expose their systems, applications, and platforms to trusted third parties on a regular basis. But those third parties need to undergo some form of vetting, periodic review, and ultimately, have their access denied when it is no longer appropriate for them to interact with your enterprise systems.

HR do a pretty good job of managing the state of employees. In most organisations, however, the HR function refuse to take on the management of non-employees. In other words, for most organisations, there is no such thing as a single authoritative source of identity information for non-employees.

How can these third parties be managed in an effective way for my business? This is becoming a more pressing question as demands for access and streamlined procurement and management increase.


The Warm Up

What type of non-HR managed users do you have in your organisation? Where can you find this information (Excel is a surprisingly common answer)? The following persona types may help you answer these questions.

Staff Augmentation Suppliers

Many organisations outsource certain aspects of their business operations to suppliers who are clearly trusted third parties. Contracts will be in place; due diligence will have been completed; and those suppliers will be included on the Preferred Suppliers List or PSL.

It is commonplace to find business operations such as HR, Call Centre, IT Infrastructure & Hosting, or IT Development being outsourced to third parties and in many cases, those third parties are supplying many people to address the tasks at hand.

Similarly, many organisations regularly dip into the contractor market to augment their staff.

B2B - Purchasers

As part of the B2B purchasing and service consumption process, it is now common for buyers of your services to need to interact with some of your critical assets; they may need access to re-ordering systems, for example.

Tenants

There are organisations who have prime real estate, elements of which they may sub-let to tenants. In many cases, those tenants may require access to the letting organisation’s network, systems, and/or physical security platforms. Universities are a great example of organisations that will have commercial enterprises taking up tenancy agreements to get access to research students.

Guests & Work Experience

Many organisations offer short-term work experience placements to students in secondary education. These placements may require both physical and logical access to systems meaning a requirement exists to manage the extremely short-term lifecycle of such users.

Students on a work experience placement programme are limited to a maximum of 2 weeks of experience under UK law. That is short-term, but it isn’t quite as short as for guests – those people who turn up for a conference or a meeting. In these instances, an organisation may want to offer access to a guest network and certainly to guest services available within a restricted area, for example refreshments and meeting room/bathroom access in a specific conference space. This may also include parking validation.

Non-Human Entities

The point of the HR system is that it manages the lifecycle of Human Resources who are directly employed. But non-human identities already outnumber human identities. And by quite a multiplier. Taking control of your system and service accounts, robots, and Operational Technology (OT) has become more relevant as the bad guys turn their attention to these identity types in their attempts to find a back door route into your systems.

Once you have established the user types you are dealing with you will need to review their existing access arrangements. The UMT tool allows you to set up third party administrators to manage these groups, further reducing your administrative burden.

And finally, are there any persona-specific lifecycle rules you need to adhere to? Your risk and compliance team may have something to say about this.


The Sprint

It’s fair to say that no Identity Management or Governance software adequately provides use case realisation for third party user management out-of-the-box. Configuring those platforms to add the necessary data input screens and life-cycle rules is something that needs to be accounted for from a total cost of ownership perspective. Worse? Some of the big players in the IDM/IGA space don’t provide a means of configuring their software to address third party needs at all!

But a dedicated third-party management tool does exist in the marketplace – and it is offered as Software-as-a-Service. Madigan’s UMT is available as a free trial, specifically to fit into a sprint that can address the following use cases.

Use Case 1 – User Creation

Who in your organisation should be capable of creating a user record for a third-party user in your systems? And should the distribution of this administrative capability be identity type specific?

Ideally, Department Managers should undertake the administration of contractors/consultants who report to them although some form of approval process to ensure a relevant purchase order is in place would be mandated.

For tenants who rent office space in your buildings, however, it might be more prudent to delegate that responsibility to a tenant administrator.

Use Case 2 – Continuous Review

When we talk about continuous review, we are not necessarily talking about the periodic certification of access rights. Instead, we are reviewing whether the user should continue to be regarded as an active resource.

Contractors normally have both contract start and end dates, but contractors (and organisations) can terminate such contracts early. Any system put in place to manage third-party users should have the ability to constantly ask the question of third-party user administrators: “does this person still have a contract?”

Use Case 3 – Off-Boarding Process

A contract end date is a great date to flag a third-party user as no longer existing and it can be used to trigger the process of removing that user’s access rights. Similarly, a contract end date with an over-arching supplier (like a staff augmentation provider) can also be used to trigger the automatic removal of access rights for all identities associated with that supplier.

Supplementary Use Cases - Life-Cycle Rules & Automation

Why should life-cycle rules require development by someone with a degree in Computer Science? There is very little excuse for a modern-day platform to require an administrator to develop a life-cycle rule in Java or JavaScript or VB Script or PowerShell. Therein lies the path to technical debt, after all.

What do life-cycle rules look like and what should you consider implementing? Here are some simple examples that can provide instant benefit:

| Trigger or Event | Action |
|---|---|
| User contract start date has been reached | Set user status to ACTIVE; send alert to Department Manager or Owner |
| User contract end date approaching | Send alert to Department Manager or Owner |
| User contract end date reached | Set user status to INACTIVE; send alert to Department Manager or Owner |
| Organisation contract end date approaching | Send alert to Organisation Owner |
| Organisation contract end date reached | Set all associated users’ status to INACTIVE; set organisation status to INACTIVE; send alert to Organisation Owner |


The UMT service provides these rules out-of-the-box, but the platform will allow a suitably authorised administrator the ability to create their own rules.
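The five rules in the table, evaluated once per day, as an added Python example. It is not UMT's implementation or code from the original post; the field names, the PENDING pre-start state and the 14-day "approaching" window are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

WARN = timedelta(days=14)  # assumption: the page does not define "approaching"

@dataclass
class Org:
    name: str
    owner: str
    end: date
    status: str = "ACTIVE"

@dataclass
class User:
    name: str
    manager: str
    org: Org
    start: date
    end: date
    status: str = "PENDING"  # hypothetical pre-start state, not from the page

def evaluate(users, orgs, today):
    """Run the five table rules once for `today`; return (recipient, message) alerts."""
    alerts = []
    for org in orgs:
        if org.status != "ACTIVE":
            continue
        if today >= org.end:  # >= so a missed daily run still off-boards
            org.status = "INACTIVE"
            for u in users:
                if u.org is org:
                    u.status = "INACTIVE"  # cascade, whatever the user's own end date
            alerts.append((org.owner, f"{org.name}: contract ended, all users deactivated"))
        elif today == org.end - WARN:
            alerts.append((org.owner, f"{org.name}: contract ends {org.end}"))
    for u in users:
        if u.org.status != "ACTIVE":
            continue  # never activate or alert on a user under an ended supplier
        if u.status == "ACTIVE" and today >= u.end:
            u.status = "INACTIVE"
            alerts.append((u.manager, f"{u.name}: contract ended, set INACTIVE"))
        elif u.status == "ACTIVE" and today == u.end - WARN:
            alerts.append((u.manager, f"{u.name}: contract ends {u.end}"))
        elif u.status == "PENDING" and u.start <= today < u.end:
            u.status = "ACTIVE"
            alerts.append((u.manager, f"{u.name}: contract started, set ACTIVE"))
    return alerts

# Constructed sample data: alice's own contract outlives her supplier's.
acme = Org("Acme Staffing", "org-owner", date(2024, 6, 30))
alice = User("alice", "mgr-a", acme, date(2024, 5, 1), date(2024, 12, 31))
evaluate([alice], [acme], date(2024, 5, 1))   # alice becomes ACTIVE
evaluate([alice], [acme], date(2024, 6, 30))  # supplier ends: alice INACTIVE
```

The organisation rule runs first and takes precedence, so a user whose start date falls after the supplier's contract has ended is never activated.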


The Warm Down

After running a successful PoC, it is time to reflect on what has been achieved; what worked well; how rules and the creation of third-party entities and user types can work for your business; and crucially, work out how the tool can augment your existing identity governance solution.

Remember, HR is authoritative for employees. There’s no reason why a Third-Party Management tool can’t be authoritative for all those users that fall outside of the HR processes.

© Copyright 2024 Madigan Solutions UK Limited
Madigan Solutions UK Limited is a company registered in Northern Ireland with Company Number NI675324. VAT Number 368 3929 47.
