Managing Third-Party Onboarding and Access Governance


Video Transcript
Kyle Benson:
Hi, good afternoon everybody. My name's Kyle Benson. I'm the director of product marketing at Saviynt, and we will kick off in just a minute or two. We see that we've got quite a few folks that are coming in out of the waiting room, so just going to give it a minute or so as people transition from other meetings perhaps.

Michael Engle:
Yeah, everybody has back to backs today. There's no time in between.

Chandra Sekar Rajendrakumar:
Yeah.

Michael Engle:
Have you guys had any luck setting up 45 or 55 minute meetings and sticking to it? Yeah, you try to give that five minute break. It doesn't seem to be sticking for me.

Kyle Benson:
Okay. Well, I think that it looks like we're getting a pretty good full room here, so we'll go ahead and get started. Thanks for joining us today, everybody. As I said, my name's Kyle Benson. I'm the director of product marketing here at Saviynt and I'll be moderating our discussion today. So I want to say thank you all for joining today's webinar that we've titled Challenges with Third Party Onboarding and Access Governance. And before we jump in, of course, got to go through a few housekeeping items. If you would like you can submit your questions into the Q and A or into the chat box and we'll answer all of the questions at the end of the webinar or get back to you separately. And there is a recording of the webinar that will be going on and that will be delivered to your inbox next week.

So I am very pleased to be joined by a couple of friends that are both experts in the field of identity security today. So joining us today is Mike Engle, and Mike is a proven information technology executive. He's been a company builder and an entrepreneur, and he's an expert in information security, business development and product design and development. His career includes being the head of information security at Lehman Brothers. He was a co-founder of Bastille Networks and the co-founder at 1Kosmos as well as a general manager at 1414 Ventures and a board member at the Kantara Initiative. Also joining me is Chandra Sekar Rajendrakumar, and there I just did the toughest part of my whole pitch today.

I call him Chandra, but Chandra comes with decades of experience in the identity and access management domain with various vendor technologies. So he's been helping to secure client identity all through era. Currently he works as a director of IGA product management and offerings at Simeio. And Simeio of course is a premier partner for Saviynt. So Chandra is responsible for all of the features and offering development that goes on to match the needs of the market. So welcome to both of you and thank you for sharing your expertise today.

Michael Engle:
Yeah, thank you so much for being here. I'm looking forward to the discussion today.

Chandra Sekar Rajendrakumar:
Thank you. Thank you Kyle.

Kyle Benson:
Alrighty, so we'll move on. So why are we talking about this topic? Why are we talking about it now? Well, for those of us who are in the IAM space, we are seeing that the risks that are associated with third parties have been increasing quite a bit over the past few years. It seems hard to believe that it was a Target breach that kicked off third party attacks way back in 2013, 10 years ago. But the hackers liked to replicate their successful attack vectors, and what we started to see was a significant uptick in ransomware attacks via third parties over the last couple of years. Now, back then was the old double extortion play. I'm going to lock down your systems and I'm going to steal your data, and then you have to pay once to get your systems back and then you have to pay again to get your data back but all comes together.

But more recently the focus seems to be shifting again to a little bit more of an Nth party approach where the hackers are gaining access to a company only so that they can gain further access to their original target's customers and partners. That way they get exponential return on investment. So let's take a look at a few examples. So back in February of 2022, Toyota completely shut down some of their operations in Japan. You may have heard about this, but it was after one of their major plastic suppliers, a company called Kojima, suffered a data breach. Now because Kojima had third party access to Toyota manufacturing plants, they had to shut things down. It was just necessary to protect the data across the entire enterprise, but this breach also affected some of the operations of Toyota's subsidiaries. So you start to see this waterfall effect.

So that halted or at least decreased production and it may have hurt Toyota's bottom line because it really slowed down the car production, reduced the number of cars that Toyota produced by, in this case a few hundred, but it could have been much, much worse. So that brings up a key point about these third party relationships that companies don't normally think about, and that is to reduce your risk of a breach, it's really important to be aware of the security measures that your third party organizations are employing and to negotiate better ones if they're not up to your company's standard. More recently, Morgan Stanley and Upstox have had significant breaches. They were just a couple of hundreds of attacks that have been taking place over the last couple of years and mean that it's been accelerating quite dramatically in the last six months or so. So we want to do a little bit more podcast style here. So at this point, Mike, maybe bring you on, third party breaches definitely on the upswing. What kind of things have you been seeing?

Michael Engle:
Yeah, so these are the ones when they make the news, they're a really big deal and it gets a lot of public attention. It gets maybe regulators thinking about what could we do? But then there's a couple other categories that we're going to touch on here today as well, getting more into the individual third party risk. So how do you know who's joining your company? They are a third party until they get their butt in that seat, and now they're working on your technology and working for you, whatever it is they're doing. And that applies to both new employees, new contractors, and the risks of other third parties getting into that process. So they're both really top of mind and I have some pretty good stories that I can tell around this as we get to some of the material.

Kyle Benson:
Okay, sounds good. So in addition to the compliance drivers that we see out there, the scale of a lot of organizations, utilization of third parties as a part of their regular business practices has been increasing exponentially as well. A lot of that had to do with the pandemic, of course, a lot of it had to do with things like mergers and acquisitions and onboarding of third parties from the acquired companies, business models, et cetera. I mean, if you stop and think about it during a merger or an acquisition, you probably have thousands of employees, but then potentially many thousands of third party users that have to be added in to that parent company's identity management system. And that's a lot of work to do in a very compressed timeframe. So that's really ripe for things like rubber-stamping of approvals over provisioning users, it's a potential for a big mess.

So organizations really need to have this ability to quickly and efficiently onboard people into the new company and still have that auditable trail of what was done and who approved it. Because without automation it can take hundreds of hours to determine which of these employees and the third party users are valid if there are duplicates that exist. And then to do the migration of the workforce records from the acquired organization's systems. Importantly, those companies need the ability to manage the relationships with these identities across their entire lifecycle and then just make sure that they've got timely termination of access when they're just no longer required. Hey Mike, I know that the elephant in the room is here, so how do I even know who these third party people are?

Michael Engle:
Well, yeah, that's one of the key factors is if you know that it's John coming in, then the other parts you mentioned, are they rubber-stamped into something? That's a whole different set of problems with authorizations and deprovisioning, but just knowing who it is that's coming in is getting more and more important for a couple reasons. You got a remote workforce, not only does your company have one, but of course all these third party contractors that you're allowing to come in have a remote workforce as well. So that same problem is extending and growing exponentially. So there's some really innovative and low friction ways now to prove who it is that's accessing the system. And if you can make that one statement, it's sort of a flavor of zero trust, how do you know who's at the door before you open it? It'll make things a lot easier for every other IT function. So that's what I'll be diving into here today.

Kyle Benson:
Okay. Well there's clearly a misalignment between the strategies that organizations are currently using and what's actually required to protect them from their cyber attacks due to those third party vulnerabilities. So I think companies really need to have both the tools and the services like third party identity lifecycle management to make sure that they both improve the operational efficiencies, but then hopefully reduce the cost in all of the risks that are associated with managing this kind of dynamic higher risk relationships with third party individuals. So with that said, I think it's really easy for us to think of third parties as just the contractors and supply chain partners, maybe students or some of the other humans that just don't work for your company but still need access to your systems or your data. It's a mistake to think of third parties as only humans because the non-human identities are posing the same or even greater risks than human identities.

Did some reading, I saw that Forrester estimates that non-human identities including things like your bots and your service accounts, robots, OT and IoT devices are growing up to 10 times as fast as human identities across a lot of different organizations. So another big concern that's out there I think is a percent of global organizations just aren't able to fully discover their service accounts. And about 20% of them have never changed the account passwords on their service accounts. So you've got service account and password admin. So really need a way to create and maintain an authoritative record for all of your non-human workers at the worker level as opposed to just the access level. And then this serves as your unified source for managing and monitoring the identity lifecycle of the non-human worker, and it helps reduce the risk of human errors and security risks and the compliance violations that go on.

So if you do take a proactive approach, you can continuously monitor and manage these non-human worker identities, improve the operational efficiencies, make sure that you can prevent those costly cyber attacks and data breaches before they happen. So with that said, if we go back kind of to our problem statement, it's mainly the companies are playing catch up in the race to secure third parties. Ponemon Institute says 60% of companies just don't know how many third party relationships they have. Not to mention what access those third parties have, and the statistic may surprise you, but if we were to stop right now and just do or something, we're not going to do that. I know those are annoying sometimes, but if we did an honesty poll, chances are many of you could tell us about how many employees you have and what kind of access that they get.

It'd probably get pretty close, but third parties are much more difficult. And what I find astonishing about the 60% figure is that 49% of the companies have already had a third party breach. And the key point here, we brought it up a little bit earlier and that is when we talk about the third parties, we really need to consider the Nth party breaches. So what's an Nth party? Third parties have other third party business to business relationships, of course. So that could be with your competitors, it could be with their supply chain, it could be with contractors that they use. But just like in the Target breach, Target wasn't actually breached by the HVAC refrigeration vendor directly that the breach came through, someone gained access by breaching the HVAC vendor.

So that's why securing third party access is so critical to auditors and regulators, and that's why they're really taking notice now. So it's a big issue, but it is something that has to go all the way back to when you start your third party relationships, the contractual agreements that you have in place, and being able to make sure that you're doing risk analysis upfront and making sure who you're really dealing with. So Mike, I think that the slide that we have here sums up the attack vector of criminals don't hack in, they log in.

Michael Engle:
That's right. When I was growing up in InfoSec land and I was in the 90s and 2000s when I wore that hat and was trying to protect the Wall Street Bank, it was all about just hardening the infrastructure and making sure the bad guys couldn't compromise a web server and then move laterally and get in through your reverse proxy or whatever it is. It was about them hacking in. And all of the breaches today, you don't hear that anymore. It's very uncommon for there to be some massive Java exploit that is the way people get in.

Instead, they just get a credential. They call up the help desk and pretend to be somebody. They send you a thousand push messages until you say yes, and there's no real identity in that process. So they just log in. Imagine if you knew who it was, who's logging in, you could just stop what is now the biggest vector, and I'm sure the Okta breach, the Cisco breaches, they were by somebody getting access to employee or contractor credentials. So again, something I'll be focusing on here in just another slide or two to get into the weeds on how we can mitigate this with today's standards.

Kyle Benson:
Okay, well let's jump ahead and we'll talk a little bit about that.

Michael Engle:
Let's do that. Yeah, so there's two buckets here on the left, which is highlighted now, there's how do you get people into your environment in a modern way? The old way is email them a link and send them a username and password, or they have to call a line manager. You can do all that digitally today. You have billions of smartphones that are now a very effective conduit, and we now have standards that say, here's how you do it in a way that minimizes risk. So the first standard, NIST 800-63-3 is the government standard that says, I'm going to prove this is Kyle Benson and I'm going to ask Kyle to present his government credentials. I'm going to verify them and match a face. That's kind of the gist of it. There's other ways to do it as well. And so if you are looking to onboard identities, this is the golden standard of standards.

And there's a certifying body called Kantara, as Kyle mentioned on my bio. This is an organization that it's nonprofit, I'm on the board of, and their goal is to certify people to say that they do this well. So two important factors there. And then on the other side of the house, if you hit the right arrow for me, Kyle, it's the usage of that credential. So just scanning a driver's license isn't enough. You have to link every activity back to that verified person. And here that same standard says, here's how you do it. You can see the difference on the left and right. It's IAL, identity assurance versus AAL, authentication assurance. So again, just handing somebody a six digit code generator is not assurance because that can be given to somebody else or stolen. So putting these two together, and of course FIDO authentication is now a public key cryptography way to use credentials.

You put them together and it really strengthens the entire picture. There's FIDO certification. So you're dealing with a vendor that really takes the stuff seriously and you put them together with real biometrics. You have to look Kyle in the face to know that Kyle is the person sitting there or you could use his voice or some other thing. But it has to be something. This is one of the really important factors. Something you have, something you are. So this is really starting to resonate. This middle word iBeta is one of the big certifying bodies that says you do biometrics right. So we call these the identity based standards, and I'm going to show you some examples next of how these standards can get implemented when you're onboarding a new hire or a contractor, if you'll progress forward for me. Perfect.

Kyle Benson:
And we'll get it started for you, Mike.

Michael Engle:
Let's do it. So there's an app involved or we can do it without an app, which sets up a couple of really basic factors. You have a key which was just put into the phone or on the desktop automatically, a PIN, it's used for recovery. And then your Touch ID, Face ID. You see I just enrolled three factors in about 20 seconds. Next we can onboard identity verification. And this is where I mentioned scanning a driver's license as an example. Now this live selfie is one of the ways that you verify an identity so you truly know who's logging in. So now on this stage, I just simply prompt the user to scan their government credentials. And you can do this in 200 countries today. The license is verified, the face is matched, and you have a very high level of assurance and you can even do global identities such as a passport, which you see here in this third pane.

So not only can you scan, verify, match but you can read the NFC chip. Now you've got a digital credential that you're onboarding, and again, the face is matched in real time and all this comes together. So you saw how simple we can now use these technologies and these standards. This is the highest level of assurance that you would need to get into your medical services, into government services for KYC, for banking, et cetera. And you have to do this for new hires anyway. You have to verify their face matches a credential before you can pay them because you have to do taxes and so forth. The I-9 process here in the US. So thanks for that. So now I have this identity. Let's take a look at how to use this. I'm going through talent acquisition and it says, congratulations Kyle, we just hired you.

Come to the portal. Scan this QR code, give your consent, prove it's you. So here's some real zero trust biometric stuff going on, and my data is decrypted out of my store and transmitted over to the HR department, verified, prefilled, nothing for anybody to really type in. On the next screen, you simply say, all right, where would you like to send the digital credential? Well, let's use the email that we've been corresponding for talent acquisition or send it to their cell phone number, the same number that I've been working with them on.

So this gets sent to them. They now have a digital credential that can get them into the firm and you'll see me accepting this credential here back into my authenticator. Press the red button, do one final form of authentication, and these are customizable layers depending on the risk of what you're trying to do and you're in. All right. And as we talk a little bit more about some of these concepts, I'm going to show you how we can then use that to get into a system in just a couple of minutes. So thanks for letting me show that, Kyle.

Kyle Benson:
All righty. So we've got another big issue and we talked about it for just a second, but that is the fact that third parties are remote as well. And while we know that remote work styles where employees can its own access risks, the risks become a whole lot higher when third parties are using various security technologies. So they may not be using the standard that your company is using. Matter of fact, they could be using conflicting types of technology to secure their environments and to provide access. And the security can be all over the map, multifactor authentication, endpoint security, network security, data security.

And each of these comes with its own risks that's associated with things like patching and update risks. So unless you've got centralized control, what's to say that a rogue third party won't just download data and sell it on the dark web? Also, you've got the insider threats that are a major issue and third parties just became insiders. And Mike, we had talked earlier and I don't think that we picked it up, but I think this is a good place to do it. And that's maybe talking about the proxy environment and what's happening with those guys.

Michael Engle:
So there's two really important third party risks that are now happening. Our clients are seeing that and coming to us and asking for a solution. The one is proxy interviewing. So I am Mike Engle, I interview, I do a crush it, I'm a master developer and now I get the offer and I accept it. On day one, somebody else shows up at work, somebody else shows up to log in remotely is really more how it's going to be. And a lot of times the people that you're interviewing with are all these experts in the other groups, so they're not going to remember who it really was. So on day one, you could have somebody working there maybe even has four jobs and pretending to work a full day, but you don't even know who it is. So the process of that identity onboarding that I showed you earlier can fix that problem because then on day 1, 2, 10 or a hundred you can say, "Can you just look into the camera again and prove it's you?"

You can do that based on risk or on a programmatic regular basis. The second challenge is, so you have proxy interviewing is a contractor or employee jacking. That is where I'm already in, I'm working and then I go give my seat away to somebody else just so they can do day-to-day work. So I'm still here working, but I'm subbing my seat out maybe to a developer in Eastern Europe and using old authentication and identity mechanism, user name, password, one time code, I just have to WhatsApp a code to that person in Romania and boom, they're in and they're logging in. So using these identity constructs that I showed earlier, we can mitigate both of those very real and happening now risks.

Kyle Benson:
So that's a big gap.

Michael Engle:
It is, yeah.

Kyle Benson:
So the question is how do we see companies responding to these threats today? And honestly it's not a pretty picture, but here goes, okay. So as I said, oftentimes third party access is an afterthought. And since access is needed really quickly, provisioning access and providing security is often dumped in the lap of the IAM or IT security team. And the trend that we see for solving for third party access is that IT security teams... Look, they're busy too. They're just looking for the most expeditious way to automate mostly manual processes via homegrown applications, or it could be a combination of spreadsheets and collaboration tools, Slack and Teams and phone calls and spreadsheets. But these things are rarely built for purpose and they're really just a bandaid to get the project, this third party management off the ground. And while they may help in terms of doing things like inventorying and maybe provisioning some of the vendors and users, they typically don't do very well for the ongoing governance of things like access reviews, certification, time-based deprovisioning, make sure that you've got your continuous compliance.

Now other companies, and by the way, those homegrown apps from the research that we've looked into, it looks like about 80% of companies are taking that approach. Now, other companies and typically these are your larger enterprise companies, they may outsource to a provider like a global systems integrator for example. These solutions are typically pretty well thought out because they've come from a history of Legacy IAM systems. They may be well thought out from a policy and a process standpoint, but they may not have the flexibility and they probably come at a fairly high cost. And so for those companies that may not have the resources of a large enterprise, they may try to adapt a contractor module of their HRMS system. And again, these help with the onboarding, but they typically don't handle the rest of the governance that's required. And oftentimes this is where you'll find friction going on between the HR team and the IT security teams because HR probably doesn't have the resources to dedicate to administratively managing this huge inflow of third parties as well as all of their users.

And they may not want to assume the risk of maintaining the regulatory compliance that can be a career limiting project in and of its own. So that leaves a focused third party management solution like we're talking about today. And about 10% of organizations that have been surveyed have deployed some version of these. Now these aren't necessarily a panacea either. And since this is a relatively new space compared to the IGA space, there are just a few companies that are offering a purpose-built solution for third party access. And the problem is that this is all that some of these companies offer. So once again, you have a point solution that you as a customer have to deal with and then it keeps you from having that integrated view across your entire workforce. So Chandra, I think it's time we bring you in and be the savior here. Tell us what it is that we should do about this.

Chandra Sekar Rajendrakumar:
Absolutely. I think couple of key items that I just wanted to highlight as well. The type of proxying that we see with aspect interviews, people joining in, that's been something pretty massive in the times after that remote work become a big standard in the industry itself. And also looking at the metrics, which is a very solid insight about the type of breaches that's happening with the third party access as we don't see nowadays people hacking more than people are logging in to get the data itself. I think it's time everyone also realizes that the third party access governance is no more a nice to have type of an element in the organization. It is the most important must have in terms of enabling an organization for its standards. If we have to enable a solid third party access governance in an enterprise, there are key four major pillars to look at it.

One is it's not just about trying to give access to the people, it is also about giving the access only to the right time. Making sure we are able to enable the least privileged principle. Principle itself is very important for us to address. And that's something that's very important to have that as a pillar in third party access governance. Second is to make sure we are going to have lot of external identities. We're going to have lot of third party suppliers and users coming into the organization. It's very important to have a very user-friendly mechanism for them to do their own activities, be it from a requesting of an access, be it from a reviewing its access or be it from a delegated administration perspective. So trying to keep that as simple as possible increases a lot of productivity for the organization.

And the next important aspect is to get the automation enabled using the service and technology that is available in the market today, which ensures you to have a most efficient way of handling the governance that is required for the third party itself. Third party identities, not just human non-human identities too. All of this put together will always give you a solid governance and solid metrics and management that is required for you to handle your compliance needs in the organization. So all these are the standard four pillars to look at if an organization is getting started with a third party governance management to be enabled. We'll also look at what are the critical capabilities of an organization to be addressed in terms of a third party access. Kyle, you want to go to the next slide?

Kyle Benson:
It's interesting, we had a question pop up in the chat and Zade said, "What about shadow IT? Especially when they bounce between internal services and client services." I think that leans right into the next slide that we've got because we're looking here at what critical capabilities are important.

Chandra Sekar Rajendrakumar:
Yeah, exactly right. So looking at some of the examples that is here that we might have gone through for a fact like let's say and hospital as in a scenario, looking at, we go interact with the doctors and nurses there who are not generally the employees of that hospital or the systems that is there. Mostly the billing systems are third party owned. You see a lot of other aspects like the suppliers who supplying many indisposable and many other supplies that is required for the hospital's management supply chain, which is another set of third party identities to be handled within the hospital itself. Even if you take a simple example of a hospital, there's going to be multiple different types of third party identities and human and non-human identities to be looked at. And when looking at all these identities, it's also about looking at what are the key capabilities to be addressed on each of these identities.

One, taking care of the entire service of the life cycle for them. And then looking at what type of a request management, what types of an approval management to be handled, how do I actually take the governance capability of that to understand what type of an access has to be reviewed, what type of an access has to be killed in terms of any review that goes off the plate? And also addressing how can I actually create some of the standardized policies in the organization to make sure, okay, the third party identities, this is how they come in, this is how the policies will be defined, this is how the set of access that they will get to all the different systems. Because all of the times that we see in the different organizations, the third party identities do have access to lot of the critical data in the enterprise itself.

It's not that only employees do have access to it, there is also a conduit towards the third parties because they do a lot of other activities that is required for an enterprise to function. In that sense, they will automatically have access to some of these important critical data in the organization. So that's where it's very important to have all these key capabilities enabled for all the third party identities as well. Not just looking at the enterprise B2E scenario to build all the other capabilities for the employees and enterprise users. We need to consider all the other third party identities also at an enterprise users level to make sure we have the same set of policies, same set of scrutiny with respect to the access that is required in building that least privilege principle itself.

Kyle Benson:
I think Chandra too, it's interesting when we think about the business cycle where we are right now, things like scalability and performance, those outcomes and pricing are very important because we've got to make sure that we're building a great system but we're doing it with a great return on investment and then just the lower total cost of ownership over time. And that's where a lot of people are looking towards an integrated identity platform, a converged identity platform that can touch on multiple parts of the identity security program. So I think that that's really important. Otherwise you end up trying to integrate all of these things together in a piece parts approach. So let's go on and we'll move ahead. Let's just talk about some of the key processes that you see Chandra as important.

Chandra Sekar Rajendrakumar:
Yeah. So see the key processes that is very important when it comes to the third party access governance itself is right. It is slightly different from a typical identity or an enterprise user process. The reason is one, we need to make sure we onboard the entity itself as one of the important element in the third party access governance, for example, a supplier company itself needs to get onboarded and all the employees or part of the employees in the suppliers need to get onboarded as an identities into the enterprise. So we have in entity onboarding, which is basically the actual organization becomes a B2B type for us to get onboarded into the enterprise. Then comes the set of employees that is part of that supplier group enabled as an external identities to have come into the system. Bringing the third party identities has got some processes as well.

There could be a way where we can actually do an invitation based invites, you get their identities into the system. There could be a way that we probably do it as a manual delegated administration activities, which is typically that we have seen is an old scale or old school way of doing it. Now that we bringing identities into the system. There is going to be lot of accounts and lot of access that they would need across the different applications in that enterprise, which is where they're able to perform their day-to-day function for that organization, and third party identity. How do we drive a set of automation? How do we drive a set of policy based access there based on this supplier coming in from this region needs to have these type of access to these type of applications. So that's another important key process to get defined in the third party governance itself.

Now that we have those identities getting different access then comes to situation for us to make sure we are actually reviewing that access in a periodic fashion. So trying to build in the certification capability that Kyle touched upon in the beginning to make sure the access that is given to set off identities, which is a third party identities is always been reviewed to make sure that they have the right access at the right time. It is also important that we remove the access if it is not even applicable for an identity itself. And then it comes to another important capability and a feature that is required, which is very important to set up is the delegated administration. The delegated administration process is very important in a third party perspective is because lot of these identities are going to be managed by the company's own delegated administrators itself.

For example, I'm a delegated administrator for a particular supplier chain company. I become the responsible person for me to onboard the set of identities that is required from my supplier side into the organization and I have to be the responsible person for the set of access that they have, set of activities that they're doing in the enterprise and all of those things. The delegated administration is a very key important aspect into the third party governance itself. And one of the most key and important factor in the entire life cycle is going to be your offboarding process because an entity or onboarding is there and you have a third party in identities getting onboard and there's different access being given. When a termination process or a leaver process is happening, we need to make sure that the entire set of access given to the third party identities is going to be removed at the time that they are terminated.

That's very important because there's a lot of times that you see a lot of these breaches even happening when you see that the employees left the organization. You know what? This third party identity is still having an access to those set of applications because it's not been removed. So it's a very important process in an organization to make sure there's a very clear defined leaver process for any third party identities, as well it's equally important for an employee type identities, but it is even more keen and important for a third party identities.

Michael Engle:
Yeah and I'd love to dive into the user onboarding section here. So this blue button on the right, which I'm going to show here on the next video, we already did self-registration and identity verification. I went through that full flow standards based high level of assurance. Now let's use it to get into a Saviynt provision system for example. So at the time of access, you could ask the question, is this Mike Engle? So this is how I would authenticate into a Windows workstation on day one, assuming we want to set up this level of authentication, go ahead and roll the tape. So rather than username, password, which we know can be stolen, we're going to use the same identity that we enrolled a few minutes ago. Simply scan a QR code. The certificate is in my authenticator, I present that along with my biometric. That was a real biometric, which could only be done by me and I'm staring at the desktop.

I cannot give my face to somebody else in that example. So that is again, one of the highest levels of zero trust authentication you can do and it can't be stolen, coerced very easily at all. Now you can do that at certain times, but I experience it with even less friction. So I've already authenticated, I lock my workstation and now I'm going to unlock it. Let's make it less friction. Simply send a push message to the phone or in this case I tap accept on my watch and I've unlocked my workstation in about one or two seconds. So applying identity-based controls, not only does it increase the security and the assurance level of what all of the IGA processes are doing, but it's a better user experience and it's really rare to introduce controls that are fun to use and get you a high five from your peers across the enterprise. So thanks for letting me show that. That's the last of my demos and I think we'll get into some best practices next.

Kyle Benson:
Yeah, we certainly will. So Chandra, if we could talk about implementation because we've got the technology, what are the best practices?

Chandra Sekar Rajendrakumar:
Yeah. So see, one of the things to look at is understanding the industry itself is important. The reason is that every different industry has different types of third party identities to be handled compared to a manufacturing industry, to a retailer. For example, in retailer we will have franchisees, we will have suppliers. In manufacturers, we will have distributors. In hospitals, we will have doctors, even outpatient services and all of those things. So every different industry has different types of third party identities to be handled. So the process definition for all of these different types of third party identities is very important to understand before even we start putting together an implementation for the client. So one is understanding the industry. Second is to make sure that as we know that there's going to be different types of third party identities, different types of handling of third party identities is required.

How do we actually create a standardized process across these things? There's going to be set of global standard process, for example, all the third party identities needs to follow and get these set of access. And then when it comes to the suppliers, they need to get only these set of access. When it comes to distributors, they get only these set of access. So the definition of the processes that is required needs to get pretty much standardized because if we don't standardize it and do it specific to every single entity that we get onboarding it for, it is going to be a nightmare for us to do a maintenance and management services for that later. So as and when we bring more standardization to this, it is going to be more wise for us to onboard more number of identities and also control the identities in a standard scale.

And then the next important aspect is to make sure the technology, for example, Saviynt has got a solid third party governance capability. Utilizing the technology towards less to make sure we are not doing a lot of customizations to it and try to utilize lot of the features that is already enabled in the technology to leverage that for the third party identities. That makes it more viable and also efficient in terms of automation as well. So that is very important to make sure we are trying to use whatever the maximum capacity that the technology is already offering with respect to all the different set of use cases in implementation that we need to do. And apart from that, just doing the implementation is not the end of it, it is also important for us to make sure we are continuously monitoring the entire program with respect to the third party governance itself.

And from a senior standpoint, we have clearly defined the benchmarking metrics and KPIs that's been established for the third party governance, which enables the organization to understand, okay, are they in stage A? Okay, there is still these three parameters to be fixed wherein they can go to the stage B when that's what the most matured stage from a third party governance itself. So we also take care of that in terms of measuring and monitoring the entire aspect of the third party governance to see how we can actually get to a very matured state of third party access governance itself in the solution that we put together.

Kyle Benson:
Absolutely. Chandra, thank you very much. I think that it's critical. Putting together a third party identity program, it doesn't have to be overwhelming, but it does have to be a structured process and things need to happen at certain times appropriately to get the outcomes that you're really looking for. So just as a reminder, third party access governance from Saviynt, it's part of the end-to-end enterprise identity cloud, which includes privileged access management for just in time rather than just in case access management. We have a module for application access governance. So that allows you to monitor for those separation of duty violations across SaaS and On Premise or multi-cloud applications. And the difference with our solution there is it gives you very fine-grained visibility. So I could be looking across SAP and Oracle or even Salesforce, but I get fine-grained visibility deep down into the security models of those applications where it's just one of those places it's SOD violations, hide away.

So that's only something to consider. And data access governance prevents your sensitive data from being exfiltrated from your systems. And of course we have our flagship identity governance and administration tool that handles all of the employee identity lifecycle management. So the enterprise identity cloud is a single code base. This is a key differentiator. This was born in the cloud, it was designed for the cloud. So it's not a bunch of stitched together solutions from a bunch of companies. You actually do get a single pane of glass into your identity application and data governance. So that was the commercial.

Michael Engle:
No, that's great. And just expanding on that, if the middle box of that was identity, and so you still have the providers do what they do well, so let Microsoft or Okta do their SSO. Let 1Kosmos verify the identities and do all the authentication and the platform, your orchestrator will rely on those to do what they do best. In our case, it may be proving that the user is who they say they are. So I think it's very well said Kyle.

Kyle Benson:
Yep, something that we've released recently and you'll hear more and more about is Saviynt Exchange. And so we do have our integrations online and available now and we will have third party solutions that will be available as well through Saviynt Exchange, just making it easier for our customers to get to the solutions that they need. So in summary, do these things. Inventory your partners, your suppliers, contractors, temps, volunteers, the IOT devices, service accounts, and make sure you have a thorough understanding of what your third party exposure is. Make sure that you go through the steps to have all of your information get clean and stay clean and have it optimized for your third party exposure and work hard to ensure that you've got a great user experience with limited complexity. So that's why a lot of the upfront work is required to make sure that you end up having buy-in both within your organization as well as the third parties as well.

So that's our best advice. Again, I want to thank Mike, I want to thank Chandra for your time and your expertise and everybody that's on the call, I want to thank you for your time. Please feel free to reach out to any of us if you have any additional questions that you might want to have after our session today looking up into the questions. And we did have an attendee who asked the question, how do we implement these practices when our third party users are a small mom and pop shop with whom we may have to do business when we are in an extremely global model?

Michael Engle:
Yeah. So I think making sure you do have global coverage, from my perspective, I could onboard any identity in 200 countries. So if it's important to you, you could have them get a higher level of assurance before they're allowed to access, but then also taken into consideration as the privacy of the platform, your global footprint for privacy varies depending on country and in the US even state to state. So it's really understanding your partners and being able to come up with a business model that handles them, from my perspective. Kyle or Chandra, I don't know if you have any other thoughts on that one.

Kyle Benson:
I actually... Go ahead Chandra.

Chandra Sekar Rajendrakumar:
No, I mean I was just saying yeah, with respect to the third party identities that we have, if we need to do an assurity of an identity to come in because the third party identity governance as in from an onboarding standpoint is a new required even it is a small mom and shop. But if it is another aspect of also verifying or validating the entry of that identity to come in, that's basically depends on the way that we just talked about, based on the countries and the policies that is there and that's how it should be taken for forward for.

Kyle Benson:
I want to take a little bit different slant on it because I want to take the slant of the mom and pop organization. Chances are they are smaller, they may not have a lot of the technical expertise that you might expect, but this is where it's really important to work with your line of business members within your own organization, the people who are starting those relationships and even when you're doing the contractual relationship that you're doing even with a mom and pop organization, to take that time to educate them and make sure that you're putting in place a technology that is going to be able to make both of you much safer.

Because if you're a large global organization, a breach is going to hurt. If you are a small mom and pop organization, a breach could be an existential problem. So I think having that discussion early on is something that would be very important. I had another question that came through and that just had to do with, so what happens if I have delegated administration? So let's say I've got a thousand third party organizations, my supply chain, what if the delegated administrator out at company X, Y, Z leaves, then what happens?

Michael Engle:
Yeah, I guess I imagine that comes down to making sure you have controls in place with them to be notified about that and invoke the property provisioning.

Kyle Benson:
Yeah and-

Chandra Sekar Rajendrakumar:
And defending a so solid legal process with respect to the transfers and all of those things to make sure the responsibility is moved to the other third party delegated administrator.

Kyle Benson:
Yeah, that's right. So that is a key capability that we do have in TPEG is succession management. So you do have somebody who leaves, you automatically have a rollover of those users to a secondary delegated administrator. So just another layer of safety that's built in there. I think that's all the questions that we had. Again, thank you everybody, and like I said, feel free to reach out to any of us individually if there's anything else that we could do to help.

Michael Engle:
Yeah, I'll just add one thing. I know all three of our companies will be at the upcoming RSA shows at Identiverse, so if anybody wants to meet up there, please just hit us up, LinkedIn or whatever and we'd love to get into the weeds on any of this stuff with you.

Kyle Benson:
Okay.

Michael Engle:
Kyle, thanks so much for having me on. It was a lot of fun.

Kyle Benson:
Yeah, my pleasure.

Chandra Sekar Rajendrakumar:
Thank you.

Kyle Benson:
Thanks everybody. Bye now.

Listen to experts from Saviynt, 1Kosmos, and Simeio as they discuss how to:

  • Identify and consolidate your third-party relationships
  • Efficiently vet and onboard third parties
  • Develop a self-service registration process to quickly onboard users
  • Collaborate with delegated third-party administrators for access review and certifications

As more companies move to remote onboarding and face an uptick in data breach and ransomware attacks through 3rd-party credentials, user onboarding and access governance are both growing in importance.

For onboarding and audit recall, government-issued documentation must be collected and verified. But cumbersome processes for identity verification and managing PII data over email can’t scale and offer little information security. Many don’t meet the minimum requirements for proving identity.

Once on-boarded, users must be managed across their identity lifecycle to ensure proper provisioning, prevent orphaned accounts when users leave, and eliminate over-provisioned accounts.
