Contractors are a major identity and access management (IAM) blind spot. While absolutely essential to business operations for many enterprises, employing these third parties still introduces a great deal of risk.
Through many discussions with security leaders, we’ve seen firsthand just how often contractors remain unaccounted for in otherwise highly sophisticated and well-managed security strategies. To be fair, the technology and processes available until now for managing contractor identities have had their fair share of downsides.
First, let’s understand where today’s IAM challenges with contractors lie:
Let’s start with sensitive data access. From offshore customer support to subcontracting software development, outsourcing to contractors has become a linchpin for business growth. But to succeed, contractors require access to highly sensitive information such as customer data and source code, which raises pretty serious concerns about data security and confidentiality.
Next, the often dynamic nature of contractor work requires constant readjustment of access levels, and that’s both hard to track and cumbersome to manage within standard IAM frameworks. For example, outsourced support teams might need temporary access to specific systems, applications or data sets, often requiring elevated privileges to perform their tasks effectively. However, most security teams lack the business context and bandwidth required to manually grant and promptly revoke access on the ad hoc basis contractors require.
Contractors also have fluid employment cycles. The rotation of start and end dates poses significant IAM challenges around onboarding and offboarding, which are sometimes intentionally handled without involving IT, HR and security. It’s made more difficult by the absence of a unified best practice for security personnel to follow, and even worse by a lack of ownership over the identity portion of the termination process.
Finally, IAM tools often lack visibility into business process outsourcing (BPO) practices. A lack of visibility into contractor IAM behavior poses significant risks where bad practices are concerned. A lack of supervision can also increase the likelihood of deviations from security standards as well as the possible misuse of access privileges. Although we always believe in affording the benefit of the doubt, sacrificing security protocols for efficiency has become common and expected.
Three IAM approaches to contractors
None of these approaches is a panacea. Each one has distinct and important ramifications for security, operational efficiency, and regulatory compliance:
- Use a local account in the application: This method ensures the quickest provisioning and access tailored to the contracted tasks, and it also contains the blast radius of security events when the account gets compromised. However, this approach also offers the least amount of visibility to IT, security, and human resources.
- Deploy a single sign-on (SSO) system: By doing this in an SSO as opposed to a Human Resources Information System (HRIS), teams can streamline access management for contractors by granting access to the required application while keeping the contractor's identity separate from the internal HRIS. While this promotes consistency and ease of management, at best, it’s a semi-unified process that still requires auditing and oversight.
- Consider contractors a regular employee and integrate them into the HRIS and SSO with custom tagging: This method facilitates a comprehensive approach to access management and categorization by aligning contractor identities with standard employee processes. However, this fully unified process can possibly make the organization legally liable for their contractors’ non-compliance with privacy and security regulations, and makes it easy for their access to expand beyond what the work requires.
How to proceed?
Now that we understand the options, how should security teams proceed with managing the identity of contractors? Here are some tips:
- Standardize: It’s critical for security teams to establish clear and standardized IAM processes for contractors across the enterprise. Where relevant, we recommend creating two-to-three distinct categories of contractors, each with its own set of policies, to maintain flexibility when managing their identities.
- Ongoing validation: Security teams should also consider maintaining ongoing inventories of contractor access to critical systems, their behaviors and the exposure of crown jewels. These inventories do not need to provision for the tasks involved. It’s also important to run audits on a regular schedule or, better yet, continuously with automation to identify anomalies as they arise.
- Practice security-by-default: Embrace a security-by-default approach by integrating ongoing password rotations, multi-factor authentication (MFA) utilization, ongoing validation of local accounts in applications and account expiration protocols to fortify system security.
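The ongoing-validation and security-by-default tips above describe an audit that can run continuously with automation. As an added example that is not from the article or from Spera Security, the following Python script checks a constructed contractor inventory against per-category policies. The categories, thresholds, field names and account records are all assumptions made for the illustration; the script flags accounts still enabled past their contract end date, contracts ending soon, missing MFA, privileged local application accounts, accounts that have never been used and accounts idle beyond their category's limit.

```python
"""Audit a constructed inventory of contractor accounts against per-category
IAM policies. Example code added for this article; the account records,
categories and thresholds are constructed, not taken from any real system."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed illustration of the "two-to-three distinct categories" tip:
# each contractor category carries its own policy.
POLICIES = {
    "support": {"require_mfa": True, "max_idle_days": 14, "allow_privileged_local": False},
    "dev":     {"require_mfa": True, "max_idle_days": 30, "allow_privileged_local": False},
    "bpo":     {"require_mfa": True, "max_idle_days": 7,  "allow_privileged_local": False},
}
# Flag contracts ending within this window so removal can be scheduled ahead of time.
EXPIRY_WARNING_DAYS = 14


@dataclass
class ContractorAccount:
    username: str
    category: str               # key into POLICIES
    account_type: str           # "local" (app-only), "sso", or "hris" (treated as employee)
    contract_end: date
    enabled: bool
    mfa_enrolled: bool
    privileged: bool
    last_login: Optional[date]  # None = never logged in


def audit_account(acct: ContractorAccount, today: date) -> list:
    """Return the list of policy findings for one account (empty list = clean)."""
    findings = []
    policy = POLICIES.get(acct.category)
    if policy is None:
        # A contractor outside the agreed categories has no policy to check; that is itself a finding.
        return ["UNKNOWN_CATEGORY"]
    if not acct.enabled:
        return findings  # disabled accounts carry no live access
    if acct.contract_end < today:
        findings.append("ACTIVE_AFTER_CONTRACT_END")
    elif (acct.contract_end - today).days <= EXPIRY_WARNING_DAYS:
        findings.append("CONTRACT_ENDS_SOON")
    if policy["require_mfa"] and not acct.mfa_enrolled:
        findings.append("MFA_NOT_ENROLLED")
    if acct.privileged and acct.account_type == "local" and not policy["allow_privileged_local"]:
        findings.append("PRIVILEGED_LOCAL_ACCOUNT")
    if acct.last_login is None:
        findings.append("NEVER_LOGGED_IN")
    elif (today - acct.last_login).days > policy["max_idle_days"]:
        findings.append("IDLE_BEYOND_POLICY")
    return findings


def audit_inventory(accounts, today: date) -> dict:
    """Map username -> findings for every account that has at least one finding."""
    report = {}
    for acct in accounts:
        found = audit_account(acct, today)
        if found:
            report[acct.username] = found
    return report


# Constructed sample inventory; the date is fixed so the run is reproducible.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    ContractorAccount("alice.support", "support", "sso", date(2024, 6, 10), True, True, False, date(2024, 5, 31)),
    ContractorAccount("bob.dev", "dev", "local", date(2024, 4, 15), True, False, True, date(2024, 5, 28)),
    ContractorAccount("carol.bpo", "bpo", "hris", date(2024, 12, 31), True, True, False, date(2024, 3, 1)),
    ContractorAccount("dave.support", "support", "sso", date(2024, 3, 31), False, False, False, None),
    ContractorAccount("erin.unknown", "legacy", "local", date(2024, 12, 31), True, True, False, date(2024, 5, 30)),
    ContractorAccount("frank.dev", "dev", "sso", date(2024, 9, 1), True, True, False, date(2024, 5, 30)),
]

if __name__ == "__main__":
    for user, findings in audit_inventory(SAMPLE_ACCOUNTS, SAMPLE_TODAY).items():
        print(f"{user}: {', '.join(findings)}")
```

In practice the inventory would be pulled from the SSO, HRIS and each application's local user store on a schedule, and the findings routed to whoever owns the identity portion of the termination process, which is exactly the ownership gap the article describes.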
Contractor identity is often overlooked in the jumble of tasks and challenges security teams must manage every day, yet think of all the major breaches that were caused by a breakdown in third-party security. There’s no getting around it: security teams really need to find ways to more effectively manage the identities of contractors. Failure to do so invites easy pickings for hackers and insiders.
Dor Fledel, co-founder and CEO, Spera Security