
Identity, Operational Resilience, and the Management of Third-Party Access
As organizations rely more on third parties, they open access to sensitive data and systems. With supply chain cyberattacks on the rise, security professionals are looking for robust techniques and tools to reduce the risks associated with third-party access and protect their assets from compromise.
Although the distributed nature of a supply chain means it may never be fully secure, the right approach to digital identity can make it easier to reduce the risks associated with opening your network to suppliers, business partners and customers. This paper illustrates the role digital identity plays in securing the supply chain and how third-party access governance helps reduce risk and comply with relevant regulation.
THE COST OF DATA BREACH AND IMPACT TO SUPPLY CHAIN
The volume and impact of data breaches are on the rise. Recent research puts the average cost of a data breach at USD 4.45 million in 2023. Research also highlights the top-five most impacted industries (by cost per breach); all represent highly regulated environments (see Figure 1).
Breaches associated with supply chain attacks are also increasing. Supply-chain-focused attacks now make up more than 15% of malicious attacks, and they are more expensive and harder to remediate (research shows supply chain attacks cost 11.8% more and take 12.8% longer to identify and contain).
With greater supply chain risk comes a focus on remediation. Recent regulation provides valuable guidance, and new technology (including third-party access governance tools) reduces the risk associated with opening your network for secure collaboration.

Figure 1 – Top-five highest average data breach costs by industry (source: IBM)
Through best practice supply chain access management, organizations can be better prepared and protected against the risk of a supply chain breach.
INTRODUCING SUPPLY CHAIN ACCESS MANAGEMENT
Securely managing digital identities and their access to enterprise applications and data is a critical priority for all organizations in the fight against cyber threats.
Modern, collaborative businesses are increasingly reliant on global, multi-tiered ecosystems of suppliers, partners and other third parties to operate (see Figure 2). Supporting these ecosystems requires security teams to facilitate secure and controlled asset access across a complex network of organizations and people. With this increase in collaboration comes complexity and risk, as well as greater compliance challenges.
As organizations look to drive innovation and improve customer experience, it’s critical to ensure that the systems and applications they implement meet a growing number of data protection and cyber security guidelines (for example, the Digital Operational Resilience Act (DORA) and Australia’s Prudential Standard CPS 230). Addressing these regulations and standards requires organizations to consider the risk of threat actors taking advantage of vulnerabilities and poorly managed identities throughout their supply chain to gain unauthorized access to sensitive information and intellectual property, not only at the point of intrusion but subsequently at any link in the supply chain.
THE IMPACT OF IDENTITY ON CYBER RISK
Identity-based cyber-attacks (which leverage compromised credentials to access systems and data) continue to be a common threat. A 2023 study found that 67% of enterprises reported that identity-based breaches had a direct impact on business operations.
The same research highlights that over 60% of organizations consider managing and securing digital identities as a top three security priority.
When reviewing your identity strategy, it’s important to consider the continued growth and reliance on third-party relationships, especially as they require secure access to systems and services throughout your organization’s ecosystem.
With the continued growth in the number of identities under management (consider internal, consumer and third-party access) comes an increase in the number of cyber-attacks targeting them. In response to these risks, new regulation is being introduced with a focus on increasing resilience standards (for example, DORA and CPS 230 as mentioned earlier) and securing the supply chain (for example, the US Cybersecurity Maturity Model Certification (CMMC) and the underlying requirements of the NIST SP 800-171 security standard). While these regulations are designed for sectors such as financial services and defense and may only apply to specific geographies, all organizations can benefit from their recommendations as business best practice.
MULTI-ORGANIZATION NETWORKS AND THE REGULATORY LANDSCAPE
The rise of multi-organization networks has meant that collaboration has spread across many different organizations and third-party users (all making up the modern supply chain). Managing access and keeping systems secure in such complex networks is a major challenge, especially in highly regulated industries such as banking, financial services, healthcare, energy, and telecoms (which are amongst those industries with the highest average cost of data breach, as illustrated in Figure 1).
For most organizations, security grows in magnitude and importance, yet becomes more complex when partners, customers and third-party collaborators are involved. Cyber threat actors understand this and often select the most vulnerable targets. After all, a supply chain is only as strong as its weakest link.
As a result, supply chain risk has become a common theme in today’s world and is driving an increasing amount of regulation. Identity and access management (IAM) plays a pivotal role in strengthening supply chain security and supporting organizations looking to protect their interests while addressing regulation that likely will continue to evolve and expand.
Because human behavior is often a cause of identity-related incidents, organizations must address how to reduce the level of risk associated with digital identities while supporting a growing number of constituents throughout their ecosystems.
HOW IAM PLAYS A PIVOTAL PART IN SUPPLY CHAIN SECURITY AND OPERATIONAL RESILIENCE
A modern IAM solution supports an organization’s need to collaborate, share resources, or integrate systems while maintaining a strong security posture. Looking at supply chain security (and emerging disciplines, including Third-Party Access Governance (TPAG)), IAM becomes a foundational pillar of a security strategy (see Figure 3). With respect to operational resilience and emerging standards, IAM can be applied against several key requirements. These are:
1. ENTERPRISE RISK MANAGEMENT
Standards mandate that organizations adopt information and communications technology (ICT) governance and control frameworks, including an IT risk management framework. IAM supports these requirements by providing visibility and control over access throughout an organization and its wider ecosystem (including supporting third parties spanning multiple tiers). IAM platforms implement a robust governance framework (including automated provisioning, access request, approvals, and access certification) while also delivering strong authentication and authorization capabilities. Together, these capabilities ensure that an organization has visibility, control, and a strong audit history of who is accessing key systems and protected information.
Another example of where IAM underpins risk management is the implementation of adaptive access controls, allowing an organization to monitor a user’s behavior and automatically block access (or request an additional level of authentication) when the user performs high-risk transactions or accesses protected resources from a new location or device.
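The adaptive access control described above can be made concrete with a small policy engine. The following is an added, hypothetical example written for this paper's discussion; it is not Exostar's code nor any product's implementation. The risk signals, their weights, the two thresholds, and the sample user and requests are all constructed: each request is scored against what the identity platform already knows about the user, and the result is allow, step-up to phishing-resistant MFA, or block.

```python
"""Minimal adaptive-access policy evaluator (hypothetical, constructed example)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"

# Risk weight per signal and the decision thresholds (constructed values).
RISK_WEIGHTS = {
    "new_device": 2,
    "new_country": 2,
    "sensitive_resource": 3,
    "high_value_transaction": 3,
}
STEP_UP_THRESHOLD = 2   # at or above: require phishing-resistant MFA
BLOCK_THRESHOLD = 6     # at or above: deny regardless of authentication


@dataclass
class UserProfile:
    """What the IAM platform has learned about a user so far."""
    user_id: str
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)


@dataclass
class AccessRequest:
    """Context of one access attempt, as a policy engine would receive it."""
    user_id: str
    device_id: str
    country: str
    resource: str
    sensitive_resource: bool = False
    high_value_transaction: bool = False
    # Strongest authentication already completed in this session.
    auth_level: str = "password"   # or "phishing_resistant_mfa"


def score_request(profile: UserProfile, req: AccessRequest) -> Tuple[int, List[str]]:
    """Sum the risk signals present in a request. The fired signals are
    returned too, so every decision can be logged with its reasons."""
    signals = []
    if req.device_id not in profile.known_devices:
        signals.append("new_device")
    if req.country not in profile.known_countries:
        signals.append("new_country")
    if req.sensitive_resource:
        signals.append("sensitive_resource")
    if req.high_value_transaction:
        signals.append("high_value_transaction")
    return sum(RISK_WEIGHTS[s] for s in signals), signals


def decide(profile: UserProfile, req: AccessRequest) -> Tuple[str, int, List[str]]:
    """Map the risk score to a decision. Step-up is only demanded when the
    session has not already completed phishing-resistant MFA; a score at or
    above the block threshold is denied no matter how the user authenticated."""
    score, signals = score_request(profile, req)
    if score >= BLOCK_THRESHOLD:
        return BLOCK, score, signals
    if score >= STEP_UP_THRESHOLD and req.auth_level != "phishing_resistant_mfa":
        return STEP_UP, score, signals
    return ALLOW, score, signals


def record_success(profile: UserProfile, req: AccessRequest) -> None:
    """After an allowed request (including one that passed step-up), the device
    and country become known, so the same context scores lower next time."""
    profile.known_devices.add(req.device_id)
    profile.known_countries.add(req.country)


if __name__ == "__main__":
    # Constructed sample user: one known laptop, one known country.
    alice = UserProfile("alice@supplier.example", {"laptop-01"}, {"US"})
    usual = AccessRequest(alice.user_id, "laptop-01", "US", "supplier-portal")
    new_phone = AccessRequest(alice.user_id, "phone-77", "US", "cad-vault",
                              sensitive_resource=True)
    print(decide(alice, usual))      # ('allow', 0, [])
    print(decide(alice, new_phone))  # ('step_up', 5, ['new_device', 'sensitive_resource'])
```

The point of returning the fired signals alongside the decision is auditability: the same record that drives the block or step-up is what a reviewer later needs to see in the access history the paper refers to.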
2. THIRD-PARTY RISK MANAGEMENT
A key aspect of recent regulation is the extension of security controls beyond the traditional organization structure. Regulation now requires organizations to apply controls and monitor third-party access and agreements, with attestation for supplier/subcontractor/partner compliance. This is a key consideration when securing modern organizations due to the continued and increased reliance on cross-organization collaboration, joint ventures, and outsourced suppliers.
In terms of third-party access management, IAM incorporates a wealth of critical services. Key capabilities include federation support (allowing third-party users to authenticate to an enterprise’s applications using their own existing corporate credentials) and passwordless, phishing-resistant multi-factor authentication using external authenticators and passkeys.
As more organizations look towards third-party access governance, IAM provides a robust framework of services for organization onboarding, invitation management, and continuous controls (access requests, approvals, certification, and reporting). This framework includes user lifecycle management, which ensures a remote user’s access remains current and accurate throughout their relationship with an organization (think third-party joiner, mover, and leaver processing alongside role-based access control and certification policies).
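The joiner, mover and leaver processing and the certification policies just described can be modelled in a few dozen lines. What follows is an added, hypothetical example for this paper, not Exostar's code or any product's implementation. The role names, entitlement strings, the 90-day certification period, the sponsor concept and the rule that lapsed certification suspends access (rather than merely flagging it) are all assumptions made for the example.

```python
"""Third-party user lifecycle with role-based entitlements and access
certification (hypothetical, constructed example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Entitlements carried by each third-party role (constructed RBAC model).
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "supplier_engineer": {"cad_vault:read", "issue_tracker:write"},
    "supplier_quality": {"cad_vault:read", "quality_portal:write"},
}
CERTIFICATION_PERIOD = timedelta(days=90)   # constructed review cadence


@dataclass
class ThirdPartyUser:
    user_id: str
    organization: str
    sponsor: str          # internal employee accountable for this access
    role: str
    entitlements: Set[str] = field(default_factory=set)
    certified_until: Optional[date] = None
    active: bool = True


class ThirdPartyDirectory:
    """Lifecycle state for external users, kept apart from the employee directory."""

    def __init__(self) -> None:
        self.users: Dict[str, ThirdPartyUser] = {}

    def onboard(self, user_id: str, organization: str, sponsor: str,
                role: str, today: date) -> ThirdPartyUser:
        """Joiner: entitlements are derived from the role, never granted ad hoc;
        the sponsor's onboarding approval counts as the first certification."""
        if role not in ROLE_ENTITLEMENTS:
            raise ValueError(f"unknown role {role!r}")
        user = ThirdPartyUser(user_id, organization, sponsor, role,
                              set(ROLE_ENTITLEMENTS[role]), today + CERTIFICATION_PERIOD)
        self.users[user_id] = user
        return user

    def change_role(self, user_id: str, new_role: str, today: date) -> Set[str]:
        """Mover: recompute entitlements from the new role, revoke whatever the
        new role does not carry, and make certification due immediately.
        Returns the revoked entitlements for the audit trail."""
        user = self.users[user_id]
        new_set = set(ROLE_ENTITLEMENTS[new_role])
        revoked = user.entitlements - new_set
        user.role, user.entitlements = new_role, new_set
        user.certified_until = today   # sponsor must re-attest before access resumes
        return revoked

    def offboard(self, user_id: str) -> Set[str]:
        """Leaver: disable the account and strip every entitlement."""
        user = self.users[user_id]
        revoked = set(user.entitlements)
        user.entitlements, user.active = set(), False
        return revoked

    def certification_due(self, today: date) -> List[str]:
        """Active users whose sponsor must re-attest that the access is still needed."""
        return sorted(u.user_id for u in self.users.values()
                      if u.active and u.certified_until is not None
                      and u.certified_until <= today)

    def certify(self, user_id: str, today: date) -> date:
        """Sponsor re-attestation: extends certification by one period."""
        user = self.users[user_id]
        user.certified_until = today + CERTIFICATION_PERIOD
        return user.certified_until

    def has_access(self, user_id: str, entitlement: str, today: date) -> bool:
        """Access is effective only while the account is active, the role
        carries the entitlement, and certification has not lapsed (assumed
        policy: a lapsed certification suspends access)."""
        user = self.users.get(user_id)
        return bool(user and user.active and entitlement in user.entitlements
                    and user.certified_until is not None and today < user.certified_until)
```

Deriving entitlements from the role on every move is what keeps a contractor who changes projects from quietly accumulating access; the returned revoked set is the record the certification report should show.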
3. SECURITY INCIDENT REPORTING AND INFORMATION SHARING
Recent regulation highlights the importance of logging and reporting security incidents, as well as encouraging the sharing of information about security incidents and threats throughout an ecosystem. These audit and reporting requirements have become more demanding in both scope and required speed.
Providing a central point of control and visibility, IAM enables organizations to quickly identify and act against security incidents. IAM also supports an organization’s capability to monitor, report, and potentially block suspicious user activity. Extending IAM services to provide secure access to third parties enables an organization to maintain tight control over who has access to what in real time, giving an organization a better understanding of what information has been shared, which systems have been accessed, and how risks are managed.
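To show what "monitor, report, and potentially block suspicious user activity" and "what information has been shared, which systems have been accessed" look like in practice, here is an added example that turns a handful of IAM audit events into findings. It is hypothetical code written for this paper, not Exostar's or any product's, and the log lines, the per-organization system scopes, the failed-login threshold and the five-minute window are all constructed.

```python
"""Findings and a sharing report from third-party IAM audit events
(hypothetical, constructed example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed audit events in JSON-lines form; not real logs.
SAMPLE_LOG = """\
{"ts":"2024-03-04T09:00:12Z","user":"bob@supplier-a.example","org":"supplier-a","system":"cad_vault","action":"login","outcome":"success"}
{"ts":"2024-03-04T09:01:40Z","user":"bob@supplier-a.example","org":"supplier-a","system":"cad_vault","action":"download","outcome":"success","object":"part-1187.step"}
{"ts":"2024-03-04T09:05:02Z","user":"bob@supplier-a.example","org":"supplier-a","system":"hr_payroll","action":"login","outcome":"success"}
{"ts":"2024-03-04T10:15:00Z","user":"eve@supplier-b.example","org":"supplier-b","system":"quality_portal","action":"login","outcome":"failure"}
{"ts":"2024-03-04T10:15:30Z","user":"eve@supplier-b.example","org":"supplier-b","system":"quality_portal","action":"login","outcome":"failure"}
{"ts":"2024-03-04T10:16:10Z","user":"eve@supplier-b.example","org":"supplier-b","system":"quality_portal","action":"login","outcome":"failure"}
{"ts":"2024-03-04T10:17:05Z","user":"eve@supplier-b.example","org":"supplier-b","system":"quality_portal","action":"login","outcome":"failure"}
{"ts":"2024-03-04T10:18:40Z","user":"eve@supplier-b.example","org":"supplier-b","system":"quality_portal","action":"login","outcome":"failure"}
{"ts":"2024-03-04T11:00:00Z","user":"carol@supplier-b.example","org":"supplier-b","system":"quality_portal","action":"download","outcome":"success","object":"audit-2024Q1.pdf"}
"""

# Systems each third-party organization is allowed to reach (constructed scopes).
ORG_SCOPE: Dict[str, set] = {
    "supplier-a": {"cad_vault", "issue_tracker"},
    "supplier-b": {"quality_portal"},
}
FAILURE_THRESHOLD = 5               # constructed
FAILURE_WINDOW = timedelta(minutes=5)


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines, convert timestamps, and return events in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def out_of_scope_access(events: List[dict], scope: Dict[str, set]) -> List[dict]:
    """Successful access to a system outside the user's organization scope.
    An organization with no recorded scope is allowed nothing, so every
    system it touches is flagged."""
    return [{"user": e["user"], "system": e["system"], "ts": e["ts"].isoformat()}
            for e in events
            if e["outcome"] == "success" and e["system"] not in scope.get(e["org"], set())]


def failed_login_bursts(events: List[dict], threshold: int, window: timedelta) -> List[dict]:
    """Users with `threshold` or more failed logins inside any `window`
    (sliding window); one finding per user, at the first window that qualifies."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["outcome"] == "failure":
            per_user[e["user"]].append(e["ts"])
    findings = []
    for user, stamps in per_user.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append({"user": user, "start": stamps[start].isoformat(),
                                 "count": end - start + 1})
                break
    return findings


def objects_shared(events: List[dict]) -> Dict[str, List[str]]:
    """Which objects each organization has retrieved: the answer to
    'what information has been shared' that the paper expects IAM reporting to give."""
    shared = defaultdict(list)
    for e in events:
        if e["action"] == "download" and e["outcome"] == "success":
            shared[e["org"]].append(e["object"])
    return dict(shared)


def build_report(text: str, scope: Dict[str, set] = ORG_SCOPE) -> dict:
    events = parse_events(text)
    return {
        "out_of_scope": out_of_scope_access(events, scope),
        "failed_login_bursts": failed_login_bursts(events, FAILURE_THRESHOLD, FAILURE_WINDOW),
        "objects_shared": objects_shared(events),
    }


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_LOG), indent=2))
```

Two of the three findings depend on context the identity platform holds (which organization a user belongs to, and which systems that organization is contracted for); that is why the paper places this reporting in IAM rather than in the individual applications, which see only their own logins.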
GUIDANCE FOR SECURING THIRD-PARTY ACCESS
When looking at modern organizations, it’s clear that their success relies on their ecosystem (think suppliers, business partners, customers, and other third parties). That said, providing secure (and efficient, productive) access across organization boundaries comes with complexity and risk.
Organizations reviewing operational resilience regulation and best practice have an opportunity to evaluate their security infrastructure and the role it plays in enabling secure collaboration (both inside and outside of their corporate boundaries). Combining this with a review of emerging capabilities for third-party access governance / supply chain security provides a strong foundation on which to define your strategy for collaboration and digital transformation throughout your supply chain.
The Exostar Platform enables organizations to work with partners and customers securely and compliantly. Our platform provides increased visibility and resiliency while facilitating digital transformation across global, multi-tiered communities in highly regulated industries. It delivers orchestrated onboarding, management, and multi-enterprise collaboration.
Our professionals are here to help navigate the complexities of supply chain security and third-party access governance.