Third-Party Identities: The Weakest Link in Your Cybersecurity Supply Chain

Pierluigi Paganini October 28, 2024

A long supply chain adds third-party risks, as each partner’s security affects your own, making identity and access management more challenging.

Identity-related attack vectors are a significant concern, with a substantial percentage of cyberattacks—often cited as over 70%—involving compromised credentials or identity theft. However, this problem primarily stems from a lack of visibility. Do you know how many identities log into your systems daily and where they come from? Interestingly, your employees are not your top performers. A recent report, B2B IAM – The Hidden Value of Third-Party Identities, indicates that external identities outnumber traditional employees by nearly two to one. While conventional “internal” employees account for 29% of identities, non-employees or “external identities” in aggregate (contractors, vendors, etc.) account for nearly half of the total users (48%). And therein lies the problem: Your enterprise could be at risk if their credentials are unsafe.

A good Identity and Access Management (IAM) solution is the solution to this, allowing upstream vendors to expand with ease as their login (and those of anyone else they take on) can be managed securely, centrally, and without additional technical headaches. Many companies may not know that while IAM is a critical security tool for dealing with third-party risk, it is also a technological boon that can help organizations scale, integrate with other systems, and overcome some of the challenges of digitization. It’s a win-win.

Let’s see how.

The Credential-Riddled Danger of Supply Chains

Long supply chains mean many third parties, and many third parties can mean a plethora of problems where identity and access management are concerned. Each company brings its own security (or lack thereof) into the game, so your overall security status is essentially the average of yours, plus anyone else’s to whom you’re connected (i.e., those third parties).

That could be a good thing for the vendor, but more often than not, it’s a liability. No one cares about your security as much as you do, and when taking on other entities, you assume the risk. Opening the door to supply chain vendors means opening the door to many more errors in the credentials department.

So, what’s a bit of increased risk where usernames and passwords are concerned? A lot, it turns out. A recent report from Google reveals that 86% of breaches originate from stolen credentials. If you want a digital presence that will be around for the next ten years, scalability, growth, and digitization need to be tempered with a healthy dose of credential-centered cybersecurity.

And that is where IAM comes in.

Strengthening that Weak Link with IAM

What is digitization without security? It’s a ticking time bomb —and one that’s easier for global cybercriminals to reach than a brick-and-mortar operation. As companies jump online, into the cloud, into SaaS, deeper into cyberspace, and further into third-party dependency, locking down their access points is of critical concern.

Zero Trust is a comprehensive security framework that fundamentally changes how organizations approach cybersecurity. It operates on the principle of “never trust, always verify,” meaning that no user or device is trusted by default, regardless of whether they are inside or outside the network perimeter. This approach is crucial in today’s threat landscape because it minimizes risks by ensuring strict access controls and continuous verification of identities. Anyone who’s even dabbled in digitization knows that adopting a Zero Trust security model is the overarching security goal, but just as many get overwhelmed by that goal. You don’t have to be. Start in chunks. And start by eliminating one of the most egregious attack vectors: user identity and access.

IAM is a foundational pillar of a zero-trust strategy and a perfect place to start. When nearly nine in ten breaches originate from stolen credentials, eliminating this prime point of compromise will give any company the most bang for its buck. Technologically speaking, it’s lightweight and sound, giving organizations an additional infrastructure boost in a complex digital world—made even more complicated by adding additional vendors, partners, B2B and B2B2X relationships, and all their security flaws.

So, let’s see what IAM can really do.

IAM as a Critical Business Proposition

Attackers look for where things fall through the cracks. They understand that when two organizations come together, whether via a merger or simply a B2B partnership, things fall apart. Little things like credential management get swept under the rug in the interest of speed, uptime, and progress.

That’s when attackers sneak under the rug to pick those things up, pilfering passwords, hijacking accounts (cloud and otherwise), escalating privileges, and more – all from a few stolen credentials. Putting a solid IAM solution in place now can cut threat actors off at the pass and undermine their efforts to hide under complexity and bet against us.

Any organization engaged in B2B or B2B2X activity needs an IAM solution – it’s par for the course – to cover its compliance bases, prove its trustworthiness to stakeholders and partners, and maintain the trust of its clients.

IAM as a Technical Boon

Implementing IAM sooner rather than later in the cyber development process is a win in itself. An Identity and Access Management solution can help nascent digital enterprises scale and integrate more easily with existing technologies—and technologies to come.

Integrations

As you’re looking to expand your security influence, it helps to have things under one roof. The correct IAM solution is that roof and can allow you to integrate:

  • Policy configuration
  • Multi-factor authentication (MFA)
  • Single sign-on (SSO)

And more, for all cloud and web-based apps. Plus, you can orchestrate user journey flows, customizing fundamental digital interactions like:

  • Onboarding
  • Logins
  • Self-Service

With IAM, seamless integration is possible across a range of applications, from WhatsApp to Salesforce to Splunk. As Guido Gerrits, EMEA Field Channel Director at IAM vendor Thales, explains,

The progress of IAM has resulted in the inclusion of functionalities like single sign-on, multi-factor authentication, adaptive access controls, and identity governance. Additionally, IAM solutions now integrate with diverse systems and applications, offering organizations the flexibility to manage user identities and access rights across hybrid IT environments.

Scalability

If business success is now dependent on technical success, then this last point is critical to driving the bottom line. As companies grow, they often need to take on new B2B or B2B2X partners at a moment’s notice. A good IAM solution is built to streamline processes such as onboarding and log-in so third parties can easily, flexibly, and securely add or subtract users as the need strikes.

Plus, in an environment where multiple supply chain partners are working closely with each other and the upstream vendor, IAM helps establish curated trust and delineate who has access to what information. This helps when differing access layers must be assigned to differing job descriptions, organizations, and individuals in a complex supply chain. With B2B Identity Management, companies are now prepared to seamlessly and effectively authenticate and authorize external users required to access internal systems, all while maintaining a solid security and compliance posture.

Don’t Give Up Easy Wins

Attackers have enough softballs thrown their way due to human error. Implement an IAM solution and outsmart them by eliminating a vector that lets in 86% of attacks. Protect your organization against inherent third-party risks, leverage IAM’s technical advantages as you grow, and take a giant, secure step towards a zero-trust enterprise by implementing Identity and Access Management.

About the author: Katrina Thompson

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Supply Chain)



you might also like

leave a comment