
You Need More Than Identity Governance to Secure Non-Employee Access

According to the 2019 Verizon Data Breach Investigations Report (DBIR), 34 percent of all breaches in the past year involved an insider threat actor. Companies often need to give the extended workforce of contractors, business partners, temporary workers and interns access to critical business systems and data for them to do their work.

But how do you balance ease of doing business with maintaining robust security? With enterprise data and business processes increasingly moving to the cloud and contractors making up an ever larger portion of the workforce, the challenges around protecting access to digital assets are getting bigger.

Identity Governance is a Start

Identity governance and administration (IGA) can bring rigor to managing the identity lifecycle of non-employees and ensure that contractors and business partners get the right level of access to the resources they need, and for the duration that they need it.

Identity governance can be used to secure some aspects of identity lifecycle management

But IGA products are not enough — the problem with identity management often lies at the intersection of privileges and activity, i.e. what a user has access to and what they are actually doing with the company’s resources.

Cloud Security Challenges Still Remain

Even with an established identity governance and administration discipline in place, maintaining the principle of least privilege on an ongoing basis is still a struggle for cloud applications, and security teams fail to discover threats and risky behavior from non-employees in time. There are several key reasons for this:

  • Identity and security teams lack consolidated visibility into privileges and user activity across cloud applications

What do contractors and business partners have access to across cloud services? What actions can they take in Salesforce or G Suite? And what have they actually done in these cloud services?

  • Noisy environments cause alert fatigue and hide threats in plain sight

Is a contractor downloading large amounts of sensitive data a week before leaving? Which business associates are bypassing SSO to access Box? What happened in the weeks after an intern’s account was compromised?

  • Poor identity hygiene increases security risk

Are there stale accounts lingering after a contractor has left? Does a partner have entitlements that they don’t need any more? Are files or objects shared too widely?

Identity-Driven Security in the Cloud

The Obsidian solution offers a new approach to protecting SaaS and IaaS services, built around identity and access in cloud environments. With Obsidian, you get a consolidated, 24/7 view of who has access to what and what they are doing with the company’s data and services in the cloud. Obsidian analyzes the data to identify patterns of risk and threats and provides early warning when a user behaves in unusual or suspicious ways, or violates policy.

Obsidian helps organizations manage the security of their non-employees better in several ways. The list below maps what Obsidian offers in each stage of the identity lifecycle.

Stage: Account creation and access provisioning
How Obsidian helps:
  • Confirm that new contractors, interns, business partners, etc. have the right level of access to systems and data
  • Detect changes in a person’s entitlements, especially for admin access

Stage: Access maintenance
How Obsidian helps:
  • Simplify access reviews with a consolidated view of all accounts and privileges assigned to each user
  • Identify which accounts and privileges are actually being used, so that security teams can remove unused accounts and right-size privileges

Stage: Continuous activity monitoring and incident response
How Obsidian helps:
  • Detect account takeover and compromised credentials
  • Detect insider threat and inappropriate access
  • Investigate incidents with user context
  • Guide remediation to fix misconfigurations, policy violations, and identity drift
  • Continuously assess risk at the user and service level

Stage: Deprovisioning and deletion
How Obsidian helps:
  • Ensure that accounts are deprovisioned properly
  • Discover and delete stale accounts
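The identity-hygiene questions above (stale accounts after a contractor leaves, entitlements nobody uses any more, partners bypassing SSO, large downloads shortly before departure) and the "Access maintenance" and "Deprovisioning" rows of the lifecycle mapping all reduce to joining an account inventory against the activity log of each cloud service. The script below is an added example of those joins and is not Obsidian's code; the account inventory, the event log, the user names and the thresholds are all constructed here so that it runs offline. In a real deployment the inventory would come from the IGA system and the events from the audit logs of services such as Salesforce, G Suite and Box.

```python
"""Hypothetical identity-hygiene checks for non-employee cloud accounts.

Added example, not Obsidian's code. ACCOUNTS and EVENTS are constructed
sample data standing in for an IGA export and SaaS audit logs.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

NOW = datetime(2019, 9, 30, 12, 0)  # constructed "current" time for the checks

# Constructed inventory: one row per account, as an IGA export might provide.
ACCOUNTS = [
    {"user": "alice@corp", "type": "contractor", "end": date(2019, 9, 27), "enabled": True,
     "entitlements": {"salesforce:read", "salesforce:export", "box:share_external"}},
    {"user": "bob@partner", "type": "partner", "end": date(2020, 3, 31), "enabled": True,
     "entitlements": {"box:read", "box:admin"}},
    {"user": "carol@corp", "type": "intern", "end": date(2019, 12, 31), "enabled": True,
     "entitlements": {"gsuite:mail"}},
    {"user": "dave@corp", "type": "employee", "end": None, "enabled": True,
     "entitlements": {"salesforce:read"}},
]

# Constructed activity log: (timestamp, user, app, action, auth method,
# entitlement exercised, number of objects touched)
EVENTS = [
    (datetime(2019, 9, 20, 9, 0), "alice@corp", "salesforce", "login", "sso", None, 0),
    (datetime(2019, 9, 20, 9, 5), "alice@corp", "salesforce", "export", "sso", "salesforce:export", 1200),
    (datetime(2019, 9, 29, 8, 0), "bob@partner", "box", "login", "password", None, 0),
    (datetime(2019, 9, 29, 8, 1), "bob@partner", "box", "download", "password", "box:read", 3),
    (datetime(2019, 8, 1, 10, 0), "carol@corp", "gsuite", "login", "sso", None, 0),
    (datetime(2019, 9, 30, 11, 0), "dave@corp", "salesforce", "login", "sso", None, 0),
]


def past_end_still_enabled(accounts, now):
    """Accounts whose contract or internship end date has passed but that are still enabled."""
    today = now.date()
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["end"] is not None and a["end"] < today)


def inactive_accounts(accounts, events, now, days=30):
    """Enabled accounts with no activity at all in the last `days` days (stale-account candidates)."""
    last_seen = {}
    for ts, user, *_ in events:
        last_seen[user] = max(ts, last_seen.get(user, ts))
    cutoff = now - timedelta(days=days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and last_seen.get(a["user"], datetime.min) < cutoff)


def unused_entitlements(accounts, events, now, days=90):
    """Entitlements granted to each user that were never exercised in the review window."""
    cutoff = now - timedelta(days=days)
    used = defaultdict(set)
    for ts, user, _app, _action, _auth, ent, _n in events:
        if ent and ts >= cutoff:
            used[user].add(ent)
    return {a["user"]: sorted(a["entitlements"] - used[a["user"]])
            for a in accounts if a["entitlements"] - used[a["user"]]}


def sso_bypass_logins(events):
    """(user, app) pairs that logged in with something other than SSO."""
    return sorted({(user, app) for _ts, user, app, action, auth, *_ in events
                   if action == "login" and auth != "sso"})


def pre_departure_bulk_export(accounts, events, window_days=7, threshold=500):
    """Users who exported/downloaded >= threshold objects in a day within window_days of their end date."""
    ends = {a["user"]: a["end"] for a in accounts if a["end"]}
    per_day = defaultdict(int)
    for ts, user, _app, action, _auth, _ent, n in events:
        if action in ("download", "export") and user in ends:
            if 0 <= (ends[user] - ts.date()).days <= window_days:
                per_day[(user, ts.date())] += n
    return sorted((u, d.isoformat(), n) for (u, d), n in per_day.items() if n >= threshold)


def report(accounts=ACCOUNTS, events=EVENTS, now=NOW):
    """Run every check and return one dict a reviewer could act on."""
    return {
        "past_end_still_enabled": past_end_still_enabled(accounts, now),
        "inactive_accounts": inactive_accounts(accounts, events, now),
        "unused_entitlements": unused_entitlements(accounts, events, now),
        "sso_bypass_logins": sso_bypass_logins(events),
        "pre_departure_bulk_export": pre_departure_bulk_export(accounts, events),
    }


if __name__ == "__main__":
    for check, findings in report().items():
        print(f"{check}: {findings}")
```

Each finding maps back to one row of the lifecycle list: accounts past their end date and long-inactive accounts feed deprovisioning, unused entitlements feed the access review, and the SSO-bypass and pre-departure export checks are the kind of activity signal that, in a noisy environment, is easy to miss without the inventory context (end date, granted entitlements) joined in.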

Use Cases in Non-Employee Security

Let us look at a few scenarios where Obsidian helped customers deal with identity governance issues and threats involving non-employees.

University System Deals with Account Sprawl and Hijacked Mail Accounts

A large public research university in the Midwest has over 30,000 students enrolled, with thousands of students enrolling and graduating every year. While the security team had automation in place to onboard and offboard students on their cloud services, they still faced the challenge of maintaining identity hygiene and monitoring access. How do you ensure successful onboarding and offboarding and maintain a robust security posture on an ongoing basis at scale?

Obsidian upgraded the university’s visibility and automation capabilities, allowing security to detect and clean up stale student accounts. By doing this, they could lower their attack surface while also keeping tabs on cloud expenses. Obsidian provided detection of abused accounts and enabled the security team to show that disabling legacy authentication protocols would improve posture and greatly reduce the frequency of account takeovers. After taking this information to IT, legacy authentication was disabled and the average number of daily account compromises dropped from 30 to 1.

Social Media Company Manages Sensitive Access for Contractors

A leading social media company employs a large team of contractors to review user updates and ensure that they comply with the communication policy. In order to do this, the company needs to give contractors access to sensitive data which, if shared with government actors, could result in human rights abuses.

In addition to having strict policies in place around what the contractors can access and do, the company is using Obsidian to closely monitor activity from the contractors’ accounts. The threat hunting team uses Obsidian to detect threats that fly under the radar of automated detections. Obsidian gives the threat hunting team a consolidated view of activity with context around users, devices, and locations.

Large Healthcare Company Mitigates Identity Creep and Access Threats

A leading international healthcare provider has over 30,000 IT users with access and privileges to its systems. With employees switching roles frequently within the organization, the security team needs to understand who has access to what, and to quickly identify employees who have switched roles but still hold privileged access they no longer need in their new roles.

The security team uses Obsidian to identify and fix instances of identity creep, where employees have access and privileges they no longer need. In addition, Obsidian enables the threat detection and response teams to identify unwanted behavior and quickly diagnose it as benign, or use it to have follow-up conversations with employees and to aid further investigation of potentially malicious behavior.

Conclusion

Contractors, business partners, temporary workers and interns are blurring the human perimeter and redefining what it means to be a trusted user of IT services. Organizations in the cloud can balance business agility and user experience with robust security by embracing an identity-centric approach to security. At the end of the day, identity-driven security is about ensuring the right people have access to data and services at the right time for the right purposes.

To find out how Obsidian can help you with identity governance and with better managing access for non-employees in your organization, drop us a note at general@obsidiansecurity.com or sign up for a demo at www.obsidiansecurity.com.