The days when an organization could create a closed internal system to control access to resources are long gone. Enterprises across all industries are increasingly using external resources such as contractors, freelancers, and vendors for work. These ‘non-employees’ often have access to internal systems, including sensitive data. With this access comes greater risk to the organization.
Contractors and freelancers are becoming a normal part of business: The Intuit 2020 report describes the trend for freelance and part-time gig economy workers taking hold, with 80% of companies expanding their use of a flexible workforce. This brings with it the challenge of identifying users outside of corporate control.
Cloud adoption is increasing Shadow IT challenges: Cloud services, according to a Cisco report, were found to be the most prevalent Shadow IT system. These are devices unmanaged by IT staff, and present significant access control challenges. Shadow IT is also compounded by non-employees in home or other office environments, collaborating across multiple cloud infrastructures.
Remote work amidst the COVID-19 pandemic adds complexity: The ‘home-network’ is harder to control. Many companies have placed workers, including non-employees, on semi-permanent home working regimes. Facebook, for example, said they expect their workforce to work remotely until the end of 2020. These arrangements require companies to increase remote access connections to networks, inherently increasing the threat landscape.
This mosaic of non-employees across an organization creates complex access control issues. The old way of using Identify and Access Management (IAM) systems, integrated with HR technologies, to identify and manage employee accounts, was able to standardize access control. Outside of the controlled lifecycle of an employee, non-employee access control and onboarding is not as simple. The issues that are inherent within a non-employee lifecycle management scenario and the associated, often unanswered, questions are multifold:
The use of access control measures that are robust and verified is essential as the employee landscape continually extends. While insider threats were an issue pre-cloud computing and today's extended enterprise, the risk continues to grow at a concerningly rapid pace.
The 2020 Insider Threat Report, offers some stark warnings about the threat from insiders:
These numbers are evidence of the growing threat to data from insiders, including contractors. Now is the time to batten down the identity hatches and develop a strategic approach to third party access management.