Employee engagement is often managed by the human resources department. When a new employee is hired, either the HR system or someone within HR notifies the IAM team so the appropriate accounts can be created for that person. HR manages that employee's lifecycle and notifies the IAM team when the person leaves so the appropriate action(s) can be taken on the access that person was granted. Good people management processes for your employees mean effective access control.
What about non-employees? Since there is no way to get visibility into the human resources systems at all of your partner organizations, how are you tracking the movement of people within and out of those organizations to ensure that only actively engaged people have active identities, and therefore active access?
At SecZetta, we ask that question all the time, and this is what we hear most often.
We set all the contractor accounts to expire in 90, 180, 365 days…
What if the project finishes early, the contractor moves on, or the contractor gets terminated? In most cases, that person's access will be left active until that expiration date, which may be anywhere from a few weeks to a few months away, depending on policy. While it's nice to have that fallback, it is not a truly effective control and can leave the organization open to unnecessary risk.
We disable them once they show up on a 90-day inactivity report.
If an account is still being used after the engagement ends, it will not show up on your inactivity report. A worst-case scenario, yes, but a person who was terminated from their organization may still be able to access information resources using the accounts that were created and assigned to them. And if you are not managing the person and their identity, there is absolutely no way to guarantee you will know they are gone.
We rely on our business users to tell us when they are no longer there.
Business users are great about telling you when a new non-employee needs access, because they need that person enabled to meet their objectives. Once that project is over and the business user has moved on to their next objective, they are often not as diligent about telling you when non-employees are done. They might let you know during the annual entitlement review, but that could be months away, again leaving the organization open to unnecessary risk.
What is the answer to this problem?
How can organizations reduce the risk of accounts belonging to non-employees being left open for long periods after engagements and contracts end?
SecZetta provides tools to create a collaborative people management approach for non-employees. With the SecZetta platform, customers not only improve how they bring non-employees into their organization and manage risk and lifecycle tasks, but also validate which people are still actively engaged. By having partner organizations regularly validate which of their people are still engaged, organizations can eliminate the gap between when a person is finished and when the access granted to them is turned off.
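As an added illustration (not SecZetta's code, and not tied to any particular IAM product), the reconciliation below shows why partner attestation closes the gap that expiry dates and inactivity reports leave open: it compares an account store against the list of people the partner has attested as still engaged, and flags accounts that are enabled but no longer attested, including ones still being used. Account names, dates and organizations are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass
class Account:
    user: str
    sponsor_org: str          # partner organization that sponsors this non-employee
    enabled: bool
    expires: date             # the "expire in N days" fallback control
    last_login: Optional[date]


def inactivity_report(accounts: List[Account], today: date, days: int = 90) -> List[str]:
    """What a 90-day inactivity report catches: enabled accounts with no recent login."""
    cutoff = today - timedelta(days=days)
    return sorted(a.user for a in accounts
                  if a.enabled and (a.last_login is None or a.last_login < cutoff))


def reconcile(accounts: List[Account], attested_engaged: Set[str],
              today: date, renew_window_days: int = 14) -> Dict[str, str]:
    """Compare the account store with the partner's attestation of who is still engaged.

    Returns a user -> action map. Accounts that are enabled, attested and not near
    expiry need no action and are omitted.
    """
    actions: Dict[str, str] = {}
    for a in accounts:
        engaged = a.user in attested_engaged
        if a.enabled and not engaged:
            # Engagement ended. Neither expiry nor inactivity would catch this
            # if the account is still in use before its expiry date.
            actions[a.user] = "disable"
        elif not a.enabled and engaged:
            # Still engaged but already disabled (e.g. expiry fired too early).
            actions[a.user] = "review"
        elif a.expires <= today + timedelta(days=renew_window_days):
            # Still engaged and about to hit the expiry fallback: extend instead of cutting off.
            actions[a.user] = "extend"
    return actions


# Constructed sample data for a single reconciliation run.
TODAY = date(2024, 6, 1)
ATTESTED_ENGAGED = {"alice.contractor", "dave.contractor", "erin.contractor"}
SAMPLE_ACCOUNTS = [
    Account("alice.contractor", "acme", True, date(2024, 9, 30), date(2024, 5, 30)),
    Account("bob.contractor", "acme", True, date(2024, 12, 31), date(2024, 5, 31)),   # terminated, still logging in
    Account("carol.contractor", "globex", True, date(2024, 8, 1), date(2024, 1, 15)),  # terminated, idle
    Account("dave.contractor", "globex", False, date(2024, 5, 15), date(2024, 5, 10)), # expired while still engaged
    Account("erin.contractor", "acme", True, date(2024, 6, 10), date(2024, 5, 28)),    # engaged, expiry imminent
]
```

Running `reconcile(SAMPLE_ACCOUNTS, ATTESTED_ENGAGED, TODAY)` disables both bob and carol, while `inactivity_report` alone only ever surfaces carol.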
Good people management for better access control can happen for non-employees too. Check out our products at www.seczetta.com/products