Episode 123 - GluuFederation/identerati-office-hours GitHub Wiki
Title: Outsiders Within: Managing Access in the Extended Enterprise
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Tuhin Banerjee, Senior Director, Professional Services, Saviynt
- Guest: Michael Freeman, IAM Security Architect
Description
In today’s hyper-connected business landscape, the lines between internal and external users have all but disappeared. Contractors, third-party vendors, freelancers, offshore teams, and business partners, collectively known as the extended workforce, now make up nearly 50% of the modern enterprise's operational ecosystem (Gartner, 2024). These “outsiders within” often have privileged access to critical systems, sensitive data, and customer environments, yet remain outside traditional HR and IT controls.
This shift has made third-party access governance (TPAG) a board-level concern, especially as high-profile breaches increasingly trace back to compromised vendor accounts. The 2023 IBM Cost of a Data Breach Report revealed that breaches involving third parties cost 25% more on average than those involving internal actors.
The Challenge: High Access, Low Visibility
Managing the extended enterprise introduces complex challenges:
- Fragmented Identity Lifecycle: Unlike employees, external users aren't consistently onboarded through HR systems, resulting in inconsistent identity creation and delayed deprovisioning.
- Over-Provisioned Access: Vendors often retain access long after contracts end. Studies show that 75% of enterprises lack visibility into third-party access beyond initial onboarding (Ponemon Institute, 2023).
- No Unified Governance: External users often span across multiple business units, geographies, and access channels (on-prem, SaaS, IaaS), leading to siloed and ungoverned identities.
- Risk of Compliance Violations: Regulations like GDPR, HIPAA, SOX, and NIST 800-53 require detailed audit trails of “who accessed what and when.” Without centralized access tracking, compliance becomes both expensive and error-prone.
The Solution: Identity-Centric Access Governance
Modern identity platforms are transforming how organizations manage the extended workforce. Leading solutions such as Saviynt, SailPoint, and Okta are tackling the problem head-on by offering:
- Third-Party Identity Lifecycle Management
- Risk-Based Access Certification
  - Periodic and event-driven access reviews specific to extended users.
  - Integration of risk intelligence (e.g., peer access comparison, usage analytics) to drive smarter decisions.
- Just-in-Time (JIT) Access & Time-Bound Roles
  - Support for temporary roles with built-in expiration.
"Outsiders Within" are no longer a fringe risk—they are a core operational reality. The enterprises that thrive will be those who govern them well.
Homework
- EXTERNAL IDENTITY MANAGEMENT CAPABILITIES: https://saviynt.com/solutions/third-party-access-governance-capabilities?utm_source=chatgpt.com
- The Critical Need For Auditing Third-Party Access To Organizational Platforms
- 4 Tips for Managing and Governing Third-Parties
- Share resources securely with a third party
Takeaways
- ⚡ What's changed since the 1990s, when this identity challenge first presented as "extranet management"? It's "regulation". Big companies are governed by many more data security laws, especially since the 2000s, says Tuhin.
- ⚡ IGA companies want to create an internal account for each federated user. Like toxic waste, inactive privileged accounts accumulate and must be culled through access certification campaigns. IGA companies seem to minimize the use of either bilateral or multi-party identity federations, so JWT tokens aren't extensively used as sufficient evidence of the authentication event and subject identity.
- ⚡ Data security is still an elusive goal. This aligns with the contention that we need to move to a capabilities-based access control model--and away from an identity-centric access control model. Instead of governing "which people have access to the data", a capabilities-based approach focuses on "what policies control access to the data"--which can include policies that trust JWT tokens issued by third-party domains. If we embed tokens in assets, we can also pass along obligations and restrictions that apply to the data even after access is granted (e.g. "gov't use only").
- ⚡ Enterprises should evolve towards centralized policy management. The application of automated reasoning would enable CISOs to "prove" certain universal statements about security, like "For all access to regulated data, user identity and approval must be provable."
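The three ideas in the takeaways above, time-bound access with built-in expiration, a policy that trusts tokens issued by a third-party domain, and obligations that travel with the data alongside a provable approval, combined into one policy check. This is an added example written for this page, not code from Gluu, Saviynt or the episode; the issuer domain, shared HS256 key, the `approval` and `obligations` claim names and the obligation string are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trust store: partner issuer domain -> shared HS256 key (assumption for this example).
TRUSTED_ISSUERS = {"https://idp.vendor.example": b"constructed-shared-secret-not-for-production"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(key, issuer, subject, ttl_seconds, approval, obligations, now=None):
    """Mint an HS256 JWT (RFC 7519) the way a partner's IdP would; time-bound via `exp`."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": issuer, "sub": subject, "iat": now, "exp": now + ttl_seconds,
               "approval": approval, "obligations": obligations}
    signing_input = ".".join(_b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def decide(token, now=None):
    """Policy check on a third-party token: trusted issuer, valid signature, unexpired,
    approval present. Returns (allowed, reason, obligations that travel with the data)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token", []
    h, p, s = parts
    header, payload = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    if header.get("alg") != "HS256":          # refuse alg=none and algorithm confusion
        return False, "unsupported alg", []
    key = TRUSTED_ISSUERS.get(payload.get("iss"))
    if key is None:                           # policy trusts only the listed partner domains
        return False, "untrusted issuer", []
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False, "bad signature", []
    if now >= payload.get("exp", 0):          # built-in expiration: no manual deprovisioning step
        return False, "expired", []
    if not payload.get("approval"):           # "identity and approval must be provable"
        return False, "no approval recorded", []
    return True, "ok", list(payload.get("obligations", []))
```

The caller enforces the returned obligations (for example "gov-use-only") on the data it releases, so the restriction outlives the access decision itself.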