The best way to expand identity and access management (IAM) to third-party service providers is to treat a third party like an extension of your own company.
All staff working for a third-party service provider, who have access to your systems or data, should have a unique user account and password. They should adhere to the same acceptable use policies and desktop security controls as you do. You should also be able to choose who within the third party is granted access to your sensitive data.
The big no-no is assuming that a third-party service provider already has all of this in hand. Security breaches as a result of companies incorrectly engaging third parties are on the rise.
If your company policies say that your staff should all have Disclosure and Barring Service (DBS) and reference checks, and that all machines must have up-to-date anti-malware, then to avoid being the weak link in the security chain your engaged third-party provider should have this too. This should be readily auditable, so at any point in time you know which individual in which company is accessing your data.
Some companies talk about expanding IAM to include third-party providers, but identity and access management is one piece of a much bigger security picture, and easily defeated when third parties start sharing credentials to make supporting your outsourced systems easier.
The golden rule is that you can outsource services, but you cannot outsource security. Do not throw the security baton over the fence and expect it to be caught. Unless you have specifically agreed and contracted your service provider to adhere to your security controls, it is highly unlikely that it will.
The cloud is a bit different. Many cloud platforms will encrypt your company’s data with a unique public encryption key, meaning that only your company, with the private key, can ever decrypt the data and view it. That’s how it is supposed to work, but how do you validate this and check that even basic encryption mechanisms are working? In short, you cannot – unless you start moving to private cloud and getting some auditable controls in place.
If your company is that concerned about security, it should really be in-housing services, not outsourcing. If your company is not concerned about security and is outsourcing, then you have got problems. Doing due diligence after the fact is very difficult, and if the right to audit hasn’t been written into contracts, in some cases due diligence is impossible.