Global supply chains are facing new challenges. But it is not only the shortage of raw materials, trade restrictions and the consequences of Covid that cause interruptions in the supply chain and production downtime. Security incidents and cyber threats are increasing and require holistic supplier risk management, especially given increasingly complex supply chain ecosystems. In addition, the NIS2 directive will come into force on October 17, 2024, so almost all companies will have to deal with supply chain security alongside BCM, ISMS and other topics.
Global supply chains are in upheaval, and many companies have long recognized that agility and resilience are becoming increasingly important: on the one hand, to react faster and better to unforeseeable events; on the other hand, to protect themselves against attacks from outside. Transparency plays a key role here. As a survey by the ifo Institute shows, 65 percent of companies have started looking for new suppliers, and 68 percent have enlarged their warehouses. The problem: as supply chains grow more complex, it becomes increasingly difficult to keep track of all players and activities. Merely identifying and consolidating relationships with third parties already poses a problem for many providers.
As a recent study by PwC shows, only 38 percent of German companies check and verify the security posture and compliance of third-party providers or suppliers. There is a suspicion that companies rely too heavily on their suppliers. Given a particularly tense cyber security situation, this means that companies must now rely on critical identity controls: Which user has control of what? How did they get it, and how long do they need it? Who approved the access? What activities did this user perform during this time? Knowing the answers to these questions and being able to make them available to those responsible for IT security is not only important for reputation and the relationship with customers; many business applications are also subject to government regulations.
Streamlining controls while simplifying supplier access
In addition to being able to answer these questions, it is important to ensure that the controls are actually in place – without creating friction in the supply chain and in supplier relationships. If companies make it difficult for third parties to do business with them, it also becomes increasingly difficult to keep reliable suppliers in the network.
The following practices have proven their worth when introducing controls as part of supplier management processes:
Onboarding new providers and users
Before third parties can enter into business relationships with a company, they and their users must be integrated into the company network so that they have access to the necessary resources. Traditionally, these processes were handled manually, which took days or even weeks and was not very efficient. Today, companies have the option of providing their suppliers with a registration portal that they can use to quickly create and maintain a profile. New users can be added or removed easily and quickly. In this way, companies always have an overview of supplier relationships and active users.
Delegated administration and access requests
Once the identities are registered with the company, the aim is to provide users with functions that allow passwords and user IDs to be reset and that allow them to request access to systems. For example, suppliers need access to the ordering system to know how many products need to be shipped where. However, it would be unfavorable if a company's internal employees had to create and manage the supplier's users in different systems. Therefore, good self-service and delegated management capabilities must be provided. The access rights request process should be simple, intuitive and easy to navigate – not least to reduce friction and streamline the whole process. The appointment of a Delegated Admin,
Permissions and manual controls
With the deployment of Delegated Admins, especially outside of one’s own organization, better controls need to be introduced into the new processes. You don’t need an army of employees for that. With the introduction of single or multi-step approval processes, only a few people are needed to make the final decision on who gets access to important applications and sensitive data. If the services are also integrated, additional audit trails can be created.
Roles and Analysis
When an organization can map permissions into roles, it greatly simplifies the access request and access review process. But how can roles be used effectively?
- Using a role modeling solution makes it possible to perform bottom-up modeling of the application and top-down modeling of the organization. As a result, a minimal set of roles covers 80 to 90 percent of access privileges, and only the remainder is treated as exceptions.
- A regular review of role composition and responsibility ensures that the roles continue to be up to date.
- Real-time analytics that assess access and exceptions are used to suggest new roles as requirements or circumstances change. In addition, analytics can ensure that existing roles do not cause unintentional SoD (Segregation of Duties) violations – especially in connection with ad hoc access requests.
Access verification and application control
Just as companies control access for their own employees, they also need to control that of their suppliers and partners, especially when those touch systems that are subject to regulations. Depending on the size or number of vendors that have access to enterprise applications, the first step in the review process may be the responsibility of the Delegated Admin. If the provider is given the opportunity to carry out this check itself, the risk that a user from its company poses a threat to the partner company can be reduced. However, the ultimate authority is always the organization itself. Access reviews can determine the ‘who’ and the ‘what’ and even help identify SoD breaches, but they also need to be linked to SIEM and UEBA solutions to gain a better understanding of whether access is being used enough to justify it and, if it is used, whether that use is consistent with safe and expected behavior. Another key point is remediation of deficiencies – if an access review determines that a vendor’s access is no longer needed or desired, the process should include automated access remediation whenever possible to close the loop and prevent manual management errors from putting the organization or vendor at risk.
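The following is an added illustration, not tooling from the article or any named product: a minimal access-review pass over supplier accounts that ties together the two checks described above, detecting SoD conflicts (including those introduced by ad hoc exception grants outside the role model) and flagging entitlements that usage data shows have gone unused for longer than a review window. The role model, SoD policy, supplier accounts and last-use timestamps are all constructed for the example, and the last-use data stands in for what a SIEM or UEBA integration would supply.

```python
from datetime import date, timedelta

# Constructed role model (assumed output of bottom-up role modeling): role -> entitlements
ROLES = {
    "supplier_order_viewer": {"orders:read"},
    "supplier_shipper": {"orders:read", "shipments:write"},
    "supplier_billing": {"invoices:write"},
}
# Constructed SoD policy: sets of entitlements that one person must never hold together
SOD_RULES = [
    frozenset({"shipments:write", "invoices:write"}),
    frozenset({"invoices:write", "invoices:approve"}),
]

def effective_entitlements(user):
    """Role-derived entitlements plus any ad hoc exceptions granted outside the roles."""
    ents = set()
    for role in user["roles"]:
        ents |= ROLES[role]
    return ents | set(user.get("exceptions", []))

def sod_violations(user):
    """Return each SoD rule fully matched by the user's effective entitlements."""
    ents = effective_entitlements(user)
    return [sorted(rule) for rule in SOD_RULES if rule <= ents]

def stale_entitlements(user, today, max_idle_days=90):
    """Entitlements never used, or not used within the window (last-use data assumed)."""
    stale = []
    for ent in effective_entitlements(user):
        last = user["last_used"].get(ent)
        if last is None or (today - last).days > max_idle_days:
            stale.append(ent)
    return sorted(stale)

def review(users, today):
    """Per-user findings an access reviewer or automated remediation step would act on."""
    return {u["id"]: {"sod": sod_violations(u), "stale": stale_entitlements(u, today)}
            for u in users}

# Constructed sample supplier accounts; jdoe holds an ad hoc invoices:write exception
TODAY = date(2024, 10, 17)
USERS = [
    {"id": "jdoe@acme.example", "roles": ["supplier_shipper"], "exceptions": ["invoices:write"],
     "last_used": {"orders:read": TODAY - timedelta(days=3),
                   "shipments:write": TODAY - timedelta(days=5),
                   "invoices:write": TODAY - timedelta(days=1)}},
    {"id": "msmith@acme.example", "roles": ["supplier_order_viewer"],
     "last_used": {"orders:read": TODAY - timedelta(days=200)}},
]

if __name__ == "__main__":
    for uid, findings in review(USERS, TODAY).items():
        print(uid, findings)
```

Run as a script it prints one findings line per supplier account; the SoD hit on jdoe comes entirely from the ad hoc exception, which is exactly the case the role analytics above are meant to catch.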
Access Revocation and Offboarding
Eventually, there may come a time when a vendor’s employees change departments, leave the vendor altogether, or the relationship with a particular vendor is terminated. Timely removal of access for these users is critical. This can be handled in a number of ways: typically, the vendor’s designated administrator removes or changes access for the user. However, the provider can also send a request to a helpdesk ticketing system to initiate the change request, especially for manually managed systems. It is far less desirable for staff turnover to be discovered only during the governance process of a regular access review.
Conclusion
Companies that take these best practices to heart reap the financial benefits of strong supplier relationships, reduced supplier management friction, and lower economic costs in their supply chain. Most importantly, they are achieving their business goals – complying with regulations and protecting their brand, which ensures customer loyalty.