Closing the Third-Party Identity Gap: Practical Strategies to Reduce Risks and Strengthen Security

Third-party access stopped being a back-office IAM (Identity and Access Management) problem the day it became the front door for attackers. Contractors, vendors, service engineers, and SaaS integrators now outnumber employees in many environments, and they arrive with their own devices, identity providers, and timelines. That mismatch is the gap.

Cyber-attacks are increasingly identity-based, and the extended workforce is accelerating the exposure. Recent analysis puts the contractor ratio up 48% (roughly one contractor for every five employees), with 90% of businesses planning to maintain or increase that mix. In the past 12 months, 59% experienced a data breach caused by a third party.

The mechanics are familiar: a digital identity averages 5 to 15 accounts, and non-employees multiply that with duplicate or temporary accounts. Those accounts often get elevated, untailored privileges because the project needs to move. The result is over-provisioned access that lingers after contracts end. One global financial firm found over 60% of third-party VPN accounts still active months after termination, not from malice but from missing lifecycle signals. 

Legacy models weren’t built for this velocity. Traditional IAM treats third parties like employees with longer onboarding, while the business treats them like temporary collaborators who need access today. That is why 59% of organisations report breaches tied to over-permissioned third-party identities. 

FIVE PRACTICAL CONTROLS TO MANDATE NOW

1. Establish a trusted third-party identity inventory
Create a centralised source that integrates with IAM, PAM, SIEM, and procurement. Define a distinct schema for non-employees with sponsor, contract end date, and risk tier. Prioritise cleansing for high-risk systems first.

2. Bind every session to a verifiable person and eliminate shared accounts
Require individual accounts for all external users. Federate to the vendor’s identity provider where possible. Enforce strong authentication such as passkeys or certificate-based authentication and MFA for every remote session. Remove default and shared credentials completely.

3. Automate least privilege and just-in-time access
Move beyond annual reviews. Monitor actual usage continuously, grant time-bound access linked to a work order or ticket, and revoke automatically on expiry or inactivity. Shift from static roles to attribute-based controls that consider context and risk.

4. Treat lifecycle as a security control
Embed the joiner-mover-leaver process for non-employees into procurement and vendor management. Require quarterly attestation by the business owner based on usage data, not spreadsheets. Test your kill switch quarterly and retain evidence.

5. Integrate, do not duplicate
Stop issuing corporate email, VDI, and collaboration licences to vendors by default. Use federation, SSO, and native guest access. Secure the specific applications and data they need, which reduces identity sprawl, cost, and audit complexity.

METRICS CISOs SHOULD DEMAND BY NEXT QUARTER

  • Percentage of third-party accounts with a named sponsor and documented end date: target 100%
  • Proportion of external sessions using individual, MFA-protected identities: target 100%
  • Number of active vendor accounts with zero usage in 90 days: target zero
  • Mean time to disable all access for a given third party: target under 10 minutes
  • Third-party access rights reduced through usage-based reviews: track month on month
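The inventory schema in control 1, the expiry and inactivity revocation in control 3, the kill switch in control 4, and the first four metrics above all operate on the same data. The following is an added example, not code from the article: it builds a constructed third-party identity inventory with the article's schema fields (sponsor, contract end date, risk tier) plus the usage and authentication fields the metrics need, then computes revocation decisions, the vendor kill switch, and the metrics from that data. Every field name, account id, vendor and date is an assumption made for illustration.

```python
"""Lifecycle checks over a third-party identity inventory (added example).

Constructed inventory using the article's schema (sponsor, contract end date,
risk tier); all field names, ids, vendors and dates are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class ThirdPartyAccount:
    account_id: str
    vendor: str
    sponsor: Optional[str]        # named business owner; None = unsponsored
    contract_end: Optional[date]  # None = no documented end date
    risk_tier: str                # "high" | "medium" | "low"
    individual: bool              # False = shared or generic account
    mfa: bool
    ticket: Optional[str]         # work order the grant is bound to
    granted: date
    last_used: Optional[date]     # None = never used since granted
    enabled: bool = True


NOW = date(2024, 6, 30)  # fixed "today" so the example is deterministic

# Constructed sample inventory; vendors, people and ids are invented.
INVENTORY = [
    ThirdPartyAccount("tp-001", "acme-support", "j.doe", date(2024, 12, 31), "high",
                      True, True, "CHG-1001", date(2024, 5, 1), date(2024, 6, 28)),
    ThirdPartyAccount("tp-002", "acme-support", None, date(2024, 12, 31), "high",
                      True, True, "CHG-1002", date(2024, 5, 1), date(2024, 6, 1)),
    ThirdPartyAccount("tp-003", "hvac-vendor", "m.lee", date(2024, 3, 31), "medium",
                      True, False, None, date(2023, 10, 1), date(2024, 2, 14)),
    ThirdPartyAccount("tp-004", "hvac-vendor", "m.lee", None, "low",
                      False, False, None, date(2023, 10, 1), date(2024, 1, 10)),
    ThirdPartyAccount("tp-005", "payroll-saas", "a.khan", date(2025, 1, 31), "high",
                      True, True, "CHG-1003", date(2024, 2, 1), None),
]


def dormant(inventory, now=NOW, days=90):
    """Enabled accounts with no use in `days` (never-used accounts count from grant date)."""
    cutoff = now - timedelta(days=days)
    return [a.account_id for a in inventory
            if a.enabled and (a.last_used or a.granted) < cutoff]


def expired(inventory, now=NOW):
    """Enabled accounts whose contract end date has already passed."""
    return [a.account_id for a in inventory
            if a.enabled and a.contract_end is not None and a.contract_end < now]


def revocation_decisions(inventory, now=NOW, dormant_days=90):
    """Controls 3 and 4: map each account that should be disabled now to the reason."""
    cutoff = now - timedelta(days=dormant_days)
    decisions = {}
    for a in inventory:
        if not a.enabled:
            continue
        if a.contract_end is not None and a.contract_end < now:
            decisions[a.account_id] = "contract expired"
        elif (a.last_used or a.granted) < cutoff:
            decisions[a.account_id] = f"no usage in {dormant_days} days"
        elif not a.individual:
            decisions[a.account_id] = "shared account"
        elif a.ticket is None:
            decisions[a.account_id] = "grant not bound to a work order"
    return decisions


def disable_vendor(inventory, vendor):
    """Kill switch: disable every enabled account of one vendor; returns the ids touched."""
    touched = []
    for a in inventory:
        if a.vendor == vendor and a.enabled:
            a.enabled = False
            touched.append(a.account_id)
    return touched


def metrics(inventory, now=NOW):
    """The first four metrics above, computed from inventory and usage data."""
    total = len(inventory)
    with_sponsor_and_end = sum(1 for a in inventory if a.sponsor and a.contract_end)
    individual_mfa = sum(1 for a in inventory if a.individual and a.mfa)
    return {
        "pct_sponsor_and_end_date": round(100 * with_sponsor_and_end / total, 1),
        "pct_individual_mfa": round(100 * individual_mfa / total, 1),
        "dormant_90d": len(dormant(inventory, now)),
        "expired_still_enabled": len(expired(inventory, now)),
    }


if __name__ == "__main__":
    print(metrics(INVENTORY))
    for acct, why in revocation_decisions(INVENTORY).items():
        print(f"disable {acct}: {why}")
```

On the constructed data the sponsor-and-end-date and individual-MFA metrics both come out at 60%, three accounts are dormant and one expired account is still enabled; `revocation_decisions` ranks expiry above inactivity so that an expired account is reported for the reason the business owner can act on first, and `disable_vendor` is the quarterly kill-switch test, returning the ids it touched as the evidence to retain.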

Closing the gap is not a tool purchase. It is a data-led programme that aligns identity governance, procurement, and security operations around one principle: every external access decision must be visible, attributable to a real person, and reversible on demand.
