With organizations increasingly relying on third parties to enhance productivity, improve business agility, enable faster time-to-market, and decrease operating costs, it is imperative that the current lack of control and centralized processes around vendor and non-employee risk be addressed as a top priority. David Pignolet, founder and president of SecZetta, a Massachusetts-based provider of non-employee identity risk and lifecycle management solutions, notes, “The management of identities, accounts, and entitlements of non-employee populations is typically an enterprise-wide blind spot, despite the growing reliance on third-party resources. SecZetta provides solutions for non-employee identity risk and lifecycle management that help organizations manage, identify, and assess relationships and the associated risks of non-employees.” While organizations commonly use expensive homegrown systems, spreadsheets, and sometimes even emails to handle third-party identities, these approaches have critical limitations. Moreover, even most industry-leading third-party risk solutions typically assess risk only at the organizational level, without thoroughly reviewing the identities of the individuals working for the contracted vendors. “SecZetta’s focus is to help organizations have a more precise understanding of their non-employees—and the risks they pose—by placing identity at the heart of the security model,” explains Pignolet.
To gain a true understanding of the risk of exposure, organizations need to conduct a holistic risk assessment, which enables them to determine the type of access that should be granted to an individual. SecZetta’s approach to non-employee access management, which involves assessing vendor risk at the level of each individual identity, is proving to be a boon for companies amidst today’s expanding threat landscape. The SecZetta solutions suite takes into consideration multiple factors, such as a non-employee’s personal background, residing location, and current job responsibilities, as well as their work experience, previous employers, and contract extension history. At its core, the solution serves as a single authoritative source of non-employee data—enabling organizations to navigate a large pool of contractors, suppliers, and the like, and easily track and understand the relationship it has with each.
Perhaps, what speaks volumes about SecZetta’s comprehensive solutions suite is that organizations can maintain a single identity for the many relationships a non-employee might have with them, gain full auditability of identity lifecycles, and achieve compliance goals—all from a single source.
An Integral Three-Pronged Approach
SecZetta provides a suite of third-party identity risk solutions that can be deployed individually or as a single integrated platform. Core to the solutions suite is the ability to manage:
• Identity risk and lifecycle processes for non-employees;
• Collaboration with partners, vendors, and non-employees;
• Unification of identity data from multiple sources into a single, master authoritative source.
The SecZetta third-party identity risk solutions suite can be deployed on-premises, through single-tenant managed hosting, or through multi-tenant Software-as-a-Service (SaaS) (as of 1H 2020).
The solutions suite is easy to configure and manage, without expensive customizations or the need to constantly engage professional services. In fact, the solutions suite integrates with existing identity and access management (IAM) systems through built-in RESTful APIs, enabling users to reap the full benefits of third-party identity lifecycle management. Moreover, SecZetta’s no-code approach and easy-to-configure workflow engine allow for conditional workflow functions, drag-and-drop actions for notifications and reviews, and unlimited approval steps. Perhaps most importantly, the solutions suite’s point-and-click interface is clean and intuitive, requiring little or no training for users.
Identity Risk and Lifecycle Processes for Non-employees
SecZetta’s solutions suite addresses the limitations that have long prevailed in homegrown HR and IAM solutions, namely the lack of an authoritative source that is able to manage the level of access granted to each non-employee. “While most organizations evaluate the risk of contractors and external vendors during the onboarding process, it is usually a red light, green light situation—either complete access is granted or none at all,” clarifies Pignolet. This is where SecZetta saw the need for a one-stop solution that both analyzes data and provides conditional access. To be truly effective, an authoritative source has to be comprehensive enough to support both business processes and downstream IAM requirements. SecZetta’s solutions suite is purpose-built to manage the full scope of non-employee relationships, such as contractors, students, physicians, and more, unlike HR solutions, which typically have a pre-defined, static relationship structure for employees.
At the heart of the solutions suite is a proprietary risk scoring methodology that enables organizations to rate the risks associated with non-employees before granting them access to systems and applications. Organizations can also carry out preemptive evaluations of access risk via integration with an IAM system.
Highlighting these features is SecZetta’s work with Geisinger Health System. A physician-led, non-profit organization, Geisinger delivers health services to more than 2.6 million people in 44 counties across Pennsylvania. In 2016, the healthcare provider faced a major challenge when its non-employee identity solution no longer met critical security and audit requirements. Geisinger wanted an out-of-the-box solution that could manage the complex requirements and multiple use cases related to its 20,000-person non-employee workforce. SecZetta was able to check all the boxes. With the new SecZetta solution in place in less than 90 days, Geisinger immediately had the ability to efficiently onboard and offboard third-party resources, better manage risks, and store the identities and data pertaining to the lifecycle of its relationship with non-employees in a single repository. Notably, the new SecZetta solution helped reduce Geisinger’s time to onboard new employees from one to three weeks to less than one day.
Most often, non-employees are not vetted into an organization’s systems with the same degree of granularity as an internal employee. The onboarding process is often time-consuming, inconsistent, risk-laden, and handled manually through emails or phone calls. To address this, SecZetta developed a partner portal through which third-party vendors manage identities and execute business processes. From onboarding and regular identity validation to offboarding and termination, SecZetta offers partners the ability to self-validate and manage their relationship while adhering to corporate policy and governance. “We include partner organizations in validating the relationships of non-employees so that all access can be appropriately managed,” said Pignolet.
SecZetta also simplifies the access termination of non-employees with the same level of precision. Often, organizations are unaware of when a non-employee’s access needs have ended, which leads to abandoned access and a high risk of exposure. With SecZetta, organizations can automate a more frequent, risk-conditional identity validation process, shrinking the window of opportunity for a non-employee to hold inappropriate access.
A Single Master Identity for Each Non-Employee
Within most global organizations, the relationship of a third-party worker changes throughout their lifecycle. Consider the case of medical students who are inducted into university hospitals. When they first enroll, they join as a student, and after graduation, the student becomes a full-time physician at the hospital. Sometimes, after working for a few years, the physician also sets up his or her own clinic. This moves them from being an employee to a non-employee at the hospital. These multiple identities and changing relationships can be complicated to manage. SecZetta’s identity consolidation tool allows organizations to unify non-employee data to establish and maintain master identities in a centralized repository. Whether an organization has vendor data stored in a single data source or in many, SecZetta analyzes and processes all of the data and consolidates it into one master identity. The solution ensures that an enterprise effectively handles the various changes in its non-employee relationship lifecycle.
Proprietary algorithms enable organizations to define the criteria that matter most to them and then create a scoring system to ensure that critical data or records are given priority in the master record. This makes it quicker and easier for organizations to understand an identity’s status.
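As an added illustration of the consolidation step described above (example code written here, not SecZetta’s product logic): records for the same person from three assumed source systems are merged into one master identity, with each attribute taken from the highest-priority source that has a value and the relationship history kept in chronological order. The source names, priority scores and sample records are constructed.

```python
"""Added example (not SecZetta's code): merge non-employee records from several
source systems into one master identity using source-priority scoring."""
from collections import defaultdict

# Assumed scoring: a higher score wins a field; ties go to the newer record.
SOURCE_PRIORITY = {"hr": 3, "student_system": 2, "vendor_portal": 1}

# Constructed sample records: one person with three relationships over time,
# plus a second person known only to the vendor portal.
RECORDS = [
    {"source": "student_system", "email": "A.Lee@example.org", "name": "A. Lee",
     "phone": "555-0100", "relationship": "student", "updated": "2016-09-01"},
    {"source": "hr", "email": "a.lee@example.org", "name": "Alex Lee",
     "phone": None, "relationship": "physician", "updated": "2020-07-01"},
    {"source": "vendor_portal", "email": "a.lee@example.org", "name": "Alex Lee",
     "phone": "555-0199", "relationship": "contract_physician", "updated": "2024-01-15"},
    {"source": "vendor_portal", "email": "b.kim@example.org", "name": "B. Kim",
     "phone": "555-0200", "relationship": "contractor", "updated": "2023-03-10"},
]

SURVIVING_FIELDS = ("name", "phone")


def consolidate(records, priority, match_key="email"):
    """Group records by a normalized match key, take each field from the
    highest-priority source that has a value, and keep the full
    relationship history so the current relationship is always visible."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec[match_key].strip().lower()].append(rec)

    masters = {}
    for key, recs in groups.items():
        # Rank by (priority, updated) descending: best source first, newest on ties.
        ranked = sorted(recs, key=lambda r: (priority.get(r["source"], 0), r["updated"]),
                        reverse=True)
        master = {match_key: key, "sources": sorted({r["source"] for r in recs})}
        for field in SURVIVING_FIELDS:
            # First non-empty value in rank order survives into the master record.
            master[field] = next((r[field] for r in ranked if r[field]), None)
        history = sorted(recs, key=lambda r: r["updated"])
        master["relationships"] = [r["relationship"] for r in history]
        master["current_relationship"] = history[-1]["relationship"]
        masters[key] = master
    return masters
```

Note that the HR record carries no phone, so the surviving phone comes from the student system rather than the newer vendor portal record; that is the priority rule working as configured, and it is exactly the kind of outcome an organization should check when it tunes its criteria.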
“Overall, SecZetta’s goal is to fill the gaps that exist between third-party risk and non-employee identity lifecycles. We provide organizations with a holistic view of the non-employee risks, empowering them to make accurate contextual decisions about granting access,” adds Pignolet.
‘Good Enough’ Is Just Not Enough Anymore
The leadership team at SecZetta started its journey as an identity and access management systems integrator. With this experience, the company brings the expertise of integrating data across disparate systems and the insight gained from working on client IAM projects. Over the last three years, SecZetta has fully transitioned to a product company, focused on designing, developing, and implementing the industry's one-of-a-kind solutions suite for third-party identity access and lifecycle management.
Today, SecZetta’s solutions are used by leading global enterprises and Fortune 500 companies across highly regulated industries such as healthcare, financial services, technology, retail, and education. This includes creating, controlling, and responding to third-party identity requirements and processes, meeting compliance requirements, and ultimately reducing third-party risk and minimizing the potential for data breaches.