
Three steps to managing secure third-party access in your supply chain

 

We are all operating in a connected, digital-first economy, and I know firsthand that no organization truly works in isolation anymore. Partnerships, platforms, and third-party services are critical for driving modern business forward, allowing us to innovate faster, enter new markets, and stay ahead of the competition. But we’ve also learned that each of these powerful connections introduces a new layer of responsibility, especially when it comes to who accesses our systems and data.

The good news is that managing third-party access doesn’t have to be a burden. In fact, I believe it can become one of our most effective strategies for strengthening our security posture and building lasting trust with both partners and customers. By intentionally focusing on identity in your supply chain security strategy, you not only lower risk but also unlock incredible opportunities for safer, smarter collaboration.

Join me as I explore how we can achieve this: identifying identity-related risks, managing forgotten accounts and permissions (also known as shadow identities), implementing a least-privilege approach, and ensuring strong governance in all our relationships with third parties.

Understanding identity-based risks in your supply chain

Every identity interacting with your systems — whether human or machine, employee, contractor, or third-party supplier — presents a potential attack vector. Particularly in the context of third-party access, these identities often operate outside the full governance and visibility of your enterprise security team.

We see risks arising not only from malicious actions by authorized users but also from unintentional errors, such as misconfigurations, over-permissioned accounts, or unsecured access tokens.

If a trusted third party is compromised, an attacker could exploit their access privileges, potentially gaining the same level of access to our systems as the third party themselves. This underscores the importance of carefully assessing and limiting the access granted to external partners.

Recent incidents have shown just how impactful identity-based supply chain risks can be:

  • SolarWinds attack (2020): Nation-state threat actors compromised the build and update mechanism of a trusted software supplier, pushing a backdoored update that gave them a foothold in thousands of customer networks undetected.
  • Okta breach (October 2023): A stolen service-account credential gave attackers access to Okta's customer support case management system and to session data in files customers had uploaded. For the many organizations that rely on Okta as their identity provider, this was a compromise at a trusted third party.
  • CrowdStrike (July 2024): A faulty content update pushed by CrowdStrike to its Falcon sensor crashed Windows hosts worldwide, causing widespread outages. This was an availability failure rather than a breach, but it shows how an unintentional mistake by a supplier with privileged, automated reach into your environment can cause massive operational disruption.

These examples highlight the diverse nature of identity-based risks, which typically appear in three forms:

Human identities:
This category includes external users like contractors, suppliers, or partner employees, who are accessing your systems.

Non-human identities:
This encompasses OAuth-connected applications, API keys, service accounts, and automated scripts that operate on our behalf.

Shadow identities:
These are untracked or forgotten identities, including old accounts, inactive integrations, or unsanctioned applications, that continue to hold access without oversight.

If not properly managed, we find that each of these identity types can inadvertently provide a pathway for unauthorized access. So, implementing clear governance, access controls, and conducting regular oversight are crucial for securing these identity touchpoints throughout your supply chain.

Step 1: Decoding shadow identities

We’ve seen firsthand how shadow identities emerge when human contractors or OAuth applications create access in uncontrolled ways, unmapped and unmanaged by the identity systems that are supposed to govern them. Consider these statistics that caught my attention:

  • 53%: Over 53% of organizations have experienced a data breach due to compromised API tokens.
  • 900%: Shadow API traffic, meaning requests made to undocumented endpoints, has surged by 900%, signaling significant growth that often occurs outside standard governance.
  • 87%: 87% of local admin accounts are not managed by identity systems.
  • 40%: Around 40% of these local admin accounts can escalate privileges in a single step, while 13% already possess domain admin rights.

For me, shadow identities represent more than just forgotten accounts; they pose a significant threat.

Unseen access creates an open door to potential breaches. Identifying and governing these identities fosters trust and compliance while minimizing unseen exposure.

The most effective transformation begins with a commitment to:

  • Discovery: Scan systems for unused or overly permissioned credentials.
  • Review: Identify old accounts or tokens tied to out-of-date projects.
  • Remediation: Remove or restrict any access that is not actively needed.

This simple, continuous process — discover, review, remediate — leads to measurable improvements in visibility, control, and compliance readiness.
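The discover, review, remediate loop is straightforward to automate once identity data from your IdP, cloud IAM and OAuth consent logs is normalised into one record shape. The following is an added example, not Atos code or any product's API: the inventory is constructed sample data, and the field names, the 90-day staleness threshold, the set of active projects and the per-identity-type allowed scopes are assumptions standing in for your own access model.

```python
"""Discover -> review -> remediate over a normalised identity inventory.

Added example with constructed data; the record fields, thresholds and
the revoke/restrict action format are assumptions of this example.
"""
from datetime import date, timedelta

# Constructed sample inventory: human contractor, CI service account,
# an OAuth app grant and a legacy API token.
INVENTORY = [
    {"id": "contractor.jdoe", "kind": "human", "owner": "jdoe@partner.example",
     "project": "erp-migration", "last_used": "2025-01-10", "scopes": ["erp:read"]},
    {"id": "svc-ci-deploy", "kind": "service", "owner": "platform-team",
     "project": "ci", "last_used": "2025-03-01",
     "scopes": ["repo:read", "deploy:write", "iam:admin"]},
    {"id": "oauth-app-42", "kind": "oauth_app", "owner": "marketing",
     "project": "campaign-2023", "last_used": None, "scopes": ["mail:read", "drive:write"]},
    {"id": "token-legacy-api", "kind": "api_token", "owner": "",
     "project": "retired-portal", "last_used": "2024-06-30", "scopes": ["portal:admin"]},
]

TODAY = date(2025, 3, 15)                     # assumed "now" for the sample run
ACTIVE_PROJECTS = {"erp-migration", "ci"}     # assumed business context
PRIVILEGED_SCOPES = {"iam:admin", "portal:admin", "deploy:write"}
# Assumed access model: the scopes each kind of identity is allowed to hold.
ALLOWED_SCOPES = {
    "human": {"erp:read"},
    "service": {"repo:read", "deploy:write"},
    "oauth_app": {"mail:read"},
    "api_token": set(),
}


def discover(inventory, today, stale_days=90):
    """Discovery: mechanical scan for credentials that are unused (or never
    used) for stale_days, or that hold any privileged scope."""
    cutoff = today - timedelta(days=stale_days)
    found = []
    for ident in inventory:
        last = ident["last_used"]
        stale = last is None or date.fromisoformat(last) < cutoff
        privileged = sorted(set(ident["scopes"]) & PRIVILEGED_SCOPES)
        if stale or privileged:
            found.append({"id": ident["id"], "stale": stale, "privileged": privileged})
    return found


def review(discovered, inventory):
    """Review: add business context. Is the identity tied to a live project
    and a named owner, and which scopes exceed what its kind is allowed?"""
    by_id = {i["id"]: i for i in inventory}
    reviewed = []
    for f in discovered:
        ident = by_id[f["id"]]
        orphaned = not ident["owner"] or ident["project"] not in ACTIVE_PROJECTS
        excess = sorted(set(ident["scopes"]) - ALLOWED_SCOPES[ident["kind"]])
        reviewed.append({**f, "orphaned": orphaned, "excess": excess})
    return reviewed


def remediate(reviewed):
    """Remediation: revoke anything stale or orphaned outright; for live
    identities that merely hold too much, restrict to the allowed scopes."""
    actions = {}
    for r in reviewed:
        if r["stale"] or r["orphaned"]:
            actions[r["id"]] = ("revoke", [])
        elif r["excess"]:
            actions[r["id"]] = ("restrict", r["excess"])
    return actions


def run(inventory=INVENTORY, today=TODAY):
    """One pass of the loop; returns {identity_id: (action, scopes_to_drop)}."""
    return remediate(review(discover(inventory, today), inventory))


if __name__ == "__main__":
    for ident, (action, scopes) in run().items():
        print(f"{action:8} {ident} {scopes}")
```

On the sample data the contractor account survives untouched, the CI service account keeps `repo:read` and `deploy:write` but loses `iam:admin`, and the never-used OAuth app and the ownerless legacy token are revoked. The point of splitting discovery from review is that the first step needs only telemetry, while the second needs the access model and project ownership data that the security team must maintain; the loop only produces trustworthy output if that context is kept current.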

Step 2: Embracing the least-privilege principle

I believe privilege itself isn’t inherently negative — it simply requires boundaries. Implementing the least-privilege principle involves the following steps:

  1. Access modeling: Establish a clear access model that defines what each identity can access, and assign permissions based solely on necessity. The model can combine role-, attribute- or policy-based access control (often written collectively as xBAC) as your organization’s requirements dictate.
  2. Just-in-time or time-bound access: Automate the expiration of third-party credentials wherever possible. If someone requires access for a day, ensure it is revoked at the end of that day to minimize lingering permissions.
  3. Access reviews: Conduct regular reviews of third-party access to confirm its continued validity and appropriateness. Remove permissions that are unused or no longer serve a business purpose. While some reviews can be automated, others will require periodic manual oversight — both are essential for maintaining effective access governance.
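The three steps above fit together naturally in code: a role model bounds what a grant can confer, every grant carries an expiry that is enforced at access time, and a review pass reports grants that have expired or gone unused. The block below is an added example written for this article, not a product's API; the role names, vendor identities, durations and the 30-day unused threshold are assumptions, and the clock is injected so the expiry behaviour can be exercised without waiting.

```python
"""Least privilege for third-party access: an explicit role model,
time-bound grants, and an automated access review.

Added example; roles, identities and durations are constructed and the
AccessStore interface is an assumption of this example.
"""
from datetime import datetime, timedelta, timezone

# Step 1 - access model (role-based): the minimum permissions each role needs.
ROLES = {
    "vendor-support": {"tickets:read", "tickets:comment"},
    "vendor-deploy": {"pipeline:run", "artifacts:read"},
}


class AccessStore:
    """Holds grants of the form identity -> (role, expires_at). No grant is
    permanent; the caller must choose a duration when granting."""

    def __init__(self, now):
        self._now = now          # injected clock: a callable returning an aware datetime
        self.grants = {}
        self.usage = {}          # identity -> last time a check succeeded

    def grant(self, identity, role, hours):
        """Step 2 - time-bound access: every grant expires after `hours`."""
        if role not in ROLES:
            raise KeyError(f"unknown role {role!r}")
        expires_at = self._now() + timedelta(hours=hours)
        self.grants[identity] = {"role": role, "expires_at": expires_at}
        return expires_at

    def check_access(self, identity, permission):
        """Deny unknown identities, deny (and drop) expired grants, and deny
        anything outside the granted role. Successful checks are recorded."""
        g = self.grants.get(identity)
        if g is None:
            return False
        if self._now() >= g["expires_at"]:
            del self.grants[identity]          # expiry enforced on touch
            return False
        allowed = permission in ROLES[g["role"]]
        if allowed:
            self.usage[identity] = self._now()
        return allowed

    def review(self, unused_days=30):
        """Step 3 - access review: report grants that have expired but were
        never touched, and live grants not used within unused_days."""
        now = self._now()
        report = {}
        for identity, g in self.grants.items():
            last = self.usage.get(identity)
            if now >= g["expires_at"]:
                report[identity] = "expired"
            elif last is None or now - last > timedelta(days=unused_days):
                report[identity] = "unused"
        return report


class FakeClock:
    """Controllable clock so the example can run through expiry offline."""

    def __init__(self, start):
        self.t = start

    def now(self):
        return self.t

    def advance(self, **delta):
        self.t += timedelta(**delta)


def demo():
    """Walk through grant, use, expiry and review; returns the observations."""
    clock = FakeClock(datetime(2025, 3, 15, 9, 0, tzinfo=timezone.utc))
    store = AccessStore(clock.now)
    a, b, c = ("vendor-%s@partner.example" % x for x in "abc")
    store.grant(a, "vendor-support", hours=8)      # one working day
    store.grant(b, "vendor-deploy", hours=8)       # granted but never used
    store.grant(c, "vendor-deploy", hours=24 * 90) # long-lived: what reviews catch
    out = {
        "read_ticket_ok": store.check_access(a, "tickets:read"),
        "deploy_denied": store.check_access(a, "pipeline:run"),   # outside role
        "artifacts_ok": store.check_access(c, "artifacts:read"),
    }
    clock.advance(hours=9)
    out["after_expiry"] = store.check_access(a, "tickets:read")   # day is over
    clock.advance(days=45)
    out["review"] = store.review(unused_days=30)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two design points are worth noting. Expiry is checked at the moment of access rather than by a background sweeper, so a lapse in the cleanup job cannot extend a grant; a sweeper can still run alongside it for tidiness. And the review deliberately separates "expired" from "unused": the first is housekeeping, while the second (a live 90-day grant nobody has touched in 45 days) is exactly the kind of lingering permission a human reviewer should question.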

This approach does not hinder partnerships; instead, it makes them secure and sustainable.

When access is aligned with defined roles, timeframes, and appropriate oversight, you reduce vulnerabilities while enabling fluid and responsive collaboration.

I advocate leveraging automation where it adds value but remember that effective governance ultimately relies on a balance between technology and human judgment.

Step 3: Building shared accountability

From my perspective, identity security is not just a technical issue; it’s a critical business imperative.

Governance must extend beyond internal policies to encompass your third-party agreements, embedding clear legal, operational, and compliance controls into your vendor relationships. This fosters a sense of shared accountability.

To strengthen third-party contracts, I recommend considering the following elements:

  • Defined identity governance standards: Mandate the use of your Identity and Access Management (IAM) standards for all vendor-managed identities. These standards should address identity provisioning and deprovisioning, hygiene, regular testing, validation of controls, least privilege access, configuration management, change control, and incident response processes.
  • Audit and verification rights: Ensure you have contractual rights to review access logs and identity management practices. Monitoring and verifying that third parties are actively maintaining, testing, and validating these controls is essential to prevent issues from going undetected for extended periods.
  • Incident notification SLAs: Establish clear, time-bound requirements for vendors to notify you of any identity-related incidents, credential exposures, or control failures.
  • Compliance alignment: Mandate strict adherence to relevant regulations and standards, such as GDPR, PCI DSS, NIS2, and other applicable frameworks.

These measures establish mutual accountability and ensure security expectations are formally set, verifiable, and enforceable from the outset.

Turning risks into opportunities

I firmly believe that securing third-party access moves beyond perimeter defenses; it involves understanding who and what connects to your business and then managing those connections responsibly. By approaching third-party identity management with intention and diligence, and applying the right level of rigor, you foster safer, more resilient, and trusted partnerships.

In a zero-trust environment, trust must always be accompanied by verification. You can protect what matters while ensuring your business thrives by integrating key elements such as good governance, the principle of least privilege, and proactive discovery and management of shadow identities. In today’s digital supply chain, identity has become the new perimeter, making its security essential for building a stronger and safer future for everyone involved.


Allen Moffett

Global Head of IAM, Atos

