Looking for Okta Logos?

You can find all the media assets you need as part of our press room.

Download Media Assets

Secure Partner Onboarding Means Automating User Access

Imagine this: you’re in your house, and you notice some water coming through the ceiling. One of your pipes is leaking. To fix it, you call your plumber to change the pipe, a handyman to patch up the ceiling, and a painter to cover the spackle. Once they’re done with their work and you walk them out of your house, you need to ensure they no longer have access to your property.

A similar premise applies to business resources. When employees—internal and external—depart a company, they must immediately lose access to all systems, files, and folders. Otherwise, companies can experience security vulnerabilities ranging from an employee stealing confidential files to a large-scale data breach with lasting repercussions.

Keep the doors locked

The impact of not properly managing employees’ user privileges can be catastrophic, especially if a resulting breach targets personally identifiable information. In 2018, 14.9 billion raw identity records were circulated around underground web communities—a 71% increase from the previous year. Despite this clear risk to organizations and their users, comprehensive offboarding is a task that’s often overlooked.

To mitigate this risk, enterprises can automate the process of onboarding and offboarding their users. Employing automated lifecycle management processes will also better prepare enterprises for managing users from outside of their organization, which brings a whole host of new challenges.

Secure your house, so you can (safely) welcome visitors

As an organization grows, its need for an extensive network of vendors and partners also grows. As a result, external users from third-party entities require quick and easy access to systems and applications when a project begins—and that access needs to be revoked as soon as the project ends. In practice, this is easier said than done.

At most organizations, internal employee accounts are tightly controlled by their HR teams. When an employee is hired, HR is typically responsible for ensuring the employee is onboarded on the first day, and they oversee any role changes or updates during the rest of the employee’s lifecycle. Meanwhile, it is the IT team that is responsible for enacting any of these changes across the organization’s systems through a combination of manual and automated processes.

Onboarding partners and vendors, however, is often handled not by IT or HR, but by the internal teams working with those contractors (e.g., marketing or engineering). This can pose several problems, including:

  • Multiple exceptions to HR and IT’s tightly controlled onboarding process
  • A heightened possibility of security concerns and overspending 
  • An increased number of credential theft attacks made on remote connectivity methods like VPNs

These concerns make it important for enterprises to develop standard practices for managing partner user access.

Removing former tenants’ access

User experience across the employee lifecycle needs to be seamless for external users, while still mitigating any security vulnerabilities that come with handling external user identities. 

If the partner or vendor is a large organization, they are likely able to handle user lifecycles carefully and deactivate accounts through their own Active Directory or identity provider—and they can be contractually tasked to do so. But not all vendors are this sophisticated, which means organizations need to be able to take on the burden of onboarding and offboarding external users from companies at various stages of identity management maturity. In order to do this effectively, you might need to put partner and contractor accounts into your own Okta tenant, for instance, and manage their termination in a systematic way. This can be done by implementing one of the following techniques: 

Scheduled suspensions: Businesses can automatically develop conditions, evaluate, and revoke user privileges that have been assigned to a specific group or project on a scheduled basis. For example, on December 31, 2019, the business can check if any users remain present within specific contractor groups and, if their projects have ended, suspend their account and remove their access.

Inactivity-based suspension: It’s also possible to identify users that have been inactive within certain timeframes and automatically suspend them. The business can write a condition that checks for inactive users within groups and routinely revoke or suspend their access to applications. 

Companies can also deploy a comprehensive meta-directory that holds both user accounts and groups. Within Okta’s Universal Directory (UD), groups play a big role as they are used to assign access to apps and help differentiate between internal and external users. 

When it comes to handling external users, Okta UD can import user data from various identity systems, even if a partner is using on-premises software like Active Directory. In Okta’s UD, IT admins can create custom attributes and group rules for different user types—or feed them into scheduled or inactivity-based suspension policies—making it easy to set automated deprovisioning policies for partner and contractor resources. As a centralized source of truth, UD can show the status of each user, giving IT the opportunity to evaluate permissions and disable user profiles that no longer need access.

Managing access to internal networks and systems is already difficult, so extending access to outside, third-party users using unfamiliar devices from unknown locations only complicates the task. Enterprises need to make user privileges a top priority and ensure access is always secure, especially when it’s from outside the perimeters of their corporate network.

Maintaining a secure household

When your handyman and plumber finish fixing the leaky pipe, they no longer have access to your house. Automating the onboarding and offboarding of user accounts for external contractors and vendors helps companies follow that same premise. As businesses continue to expand their network of third-party providers, an automated lifecycle management system will help keep them secure.

Want to learn more about what you can do to provide secure access to your vendors and partners? Read our whitepaper on the subject.

Aaron Yee
Aaron Yee
Sr. Technical Product Marketing Manager

Aaron Yee joined Okta in 2012 as the company's first Professional Services consultant. In that role, he implemented Okta for many early customers and saw how they stretched Okta’s capabilities. He subsequently joined the Product Marketing Team to continue shaping the product for modern user lifecycle management requirements. Prior to Okta, Aaron was a consultant for civilian and DoD agencies in DC, where he designed & implemented solutions to manage user lifecycles. Aaron has a BA in Computer Science from Brown University and an MBA from the University of Virginia. He lives in San Francisco and enjoys sailing, snowboarding, tinkering with cars, and rooting for the hopeless 49ers.

Follow Aaron Yee icon LinkedIn
Daniel Lu
Daniel Lu
Product Marketing Manager, Single Sign-On

Daniel Lu is a Product Marketing Manager at Okta focused on Okta’s Single Sign On product. He’s responsible for growing the Single Sign On business and takes every opportunity to discuss why Okta has the best Identity and Access Management platform in the market. Daniel has focused his career on scaling great businesses. Prior to Okta, Daniel was part of business strategy at Adobe and before that, he co-founded a golf company.

Daniel holds an MBA from Northwestern University and a BS in Electrical Engineering from University of California, Davis. He’s a rare Bay Area native and currently lives in San Francisco. When he can, Daniel tries to make time for international travel, new restaurants, and exercise.