Avoiding Identity and Access Risks for Franchisor’s Non-Employees with SailPoint NERM


A robust identity control solution for enterprise franchisors. Reduce the chaos, costs, and risk of providing access to non-employee franchisee, suppliers and vendors.

Introduction

The franchise business model’s appeal is simple. A buyer (franchisee) can purchase the template and branding of a company (franchisor) that is already established, greatly reducing planning, the time before the front doors open, and investment risk. While the franchise model’s unique structure continues to evolve and remains sensitive to local, regional, and global economic swings, statistics prove its success and sustainability. In 2021, the projected number of franchise establishments was expected to grow to a record 780,180, an increase of 3.5%, and add nearly 800,000 new jobs.

Franchisors’ support and control over their franchisees vary greatly. Regardless, franchisees are business owners, and they do have choices when it comes to running their business, including the employees they hire and how they manage them. Their control is not the same as that of an independent business owner, yet arguably, this is the primary reason why the franchise success rate is approximately 8% higher than that of independent businesses.

Not All Franchises are Created Equal, but the Identity and Access Challenges They Create Are

Franchise.com describes the five main types of franchises: job, product, business, investment, and conversion. While the risk, investment, complexity, and business goals differ among all these franchise types, the franchisor’s processes and third-party, non-employee risks remain virtually the same.

The franchisor typically provides the franchisee with streamlined management practices and processes that the franchisee and its employees are expected to follow, both to provide a consistent experience for the consumer and to achieve a high level of performance that protects the brand’s reputation and ensures financial success. Franchisees may also be provided products and services, training, and trademark licensing. In addition, franchisees and their employees are generally granted digital access to the franchisor’s vendor and supply chain management systems, proprietary knowledge, invoicing, customer data, and more.

And while franchisee employees may need similar access as some franchisor employees, they are, in fact, still external and considered extended enterprise employees. This means managing their identity and access is no less challenging – or that they carry less risk – than managing more “traditional” third-party workers such as vendors, suppliers, and contractors.

A Chaotic Process

The franchisor’s business processes for accurately identifying all extended enterprise workers (franchisee employees, suppliers, vendors, contractors, and more) who require access, and provisioning access to their systems, are often chaotic and convoluted. Typically, a franchisee’s identity and subsequent access request is managed and executed by a large, internal team at the corporate level.

This process is known to be highly manual, complex, and time-consuming, even among franchisors who utilize identity governance and administration (IGA) tools or homegrown systems. Because these systems are generally unable to effectively associate the relationship of the individual user requesting access to the organization, the franchisor’s ability to accurately identify and appropriately provision the user’s access is cumbersome at best, and sometimes, nonexistent. This leaves franchisors spending excessive amounts of time and money managing a process that is not only inefficient but exposes them to greater cybersecurity risk.

This white paper explains how SailPoint NERM (Non-Employee Risk Management) is uniquely suited to address the challenges franchisors face when providing large populations of extended enterprise workers with appropriate and time-specific access to their systems. SailPoint NERM addresses the identity and risk challenges faced by franchisors when managing franchisee employees, vendors, and suppliers. It outlines how SailPoint NERM improves operational efficiency, reduces costs, enhances the user experience, and decreases cyber risk for franchisors and the franchises they support.

The Challenges – Managing Identity and Access Risk of Your Extended Enterprise

Franchisee Employees

The perception that the franchise business model is a less risky venture than a traditional independent business is mostly true; however, there is one large caveat. The fate of the franchisor and the franchisee isn’t entirely in their own control; each is dependent on the other. While franchisees benefit from the proven processes and brand recognition of the organization whose franchise they purchased, franchisors are dependent on the franchisees and their employees to abide by the rules and agreements put in place to run their business operations smoothly.

In March 2020, Franchise Local reported, “Across the globe, one in seven businesses is a franchise – which equates to around two million franchised companies, employing 19 million people.” In addition to the franchisor’s employees, that’s an enormous number of external identities (franchisee employees) and system access requests. The sheer volume requires a dedicated team of individuals within the franchisor’s organization to gather, review, and approve the necessary information to fulfil a single access request.

Though franchisee employees may need similar access as the franchisor’s employees, that access is rarely managed by a commercial IGA solution like those often used to manage the franchisor’s employees. This is typically because of the high costs associated with extending licensing to such a large group, the complexity of supporting the business processes, and the cost of customization required to build and sustain their access to an IGA tool.

This means shortcuts are often taken, traditional workflows are skewed, and unfortunately, risk-based due diligence is replaced by the necessity to speed up what has traditionally been a long process involving multiple stakeholders to get business moving along quickly. Further, the tools and processes used by franchisors to onboard franchisee employees and set up their access are often full of friction. This leaves franchise owners frustrated and unhappy. This frustration often precipitates concerted efforts by franchisees to shortcut or circumvent identity security processes, introducing yet another risky consequence.

Many franchisors try to implement a “delegated administration” model that allows their franchisees to manage the identity lifecycle of their own employees. In this case, the responsibility is left to the franchisee to ensure their employees are onboarded and offboarded, and that their access to the franchisor’s systems remains appropriate. Franchisors often struggle with this delegated administration. Most systems do not support appropriate permissions to allow each franchisee visibility and control over only their employees. Further, these systems don’t appropriately define the complex relationships that exist in the franchise business model.

Most Common Mistakes in the Franchisor’s Identity and Access Management Processes for Franchisee Employees

Franchisors face several challenges when provisioning franchisee employee access. The following are the most common missteps that franchisors make that often lead to time lost, excessive spending, and a third-party breach:

  1. They believe the responsibility for onboarding and managing franchisee employees can be centralized to one team, ignoring the collaboration that’s needed among external franchisees and internal franchisor stakeholders.
  2. Franchisors don’t centrally track relationships with their franchisee’s employees. For example, a franchisee employee is terminated from their position for an HR violation but is quickly employed by another franchisee at a different location. The franchisor and the franchisees have no way of viewing or monitoring this.
  3. They rely on undefined and manual processes to manage franchisee employee access to their systems and networks. These process missteps may include:
     • A lack of automated processes for onboarding, compliance audits, and offboarding, relying instead on time-consuming, error-prone manual efforts, often centralized and burdening one team.
     • Neglecting to immediately terminate access when it is no longer needed.
     • Not having an appropriate privileged-access approval process.
  4. The franchisor will manage their franchisee employees’ lifecycles by customizing an IGA system or building a fully custom, highly manual external process.
  5. They ignore the insider risk threat that franchisee employees pose to data security.

Failure to Treat Franchisees as Customers

Franchisors sometimes fail to remember that franchisees are also their customers. The franchisor has an obligation not only to protect the franchisee’s interests (including their personally identifiable information (PII) and financial information) but, as with any business-customer relationship, to ensure their customer is satisfied. In addition to clear communication, the simplest way to achieve this is through streamlined and secure processes firmly in place at the beginning of the relationship. This includes ensuring efficient onboarding of the franchisee, straightforward onboarding of their employees, regular validation of organizational relationships, identities, and access, as well as the timely termination of access when the time comes. Any chaos or breakdown in these processes can lead to a dissatisfied customer and wreak havoc on the franchisor/franchisee relationship.

Franchise Third-Party Vendors, Suppliers, and Contractors

To succeed, franchisors also rely heavily on a vast network of third-party suppliers, vendors, contractors, and even non-humans. Most franchisors and franchisees utilize the same vendors, suppliers, and support platforms. It’s smart. It leads to deeper discounts, better service, and consolidation of information for everyone involved. However, this requires franchisors to provision access to their systems and data to hundreds – sometimes even tens of thousands – of individual franchisee employees, PLUS, their third-party suppliers, vendors, and contractors.

As the adage goes, time is money. And onboarding third parties is costing franchisors a lot of money. According to Spend Matters, it can take 3-6 months to onboard a new supplier. This is because each new supplier adds multiple layers of risk (operational, reputational, data security and privacy, compliance, regulatory), so several internal functions (e.g., procurement, legal, infosec, compliance) need to get involved to mitigate those risks.

Most Common Mistakes in the Franchisor’s Identity and Access Management Processes for Vendors, Suppliers, Contractors

Franchisors face unique challenges when provisioning their extended enterprise (third parties, vendors, suppliers, contractors, and others) access to their networks, applications, or facilities. The following are the most common missteps that franchisors make that often lead to a third-party breach:

  1. They rely on undefined and manual processes to manage extended enterprise worker access. These process missteps include:
     • A lack of automated processes for onboarding, compliance audits, and offboarding, instead relying on time-consuming and error-prone manual efforts.
     • Neglecting to immediately terminate access when it is no longer needed by an extended enterprise worker.
     • Evaluating risk at the third-party’s organization level, and NOT at the individual identity level.
     • Failure to regularly revalidate the identity throughout their lifecycle.
     • Not having an appropriate privileged-access approval process.
     • Allowing over-provisioned access and orphaned accounts to exist with little or no transparency surrounding them.
  2. Franchisors don’t centrally track relationships with their numerous third-party users, nor the system access or data points that they require. This leads to an inaccurate user count and a murky understanding of which information third-party users can access, change, or collect.
  3. They believe the responsibility for onboarding and managing this diverse group of external workers belongs solely to an identity team or an HR team, ignoring the collaboration that’s needed among multiple internal and external stakeholders.
  4. They utilize a “green light/red light” approach to managing risk, rather than implementing different risk levels with appropriate security controls designed for each level.
  5. The franchisor tries to manage their extended enterprise worker identity lifecycles by customizing an IGA system.
  6. They ignore the insider risk threat that these external workers pose to their data security.

Overall, many franchisors do not understand that identity management of their extended enterprise is far more chaotic and less linear than it is for employees. Even the largest franchises often lack the thorough and automated processes necessary to manage these user identities accurately and effectively, which leads to risky access.

Cyber Risks Increasing for Franchises

Franchisors collect a large amount of contextual and personal data on franchisee employees, their customers, and their customer’s credit card information. In addition, franchisors hold a wealth of business secrets including their successful business models, proprietary knowledge, and intellectual property. To a bad actor, all this information is considered a gold mine rich for the taking, so it’s no surprise that cybersecurity threats are on the rise in franchising.

With many franchises having hundreds (some tens of thousands) of locations worldwide, the franchise system has a substantial attack surface. The technology systems franchisors use are inextricably linked to their franchisees. This means a franchisor’s greatest risk of a breach comes from the “insider threat.”

In fact, according to an Opus and Ponemon study, 59% of companies said they have experienced a data breach caused by one of their vendors or third parties. Alarmingly, these are breaches that have occurred because the company granted privileged access to their sensitive information to someone within the organization, such as a franchisee, vendor, supplier, or contractor. The average total cost of a breach by an insider in 2022? $4.61 million.

Regardless of the size of a franchise, the franchisor, franchisee, and their vendors, suppliers, and contractors share connected domains of trust and risk, both relying on the other to maintain the highest level of protection to ensure data security. A franchise system is only as secure as the users accessing the system. This typically means there are a lot of weak links in even the smallest franchise – every device, every user, and every point of access could be a potential way in. If one party is breached, the entire franchise system’s data, reputation, and revenue are at risk. Identifying who should have access, when they should have access, and why they have access to systems and information is key to mitigating the threat of a breach.

Franchise Compliance, Institutional Mandates, and Reporting

Certain franchise types must navigate different regulatory and reporting requirements. They may be responsible for local, state, federal, or institutional mandates to conduct business. Franchisors working with global franchise locations or even those across state lines may be saddled with a different set of rules (SOX, GDPR, GLBA, FERPA, CCPA, more) associated with managing identities and access permissions to their systems and data.

SailPoint NERM addresses these challenges with a comprehensive solution that provides visibility, automation, and scale for managing the extended enterprise.

Ensuring that regulatory and legal requirements are met requires the franchisor to have complete visibility into all access, both internal and external, at the identity level. This is achieved through:

Consistency

It is necessary to have consistent, updated risk assessments over the lifecycle of the third-party non-employee. Risk is organic, fluid, and relies on numerous factors that can impact a risk score; when something changes, the risk score will move up or down. Identity validation – the process of collecting, validating, and verifying that information about a person is correct – at regular intervals is pivotal to ensure that if access needs to change, it is done so in a timely fashion. For example, a user may still require access to a system, but not the same level of access as he/she had at a previous point in time.

Context and Continuity

Given the natural changes in a business that occur over time, franchisors should periodically re-evaluate each extended enterprise worker. These periodic evaluations should be in the same likeness as the original assessment to ensure continuity in rating/scoring. Yet, it must also be contextual, accounting for changes in services and processes.

Behavioral Analytics

While being vigilant for anomalous human behavior such as access from unexpected locations or at odd times of the day is still considered a best practice, the rapid rise in remote work due to the pandemic has placed even more pressure on ensuring the validity of a user’s identity. Unfortunately, behavioral analytics are not as reliable of a threat indicator as they once were. As a result, the importance of frequent re-validation of identity (not just the account) and access status has become paramount to proactively managing the full identity lifecycle and safeguarding data.

Stacked Verification

Extended enterprise account inactivity and access removal are a cause-and-effect relationship for many franchisors. However, a layered procedure for off-boarding these users allows for proactive maintenance or termination of user access. Regular revalidation also helps franchisors gauge identity-level risk. There are three layers of verification to consider:

  • Layer 1 (Inactivity Reports): If a user has not accessed the franchisor’s system or data for a certain amount of time, access is deactivated. This level of verification should be considered the last resort for access removal because it leaves an account vulnerable during the inactive period.
  • Layer 2 (Risk-Dependent Validation): Contingent upon the user’s risk level, validation is set to occur automatically on a weekly, monthly, or other predetermined basis. This includes finding out who the user’s sponsor, hiring manager, or external vendor manager is and distributing the responsibility of maintaining the user’s records.
  • Layer 3 (Self-Attestation): Emailing the user on a weekly, monthly, or other appropriate schedule to confirm their job status is self-attestation. The attestation notification goes to the user’s email address, so responding through this process verifies their outside employment status (since the user would still have access to their email account).

Continuous Monitoring

A lot can happen to a third-party between annual control-based risk assessments that can impact compliance posture. That’s why it is important to continuously monitor for:

  • Cybersecurity incidents like an active breach.
  • Cybersecurity vulnerabilities such as exposed credentials for sale on the Dark Web.
  • Adverse media and negative news that may impact reputation.
  • Financial performance to evaluate the health of third parties.

Critical to risk management is incorporating these continuous monitoring insights into regular decision-making, correlating findings with regular controls-based assessments, and mapping the results to compliance frameworks to prove appropriate processes are in place.
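As an added illustration (not SailPoint NERM code, and not from the white paper), the following Python models the three stacked verification layers above together with a risk score that moves with the continuous-monitoring findings the page lists, so the revalidation cadence follows the identity’s risk tier. Tier thresholds, intervals, finding weights and the sample population are constructed assumptions.

```python
"""Added example, not SailPoint NERM code or text from the white paper.

Models a risk-dependent revalidation cadence, the three stacked
verification layers, and continuous-monitoring findings that move a
risk score. Thresholds, intervals, weights and sample identities are
constructed assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed cadence per risk tier for Layer 2 (sponsor validation) and
# Layer 3 (self-attestation); higher risk means more frequent checks.
SPONSOR_VALIDATION_INTERVAL = {"high": timedelta(days=7), "medium": timedelta(days=30), "low": timedelta(days=90)}
SELF_ATTESTATION_INTERVAL = {"high": timedelta(days=14), "medium": timedelta(days=30), "low": timedelta(days=90)}
# Layer 1 (inactivity report): treated as the last resort, so checked last.
INACTIVITY_LIMIT = timedelta(days=90)

# Continuous-monitoring signals from the page with assumed score impact (0-100 scale).
FINDING_WEIGHTS = {"active_breach": 50, "exposed_credentials": 30, "compliance_violation": 25,
                   "adverse_media": 10, "financial_distress": 10}
# Findings that warrant an immediate status change rather than a scheduled check.
IMMEDIATE_SUSPEND = {"active_breach", "exposed_credentials"}


@dataclass
class NonEmployee:
    """One extended-enterprise identity (franchisee employee, vendor, contractor)."""
    name: str
    sponsor: str                  # internal owner who answers Layer 2 validation
    base_score: int               # score from the onboarding risk assessment
    last_access: date
    last_sponsor_validation: date
    last_self_attestation: date
    findings: list = field(default_factory=list)


def risk_score(person: NonEmployee) -> int:
    """Base score plus weighted monitoring findings, capped at 100."""
    return min(100, person.base_score + sum(FINDING_WEIGHTS.get(f, 0) for f in person.findings))


def risk_tier(score: int) -> str:
    """Map a score to a tier; the thresholds are assumptions."""
    return "high" if score >= 70 else "medium" if score >= 40 else "low"


def next_action(person: NonEmployee, today: date) -> dict:
    """Decide what the revalidation process should do for one identity today.

    Proactive layers (2 and 3) run before the inactivity layer (1) because
    inactivity-based removal leaves the account exposed while it waits.
    """
    score = risk_score(person)
    tier = risk_tier(score)
    result = {"name": person.name, "score": score, "tier": tier}
    urgent = IMMEDIATE_SUSPEND & set(person.findings)
    if urgent:
        result.update(action="suspend", reason=sorted(urgent))
    elif today - person.last_sponsor_validation > SPONSOR_VALIDATION_INTERVAL[tier]:
        result.update(action="sponsor_validation", assignee=person.sponsor)
    elif today - person.last_self_attestation > SELF_ATTESTATION_INTERVAL[tier]:
        result.update(action="self_attestation", assignee=person.name)
    elif today - person.last_access > INACTIVITY_LIMIT:
        result.update(action="deactivate_inactive")
    else:
        result.update(action="none")
    return result


def run_review(people: list, today: date) -> dict:
    """Run next_action over a population and index the outcomes by name."""
    return {p.name: next_action(p, today) for p in people}


# Constructed sample population (identifiers and dates are made up).
SAMPLE_POPULATION = [
    NonEmployee("fe-001", "ops-mgr", 20, date(2024, 5, 20), date(2024, 4, 1), date(2024, 5, 15)),
    NonEmployee("vendor-017", "procurement", 50, date(2024, 5, 30), date(2024, 4, 15), date(2024, 5, 28), ["adverse_media"]),
    NonEmployee("contractor-042", "infosec", 20, date(2024, 5, 31), date(2024, 5, 30), date(2024, 5, 30), ["exposed_credentials"]),
    NonEmployee("fe-099", "ops-mgr", 10, date(2024, 2, 1), date(2024, 5, 25), date(2024, 5, 25)),
]


def review_sample() -> dict:
    """Review the constructed population as of an assumed date."""
    return run_review(SAMPLE_POPULATION, date(2024, 6, 1))


if __name__ == "__main__":
    for name, outcome in review_sample().items():
        print(f"{name:15} tier={outcome['tier']:6} action={outcome['action']}")
```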

The Solution – How SailPoint NERM Solves the Operational and Risk Challenges Caused by Both Franchisee Employees and Extended Enterprise

Franchisors that utilize manual processes or homegrown systems (and/or IGA tools) to administer extended enterprise access face the tough task of accomplishing a time-consuming, expensive, and complex process within a system that isn’t built for the unique needs of the franchise business model.

SailPoint NERM’s Intelligent Identity Authority solves the business problems franchisors face by providing complete identity control of their entire non-employee population.

SailPoint NERM is the only commercial solution on the market that:

  • Natively supports the identity needs of all a franchisor’s extended enterprise (franchisees, vendors, suppliers, contractors, and more) without requiring extensive customization.
  • Grants relationship-based access and/or permission-based access, enabling user-appropriate data visibility and process capabilities so that any external worker can perform his/her tasks within a dedicated portal.
  • Automates identity lifecycle processes based on the identity’s role, and segregates identity details for each franchise, vendor, and supplier, which ensures swift, accurate onboarding, revalidation, and termination of access.
  • Supports the visibility of every country, state, franchise, and line of business difference by clearly defining the relationships between the franchisor and franchisee, supplier, or other vendors, allowing for easier regulatory compliance.
  • With SecZetta, a franchisor can apply a higher standard of control and care that aligns with their corporate risk strategy across their entire franchise establishment while eliminating the need to try and meet every level of compliance demand separately.

SailPoint NERM provides an intuitive and business-friendly user experience that requires no training or learning curve. A simple drag-and-drop, no-code configuration allows non-technical administrators to quickly build a form to capture all the contextual information the franchisor desires. This information can be specific to a franchisee employee, a particular supplier, or a unique line of business, by demographics, a vendor, or any combination of these.

Leveraging SailPoint NERM to Automate Identity Processes, Reduce Breach Risk, and Streamline Compliance Requirements

SailPoint NERM works to close the critical gaps threatening a franchisor’s assets by eliminating the challenges associated with managing extended enterprise relationships by providing rich, reliable identity data that the franchisor would otherwise be unable to track.

Risk scores can be adjusted in concert with the franchisor’s third-party risk management assessments and continuous threat monitoring data, enabling IT security teams to fine-tune non-employee access as their risk levels change. SailPoint NERM can automatically adjust a non-employee’s status based on security incidents, exposed credentials, compliance violations, and other franchise-level risks identified by the franchisor.

Key security benefits include:

  • The ability for a franchisor to make informed access decisions by correlating risk scores between third-party vendors, suppliers, and their employees.
  • Quick incident response to external threats with continuous risk intelligence.
  • A simplified, unified approach to non-employee identity, lifecycle, and risk management.
  • Substantial reduction in risks associated with third-party breaches.

SailPoint NERM’s Intelligent Identity Authority enables franchisors to execute risk-based identity and access lifecycle strategies. Because the solution suite is purpose-built, it’s uniquely able to manage the complex relationships franchisors have with their franchisees, suppliers, and vendors in a single, easy-to-use application that simultaneously helps facilitate commercial initiatives, support regulatory compliance, and reduce third-party risk.

IDMWORKS Will Meet You at any Point in Your Identity Journey, and Elevate Your IAM Practice with Simplicity, Agility, and Clarity.

IAM sits squarely at the center of a resilient, modern cyber security program. To succeed, security leaders must embrace an integrated, adaptable, and holistic approach. No matter where you are in your identity security journey, you don’t have to make the climb alone. IDMWORKS brings the team of identity and security experts you need paired with a proven approach to deliver a transformative identity security program that will shine in the board’s security spotlight. Here’s How…

Guide

IDMWORKS’ expert advisors are IAM advisory pioneers bringing the “been-there-done-that” wisdom and guidance you need to scale new IAM peaks. We assess your identity landscape and craft the right identity security strategy to elevate your IAM game, improve your cyber security resilience, and deliver against digital customer engagement initiatives.

Launch

For nearly two decades the IDMWORKS delivery dream team have been forging new IAM paths through unimaginably complex identity landscapes. Along the way, they’ve elevated and modernized identity security programs for 1000+ clients, delivering over 2,500 successful identity engagements across everything from internal IAM programs to highly complex integrated workforce and consumer IAM transformations.

Manage

IDMWORKS offers a simplified approach to solving the complex needs of a modern identity security program: Environment and business-specific expertise from within your organization + IAM and security industry knowledge + operational excellence + rapid scalability as your Managed Security Services Partner (MSSP). Legacy MSSPs miss the mark because they do not know identity, and identity consultants are not skilled in delivering managed services.

People, Process, and Technology are the three pillars of all engagements. The IDMWORKS team focuses solely on identity and access management, working with organizations to address their entire cyber risk journey. Our experts have spent decades as IAM thought leaders, successfully delivering over 2500 IAM programs to both businesses and consumers. We have walked a hundred miles in your shoes, now take a break and leave it to your journey partner, IDMWORKS.

Conclusion – The franchise business model is heavily reliant on its franchisees and their extended enterprise to operate, which means increasing numbers of third parties who require access to the franchisor’s systems and valuable data.

These external users often receive access through wasteful, time-consuming processes and without consideration for the individual risks they pose to the franchise. This haphazard approach to extended enterprise identity lifecycle management and company-level risk opens the front door wide to data breaches, operational inefficiencies, excessive spending, compliance violations, poor customer service, and other business disruptions.

IDMWORKS will show you how it integrates SailPoint NERM to make life easier for CIOs and CISOs tasked with securing an environment populated by non-employee outsiders and third-party users. SecZetta delivers a solution that provides visibility, automation, and scale in reducing the chaos, costs, and risk associated with managing a franchisor’s extended enterprise and is certain to please the franchisee customer.

This blog post was written in collaboration with our partner Sailpoint NERM’s white paper “Reduce the chaos, costs, and risk of providing access to franchisee, suppliers and vendors. A robust identity control solution for franchisors.”