Non-Employee Lifecycle Management – How to Govern an External Community of Users

Non-Employee Lifecycle Management

Non-employees are becoming an increasingly essential part of today’s business workforces. Highly skilled resources are harder to find, hire, and retain, so companies look outside their own organization for the skills they need to complete projects and meet business objectives. Managing the non-employee workforce is as crucial as overseeing the internal workforce.

For various reasons, both technical and process-oriented, many companies hesitate to incorporate non-employees into their HR systems. Consequently, finding a suitable repository for these users often falls to the IT Security department. Here’s what to consider when selecting a solution.

Risks in Non-Employee Management

As security professionals, we categorize threats as either internal or external. Surprisingly, a non-employee is viewed as an internal threat. Their access privileges might differ, but they’re still considered insider threats. They’ve been granted access to internal resources and face similar vulnerabilities as regular employees. How does the organization safeguard against potential threats a disgruntled contractor might pose?

Current Organizational Practices. What are Organizations Doing Today?

The classic example seen in the industry for onboarding non-employees is a paper form submitted by a manager to an IT help desk to create an account. This manual process creates data entry errors. It is neither timely nor consistent, it is difficult to audit, and oftentimes, when asked what privileges a new user should receive, the answer is something like ‘Make them like Fred’.

If Fred’s account has too many privileges, or more privileges than the new user needs, the new user ends up with too many security rights and carries security risks that are poorly understood. As an organization and its identity management program mature, these paper forms become automated, and workflows are generated to handle them.

However, without refining the underlying procedures, automation can exacerbate issues, leading to over-privileged accounts and data inaccuracies.

Choosing the Right Solution for Non-Employee Lifecycle Management

  • When seeking a robust solution, consider options akin to human resources systems. The data model for non-employees should be extensible and account for the individual and their assignment.
  • A workflow engine needs to be part of the solution to operate on the data objects. For instance, what changes need to be made when a new assignment is created for a person, or what happens when an assignment ends? What should happen if a contract ends for an entire organization, along with the assignments of all the non-employees under that organization? Workflow engines solve this business requirement.
  • The solution should have an authorization model, because it is important to have users of different security levels doing different tasks. Who can onboard a new non-employee? Who can onboard a new organization?
  • In today’s modern IT spaces, the solution needs to work with remote APIs and be able to integrate with cloud services. It should also allow non-employees to maintain their own data. For example, it may be a requirement that all users enable SMS notifications for two-factor authentication, but mobile numbers are not collected at intake. Or, before assignments and privileges are granted, a user must agree to an acceptable use policy or complete some identity verification process.
  • The system should also have integration capabilities so that an identity management system can use it as a source of non-employee data. Policy enforcement is paramount in both the maintenance of the data and the integration with downstream systems.
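
The sketch below is an added example, not code from IDMWORKS or any product: it models the person/assignment separation from the first bullet and the "contract ends for an entire organization" workflow from the second. The class names, the entitlement labels, and the policy of disabling an account once no active assignment remains are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

@dataclass
class Assignment:
    person_id: str
    org_id: str                # sponsoring external organization
    entitlements: frozenset    # access granted by this assignment only
    end: date                  # every assignment carries an end date

    def active(self, today):
        return today <= self.end

@dataclass
class Registry:
    assignments: list = field(default_factory=list)

    def held(self, person_id, today):
        """Entitlements a person holds through assignments active today."""
        held = set()
        for a in self.assignments:
            if a.person_id == person_id and a.active(today):
                held |= a.entitlements
        return held

    def end_org_contract(self, org_id, today):
        """End all active assignments under org_id; return per-person actions."""
        hit = [a for a in self.assignments
               if a.org_id == org_id and a.active(today)]
        before = {a.person_id: self.held(a.person_id, today) for a in hit}
        for a in hit:
            a.end = today - timedelta(days=1)
        actions = {}
        for person, had in before.items():
            still = self.held(person, today)
            # Revoke only what no surviving assignment justifies; disable the
            # account when nothing remains (assumed policy).
            actions[person] = {"revoke": had - still, "disable": not still}
        return actions

def demo():
    """Constructed sample data: three people, two organizations."""
    today = date(2024, 6, 1)
    reg = Registry([
        Assignment("p1", "acme", frozenset({"vpn", "jira"}), date(2024, 12, 31)),
        Assignment("p1", "globex", frozenset({"vpn"}), date(2024, 9, 30)),
        Assignment("p2", "acme", frozenset({"vpn", "git"}), date(2024, 12, 31)),
        Assignment("p3", "acme", frozenset({"git"}), date(2024, 3, 31)),  # expired
    ])
    return reg.end_org_contract("acme", today), reg
```

Because entitlements hang off the assignment rather than the person, ending one organization's contract removes only the access that no other active assignment still justifies, which is the opposite of the "Make them like Fred" pattern.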

Conclusion

In today’s dynamic business landscape, non-employee lifecycle management is not just an option but a necessity. Ensuring a seamless, secure, and efficient process for onboarding, managing, and offboarding non-employees can significantly impact an organization’s success. With the right strategies and tools, companies can mitigate risks, enhance productivity, and foster a collaborative environment for all workforce members.

IDMWORKS Expertise

IDMWORKS boasts extensive experience in planning and implementing various technologies for non-employee management. Whether through advisory services or direct implementation, IDMWORKS can guide organizations in managing non-employees efficiently and effectively.

Author: Tim Parker, Practice Director, IDMWORKS