
Why legacy access models fail, and how modern identity platforms are redefining third-party risk.
As a long-time CISO who previously led B2B and third-party connectivity technology service teams, I’ve witnessed firsthand how third-party access remains one of security’s most persistent challenges. Despite advancements in managing employee access, organizations continue to struggle with over-provisioned and under-governed access for vendors, contractors, and partners. This recurring issue demands urgent attention from security leaders.
The Wake-Up Call
Every major breach investigation starts with the same question: “Could a third party have been involved?” This isn’t paranoia – it’s pragmatism. Across the globe, third-party access continues to be one of the most exploited and least governed attack surfaces.
Third-party access has been implicated in countless high-profile breaches, with real-world consequences on both sides of the Atlantic. In North America, Microsoft’s Midnight Blizzard attack in 2024 compromised sensitive U.S. government data through a third-party vulnerability. AT&T suffered a similar fate when a cloud vendor breach exposed millions of customer records. In the EU, regulatory fines under GDPR have been levied following vendors’ mishandling of personal data, reinforcing that organizations are accountable for the access they extend, even when it’s someone else’s mistake.
Alarmingly, 59% of organizations report breaches tied to over-permissioned third-party identities. And yet, effective access controls remain elusive. Why? Because traditional identity & access management models weren’t designed for the scale, diversity, and velocity of today’s third-party relationships.
The reality is stark: most organizations over-provision access to vendors, contractors, and partners. It’s rarely intentional or negligent. More often, it’s a symptom of the complex, fast-moving nature of modern business relationships. When a critical project needs to move forward, the path of least resistance often wins – and with it, excessive permissions that linger long past their expiration date.
The Modern Complexity
Digital transformation and data supply chains have exponentially increased the number and diversity of third-party touchpoints. Enterprises today now manage a growing web of partnerships, each requiring varying levels of identity access. Yet many organizations still rely on the same outdated, one-size-fits-all controls.
Five Common Types of Third-Party Access:
- Outsource partners requiring direct system access
- Hosting partners managing dedicated systems
- Service providers delivering business outcomes
- Data exchange partners integrating supply chains
- Collaboration partners working on joint initiatives
Each relationship demands different access patterns, but traditional tooling often can’t support this nuance. VPNs, shared accounts, or full virtual desktop infrastructure (VDI) environments remain the go-to blunt instruments in an era that demands surgical precision.
These approaches are inherently misaligned with Zero Trust principles. They obscure visibility, hinder accountability, and create persistent blind spots.
Consider this: one global financial services firm discovered that over 60% of their third-party users still had active VPN access months after their contracts had ended. This was not negligence or ill intent; their identity and access framework simply didn’t track third-party lifecycle events with enough granularity.
In today’s environment, that level of exposure isn’t just risky — it’s unsustainable.
The Hidden Costs of Over-Provisioning
One often-overlooked aspect of third-party access is the unnecessary provisioning of basic IT services — a quiet, compounding cost that hits both the bottom line and the security posture. In many enterprises, third-party users are automatically granted:
- Corporate email accounts
- Office productivity licenses
- Web conferencing accounts
- Virtual desktop infrastructure (VDI) access
- Collaboration tool licenses
This creates four costly problems:
License Waste and Redundancy
Organizations often pay twice: once through third-party contract overhead (which includes IT services), and again through direct licensing of tools these users already have via their primary employers. VDI environments, in particular, represent 2–3x higher cost per user compared to browser-based or limited-scope alternatives.
Identity Sprawl
Every new account creates another identity to manage, expanding the attack surface and diluting governance clarity. Why issue new email or productivity accounts when the user already has employer-provided credentials?
Security Complexity
Multiple identities and tools obscure the audit trail. Which identity accessed which file? Which platform contains the final version of shared data? The more accounts in play, the harder it becomes to enforce policy or respond to incidents.
Integration Overhead
IT teams burn cycles configuring and maintaining non-essential services — efforts that could be redirected to hardening core business integrations or accelerating time-to-value for critical projects.
Breaking the Cycle
Breaking free from ineffective third-party access practices requires more than a new policy — it demands a fundamental shift in mindset and approach.
Security teams are under pressure to reconcile fast-moving business demands with increasingly stringent control expectations. This isn’t just a tooling issue; it’s an operational challenge. Most organizations lack the unified visibility and behavioural intelligence required to confidently manage third-party identities at scale.
To move forward, modern third-party identity security should include:
Comprehensive Visibility
Start by understanding the current state. This means mapping all relationships between third-party identities, entitlements, and resources across the entire technology stack – cloud platforms, SaaS applications, and data systems. Organizations can’t secure what they can’t see.
Real-Time Intelligence
Move beyond point-in-time access reviews. Modern environments require continuous monitoring of access patterns and usage. This helps identify excessive permissions, dormant accounts, and potential risks before they become incidents.
Automated Governance
Scale your access governance through automation. Use machine learning to understand normal access patterns and flag anomalies. Automate access certifications based on actual usage data rather than manual reviews that often default to “approve all.”
Least Privilege by Default
Implement granular access controls that align with business needs. This means moving away from role-based access control (RBAC) alone and embracing attribute-based access control (ABAC) principles that consider context, behaviour, and risk.
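To make the RBAC-versus-ABAC distinction concrete, here is an added example (not the author’s framework and not any vendor’s product logic) that evaluates the same request both ways. The attribute names (relationship, contract_end, projects, sensitivity, managed_device), the sample identities and the policy rules are all assumptions constructed for illustration; a role-only check grants whatever the role maps to, while the attribute-based check also looks at contract state, project assignment, data sensitivity and session context, and returns a reason with every deny so the decision is auditable.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Added illustration with constructed data and a hypothetical policy; it is not
# the author's framework or any vendor's product logic. Attribute names
# (relationship, contract_end, projects, sensitivity, managed_device) are assumptions.


@dataclass(frozen=True)
class Subject:
    user_id: str
    relationship: str                     # "employee", "contractor", "outsource_partner", ...
    contract_end: Optional[date] = None   # None for employees or untracked third parties
    projects: frozenset = field(default_factory=frozenset)
    mfa_verified: bool = False


@dataclass(frozen=True)
class Resource:
    name: str
    project: str
    sensitivity: str                      # "internal" or "confidential"


@dataclass(frozen=True)
class Context:
    today: date
    managed_device: bool


def rbac_decision(subject: Subject, resource: Resource, role_map: dict) -> bool:
    """Role-only check: everything mapped to the subject's role is granted,
    with no regard to contract state, project assignment or session context."""
    return resource.name in role_map.get(subject.relationship, set())


def abac_decision(subject: Subject, resource: Resource, ctx: Context):
    """Attribute-based check; returns (allowed, reason) so every deny is explainable."""
    third_party = subject.relationship != "employee"
    if third_party:
        if subject.contract_end is None:
            return False, "no contract end date on record"
        if ctx.today > subject.contract_end:
            return False, f"contract ended {subject.contract_end}"
        if resource.project not in subject.projects:
            return False, f"not assigned to project {resource.project}"
    if resource.sensitivity == "confidential":
        if not subject.mfa_verified:
            return False, "confidential resource requires MFA"
        if third_party and not ctx.managed_device:
            return False, "third party on an unmanaged device"
    return True, "all attribute checks passed"


def expired_contractor_example():
    """Constructed case: a contractor whose contract ended a month ago but whose
    'contractor' role still maps to the production ledger database."""
    ctx = Context(today=date(2025, 3, 1), managed_device=True)
    alice = Subject("alice@vendor.example", "contractor",
                    contract_end=date(2025, 1, 31),
                    projects=frozenset({"ledger-migration"}), mfa_verified=True)
    ledger = Resource("ledger-db", "ledger-migration", "confidential")
    role_map = {"contractor": {"ledger-db", "ticketing"}}
    return rbac_decision(alice, ledger, role_map), abac_decision(alice, ledger, ctx)


if __name__ == "__main__":
    rbac, (abac, why) = expired_contractor_example()
    print(f"RBAC allows: {rbac}; ABAC allows: {abac} ({why})")
```

The role-based check says yes to the expired contractor because nothing in a role encodes time or relationship state; the attribute-based check denies with the reason "contract ended", which is exactly the gap the VPN example earlier in this article describes.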
Lifecycle Management
Implement robust lifecycle management processes specific to third parties. This includes automated deprovisioning when projects end and regular validation of access requirements as business relationships evolve.
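The visibility, real-time intelligence, usage-based certification and lifecycle points above come together in a review that joins three sources: the entitlement inventory, contract lifecycle records, and access logs. The following is an added example (not the author’s process and not any vendor’s tooling); the inventory, contract table and log lines are constructed, the log format and the 90-day dormancy threshold are assumptions, and the point it demonstrates is how usage evidence turns "approve all" into a concrete revoke-or-certify list, including the case from earlier in the article where VPN access is still in use after a contract has ended.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed entitlement inventory: (identity, entitlement, resource).
# Added example, not the author's process or any vendor's code.
ENTITLEMENTS = [
    ("alice@vendor.example",  "vpn-access", "corp-vpn"),
    ("alice@vendor.example",  "reader",     "s3://acme-finance-exports"),
    ("bob@hostco.example",    "admin",      "db-prod-orders"),
    ("bob@hostco.example",    "vpn-access", "corp-vpn"),
    ("carol@partner.example", "guest",      "sharepoint/joint-venture"),
]

# Constructed contract lifecycle records: identity -> (organization, contract end).
CONTRACTS = {
    "alice@vendor.example":  ("VendorCo",   date(2024, 11, 30)),
    "bob@hostco.example":    ("HostCo",     date(2025, 12, 31)),
    "carol@partner.example": ("PartnerLtd", date(2025, 12, 31)),
}

# Constructed access log; the "<YYYY-MM-DD> <identity> <resource>" layout is an assumption.
ACCESS_LOG = """\
2025-02-20 bob@hostco.example db-prod-orders
2025-02-21 bob@hostco.example db-prod-orders
2024-10-12 alice@vendor.example corp-vpn
2025-02-27 alice@vendor.example corp-vpn
2024-09-01 carol@partner.example sharepoint/joint-venture
"""


def parse_last_use(log_text):
    """Most recent access date per (identity, resource); malformed lines are skipped."""
    last = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        day = date.fromisoformat(parts[0])
        key = (parts[1], parts[2])
        if key not in last or day > last[key]:
            last[key] = day
    return last


def review_entitlements(entitlements, contracts, log_text, today, dormant_days=90):
    """Classify each entitlement as EXPIRED, DORMANT, ACTIVE or UNTRACKED and
    attach the action a usage-based certification would take plus its evidence."""
    last = parse_last_use(log_text)
    cutoff = today - timedelta(days=dormant_days)
    findings = []
    for identity, entitlement, resource in entitlements:
        org, contract_end = contracts.get(identity, (None, None))
        used = last.get((identity, resource))
        if contract_end is None:
            status, action = "UNTRACKED", "revoke"
            reason = "no contract record; lifecycle unknown"
        elif contract_end < today:
            status, action = "EXPIRED", "revoke"
            reason = f"contract with {org} ended {contract_end}"
            if used and used > contract_end:
                # Access after the relationship ended is an incident lead, not just cleanup.
                reason += f"; used on {used} after contract end, investigate"
        elif used is None or used < cutoff:
            status, action = "DORMANT", "revoke"
            reason = "never used" if used is None else f"last used {used}, over {dormant_days} days ago"
        else:
            status, action, reason = "ACTIVE", "certify", f"last used {used}"
        findings.append({"identity": identity, "entitlement": entitlement,
                         "resource": resource, "status": status,
                         "action": action, "reason": reason})
    return findings


def summarize(findings):
    """Count of entitlements per recommended action."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["action"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review_entitlements(ENTITLEMENTS, CONTRACTS, ACCESS_LOG, date(2025, 3, 1))
    for r in results:
        print(f"{r['action']:8} {r['status']:9} {r['identity']:24} {r['resource']:28} {r['reason']}")
    print(summarize(results))
```

Run against real data this would read the inventory from the identity platform, the contract end dates from the vendor management system, and last-use from SSO, VPN and cloud audit logs; the classification logic stays the same. The EXPIRED-but-recently-used case is deliberately separated from plain cleanup because it indicates a deprovisioning gap that was actually exercised.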
Smart Service Integration
Rather than duplicating IT services, focus on secure integration with third parties’ existing tools:
- Use federation and SSO capabilities to integrate with their identity providers
- Leverage built-in guest access features in collaboration platforms
- Implement secure file sharing and data exchange protocols
- Focus on securing the specific applications and data they need to access
Bottom line: Third-party identity risk requires both robust security controls and comprehensive governance. Organizations need solutions that unify visibility, context, and automation to protect sensitive data while maintaining compliance and operational efficiency.
The Path Forward
Third-party access isn’t going away—it’s growing in volume, complexity, and strategic importance. Leaders must champion a new model of identity security that balances collaboration with control, enabling the business while safeguarding critical systems and data.
The right platform can unify visibility across hybrid cloud, automate access reviews based on actual usage, and shrink the identity attack surface. But technology alone isn’t enough.
Organizational change is just as critical. Security teams must partner closely with business stakeholders to embed identity-first thinking into everyday operations—from onboarding contractors to granting temporary project access. It’s about creating a culture where visibility, accountability, and least privilege are built into the fabric of third-party collaboration.
The tools to solve this already exist. Modern solutions make it possible to govern access at scale, enforcing least privilege across hybrid environments while eliminating dormant accounts and unnecessary permissions.
It’s time to stop treating third-party access as a side project and start treating it as a core security imperative. Because every unmanaged identity is a door left open.
Whether your organization is just beginning to reevaluate third-party access or is deep into modernizing identity security, there’s a clear path forward:
- Start with the basics. Understand why access governance is foundational to managing risk and enabling secure collaboration.
- Move beyond traditional IGA. Learn the five tenets of next-gen identity governance and how they reshape what effective control looks like across hybrid environments.
- Prepare to take action. When you’re ready to implement change, use this Veza platform migration guide to structure your rollout and bring all stakeholders along for the journey.
The identity perimeter is real—and it’s only as strong as its weakest link. With the right strategy, modern tools, and cross-functional accountability, security teams can bring third-party access out of the shadows and into a governance model that’s built for the way business works today.