Best Practices for Contractor Access

Contractors and other temporary workers are an integral part of today’s business structure. In many cases it’s easier and more cost-efficient to hire a contractor for a specific position for a period of time rather than take on a permanent employee, especially in government agencies. Providing access to applications and data for contractors can be particularly challenging for large organizations. In many cases, these users fall outside of traditional identity and access management processes. But not proactively addressing access throughout the lifecycle of a temporary user can result in data breaches as contractors can sometimes be an easy way in for hackers. It doesn’t have to be this way.

Organizations can use straightforward best practices to mitigate the risks that come with temporary employees and their access:

  • Centralize visibility: implementing a system, such as an identity and access management program, that lets IT and business managers see all the access a contractor has helps ensure contractors have only the access they need and nothing more.
  • Execute a risk-based approach: since contractors pose a higher security risk to the organization (they don’t have the same relationship with it as a long-term employee), create an identity risk model that highlights contractor access so you can see where the hot spots are. The risk model can even include attributes such as whether a particular contractor is also working with a competitor.
  • Automate on- and off-boarding: when a contractor starts with the organization, their access to the appropriate systems should be provisioned automatically based on their job role or specific project. A contractor usually has a defined end date, so attach an expiry date to their access that automatically requests approval for an extension of their access rights or terminates the access altogether.
  • Regularly verify access: entitlement creep is a dangerous thing. If a contractor’s term is extended or their role changes, verify their access on a regular basis to ensure there are no separation-of-duty violations. This is especially true once a contractor leaves; simply turning off network access is not enough. Focus on entitlements and application-level access rather than just the network. This also protects the organization in case the contractor returns on a future project.
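The four practices above map onto a handful of checks an IAM program can run over its entitlement data: a per-contractor view, a risk score that weights privileged grants and competitor affiliation, expiry-driven extension requests and revocation, and a separation-of-duty sweep. The script below is an added example, not code from the original article or from any particular IAM product; the contractor names, applications, entitlements, dates and risk weights are constructed sample values, and the toxic pair in `TOXIC_PAIRS` is a hypothetical SoD rule.

```python
"""Contractor access lifecycle checks: central view, expiry, risk score, SoD.

Added example with constructed sample data (not from the original article).
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Entitlement:
    user: str
    application: str      # system the grant lives in, e.g. "ERP" or "VPN"
    role: str             # application-level entitlement, not just network access
    expires: date         # contract end date carried onto every grant
    privileged: bool = False


@dataclass(frozen=True)
class Contractor:
    user: str
    project: str
    works_for_competitor: bool = False


# Hypothetical separation-of-duty rule: holding both halves is a violation.
TOXIC_PAIRS = {
    ("ERP", "create_vendor"): ("ERP", "approve_payment"),
}


def access_for(entitlements, user):
    """Centralized visibility: every grant a contractor currently holds."""
    return sorted((e.application, e.role) for e in entitlements if e.user == user)


def expired_grants(entitlements, today):
    """Off-boarding: grants whose expiry date has already passed."""
    return [e for e in entitlements if e.expires < today]


def expiring_within(entitlements, today, days):
    """Grants due to expire soon, i.e. candidates for an extension approval request."""
    horizon = today + timedelta(days=days)
    return [e for e in entitlements if today <= e.expires <= horizon]


def sod_violations(entitlements):
    """Users holding both halves of a toxic pair, regardless of how it was granted."""
    held = defaultdict(set)
    for e in entitlements:
        held[e.user].add((e.application, e.role))
    found = []
    for user, grants in held.items():
        for a, b in TOXIC_PAIRS.items():
            if a in grants and b in grants:
                found.append((user, a, b))
    return sorted(found)


def risk_score(contractor, entitlements, today):
    """Simple additive risk model; the weights are illustrative, not a standard."""
    score = 0
    for e in entitlements:
        if e.user != contractor.user:
            continue
        score += 3 if e.privileged else 1   # privileged grants weigh more
        if e.expires < today:
            score += 5                       # access outliving the contract is a hot spot
    if contractor.works_for_competitor:
        score += 10
    return score


def offboard(entitlements, user):
    """Revoke every application-level grant, not only the network/VPN entry."""
    return [e for e in entitlements if e.user != user]


# Constructed sample data.
TODAY = date(2024, 6, 1)
CONTRACTORS = [
    Contractor("c.alice", "ERP migration"),
    Contractor("c.bob", "network audit", works_for_competitor=True),
]
GRANTS = [
    Entitlement("c.alice", "VPN", "remote_access", date(2024, 9, 30)),
    Entitlement("c.alice", "ERP", "create_vendor", date(2024, 9, 30)),
    Entitlement("c.alice", "ERP", "approve_payment", date(2024, 9, 30), privileged=True),
    Entitlement("c.bob", "VPN", "remote_access", date(2024, 3, 31)),
    Entitlement("c.bob", "NetMon", "admin", date(2024, 3, 31), privileged=True),
]

if __name__ == "__main__":
    for c in CONTRACTORS:
        print(c.user, "risk", risk_score(c, GRANTS, TODAY), "holds", access_for(GRANTS, c.user))
    print("expired:", [(e.user, e.application, e.role) for e in expired_grants(GRANTS, TODAY)])
    print("SoD violations:", sod_violations(GRANTS))
    remaining = offboard(GRANTS, "c.bob")
    print("after off-boarding c.bob:", access_for(remaining, "c.bob"))
```

Run as-is, the report shows c.bob as the hot spot (expired privileged grants plus a competitor flag) and c.alice with a separation-of-duty conflict despite every grant still being in date, which is exactly the case a network-only check would miss.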

As today’s workforce becomes even more distributed and transactional, it becomes ever more important to always know the answer to “Who has access to what?” in your organization.