Third-party access

Third-party access refers to external users or organizations connecting to a company’s systems or data for business purposes. These third parties can include vendors, contractors, partners, suppliers, or service providers who are granted certain privileges within the primary organization’s IT environment. 

For example, an HVAC vendor might have remote access to a retailer’s building management system, or an outsourcing contractor might have an account to log into the company’s network. Third-party access can take many forms: issuing guest user accounts, providing VPN or portal access, API integrations, or federating an external identity (like allowing a partner’s identity provider for SSO). 

How does it affect identity security?

From an identity security standpoint, third-party access means managing identities that are not part of your enterprise’s direct workforce. This typically involves extending your IAM controls to these external identities – ensuring they are onboarded securely, given only necessary permissions, and monitored just as closely as internal accounts.

Third-party accounts often have elevated or broad access to internal systems, but the external users might not be subject to the same security policies or training as employees. This makes third-party access a significant security blind spot if not managed properly. 

Many data breaches originate through third parties because attackers target weaker links – a contractor with a reused password or a vendor with insecure network practices – to gain a foothold into a target organization. Therefore, controlling third-party access is critical: it reduces the expanded attack surface that comes with integrating external users. 

Key practices include enforcing least privilege (only give vendors access to the specific resources they require), using multi-factor authentication for third-party logins, and continuously auditing these connections. Identity security for third parties also means clearly tracking who the external users are and disabling their accounts when they no longer need access. 
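The practices above can be turned into a periodic review of vendor accounts. The following is an added example, not code from the original page: it checks a constructed list of third-party accounts for access beyond what the engagement approved, missing MFA, engagements that have ended without the account being disabled, and idle accounts. The account fields, resource names and thresholds are assumptions for illustration.

```python
"""Policy review of third-party (vendor) accounts. Added example with constructed data."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

IDLE_DAYS = 30  # assumed threshold: flag external accounts unused this long


@dataclass
class VendorAccount:
    username: str
    approved_resources: Set[str]   # what the engagement actually requires
    granted_resources: Set[str]    # what the account can currently reach
    mfa_enabled: bool
    engagement_end: date           # contract or project end date
    last_login: Optional[date]
    enabled: bool = True


def review_account(acct: VendorAccount, today: date) -> List[str]:
    """Return findings for one account; an empty list means it passes."""
    findings: List[str] = []
    if not acct.enabled:
        return findings                       # already offboarded
    excess = acct.granted_resources - acct.approved_resources
    if excess:                                # least privilege violated
        findings.append(f"excess access: {sorted(excess)}")
    if not acct.mfa_enabled:
        findings.append("mfa not enforced")
    if today > acct.engagement_end:           # offboarding missed
        findings.append("engagement ended; disable the account")
    if acct.last_login is None or (today - acct.last_login).days > IDLE_DAYS:
        findings.append(f"idle for more than {IDLE_DAYS} days")
    return findings


def review_all(accounts: List[VendorAccount], today: date) -> Dict[str, List[str]]:
    """Map each failing account's username to its findings."""
    results = {a.username: review_account(a, today) for a in accounts}
    return {user: f for user, f in results.items() if f}


# Constructed sample accounts (hypothetical usernames and resources).
TODAY = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    VendorAccount("svc-hvac-monitor", {"bms-portal"}, {"bms-portal", "pos-admin-share"},
                  False, date(2024, 12, 31), date(2024, 2, 28)),
    VendorAccount("ext-dev-contractor", {"git-repo", "ci-runner"}, {"git-repo", "ci-runner"},
                  True, date(2023, 12, 31), date(2024, 2, 20)),
    VendorAccount("partner-sso-user", {"portal"}, {"portal"}, True, date(2025, 1, 1), date(2024, 1, 1)),
    VendorAccount("ok-vendor", {"ticketing"}, {"ticketing"}, True, date(2025, 1, 1), date(2024, 2, 25)),
]

if __name__ == "__main__":
    for user, findings in review_all(SAMPLE_ACCOUNTS, TODAY).items():
        print(user, "->", "; ".join(findings))
```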

In summary, managing third-party access tightly is just as important as managing employee access, since a breach through a vendor account can be just as damaging as one through your own user accounts.

Case study

One of the most notorious breaches caused by third-party access was the Target data breach of 2013. Attackers infiltrated Target’s network by first compromising the network credentials of an HVAC refrigeration contractor that serviced Target stores.

Target had given this third-party vendor external access for business purposes (monitoring store temperatures and energy usage). Unfortunately, the vendor’s login was stolen and used by the attackers as a trojan horse into Target’s internal network. Once inside, the attackers moved laterally and installed malware on point-of-sale systems, ultimately stealing the credit card details of approximately 40 million customers. Investigations revealed that the HVAC contractor, Fazio Mechanical Services, had remote network privileges that were not adequately segmented from Target’s payment systems.

This breach vividly demonstrated the risk of third-party access: even a non-IT vendor’s account became the entry point for a massive cyberattack. It underscored the need for retailers (and all companies) to enforce stricter controls on vendor access – such as network segmentation, least privilege for vendor accounts, continuous monitoring, and ensuring that sensitive systems cannot be directly reached by a partner’s credentials.
