Third/Fourth Party Risk Management and Age Verification

Let’s say a bar wants to check the ages of its patrons, but does not want to use the patron’s physical ID card (in my country, usually a driver’s license).

But a bar cannot perform digital age verification on its own. The bar has to contract with some other entity that knows how to do this.

This freaks some people out…massively.

“New cybersecurity research indicates that one of the world’s leading age verification providers collects and shares highly sensitive personal data—including facial photos and device fingerprints—with third parties.”

The research, conducted by the Georgia Institute of Technology and UC Irvine, focused on one of the big age verification vendors, Yoti.

“The research team determined that the process Yoti uses to verify a person’s age broadcasts the person’s personal information to third- and fourth-party companies….

“According to the researchers, the data is…sent to credit card companies, IP geolocation services, and data brokers. The researchers found that the information being shared can be used to identify and track devices. For example, a single verification attempt may transmit a user’s facial image, IP address, and device fingerprint to credit card companies.”

Yet to my knowledge the researchers did not propose an alternative, other than having each entity develop its own age verification system. Perhaps someone like Meta could do that, but Frank’s Bar certainly couldn’t.

Age verification is not unique in terms of data sharing. Third Party and Fourth Party Risk Management vendors encounter these issues all the time. And yes, sometimes companies that hold other companies’ data are hacked. That’s why companies use TPRM in the first place.

And don’t forget that if you don’t use digital age verification, you’re going to use physical age verification, where the guy behind the bar learns EVERYTHING about you. I don’t think that’s necessarily better.

It’s time to think through the consequences of abandoning technology.

Who or What Requires Authorization?

There are many definitions of authorization, but the one in RFC 4949 has the benefit of brevity.

“An approval that is granted to a system entity to access a system resource.”

Non-person Entities Require Authorization

Note that it uses the word “entity.” It does NOT use the word “person.” Because the entity requiring authorization may be a non-person entity.

I made this point in a previous post about attribute-based access control (ABAC), when I quoted from the 2014 version of NIST Special Publication 800-162. Incidentally, if you wonder why I use the acronym NPE (non-person entity) rather than the acronym NHI (non-human identity), this is why.

“A subject is a human user or NPE, such as a device that issues access requests to perform operations on objects. Subjects are assigned one or more attributes.”

If you have a process to authorize people, but don’t have a process to authorize bots, you have a problem. Matthew Romero, formerly of Veza, has written about the lack of authorization for non-human identities.

“Unlike human users, NHIs operate without direct oversight or interactive authentication. Some run continuously, using static credentials without safeguards like multi-factor authentication (MFA). Because most NHIs are assigned elevated permissions automatically, they’re often more vulnerable than human accounts—and more attractive targets for attackers. 

“When organizations fail to monitor or decommission them, however, these identities can linger unnoticed, creating easy entry points for cyber threats.”

Veza recommends that people use a product that monitors authorizations for both human and non-human identities. And by the most amazing coincidence, Veza offers such a product.
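The NIST definition above treats a subject as an attribute bag, whether the subject is a person or an NPE. The following is an added example, written for this page and not code from Bredemarket, Veza, or NIST: a small ABAC evaluator whose rules never look at whether the subject is human, plus a review pass that flags the NPE failure modes Romero lists (static credentials without MFA, automatically elevated permissions, identities nobody decommissioned or owns). The policy, identities, thresholds, and dates are all constructed for illustration.

```python
"""ABAC over human and non-person subjects, plus an NPE hygiene review.
Added example; all identities, rules, thresholds and dates are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Subject:
    name: str
    kind: str                  # "human" or "npe" (service account, bot, device)
    attrs: dict                # ABAC attributes the policy reasons about
    credential_issued: date    # when the current password/key/token was minted
    last_used: date            # last authenticated access
    mfa: bool                  # interactive MFA possible and enforced?
    owner: Optional[str] = None  # accountable human for an NPE (assumed field)


# Constructed policy: each rule = required subject attrs, allowed actions, required object attrs.
# "*" on an object attribute means "any object".
POLICY = [
    {"subject": {"role": "payroll"}, "actions": {"read", "write"}, "object": {"type": "payroll_db"}},
    {"subject": {"role": "ci-bot"}, "actions": {"read"}, "object": {"type": "source_repo"}},
    {"subject": {"clearance": "admin"}, "actions": {"read", "write", "delete"}, "object": {"type": "*"}},
]


def authorize(subject: Subject, action: str, obj: dict) -> bool:
    """True if any rule matches. Rules match on attributes only, never on subject.kind,
    so a bot and a person holding the same attributes get the same decision."""
    for rule in POLICY:
        subject_ok = all(subject.attrs.get(k) == v for k, v in rule["subject"].items())
        object_ok = all(v == "*" or obj.get(k) == v for k, v in rule["object"].items())
        if subject_ok and action in rule["actions"] and object_ok:
            return True
    return False


def review_npes(subjects, today: date, max_credential_age_days: int = 90, max_idle_days: int = 30) -> dict:
    """Flag NPEs that a people-only authorization process would never look at.
    Returns {npe_name: [finding, ...]} for NPEs with at least one finding."""
    findings = {}
    for s in subjects:
        if s.kind != "npe":
            continue
        f = []
        credential_age = (today - s.credential_issued).days
        idle = (today - s.last_used).days
        if not s.mfa and credential_age > max_credential_age_days:
            f.append(f"static credential {credential_age} days old with no MFA")
        if s.attrs.get("clearance") == "admin":
            f.append("elevated (admin) permissions")
        if idle > max_idle_days:
            f.append(f"idle for {idle} days; candidate for decommissioning")
        if s.owner is None:
            f.append("no accountable owner")
        if f:
            findings[s.name] = f
    return findings


# Constructed inventory: one person, one well-kept bot, one forgotten service account.
TODAY = date(2025, 8, 15)
SUBJECTS = [
    Subject("alice", "human", {"role": "payroll"}, date(2025, 8, 1), date(2025, 8, 14), mfa=True),
    Subject("ci-runner", "npe", {"role": "ci-bot"}, date(2025, 7, 1), date(2025, 8, 15), mfa=False, owner="alice"),
    Subject("legacy-backup-svc", "npe", {"clearance": "admin"}, date(2023, 1, 10), date(2024, 12, 2), mfa=False),
]

if __name__ == "__main__":
    print(authorize(SUBJECTS[1], "read", {"type": "source_repo"}))    # bot allowed what its role permits
    print(authorize(SUBJECTS[1], "write", {"type": "source_repo"}))   # and nothing more
    for name, issues in review_npes(SUBJECTS, TODAY).items():
        print(name, "->", "; ".join(issues))
```

The review pass is the part most shops lack: `alice` gets a quarterly access review because she is a person, while `legacy-backup-svc` would keep its admin wildcard and two-year-old static credential indefinitely unless something enumerates NPEs on the same footing.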

People Require Authorization

And of course people require authorization also. They need authorization:

It’s not enough to identify or authenticate a person or NPE. Once that is done, you need to confirm that this particular person has the authorization to…launch a nuclear bomb. Or whatever.

Your Customers Require Information on Your Authorization Solution

If your company offers an authorization solution, and you need Bredemarket’s content, proposal, or analysis consulting help, talk to me.

Do Your Technology Prospects Know the Critical Importance of “Continuous” Access Evaluation?

Today’s word is continuous. A word that your technology solution prospects need to understand.

The problem

The Identity Jedi just shared the dirty little secret that we all know but aren’t willing to admit.

“[A]ccess reviews aren’t inherently about security — they’re about satisfying auditors.”

The Jedi’s assumption is that the access review is a periodic one, completely satisfied by manually checking boxes.

Because it’s easier to evaluate whether a box is checked than to evaluate whether the system is truly secure, and whether people who no longer deserve access have actually lost it.

The solution

But companies move beyond check boxes anyway, because they realize the other point that the Identity Jedi made.

“Instead of waiting for quarterly reviews, implement continuous access evaluation that flags high-risk or out-of-policy access the moment it happens — not months later.”

Many cybersecurity and TPRM vendors have implemented continuous access evaluation. Has yours?
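To make “the moment it happens” concrete, here is an added example, written for this page and not taken from the Identity Jedi post or from any vendor: the same constructed stream of identity events is checked two ways, once by re-evaluating policy after every event (continuous) and once only at quarter end (the periodic review). The difference between the two detection dates is the exposure window the quarterly review leaves open. The policy, users, grants, and dates are all assumptions.

```python
"""Continuous access evaluation versus quarterly access review.
Added example; events, policy and dates are constructed for illustration."""
from datetime import date

# Assumed policy: a grant is in policy only while its holder is active and still
# holds the role that justifies it.
REQUIRED_ROLE = {"payroll_db:write": "payroll", "prod-admin": "sre"}


def in_policy(user: dict, grant: str) -> bool:
    return user["active"] and REQUIRED_ROLE[grant] in user["roles"]


def apply(state: dict, event: tuple) -> None:
    """Fold one (date, kind, user, payload) event into the identity state."""
    _, kind, user, payload = event
    u = state.setdefault(user, {"active": True, "roles": set(), "grants": set()})
    if kind in ("hire", "role_change"):
        u["roles"] = set(payload["roles"])
    elif kind == "grant":
        u["grants"].add(payload)
    elif kind == "terminate":
        u["active"] = False


def violations(state: dict) -> set:
    """Every (user, grant) pair that is currently out of policy."""
    return {(user, g) for user, u in state.items() for g in u["grants"] if not in_policy(u, g)}


def continuous(events) -> dict:
    """Re-evaluate after every event; record the date each violation first appears."""
    state, first_seen = {}, {}
    for ev in sorted(events, key=lambda e: e[0]):   # stable sort keeps same-day order
        apply(state, ev)
        for v in violations(state):
            first_seen.setdefault(v, ev[0])
    return first_seen


def quarterly(events, quarter_ends) -> dict:
    """Evaluate only at each quarter end, as a periodic access review does."""
    state, first_seen = {}, {}
    pending = sorted(events, key=lambda e: e[0])
    for qend in quarter_ends:
        while pending and pending[0][0] <= qend:
            apply(state, pending.pop(0))
        for v in violations(state):
            first_seen.setdefault(v, qend)
    return first_seen


def exposure_days(events, quarter_ends) -> dict:
    """Days each violation stayed open for the quarterly reviewer but not the continuous one."""
    c, q = continuous(events), quarterly(events, quarter_ends)
    return {v: (q[v] - c[v]).days for v in c if v in q}


# Constructed event stream: a role change that orphans a grant, and a leaver whose
# admin grant nobody revoked.
EVENTS = [
    (date(2025, 1, 6), "hire", "bob", {"roles": {"payroll"}}),
    (date(2025, 1, 6), "hire", "carol", {"roles": {"sre"}}),
    (date(2025, 1, 7), "grant", "bob", "payroll_db:write"),
    (date(2025, 1, 7), "grant", "carol", "prod-admin"),
    (date(2025, 2, 10), "role_change", "bob", {"roles": {"marketing"}}),
    (date(2025, 3, 3), "terminate", "carol", None),
]
QUARTER_ENDS = [date(2025, 3, 31), date(2025, 6, 30)]

if __name__ == "__main__":
    for v, d in continuous(EVENTS).items():
        print("continuous:", v, "flagged", d)
    for v, d in quarterly(EVENTS, QUARTER_ENDS).items():
        print("quarterly: ", v, "flagged", d)
    print("exposure days saved:", exposure_days(EVENTS, QUARTER_ENDS))
```

Nothing about the policy changes between the two modes; only the evaluation trigger does. Carol’s still-active `prod-admin` grant is visible to the continuous evaluator on her termination date and to the quarterly review four weeks later, which is the gap an attacker with her credentials would have to work in.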

For the continuous access evaluation vendors

And if you are a vendor of a continuous access evaluation solution, do your prospects know why it’s critically important, and the benefits that such a solution provides?

If you haven’t told your prospects about the benefits of continuous access evaluation, it’s time.

And I can help.

A Jewelry-related Third-Party Breach: What Could Go Wrong?

Check this article from cyberdaily.au regarding a reported third-party breach. This one is from Danish jewelry brand Pandora.

“The company said that impacted data includes names, birthdates and email addresses, but that financial information, government identifiers and passwords were not accessed by the threat actors.”

So who was the third party? BleepingComputer has that part of the story:

“While Pandora has not shared the name of the third-party platform, BleepingComputer has learned that the data was stolen from the company’s Salesforce database.”

Not that it’s necessarily Salesforce’s fault. Access could have been granted by a Pandora employee who was tricked as part of a social engineering attack.

All Salesforce users should read “Protect Your Salesforce Environment from Social Engineering Threats.”

It’s not just a technical issue, but also a business process issue.

Or a user education issue.

Bredemarket can help firms educate their users. Talk to me.

Is There a Calculator On That Slide Rule?


Once again I’m painting a picture, this time of two people: the IT chick, deftly wielding her slide rule as she sizes up hardware and software, and the finance dude, deftly wielding his calculator as he tabulates profit, loss, and other money stuff. Each of them in their own little worlds.

Despite the thoughts of Norman Marks in his post “Cyber is one of many business risks.”

  • “Many years ago, my friend Ed Hill, a Managing Director with Protiviti at the time, coined the expression ‘there is no such thing as IT risk. There is only business risk.’”
  • “The [Qualys] report reveals a persistent disconnect between cybersecurity operations and business outcomes. While 49% of respondents reported having formal risk programmes, only 30% link them directly to business objectives. Even fewer (18%) use integrated risk scenarios that consider both business processes and financial exposure.”

I admit that I often draw a clear distinction between technical risk and business risk. For example, I treat as supposedly separate questions whether a third-party risk management (TPRM) algorithm is accurate (technical) and what happens if an end customer sues your company because the end customer’s personally identifiable information was breached on your partner company’s system (business).


So make sure that when your IT chick wields her slide rule, the tool has an embedded calculator on it to quantify the financial effects of her IT decisions.


Are There Really Dead Content Websites?


Do I deserve to be called out for that last post?

As a reminder, I said:

“But if I could offer a marketing word of advice to TPRM firms, the “we are better than legacy TPRM firms” message has jumped the shark. EVERYONE is better than legacy TPRM firms these days; you are nothing new. No one is completely manual any more. It’s like comparing a Tesla to a bicycle. Or any basketball team to the Washington Generals.”

But has my own messaging jumped the shark?

Such as my oft-repeated claim that some firms aren’t creating current content…and therefore need my help?

Who are these mythical companies? 

But then I ran into one (TO) that last blogged on June 18.

And another (AD) that last blogged on June 4.

And another (HM) that last blogged on March 24.

And there are probably others that haven’t blogged in 2025…but I haven’t heard about them.

If you’re a TPRM or other technology firm, Bredemarket can help you generate content. Assuming you want people to know about you. Contact me.

Is TPRM Agentic AI, um, SAFE?

Third-party risk management (TPRM) tools take varying approaches to automated vs. manual operations.

The company SAFE addressed automation in a July 15 press release. It uses the trendy term “agentic AI” so it must shift paradigms and optimize outcomes.

After stripping out the PR fluff, here’s some of what’s left.

“[SAFE] announced the expansion of its Agentic AI strategy with the release of 12+ new autonomous agents, over the next 3 months, purpose-built for third-party risk. The next two AI agents are SnapShot and BreachWatch which help organizations proactively organize AI summaries and identify third-party breaches respectively….

“‘Legacy solutions weren’t built for risk landscape,’ said Saket Modi, CEO and co-founder of SAFE. ‘SAFE is transforming TPRM….’”

But if I could offer a marketing word of advice to TPRM firms, the “we are better than legacy TPRM firms” message has jumped the shark. EVERYONE is better than legacy TPRM firms these days; you are nothing new. No one is completely manual any more. It’s like comparing a Tesla to a bicycle. Or any basketball team to the Washington Generals.

The real question is HOW you use your automation, and how accurate your automation is. Speed alone is not enough.

It’s All About Me 2: I Ask, Then I Act

Continuing my self-promotion, as opposed to promotion of my Bredemarket marketing and writing consultancy, how do I promote myself to companies outside of identity and biometrics? 

For example, cybersecurity firms, or third-party risk management (TPRM) firms, or content management system (CMS) firms, or healthcare firms (the non-identification biometric)?

By emphasizing that I ask, then I act.

Resonating with both the Simon Sinek devotees, and the bias to action adherents.

Short in duration, heavy on symbolism, and daring to mention “B2G” before “B2B.” That will start a conversation.

And then if someone fixates on the biometric modalities…

…I will redirect the person to Part One.

I ask, then I act.

OneTaste: Know Your (Convicted Forced Labor) Business

If I get my products from my vendor, why do I need to implement Know Your Business (KYB) or Third-Party Risk Management (TPRM)?

Perhaps Compliance Week has a good answer:

“About 27.6 million people around the globe are ensnared by modern slavery, which refers to people being forced to work and losing their freedom due to imprisonment, threats of violence, debt bondage, or retention of their identity papers, according to the United Nations’ International Labor Organization.”

Yeah, but who cares about Third World countries? 

Tell that to the former owners of OneTaste:

“As proven at trial, between 2006 and May 2018, [Nicole] Daedone and [Rachel] Cherwitz obtained the labor and services of multiple young women who had turned to OneTaste for healing and spirituality by coercing them to perform labor, including sexual labor, for the defendants’ benefit.”

Would you want to do business with THAT company?

Although it has undergone an ownership and name change:

“In 2017, Ms. Daedone sold OneTaste for $12 million, prosecutors said. The former OneTaste.us website now directs visitors to The Eros Platform, a community that still promotes its affiliation with Daedone, Cherwitz and their Orgasmic Meditation practice. The Eros Coaching Collective still advertises a three-session OM training package for $525.”

TPRM: When the Board Gets Involved

As promised, I am going to continue to write about third-party risk management (TPRM).

And as the abstract for a September 9 Gartner roundtable points out, TPRM isn’t just the concern of the Chief Information Security Officer (CISO) any more…

“Third-party networks are expanding, with startups and business model innovators increasingly joining them. The increasing high risk in these networks is prompting boards and senior leaders to enhance and better focus their oversight of TPRM programs.”

Yes…the Board. (Of Directors.)

Now the CISO is sweating bullets.