DORA, OCC/FFIEC, and HIPAA BAA: what third-party credential governance requires
Last month's Snowflake breach exposed a fundamental flaw in how business process outsourcing (BPO) and managed service providers handle third-party access. Hackers infiltrated customer environments not through sophisticated zero-day exploits, but by purchasing stolen credentials from the dark web. The attack succeeded because users controlled their own passwords—credentials that Snowflake, despite deploying enterprise security tools, could neither see nor revoke until damage was done.

This incident crystallises a regulatory challenge facing BPO and managed service providers operating across multiple jurisdictions. As the Digital Operational Resilience Act (DORA) takes effect in the EU, OCC/FFIEC guidance tightens in the US and HIPAA Business Associate Agreements demand stronger safeguards, organisations face a common requirement: demonstrable control over third-party access credentials.

The BPO credential control problem

BPO and managed service providers operate in a uniquely exposed position. They require privileged access to client systems containing regulated data—financial records, healthcare information, operational technology—whilst remaining accountable to multiple regulatory frameworks simultaneously.

Traditional approaches leave a critical gap. When a managed service provider's employee creates their own password to access a client's banking system, three parties share responsibility but none maintains complete control. The employee holds the credential, the BPO provider manages the account, and the financial institution owns the system. Under DORA Article 28, OCC 2013-29 guidance, or HIPAA §164.308(b)(1), this distributed control model fails to meet regulatory expectations for third-party risk management.

The problem intensifies across service delivery models. A single BPO provider might simultaneously access EU financial institutions (under DORA), US community banks (under FFIEC guidance), and healthcare systems (under HIPAA), each requiring documented proof of credential governance that existing tools cannot provide.

The scale of third-party access risk

Recent data reveals the extent of credential-based third-party breaches. IBM's 2024 Cost of a Data Breach report found that 16% of breaches involved business partners, with an average cost of $4.88 million per incident. More significantly, Verizon's 2024 Data Breach Investigations Report showed that 68% of breaches involved a human element, primarily through stolen credentials.

For BPO providers, the exposure multiplies. Research from the Ponemon Institute indicates that organisations sharing data with more than 1,000 third parties—common among major BPO providers—face breach costs 51% higher than the average. The same study found that only 35% of organisations can identify all third parties with access to sensitive data.

Regulatory enforcement reflects this risk. The Office of the Comptroller of the Currency issued 847 enforcement actions in 2023, with inadequate third-party risk management featuring in 23% of cases. In healthcare, the Department of Health and Human Services reported that business associate breaches affected 41.4 million individuals in 2023, representing 56% of all reported healthcare data breaches.

Why existing security tools fall short

Identity and access management (IAM) systems, privileged access management (PAM) platforms, single sign-on (SSO) solutions, multi-factor authentication (MFA), and zero trust architectures all address aspects of access control. Yet the Snowflake breach demonstrates their collective limitation: they assume users will create and control their own credentials.

PAM systems excel at managing privileged accounts but typically rely on password vaults that users access with their own credentials. SSO reduces password proliferation but still requires users to authenticate with self-created passwords. MFA adds security layers but cannot prevent the compromise of underlying credentials that users generate and remember.

Zero trust frameworks demand continuous verification but often implement this through tools that, ultimately, depend on user-controlled authentication factors. When regulators require organisations to demonstrate control over third-party access, these solutions cannot provide the necessary assurance because the fundamental credential—the password itself—remains outside organisational control.

This creates a compliance gap. DORA Article 30 requires financial entities to "identify and assess ICT risk" from third-party arrangements. OCC guidance demands that banks "understand and control the risks" from service providers. HIPAA requires covered entities to "ensure that any agent to whom it provides access… will safeguard the information."

Meeting these requirements demands more than monitoring or managing access—it requires controlling the credentials themselves.

The structural solution: organisational credential ownership

The answer lies in reversing the fundamental assumption about credential ownership. Instead of users creating and controlling their own passwords, organisations must generate, distribute, and revoke every credential used to access their systems or their clients' systems.

This approach treats identity and access as separate concepts. Identity verification confirms who someone is; access control determines what they can do. By maintaining exclusive control over credentials, organisations can provide regulators with demonstrable proof that third-party access remains under direct management.

MyCena's patented technology exemplifies this approach. The platform generates encrypted credentials that organisations distribute directly to users' devices without the users ever seeing or storing them. When access is required, the system authenticates automatically using the encrypted credential. Users cannot screenshot, copy, or otherwise extract the password, making phishing impossible and ensuring complete organisational control.

This model addresses regulatory requirements directly. Under DORA, it provides the "strong authentication mechanisms" required by Article 25. For OCC/FFIEC compliance, it delivers the "strong access controls" demanded by existing guidance. Under HIPAA, it enables business associates to "implement procedures for guarding against… unauthorised access" as required by §164.308(b)(1).

Implementation imperatives for BPO providers

BPO and managed service providers must evaluate their credential governance models against incoming regulatory requirements. DORA compliance becomes mandatory on 17 January 2025, while OCC examination procedures already incorporate third-party credential management assessments.

The evaluation should focus on control rather than monitoring. Can the organisation prove it generates every credential used by its employees to access client systems? Can it demonstrate immediate revocation capabilities independent of user cooperation? Can it provide audit trails showing that credentials were never exposed to users?
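The three questions above can be turned into concrete checks. The following is an added illustration, written for this page and not MyCena's product code or any client's implementation: a minimal Python model in which an organisational credential authority generates every secret, enrols it on a (constructed) client system, brokers logins so the user only ever holds an opaque handle, revokes by overwriting the password on the target without the user's cooperation, and keeps a hash-chained audit trail that never contains the secret. System and user names are constructed; the `TargetSystem` class stands in for a client application and is an assumption of the example.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone


class TargetSystem:
    """Stand-in for a client system (constructed for this example). It stores
    only a salted PBKDF2 hash per account, never the password itself."""

    def __init__(self, name):
        self.name = name
        self._hashes = {}  # username -> (salt, digest)

    def set_password(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._hashes[username] = (salt, digest)

    def login(self, username, password):
        if username not in self._hashes:
            return False
        salt, digest = self._hashes[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


class CredentialAuthority:
    """Organisation-owned credential lifecycle: generate, enrol, broker, revoke,
    audit. Users receive an opaque credential id, never the secret."""

    def __init__(self):
        self._vault = {}  # cred_id -> {secret, user, target, active}
        self.audit = []   # append-only, hash-chained event log

    def _record(self, event, **fields):
        prev = self.audit[-1]["entry_hash"] if self.audit else "0" * 64
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
                 "prev": prev, **fields}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.audit.append(entry)

    def issue(self, user, target):
        """Generate a secret, set it on the target, hand back only a handle."""
        cred_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        target.set_password(user, secret)
        self._vault[cred_id] = {"secret": secret, "user": user,
                                "target": target, "active": True}
        self._record("issued", cred_id=cred_id, user=user, target=target.name)
        return cred_id

    def connect(self, cred_id, target):
        """Authenticate on the user's behalf; the secret never leaves the vault."""
        rec = self._vault.get(cred_id)
        if rec is None or not rec["active"] or rec["target"] is not target:
            self._record("denied", cred_id=cred_id, target=target.name)
            return False
        ok = target.login(rec["user"], rec["secret"])
        self._record("login", cred_id=cred_id, target=target.name, success=ok)
        return ok

    def revoke(self, cred_id, reason):
        """Disable the handle and overwrite the target password, so a copied
        secret stops working at once, whatever the user does."""
        rec = self._vault.get(cred_id)
        if rec is None:
            return False
        rec["active"] = False
        rec["target"].set_password(rec["user"], secrets.token_urlsafe(32))
        rec["secret"] = None
        self._record("revoked", cred_id=cred_id, reason=reason)
        return True

    def verify_audit(self):
        """Recompute the hash chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for entry in self.audit:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True

    def audit_mentions(self, value):
        """True if the literal value appears anywhere in the audit log."""
        return any(value in json.dumps(e) for e in self.audit)


def demo():
    """Run one lifecycle and return the answers to the three governance questions."""
    bank = TargetSystem("client-bank-core")      # constructed client system
    ca = CredentialAuthority()
    cid = ca.issue("bpo-analyst-01", bank)       # constructed user
    secret = ca._vault[cid]["secret"]  # peeked only to prove it never reaches the log
    results = {
        "login_before_revoke": ca.connect(cid, bank),
        "secret_in_audit": ca.audit_mentions(secret),
        "revoked": ca.revoke(cid, "engagement ended"),
        "login_after_revoke": ca.connect(cid, bank),
        "stolen_copy_after_revoke": bank.login("bpo-analyst-01", secret),
        "audit_intact": ca.verify_audit(),
    }
    ca.audit[0]["user"] = "someone-else"  # simulate tampering with the trail
    results["tamper_detected"] = not ca.verify_audit()
    return results
```

The point of `revoke` overwriting the password on the target is that revocation does not depend on the user returning a device or cooperating: because the authority set the credential, it can also invalidate every copy, which is the "immediate revocation independent of user cooperation" the text asks for. The hash-chained log is what lets an auditor confirm that the trail was not edited after the fact.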

Organisations that cannot answer these questions affirmatively face regulatory and commercial risks. Clients increasingly demand proof of credential governance as part of vendor management. Regulators expect demonstrable controls rather than policy statements.

The solution requires moving beyond traditional security tools toward platforms that ensure organisational ownership of credentials. The technical implementation matters less than the fundamental principle: in a properly governed system, users never see, store, or control the credentials that provide access to sensitive systems.

This shift from credential management to credential ownership represents the next evolution in third-party risk management—one that regulatory frameworks increasingly demand and that the threat landscape makes essential.
