8 security points of vendor lifecycle management

May 17, 2019//Tony Howlett

Last Updated: November 19, 2020

A security strategy for vendor lifecycle management protects your business

Increasingly, companies are relying on third-party vendors to manage mission-critical business functions. These applications may be cloud-based (SaaS) or deployed on-premises and they are often accessed remotely via different devices. New flexible staffing models use vendors for systems maintenance, support, and other non-core business functions. Our connected, digital world is quickly transforming businesses from 9-to-5 and local to 24/7 and global.

Though using vendors for non-core IT services can reduce costs and increase efficiency, without an adequate security strategy, relying on these third parties makes your business vulnerable to serious security breaches. Recently, Gartner analysts listed the top security projects for CISOs to focus on in 2019. It’s no surprise that several of these projects revolve around mitigating risks from vendors and third parties.

Building a third-party security strategy strengthens vendor relationships

Maintaining the same level of security for vendor users as you do for your own employees can be challenging. Access to a vendor’s user identities is limited, at best, because it is very common for third-party staff to change without you knowing about it. So, it’s important that your company implements a third-party security strategy that includes:

  • Inventorying vendors. List all your vendors and third parties that access any part of your networks or systems. Although it may be time-consuming, this process will allow you to know ALL the vendors accessing your networks, systems, and applications. This is also vital for the next step in the process, the vendor risk assessment, where you rank the risks associated with that access.
  • Vendor security assessment. Existing and new vendors should be transparent about their security and remote access practices. It’s important for them to implement best-in-class security that protects your customer data and other sensitive business information.
  • Vendor contracts. Your vendor contracts should include service level agreements (SLAs) that define the type and level of security the vendor uses enterprise-wide. Also included should be penalties for any outages, breaches, or network misuse.
  • Access management. Vendor technicians should only have access to the networks, servers, and applications they need to support your business. Ensure that you have the ability to restrict access rights at the system or user level. Look for a vendor privileged access management (VPAM) tool that allows you to schedule access for specific times for attended and unattended access.
  • Onboarding. Any software that you use to implement VPAM should have full-service onboarding and implementation services included. Some VPAM solutions validate employment status and provide the necessary access while obfuscating the actual network credentials. This is more efficient and user-friendly for the vendor’s staff.
  • Off-boarding. A VPAM solution should be able to transparently audit and track user activity (or lack of activity). It should also allow you to easily terminate access at the individual level. Your VPAM solution should provide an efficient and secure way for a vendor to de-provision their users that then doesn’t require customer intervention.
  • Monitoring, audit, and compliance. Your VPAM solution must audit and record sessions so any breach can be discovered early and tracked. This also helps to uncover any vulnerabilities as well as keep you compliant with necessary regulations and standards. Since data security and regulatory compliance are imperative for companies in highly regulated industries, your VPAM solution should produce detailed reports of who has accessed sensitive data at any time.
  • Usability. Solutions for third-party access should provide multi-factor vendor user authentication and automated user management that is easy to use. The process should be simple and should smoothly integrate into a normal workflow. The more user-friendly the solution, the more likely users will take advantage of it.

Keep your vendors productive and accountable

Third-party vendor access is a necessary part of doing business, but it’s also a practice that makes businesses most vulnerable. Today, developing a security strategy that addresses third-party vendors is essential for every business and might be the difference between a data breach and just a regular day.

close close