June 15, 2020//Rob PalermoLast Updated: September 08, 2021
In the latest episode of our Behind the Scenes interview series, we’re looking at a crucial question: Why do so many organizations fail at securing third-party remote access?
Our exclusive interview is with Rob Palermo, Vice President of Product Management and Strategy at SecureLink, which specializes in Privileged Access Management (PAM).
You can listen to our complete interview here, or read excerpts below.
[SecureWorld News] You partnered with Hobson and Company to research the topic of third-party remote access. Will you take us behind the scenes and reveal some of your findings?
[Rob Palermo] We recently completed a couple of different research efforts. One was with over 1,100 IT and cybersecurity professionals around third- party access, the risks out there, and best practices.
We also did an exercise to understand the hard costs associated with some of the programs out there. In a nutshell, what it shined a light on was that as a security group, we’re sort of failing at third-party remote access.
Over 60% of breaches today are attributed to third-party access even though organizations on average are spending about a million and a half dollars a year on man hours, as well as technology, to solve the problem.
The good news we found is that IT and security leaders do recognize this problem. So in our survey research, over two thirds of respondents stated that third-party remote access was high risk or very high risk for them.
They actually are prioritizing investing in new technology to secure third-party access as the number one investment they are likely to make over the next three years.
[SWN] You mentioned that it can be expensive. What would you say are the most common costs, but also the risks associated, with most third-party remote access strategies?
[Palermo] I’ll start with the risk. I think the most common risk and what we found in the research is that only 30% of those IT and security leaders we spoke with actually have a standardized strategy, approach, and methodology for allowing third-parties into critical systems and applications.
The other 70% are using a hodgepodge of different solutions; so whatever their vendors might be using, or whatever different business unit stakeholders are dictating. This makes it really, really difficult to manage and very unwieldy and very costly.
In terms of the hard costs, the number one cost is time. So the time that it takes IT and security teams to set up and manage vendor remote access, to troubleshoot issues, to audit their activity, or provide reports to auditors in some industries. This comes through in our research. For an average organization with 25 vendors, that takes about 4,500 hours every year to do that.
The other issue is the downtime and critical systems that are managed by a vendor. So as organizations spend more and more time trying to put in security controls, sometimes the result is they actually have more critical downtime events from vendor managed machines or infrastructure applications.
It could be medical devices, or gaming machines at a casino, or machines on the manufacturing floor. The average organization has one to three critical downtime events, so leaders are finding themselves in a catch-22 where the more time, the more effort they put around controlling vendor access, they’re actually causing business disruption. They are sort of trading off one cost for another.
[SWN] Because your organization, and you, specialize in third-party remote access and securing that, what are you seeing with the shift to remote work. What kind of challenges have popped up for organizations?
[Palermo] I don’t know if the challenges have changed, but they’ve certainly been more pronounced. More work is reliant on remote access with folks working from home and working remotely. But the challenge sort of remains the same, which is to find a solution that is secure and also fits the needs of all of your users.
If you look out at the landscape of remote access solutions, they’re usually pretty good or purpose-built for one specific use case. So they might be designed to provide end-user support. And so they’re built around desktop sharing and they’re built around collaboration. But they can’t do a lot of the more technical sort of direct access that will be required.
You may find other solutions that are very secure. But they’re only really good for standard protocols like RDP or SSH. They don’t fit the needs of vendors that maybe use non-standard or customized protocols.
So the challenge is finding what is that single solution, or at least a manageable handful of solutions, that are going to be secure but also handle the needs of users. With the shift to remote work, more and more solutions are popping up that business users need, to access systems remotely or work remotely. This brings new threat vectors and new things that security teams and IT teams need to consider.
[SWN] What are the most common vulnerabilities in current methods used with third-party remote access? What are you seeing?
[Palermo] The biggest challenge is balancing what is secure and what’s going to work. I would point out that regardless of the tool, probably the biggest vulnerability isn’t really a technical one that we see. When it comes to third parties, it’s really how do you manage all of the identities and all of these users?
Unlike employees, you don’t know when a business partner or vendor has new users that may need access, or you don’t know when somebody is hired or fired. And so managing all these vendors, making sure that the users that need access have it, making sure that users that no longer need access don’t have it, is really, really difficult to track and manage.
Unfortunately, the approach by many companies is they just outsource that to their vendors. And that creates a lot of risk. Because you are relying on your vendor, sending them a shared credential that all their users use, which becomes a vulnerability and a threat vector.
Or you are relying on your vendor to tell you on a weekly basis, “hey, here are all the users that need access and here is what they need access to.” But if they make a mistake, you’re going to end up at risk.
[SWN] Now to a pretty broad question that I think speaks to strategy and perhaps some tools as well. What do you see as the best approach to managing third-party remote access?
[Palermo] Sure, it sounds simple, but the biggest recommendation is just starting with the needs of third-party users and third-party organizations. So taking the third-party lens when you’re crafting your strategy because each business is unique.
They’re all going to have different requirements, but what we see over and over again in organizations is that 60% of breaches come from third parties.
They don’t start with, “hey, what do I need to do to manage this unique use case?” They start with, “what solutions do I have out there, and how do I extend them?” So they look at their privileged access management solution and they say, “Oh, can we extend this to cover third-parties? How do we run access management for employees? How do they get remote access into the system? So can we just extend that to third-parties?”
And that’s a mistake, because third parties are unique. We always recommend they start with the needs and requirements and build a solution around that.
The second recommendation is just to know who your vendors are. When we talk to new customers that are coming on board with SecureLink, only about 10% of them can actually tell us, “here are all the vendors that require secure remote access into critical systems.”
So it begs the question, if you are an IT or security professional, how can you be sure that you have secured that if you are unable to identify the vendors?
Organizations are getting better at this, but making sure you’re taking stock of who they are, how they’re accessing, and then putting in a solution around their unique needs.
And related to my earlier point about managing vendor users, and not letting your vendor manage their own users for you, we really recommend taking that identification and authentication of vendor users in-house. Don’t outsource that to your vendors. It’s too important, it’s too critical. It needs to be under your control.
[SWN] Midway through the last answer, you mentioned that employees and vendors have to be treated differently. Do you find that a lot of organizations are trying to treat their access as almost one and the same
[Palermo] That is what we see. They’re often saying, “hey, we’ll just take these tools and processes and we’ll apply them to vendors.” But, again, you don’t know all of your vendor users.
They are very transient, they may come in and out of the organization. They may need access only for an hour or a week while they’re on a project. And you don’t control their hardware and you don’t control how they necessarily need to support some of the solutions or devices that they’re supporting.
Or if they can’t figure out a solution that they have that works for their employees, they sort of throw up their hands and they say, “vendor, whatever you use to typically support your customers or gain access, just use that. Just use whatever comes out of the box or whatever you use to support your customers.”
And, of course, the trouble with that is you’ve now lost control. Those solutions will vary greatly in terms of effectiveness and security. And then having visibility into all your vendor activity becomes impossible.
So if you need to figure out why your system went down, or worse, there’s a data breach and you’re actually doing the forensics, then pulling together all that information into one place becomes nearly impossible. This is because you’re needing to work with every vendor that may have access to your network or different devices. They may not have the logs of what they did. Both of those scenarios end up being less than ideal.
[SWN] Here is our last question. For organizations who are not familiar with SecureLink, give us a few bullet points. Obviously, we know you are in the space we’ve been talking about today. You are an expert in that, so please give us a few bullet points on how you operate.
[Palermo] Our mission is simple, which is to wipe out the third-party threat. And so what we provide is a purpose-built single solution that’s solely focused on managing vendor access to all of the systems that you deem privileged or sensitive in any way, shape, or form.
At the heart of what we do is a remote access platform and software. Because this is all we do, we also bundle in all of our services to help our customers identify their vendors, onboard their vendors, train their vendors, and set up all of the workflows they need.
They can then have the best of both worlds where they are secure and they have control, but they’re also seeing enormous efficiencies in how their vendors are able to gain access and how business and work gets done with them, within their third-party ecosystem.”
[SWN] Thank you for your time and expertise on secure third-party remote access. •