June 19, 2020//Ellen NeveuxLast Updated: May 28, 2021
Nearly every company enlists the help of vendors (or other third parties like contractors) to be the most efficient they can be. However, it’s been highly reported on the fact that a relationship with a vendor, or vendors, comes with some risk associated. The biggest thing to think of in terms of having a relationship with a vendor is that it only takes one for something to go wrong. A vendor is frequently seen as the path of least resistance for a bad actor to get into a network or multiple networks. Let’s look at the best practices associated with third-party remote vendor access.
We all know that credentials and logins are an essential part of network security. The easiest example that comes to mind, when thinking of remote access, revolves around employees accessing their company’s network remotely (like if you’re working at home during a pandemic). When businesses issue credentials or logins to employees, there are limitations on what they can do – check emails, look at reports, or see a file in a specific place. For example, I’m given very specific access at SecureLink; there are pieces of the server I don’t have access to.
However, the scenario above is specifically for an internal employee– one that your company directly hires (and fires). When credentials and logins are issued to vendors, these have a higher degree of power. Since a vendor is external to a business, you don’t have the same control over who is coming and going and how many times their login is shared. You don’t know if the login to your network is shared in a file, written on a sticky note, or even shared via email. Any company that enlists the expertise of a vendor must be aware that the login types for internal and external employees are very different. Because of this, it’s imperative that businesses have much more control over and manage their third-party remote vendor access.
Beyond that, in order to limit liability, enterprises need a detailed log of exactly what individuals did while they were connected to their network. If you don’t have that, you’re not secure, accountable, or compliant. Credential vaulting, such as that available in vendor privileged access management (VPAM) systems, can provide a key roadblock for users of stolen credentials. These systems basically keep all privilege credentials in an encrypted vault, never allowing users to see the actual login information. It allows them to check out the right to use it, which is logged and then passes the encrypted credential to the appropriate system, initiating the login for the user automatically. This can keep a key credential from being stolen because they never had the login information in the first place. They also provide valuable usage and tracking information for all your privileged logins for use in monitoring and audit efforts.
There are a couple of primary solutions that come to mind when you think about allowing access to a business network – VPNs or desktop sharing. Below, we’ll briefly examine these two methods to see how they differ from a third-party vendor remote access software solution.
While VPNs are ideal for employee remote network access, for a vendor, this type of access can be both limiting and frustrating. When using VPNs to access customer networks, vendors may get dropped off their own network and not be able to access their local knowledge-base or hard drive. VPNs are great for enabling access to local resources, but for third-party vendors, they can pose difficulties when trying to get user accounts authorized and configured. This means vendor technicians often end up sharing credentials and logins, which leads to security and accountability challenges, as well as compliance complications.
Desktop sharing support tools, on the other hand, are designed for remote support of end-user desktops. While desktop sharing is great for desktops, customers often create a bottleneck in the remote vendor access process. The end-user has to surrender control of their machine and allow indirect access, or the customer has to get to the data center and launch a session. Customers also get limited access control or auditing features.
With a vendor privileged access management tool, businesses can authenticate on the vendor side, using the vendor’s Active Directory (AD), LDAP, or email. User accounts aren’t shared and every action is tied to an individual – helping ensure accountability and compliance. The platform restricts access to specific machines and ports on the customer side while leaving the technician connected to their own network. It also gives direct access to servers, even when the customer isn’t there, as well as providing high-definition auditing. In addition, vendors can use tools (like database clients) and more than one technician can connect to a customer at the same time. To learn more about what remote access tool makes the most sense for your company’s needs, download our brochure that highlights the differences between the most common platforms.