July 17, 2019 // Tony Howlett. Last Updated: November 19, 2020
With the rise of high-profile data breaches caused by third parties, many organizations are becoming aware that, in order to maintain the security of their network and systems, they need to create and implement a solution for managing access for their vendors. However, this may seem an impossible goal given the large number of vendors, the multiple access solutions in use, and the competing constituencies both inside and outside the organization (application owners, IT and network departments, and the vendors themselves).
The ultimate goal is to maximize security and reduce risk while allowing vendors access to the resources they need. To achieve this objective, several key elements should be considered when building a vendor access program, and its foundation should be centered around the concept of “least privileged access” – a guiding principle that can help mitigate vendor risk.
For many enterprises, outsourcing non-core functions to third-party vendors is a common and strategically sound practice. Companies can focus on their strengths while letting vendors, as well as cloud-based applications and networks (such as AWS and Salesforce’s Commerce Cloud), manage CRM, back-office, and e-commerce infrastructure tasks.
However, while outsourcing to vendors has many benefits, such as increased efficiency and lower costs, it also brings increased risk. The reason: some solutions for providing remote vendor access allow third parties to access everything, meaning your entire network or a whole system. With these remote access solutions it's all or none: no shades of gray, no granular refinement possible.
To get the benefits of outsourcing without that all-or-none exposure, let's look at the three primary pieces that should go into building an organization's vendor access program.
In general, an optimal vendor access program should allow organizations to receive the secure support they need while maintaining control, minimizing risk, ensuring industry compliance, and creating audit trails.
The first overarching goal is to make sure you always take steps to maintain continuous control. Know your third-party vendors, continuously stay aware of what they are doing, and always apply the least privileged access principle, limiting each vendor's access to only those resources it requires.
Second, a vendor remote access program should identify and implement the essential vendor risk management tools – that is, include a set of specific features and tools for authenticating, auditing, and controlling access by employees and third-party vendors. An optimal solution should incorporate tools that will:
To increase the likelihood that your vendor access program is actually followed, reviewing and continually improving workflows and user interfaces is a key element. Usability is essential for encouraging compliance with your processes: the easier a process is to carry out, the more vendors will actually do it. To this end, an optimal vendor access program should strive to control remote access for all vendors with easy and intuitive tools, and should standardize and integrate remote support on a single platform.
Building an optimal vendor access program involves three main steps: maintaining continuous control (using least privileged access as a guiding principle), identifying and implementing the essential vendor risk management tools, and continually improving workflows and user interfaces.
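To make the difference between "all or none" access and least privileged access concrete, here is an added example (not code from the article or any particular product) of a minimal vendor access policy: grants are scoped to a vendor, a system and a set of actions, expire after a time window, and every decision is written to an audit trail. The system inventory and vendor names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed inventory of systems and the actions each supports (hypothetical).
SYSTEMS = {
    "crm-db": {"read", "write", "admin"},
    "ecommerce-web": {"read", "write", "deploy"},
    "hr-payroll": {"read", "write"},
}


@dataclass(frozen=True)
class Grant:
    vendor: str
    system: str            # a named system, or "*" for the all-or-none model
    actions: frozenset     # permitted actions, or {"*"} for everything
    expires: datetime      # grants are time-boxed, not permanent


@dataclass
class VendorAccessPolicy:
    grants: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def add_grant(self, vendor, system, actions, ttl_hours, now):
        """Grant a vendor specific actions on one system for a limited time."""
        expiry = now + timedelta(hours=ttl_hours)
        self.grants.append(Grant(vendor, system, frozenset(actions), expiry))

    def _matches(self, vendor, system, action, now):
        # Default deny: access exists only if some unexpired grant covers it.
        return any(
            g.vendor == vendor
            and g.system in (system, "*")
            and (action in g.actions or "*" in g.actions)
            and now < g.expires
            for g in self.grants
        )

    def is_allowed(self, vendor, system, action, now):
        """Decide one access request and record it for later audit."""
        verdict = "ALLOW" if self._matches(vendor, system, action, now) else "DENY"
        self.audit_log.append((now.isoformat(), vendor, system, action, verdict))
        return verdict == "ALLOW"

    def reachable(self, vendor, now):
        """Every (system, action) the vendor can currently perform: the blast
        radius if that vendor's credentials are compromised."""
        return {(s, a) for s, acts in SYSTEMS.items() for a in acts
                if self._matches(vendor, s, a, now)}
```

Comparing `reachable()` for a wildcard grant against a scoped one shows why the granular model limits damage from a compromised vendor account, and `audit_log` gives the trail reviewers need to see what each vendor actually did.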
Note that taking these steps is not a temporary task or a periodic, once-in-a-while endeavor. It is an ongoing process, one that must remain active throughout the lifecycle of each vendor an enterprise interacts with. Whether one works with just a few vendors, or vendors that number in the hundreds or thousands, one thing is certain: your network and systems are only as safe as the security practices of your weakest partner. So get to know your third-party vendors, maintain that knowledge over time, and know what they are doing at all times; following these best practices will help ensure that your organization is fully protected from potentially devastating threats.
We have seen that knowing more about your third-party vendors, and maintaining that detailed knowledge, is a good strategy to follow as part of a safe and secure vendor access program. Read this article for ideas on how to truly know your vendors and achieve more effective risk management.