July 03, 2019//Tony Howlett
If a burglar has the key to your house, having a state-of-the-art lock won’t keep them out. That’s exactly what happens when you allow vendors onto your network with privileged credentials without a solution that provides proper identity, access, and audit controls.
When you need to grant privileged access, a new level of credential management is required. Companies that allow vendors to access their network must understand these core credential management best practices. Without following these steps, a vendor data breach is much more likely to occur.
Vendors and privileged users alike should be given single sign-on (SSO) access methods that prevent them from ever knowing the credentials they are using for access. With passwords safely and securely in a credential vault, passwords will never be placed on a spreadsheet, written on a sticky note, or sent company-wide in an email.
When you aren’t circulating credentials to users, you can make them as complicated as you want and change them just as often without disrupting the workflow of your users. Set expirations on accounts using your credentials to expire after a period of inactivity to help prevent misuse of the credential.
Now that your complex credential is tucked safely away in your vault, make sure it is only used by authorized users. Use a multi-factor authentication that verifies the individual. Before you let them use the credential, confirm that the individual still works for the vendor. For privileged access and high-security applications, consider using IP source network controls to manage where they are using your credentials from.
Every time a credential is used you should know who used it, why, what time, for how long, and what was done under the power of that credential. Make sure the power that comes with the credentials is being used appropriately and that no one is misusing your credentials to exploit or damage your network and systems.
VPNs and desktop sharing tools have been the traditional method of remote vendor access. While VPNs work for employee access, they do not provide the required level of access control and audit capabilities necessary for third-party connections.
Review your vendor access procedures and tools to ensure they’re in line with best practices, check out our vendor privileged access management checklist. On the other side, vendors and contractors should make sure to limit their risk exposure by utilizing remote support tools that provide their customers with flexible controls and activity records.