April 09, 2020//Tony HowlettLast Updated: June 13, 2021
Third-party risk management, or TPRM, is becoming a big deal in IT and Information security circles. This is because a large number of breaches and hacks are being connected to insecure or mismanaged third parties such as vendors, supply chain partners, and cloud companies providing infrastructure or software applications. A recent study showed that 59% of recent breaches were related to a third-party. Outsourcing is not going away, so it’s very important that third parties who have access to your networks or systems are managed properly. There are many elements to third-party risk management including doing risk assessments of both new and existing vendors, putting technical controls on their access, and monitoring and auditing their activities. However, one of the most important parts of managing third-party risk is having good vendor onboarding processes when giving these entities access. A vendor that is improperly onboarded may have too much access, not enough access, or may not even be authorized by their employers. Equally important and often overlooked is robust offboarding policies so that dormant or terminated representatives are removed as soon as possible to eliminate any vulnerability from those credentials.
In this article, we will explore best practices for vendor onboarding and offboarding to add to your third-party and vendor management programs so you can keep your vendors in line and online, only when they need to, with the minimum access they need to do their assigned jobs or functions.
The first thing you need for vendor onboarding is a secure process. Document the process with verification checks each step of the way. In order to prevent credential sharing (a no-no for many compliance frameworks such as PCI DSS, CJIS, and others), every vendor rep that needs access needs their own account. Start with the request for access; who approved the access and for what purpose? What level of access is needed? Administrators and other privileged credentials need much more scrutiny. Whenever possible, push the approval process down to the application owners rather than IT. They are the ones who know what kind of access each user needs. Aim for a role-based access control (RBAC) model in order to give the right privileges for the job they need to do. Next, you need a way to verify employment with the vendor. This can be done via forms, email, or other manual ways. Ideally, automate this step by using an online registration process where application owners can approve access as it comes in.
And in terms of the actual credentials, any vendor accessing systems remotely should have to use multi-factor authentication (MFA), especially those using accounts with escalated privileges. MFA is a strong defense against credential theft and is required for compliance under many regulations. When implementing MFA, be sure to use an open standard such as time-based one-time password (TOTP) so that you can support multiple vendors with different authentication systems.
Just as getting your vendor reps in securely and efficiently is important, getting them out of the system when they are no longer employed is also paramount. You should have frequent or automated syncing with vendor employment databases so that any terminated employees are quickly removed from your systems. Federating authentication down to your vendor’s directory processes can make this as close to real-time as possible. The more time that this process takes, the longer the window of vulnerability from either a malicious employee or a stolen credential exists.
Having a centralized single sign on (SSO) system or credential vault as is available in Privileged Access Management (PAM) and Vendor Privileged Access Management (VPAM) systems will greatly expedite this process so you don’t have to go through many systems deactivating accounts. Finally, you will want to have a regular review or audit process in place to catch any accounts that were missed or reactivated, either in error or by a bad actor. Keep your vendor access databases well monitored and well-groomed.
Implementing these vendor onboarding and offboarding best practices will go a long way towards mitigating risk to your network, systems, and data from third parties. Along with other aspects of a full vendor management program such as risk assessments, auditing, and technical controls, they will keep your company from becoming another third party breach statistic. To learn more about how to implement a full vendor management program download our brochure that highlights the importance of having a separate software platform specifically to manage vendors’ privileged access to systems, networks, and applications.