September 06, 2019 // Tony Howlett
Managing vendor access into your network and systems is becoming a more critical job as news of third-party breaches breaks almost daily and regulatory focus on third-party risk intensifies. Given that enterprises have, on average, 67 vendors accessing their systems regularly, the task is not getting any easier. Trying to manage those vendors with spreadsheets or other manual processes is doomed to fail, whether the failure takes the form of a breach through a vendor account or a compliance violation.
Fortunately, there are new technology tools that can help us automate key parts of this process so that we can keep our third-party vendor access secure and compliant while minimizing time and staffing investment.
How many vendors are accessing your network and systems on a regular basis? What accounts are they using? Do those accounts carry privileged access, the holy grail for attackers? Companies frequently underestimate the number of third parties with a foothold in their systems. Shadow IT, distributed operations and cloud applications make the vendor inventory job even harder. You can hold meetings or send questionnaires to gather the vendor list, but managers often don't remember all of their vendors, and some may be reluctant to disclose an unapproved vendor for fear of losing access to it.
Combing through accounts payable records or using network tools to track traffic are other ways of getting an accurate list, but can be time-consuming and you still might not find them all (for instance, if a manager is charging a marketing cloud vendor to their credit card). Fortunately, there are a few vendors out there offering software that can track down vendors and privileged accounts automatically for you. There are excellent automated vendor discovery (AVD) tools that conduct non-intrusive searches for vendors on your network. Some offer automated vendor discovery with additional fourth and Nth-party discovery and geolocation, which can be useful when determining countries where vendors might be storing your data. This is vital if you have to comply with international privacy regulations such as GDPR.
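One of the checks an automated discovery tool performs can also be approximated from data you already have: a directory export. The script below is an added example, not code from the article or from any discovery product. It assumes a CSV export with account, mail, groups and enabled columns, a corporate mail domain of example.com, a set of privileged group names, and the naming convention that service and external accounts start with "svc-" or "ext-"; all of these, and the rows themselves, are constructed for the example. It builds a per-vendor inventory of third-party accounts and flags which of them hold privileged group membership, including disabled accounts, since a disabled vendor account is still dormant access that belongs in the review.

```python
"""Inventory third-party accounts and privileged access from a directory export.

Added example, not from the original article. The export format, the
corporate domain, the privileged group names and the account-name prefixes
are assumptions; the rows are constructed sample data.
"""
import csv
import io
from collections import defaultdict

CORPORATE_DOMAIN = "example.com"                              # assumption
PRIVILEGED_GROUPS = {"Domain Admins", "sudoers", "db-admin"}  # assumption
VENDOR_PREFIXES = ("svc-", "ext-")                            # assumed naming convention

# Constructed directory export (not real data).
DIRECTORY_EXPORT = """\
account,mail,groups,enabled
jsmith,jsmith@example.com,Domain Users;sudoers,true
svc-acme,ops@acme-support.io,Domain Users;Domain Admins,true
acme_rlee,rlee@acme-support.io,Domain Users,true
mdavis,mdavis@example.com,Domain Users,true
ext-bobcat,support@bobcat-hvac.net,Domain Users;db-admin,false
svc-backup,svc-backup@example.com,Domain Users;Domain Admins,true
"""


def load_accounts(export_text):
    """Parse the CSV export; groups become a set, enabled becomes a bool."""
    rows = []
    for row in csv.DictReader(io.StringIO(export_text)):
        row["groups"] = {g for g in row["groups"].split(";") if g}
        row["enabled"] = row["enabled"].strip().lower() == "true"
        rows.append(row)
    return rows


def mail_domain(account):
    return account["mail"].rsplit("@", 1)[-1].lower()


def is_third_party(account):
    """Heuristic: mail domain outside the corporate domain, or a vendor prefix
    on the account name. Either signal alone is enough to put the account on
    the review list; a human confirms the owner afterwards."""
    prefixed = account["account"].lower().startswith(VENDOR_PREFIXES)
    return mail_domain(account) != CORPORATE_DOMAIN or prefixed


def vendor_inventory(export_text):
    """Return {vendor: {"accounts": [...], "privileged": [...]}}.

    The vendor key is the external mail domain. Accounts that only match by
    prefix but sit on a corporate mailbox cannot be attributed automatically
    and are grouped under "unattributed" so they are not silently dropped.
    Disabled accounts are included: they are dormant access, not absent access.
    """
    inventory = defaultdict(lambda: {"accounts": [], "privileged": []})
    for acct in load_accounts(export_text):
        if not is_third_party(acct):
            continue
        domain = mail_domain(acct)
        vendor = domain if domain != CORPORATE_DOMAIN else "unattributed"
        inventory[vendor]["accounts"].append(acct["account"])
        if acct["groups"] & PRIVILEGED_GROUPS:
            inventory[vendor]["privileged"].append(acct["account"])
    return dict(inventory)


if __name__ == "__main__":
    for vendor, info in sorted(vendor_inventory(DIRECTORY_EXPORT).items()):
        print(f"{vendor}: {len(info['accounts'])} account(s), "
              f"privileged={info['privileged']}")
```

On the sample data the employee jsmith is ignored even though they hold sudoers, the two acme-support.io accounts are grouped together with svc-acme flagged as privileged, the disabled ext-bobcat account still appears, and svc-backup lands in the "unattributed" bucket as a privileged account whose owning vendor has to be confirmed by hand. That last bucket is the one worth reading first.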
Once you have a complete inventory of vendors, the next step is to risk-assess and rate them against the amount of third-party risk your enterprise is willing to accept in return for each vendor’s services. There are templates available, including several free options offering high levels of detail.
There also are many commercial companies offering risk assessment software solutions. If you have more than 100 vendors to assess, even using a software assessment program may not speed up the process enough. In that case, you may want to consider risk assessment rating agencies or risk assessment exchanges, new entrants to the security market. These are companies that already have done at least part of the process for you and rate vendors by various risk factors. Although it’s a budding field, several vendors have particularly strong options.
Once you have a vendor risk assessed and have approved them for access to your systems, how do you get them in? Grafting them into your employee onboarding processes may seem like an easy option but could be fraught with issues including over-provisioning of resources (employees typically get broad-spectrum network access to access many corporate services) and delays in offboarding.
Ideally, a third-party access solution should have an onboarding process and workflow that is separate from your employee onboarding. Automation of the process is key, too, to lower IT burden and decrease time to effectiveness for the vendors. Look for features such as vendor self-registration and auto-provisioning to grease the rails of your vendor onboarding processes.
Offboarding vendors can be an equally labor-intensive process, particularly if a company tracks its vendor access in some form of a manual process, including in spreadsheets with lists of vendor rep IDs or email reminders. These not only take time to manage but also can lead to significant gaps in an offboarding process.
A common scenario is a former employee of a vendor who retains credentials to your systems until you perform a true-up, which is often done too infrequently. As with onboarding, the offboarding process should be automated as much as possible and driven by the vendor's own HR processes rather than by manual syncing between the vendor and your company.
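What "tied to the vendor's HR processes" looks like in practice is a reconciliation job that compares the accounts you hold against a roster the vendor attests to, so the true-up runs every day instead of whenever someone remembers. The following is an added example, not code from the article; the roster feed format, the account mapping, the 30-day idle window and the dates are all constructed assumptions. It fails closed in two directions: an account the vendor never attested to is disabled rather than kept, and a vendor with no roster feed at all raises an error instead of having every account disabled by a broken feed.

```python
"""Reconcile vendor accounts against the vendor's attested roster.

Added example, not from the original article. The feed formats, the idle
window and the sample rows are assumptions constructed for illustration.
"""
import csv
import io
from datetime import date, timedelta

STALE_AFTER = timedelta(days=30)  # assumption: idle vendor access is disabled after 30 days

# Constructed: what the vendor's HR/roster feed currently attests to.
VENDOR_ROSTER = """\
vendor,external_id,status
acme-support.io,rlee,active
acme-support.io,tchan,active
acme-support.io,pmoore,terminated
"""

# Constructed: our accounts, mapped to the vendor's identifier at onboarding.
OUR_ACCOUNTS = """\
account,vendor,external_id,enabled,last_login
acme_rlee,acme-support.io,rlee,true,2019-09-01
acme_pmoore,acme-support.io,pmoore,true,2019-07-15
acme_tchan,acme-support.io,tchan,true,2019-06-02
acme_ghost,acme-support.io,ghost,true,2019-08-30
bobcat_old,bobcat-hvac.net,old,false,2018-01-01
"""


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(roster_text, accounts_text, today):
    """Return {account: action} for every enabled vendor account.

    Actions:
      disable:terminated  the roster says the person has left
      disable:unknown     we hold an account the vendor never attested to
      disable:stale       still employed, but idle longer than STALE_AFTER
      keep                employed and recently used

    Raises ValueError if an enabled account belongs to a vendor with no
    roster rows at all: an empty or missing feed must not mass-disable.
    """
    roster = {(r["vendor"], r["external_id"]): r["status"] for r in load_rows(roster_text)}
    vendors_with_feed = {vendor for vendor, _ in roster}
    actions = {}
    for acct in load_rows(accounts_text):
        if acct["enabled"].strip().lower() != "true":
            continue  # already offboarded; nothing to decide
        if acct["vendor"] not in vendors_with_feed:
            raise ValueError(f"no roster feed for {acct['vendor']}; refusing to act")
        status = roster.get((acct["vendor"], acct["external_id"]))
        last_login = date.fromisoformat(acct["last_login"])
        if status is None:
            actions[acct["account"]] = "disable:unknown"
        elif status != "active":
            actions[acct["account"]] = "disable:terminated"
        elif today - last_login > STALE_AFTER:
            actions[acct["account"]] = "disable:stale"
        else:
            actions[acct["account"]] = "keep"
    return actions


def accounts_to_disable(actions):
    """The list an automation step would hand to the directory."""
    return sorted(a for a, action in actions.items() if action.startswith("disable:"))


if __name__ == "__main__":
    for account, action in reconcile(VENDOR_ROSTER, OUR_ACCOUNTS, date(2019, 9, 6)).items():
        print(f"{account}: {action}")
```

Run against the sample feeds on 2019-09-06, acme_rlee is kept, acme_pmoore is disabled because the roster marks the person terminated, acme_tchan is disabled for being idle since June, and acme_ghost is disabled because the vendor never attested to it. The disabled bobcat_old account is skipped, and if the bobcat-hvac.net feed were present but empty for an enabled account, the job would stop rather than guess. The "disable:unknown" category is the one the article's true-up usually misses: it surfaces accounts that were created outside the onboarding workflow.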
Finally, when it is all said and done and the vendor has been discovered, risk assessed, onboarded and possibly offboarded, you may have to provide reporting on this activity to auditors or regulatory bodies. Most compliance regulations require the ability to track vendor activity.
Complying with regulations and handling audit requests can be some of the most time-consuming tasks that IT and security professionals deal with. In some organizations, it takes a whole department just to compile the information for such requests. To lessen this pain, make sure any vendor you consider for privileged remote access provides this capability, with sufficient detail in the reason for access, activity and, ideally, video recording or keystroke logging.
Vendor management in the modern era is challenging and time-consuming. As vendors take on increasingly sophisticated and mission-critical activities, overseeing them has become just as mission-critical. We are adding more vendors at the same time that regulatory requirements are becoming more stringent. The reality is that doing the required management manually is no longer feasible in most organizations. Automating at least some of the processes discussed here will make your vendor management job much easier and your network and systems more secure and compliant.