September 18, 2019//Tony HowlettLast Updated: April 16, 2021
Many organizations need to provide third-party vendors with remote access to their networks. Several methods have been developed to provide vendors with remote access to company networks, but most of them have major drawbacks or limitations that make them less than ideal from a network security perspective.
In Part 1 of this blog post, we’ll look at the risks inherent in using some remote vendor access software tools, and the potential damage that can occur due to these risks. In Part 2, we’ll explore tools for mitigating vendor-caused network risks and shift to the more positive side of the remote access security equation.
Let’s begin by describing two popular approaches to providing vendor remote access to networks, as well as their main drawbacks, focusing on how they make an organization’s network vulnerable to unwanted access or data breaches.
VPNs are a commonly used tool for providing remote access to company networks. However, they are not the safest choice for granting vendors remote access, for a number of reasons.
The biggest concern: security. For example, VPNs can allow access to people who no longer work for a vendor organization. When an employee exits a vendor company, this person should not have access to customer networks anymore. However, if the vendor is not diligent about notifying the customer, the ex-employee may keep their remote access credentials for a period of time and they (or someone who steals their credentials) could remotely log into your server.
Another drawback: VPNs don’t allow the degree of granular control needed to fully monitor and restrict where a vendor can go and what they can do on an organization’s network. The result, all too often, is that VPNs grant vendors too much access to your network. When vendors have more access than needed, the result is increased risk; either making your organization more vulnerable to outside attack by hackers who steal credential or errors and mistakes from legitimate employees on servers they shouldn’t be on.
With these glaring vulnerabilities, it’s not surprising that VPNs have been a prime target for malicious actors, and have been implicated in several major company data breaches.
A third drawback: audit and compliance risks. As policymaking groups have imposed tougher standards on auditing processes, remote access tools such as VPNs may not be capable of providing the degree of audit detail that is now required by many regulatory and compliance regimens. Result: failure to meet today’s higher security standards for vendor network access.
In short, VPNs are not an optimal choice when an organization wants to give secure remote access to its vendors without leaving the organization vulnerable to unwanted access or outside attack.
Desktop sharing tools also have a number of issues that keep them from being the best choice for remote vendor access.
One drawback is authentication risk: anyone who can log into a desktop sharing tool gets the same network access that physical workstation or server has. If it’s a bad actor, either an insider threat or bad actor with stolen credentials, they have carte blanche access to an organization’s network once they get their foot in the door. This means they can broadly scan the network for vulnerable servers or peep into shares and files intended for internal viewing only.
Imagine what a vendor support rep helping the CFO or CEO could see if they went looking around when the user being helped was away from their desk. In addition, desktop sharing tools are not optimal for enterprise environments, since these tools typically do not have the level of built-in security and features needed for complex enterprise remote support such as server or application maintenance.
Similar to VPNs, they often lack the strict security controls (logging and audit) required by enterprises in highly-regulated industries.
Other drawbacks to desktop sharing:
According to best practices in regulated industries, all vendor access sessions should be recorded in order to make them truly secure, and include a complete list of activities of each participant.
Suppose an enterprise or other organization is using one of the above tools for vendor access. What’s the worst that could happen? Answer: a number of potentially damaging scenarios.
Using VPNs or desktop sharing can open up networks to potential intrusion by bad actors. Even organizations that have robust data security systems are susceptible to breaches due to weaknesses in the systems employed by their vendors. Note that even when a data breach is caused by a vendor, the organization using that vendor is still responsible for reporting and ultimately resolving the issues caused by any breach under most compliance frameworks.
In today’s interconnected, outsourcing world, vendors are often managing mission-critical systems for enterprises. And sophisticated hacking groups are no longer interested in just stealing data or defacing a website. They often take entire systems or networks down via ransomware and demand payment for recovery of those systems. Even when a hack doesn’t directly result in an outage, companies will often have to take systems offline to restore them to a pre-hack state or do forensic work. And downtime can cost millions or more to businesses that depend on an online presence, not to mention regulatory fines and customer confidence lost due to an extended outage (see below).
Organizations are found liable for illegal or negligent actions taken by their vendors under many new regulatory protocols such as GDPR, CCPA, and others. These findings can result in significant fines or limitations in operational approvals or even revocation of a government charter. For example, fines issued under HIPAA have ranged into the millions and the new GDPR regulation calls for penalties for as much as 4% of a company’s worldwide revenue. This can cause serious impairment of operating capital and have a significant impact on earnings and stock prices. Even if guilt is not proven in court, an audit or investigation could result in a significant financial cost, not to mention a cost in terms of time spent on resolving the matter. Total costs have run into the hundreds of millions for larger concerns with the average being $3.8 million. This is money that comes straight out of the bottom line for breach enterprises.
Reputation is the lifeblood of brands, but even the most beloved brands can suffer severe reputation hits due to breaches caused by vendor negligence. One study gave evidence for a sobering statistic: organizations experiencing an “extreme reputation event” (a.k.a. bad PR) have an 80% chance of losing 20% or more of their value in any month, during a given five-year period. Target stores will forever be known for being one of the largest third-party breach victims and their brand and sales suffered for years.
Let’s face facts: many organizations really don’t know what their vendors are doing on their network. The primary reason is that the tools they use for remote access don’t include the proper monitoring features. When using certain types of remote access software, you never know who is actually logging onto your network, and what they’re viewing while there. Vendors often get free reign, able to get into virtually everything; the scope of their network access is not limited in any way.
We’ll answer this question in Part 2 of this blog post, where we’ll explore some tools that IT admins have at their disposal to address the risks described above. Using one or more of these tools can form the basis of a solution for assessing, managing, and reducing vendor-caused network risks.
Part 2 has the rest of the story in detail, but those who want to skip ahead to the exciting conclusion can click here to see what the ultimate solution is for managing and monitoring remote vendor access while mitigating the risks.