January 20, 2021 // Ellen Neveux
Last Updated: January 27, 2021
We’re all well aware that most companies use external resources, like vendors, third parties, and contractors, in order to be as efficient as possible. But that efficiency comes with added risks if not handled properly. And the biggest risk associated with vendors accessing your network is the level of access given and how that access is managed. Let’s look into the importance of securing credentials in relation to vendor access.
If you want to reduce vendor risks, start by taking back the keys to your network. Let’s think about this in terms of your internal employees. You don’t even give the same level of access to every single employee (who, remember, your company hired personally!), so why are you allowing a vendor rep (who you didn’t personally hire; you just hired the company that they work for!) more access than they need? Another way to think about this is: vendors can’t compromise credentials they don’t have.
Let’s think about this and relate it to something we’re all familiar with: codes and passwords. Whether it’s the code to your garage, the password to a social media platform, a spare key to your house, or the PIN to your debit card, every time you share that with someone it becomes less effective. Suddenly your neighbor has the key to your house, your spouse knows the PIN to your debit card, and all your vendors know the credentials to get into all the servers on your network. This might seem dramatic, but it’s not; it happens all the time (both in our personal and professional lives). Every time you hand someone the code to your alarm system it becomes less effective.
Too many companies to even name at this point learned this lesson the hard way. Remember way back in 2013 when Target made headlines (during the holiday season) for all the wrong reasons? It seems that we still haven’t learned, since companies like SolarWinds are also making headlines for a similar situation over 7 years later. But 2021 can be the year we all make the change, together.
Here’s the thing: everyone wants to be secure, efficient, and have only good PR happen to them, right? So this conversation shouldn’t revolve around vendors and their customers being on opposite pages, pointing fingers at each other, or anything in between when privileged credentials are at the root of a security issue. Often the conversation focuses only on the company that receives remote support from vendors, as if they’re the ones at fault for “giving out” privileged credentials. But, unsurprisingly, vendors don’t want this liability either.
From an operational perspective, managing credentials for every customer is tedious and can delay support efforts. And if you don’t know already, remote support and collaboration are essential to any enterprise. Vendors need access to your systems for maintenance, upgrades, and monitoring. However, they don’t need unfettered access.
The first issue is that most companies continue to use the wrong tools for the job. Relying on the tools that you use for internal employee access, like VPNs and desktop sharing tools, limits your ability to control and monitor vendor access. Third-party remote access solutions should hide your network credentials and provide single sign-on (SSO) for vendors, so vendors never need to know the credentials they connect with.
Without these capabilities, security is weakened. Vendors could share or store privileged credentials insecurely. Hiding credentials also helps to prevent “leapfrogging”, or the process of a technician launching additional connections from within the initial target host. If the technician is never aware of their password, they are prevented from trying to log into other systems with the same account.
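Alongside credential hiding, a defender can check logs for the leapfrogging pattern described above. The following is an added example, not part of the original article or any product: the record layouts, host names, and account names are constructed assumptions standing in for a remote access gateway's session list and your hosts' authentication logs.

```python
from datetime import datetime

# Constructed sample data: approved vendor sessions and host authentication events.
SESSIONS = [
    {"vendor": "vendor-a", "account": "svc_vendor_a", "target": "app-srv01",
     "start": "2021-01-20T09:00", "end": "2021-01-20T10:00"},
]
AUTH_EVENTS = [
    {"time": "2021-01-20T09:05", "account": "svc_vendor_a", "src": "gateway", "dst": "app-srv01"},
    {"time": "2021-01-20T09:20", "account": "svc_vendor_a", "src": "app-srv01", "dst": "db-srv02"},
    {"time": "2021-01-20T09:25", "account": "svc_vendor_a", "src": "app-srv01", "dst": "app-srv01"},
    {"time": "2021-01-20T11:30", "account": "svc_vendor_a", "src": "app-srv01", "dst": "file-srv03"},
    {"time": "2021-01-20T09:40", "account": "backup_job", "src": "app-srv01", "dst": "backup01"},
]


def find_leapfrog(sessions, events):
    """Flag logons by a vendor account that originate on its approved target
    host and land on a different host (an onward connection)."""
    findings = []
    for ev in events:
        when = datetime.fromisoformat(ev["time"])
        for s in sessions:
            if ev["account"] != s["account"]:
                continue  # not this vendor's account
            onward = ev["src"] == s["target"] and ev["dst"] != s["target"]
            if not onward:
                continue  # the approved hop, or activity local to the target
            start = datetime.fromisoformat(s["start"])
            end = datetime.fromisoformat(s["end"])
            # An onward logon outside the approved window also means the
            # credential is being used without a brokered session.
            label = "during_session" if start <= when <= end else "outside_session"
            findings.append((ev["time"], s["vendor"], ev["src"], ev["dst"], label))
    return findings


if __name__ == "__main__":
    for finding in find_leapfrog(SESSIONS, AUTH_EVENTS):
        print(finding)
```

Any finding means the vendor account authenticated somewhere other than its approved target, which should not be possible if the technician never learns the password.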
Understanding best practices for managing network credentials is a critical element to the health of your company. You spend time, money, and resources to protect your network. Don’t hand out the keys to the backdoor!