July 15, 2020 // Tony Howlett. Last Updated: November 19, 2020
If you’re in the cybersecurity world, you’ve probably come across the acronym PAM, or Privileged Access Management. This technology adds additional controls and processes to coveted privileged credentials in order to prevent them from being compromised while also limiting the damage if they ever are compromised. We’re not breaking headlines when we tell you that hackers need privileged credentials in order to do real damage in networks. By tightening these controls, you are adding an important layer of protection in any defense-in-depth design.
Gartner and other industry analysts agree, ranking PAM implementation as one of their top recommended projects for the coming year. Third-party risk management is also a hot topic, given that 59% of all data breaches involve a third party, and many compliance frameworks require special management of vendor access into regulated networks. This is where a specialty PAM technology, known as Vendor Privileged Access Management, or VPAM, comes into play.
This PAM subset is specially designed to handle privileged access by third parties such as vendors or contractors. These entities must be treated differently since you won’t have the same control over them when compared to an internal employee.
Of course, this is similar to what PAM has to offer, but the key distinction is that VPAM is a vendor management solution that will separate internal employee access from external access from vendors, third parties, and contractors. Below are the aspects to consider in any vendor management implementation.
Like its software “cousin”, VPAM uses sophisticated password management to protect the privileged credentials for your network and systems that vendors need access to, with additional layers of control. A credential vault is typical, where high-end users have to “check out” power logins from a central bank in order to use them. This allows administrators to see what privileged passwords are being used across their whole infrastructure rather than having to check multiple log files. It also allows you to put limitations on your vendors’ use by time, user groups, and other criteria.
Other features might trigger alarms when certain user behaviors are exhibited or thresholds are reached. And password obfuscation is key so that the end-user never actually sees the password. This means that the password is passed directly to the target system and the user is automatically logged in. This protocol keeps a user from saving the credential insecurely (like when someone writes their password on a sticky note) or using it later without going through the vendor access management system.
Privileged Session Management, or PSM as it is sometimes called, helps track the activities that a vendor does on your system. Merely recording login times, usernames, and IP addresses like you might for internal users isn’t enough. For vendors with privileged account access, you will want to record contextual data such as reasons for access, ticket numbers, approvers of access, and other data for each session in order to tie that login to a specific business purpose.
Ideally, best-in-breed solutions will allow for full-HD monitoring that would include videos of GUI sessions and keystroke logs of command-line sessions. This is important to keep for your records, and for auditing reasons.
Finally, vendor privileged access management and application management should be a part of any full-fledged implementation. Some solutions will offer the password and session management pieces but leave out the all-important access management. That gap then has to be filled by a separate, non-vendor-specific access mechanism, and if that mechanism is a weak one such as a VPN, it can leave a hole in your vendor management protections.
Other important features include workflow processes specific to vendors. This would involve onboarding automation like self-service so that the administration of vendor access is not onerous. Quick off-boarding of vendor reps is also important to keep unauthorized techs out of your systems. Multi-factor support including SMS and TOTP may be required to comply with various standards and protect the end-users from credential theft.
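The vault check-out, contextual session record and rapid off-boarding described above can be seen together in one small model. The following is an added example written for this article, not code from the original post or from any VPAM product; the class and method names, the target system `db-prod-01`, the vendor user `acme-tech`, the ticket `INC-1042` and every other value are constructed for illustration. It shows a credential vault that (a) only releases an opaque session handle, never the privileged password, (b) refuses check-out outside a time window, outside the allowed vendor group, without a ticket and reason, or when the requester approves their own access, (c) records every decision in an audit trail that never contains the secret, and (d) terminates live sessions the moment a vendor is off-boarded.

```python
"""Added example: a toy VPAM credential vault (not any vendor's real code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets


@dataclass
class Policy:
    """Per-target rule set: which vendor groups may check out the credential and when."""
    allowed_groups: frozenset
    window_start_hour: int  # UTC hour, inclusive
    window_end_hour: int    # UTC hour, exclusive
    max_minutes: int        # hard cap on one session


@dataclass
class Session:
    """Contextual record kept per vendor session: the business purpose, not just who/when."""
    handle: str
    vendor_user: str
    target: str
    reason: str
    ticket: str
    approver: str
    opened_at: datetime
    expires_at: datetime
    active: bool = True


class VendorVault:
    def __init__(self):
        self._secrets = {}        # target -> privileged credential (never handed to a vendor)
        self._policies = {}       # target -> Policy
        self._vendor_groups = {}  # vendor user -> set of group names
        self._sessions = {}       # session handle -> Session
        self.audit = []           # append-only event log; must never contain a secret

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def store(self, target, credential, policy):
        self._secrets[target] = credential
        self._policies[target] = policy

    def enroll_vendor(self, user, groups):
        self._vendor_groups[user] = set(groups)
        self._log("vendor_enrolled", user=user, groups=sorted(groups))

    def offboard_vendor(self, user):
        """Off-boarding: drop group membership and kill any live sessions immediately."""
        self._vendor_groups.pop(user, None)
        for s in self._sessions.values():
            if s.vendor_user == user and s.active:
                s.active = False
                self._log("session_terminated", handle=s.handle, user=user, cause="offboarded")
        self._log("vendor_offboarded", user=user)

    def checkout(self, user, target, reason, ticket, approver, now):
        """Return an opaque session handle, or None when policy denies the request."""
        policy = self._policies.get(target)
        groups = self._vendor_groups.get(user)
        deny = None
        if policy is None or groups is None:
            deny = "unknown target or vendor"
        elif not (groups & policy.allowed_groups):
            deny = "vendor not in an allowed group"
        elif not (policy.window_start_hour <= now.hour < policy.window_end_hour):
            deny = "outside access window"
        elif not ticket or not reason:
            deny = "ticket and reason required"
        elif approver == user:
            deny = "requester cannot approve own access"
        if deny:
            self._log("checkout_denied", user=user, target=target, ticket=ticket, cause=deny)
            return None
        handle = secrets.token_urlsafe(16)
        expires = now + timedelta(minutes=policy.max_minutes)
        self._sessions[handle] = Session(handle, user, target, reason, ticket, approver, now, expires)
        self._log("checkout_granted", user=user, target=target, ticket=ticket,
                  approver=approver, handle=handle)
        return handle

    def inject(self, handle, now):
        """Called by the connection broker: True if it may log the vendor in right now.
        The credential is consumed here and passed to the target; the vendor never sees it."""
        s = self._sessions.get(handle)
        if s is None or not s.active:
            return False
        if now >= s.expires_at:
            s.active = False
            self._log("session_expired", handle=handle, user=s.vendor_user)
            return False
        _credential = self._secrets[s.target]  # would be supplied to the target system here
        self._log("credential_injected", handle=handle, user=s.vendor_user, target=s.target)
        return True

    def checkin(self, handle):
        s = self._sessions.get(handle)
        if s and s.active:
            s.active = False
            self._log("session_closed", handle=handle, user=s.vendor_user)


def at_utc(year, month, day, hour, minute=0):
    """Helper so callers can build timestamps without importing datetime themselves."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def minutes_later(when, minutes):
    return when + timedelta(minutes=minutes)
```

In a real deployment the `inject` step is where the gateway or jump host opens the RDP/SSH session on the vendor's behalf; the point the model makes is that nothing a vendor receives (the handle) is reusable once the session is closed, expired or the vendor is off-boarded, and that the audit trail carries the ticket and approver for every grant and every denial.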
We have talked about the triad of features that makes up a good vendor management (or VPAM) system: privileged password management, session management, and access management.
If you’re using a VPN, a vendor-supplied support tool, or a PAM solution to manage your vendors’ network access, the limitations of those tools leave you vulnerable to breaches. To learn more, download our infographic that highlights the top six reasons why you should prioritize implementing a tailored software platform to manage vendors’ privileged access to systems, networks, and applications.