March 24, 2020 // Joel
Last Updated: July 29, 2022
The success of business projects, and of the technology solutions that implement them, is almost always graded on how much return on investment (ROI) they deliver back to the business for the investment required. Information security projects have always been notoriously difficult to propose in these terms. Many managers and executive-level managers see InfoSec projects in black and white terms, as a binary outcome of either hacked or not hacked. The project or implementation ends up being seen as an insurance program of sorts that delivers very little day-to-day operational benefit.
Speaking of security solutions in pure dollar ROI can be difficult when trying to promote InfoSec initiatives. Fortunately, one hot topic these days, third-party risk management and vendor management solutions, can deliver tangible ROI benefits as well as security improvements, especially when it comes to the area of remote access. Finding a solution that implements your security goals for managing third-party vendors’ access, but is also more efficient than your current solution or lack thereof, can be a route to showing real ROI from your project and even paying for itself over the long run.
If you’re looking to improve your vendor remote access security while reducing third-party risk AND reducing costs, look for systems with one or more of these features.
This is because most companies implement a third-party access solution both insecurely AND inefficiently, all while costing IT workers productivity and creating security vulnerabilities. However, there are several areas where efficiencies can be wrung out of these processes at the various stages by choosing the right vendor management solution.
A vendor management platform should be a specific, purpose-built platform made only to manage vendor access to networks and applications. You wouldn’t want to use a knife as a spoon, would you? So, you should use the right tool for the right job.
One of the most prominent vendor management tools is called vendor privileged access management, or VPAM. This technology does one thing only: it helps enterprise organizations identify, audit, and control all of their third-party vendors on a single platform. It helps ensure industry compliance while making sure that the platform itself is easy to use. If someone has privileged access to your network, they should be easily identifiable. Vendor privileged access management does that. Gone are the days when a whole vendor company would be given a username and password. Today, each and every vendor rep has their own username and password.
If your company has vendors, contractors, or business associates who need to access your network, servers, or applications from an external location, you should be developing a vendor management program. No matter how many have access to your network, it only takes one vendor to abuse it. Especially for companies with hundreds of contractors who each employ their own teams, hundreds or even thousands of unknown people could be accessing your network at any given time.
First of all, having a secure and efficient onboarding process for providing vendors with remote access can save a lot of staff time and minimize the human error that can lead to misconfigurations and security vulnerabilities. When giving remote access to third parties, companies often rely on manual forms and other methods of verification that can be very time-consuming. Third-party vendor management software allows vendors to self-register, and automating the verification of these registrations with emails to the application owners can take IT out of the loop and still assure validation of the login.
We all know that VPNs are often used to give third parties remote access. This is both insecure, as VPNs are huge vectors for attacks with the broad network access they provide, and inefficient, as it requires another step to provide access to the individual hosts. A vendor management system that eliminates the VPN and provides an encrypted tunnel to only the servers and ports required in one step can eliminate a lot of extra work and chance for error. If you have a lot of vendors being onboarded, these savings can add up quickly.
The inefficiencies and insecurities of an unmanaged onboarding process for vendors will also manifest similar issues when trying to offboard vendor reps after they either quit or are terminated by your vendor. Syncing with vendors on who has left their workforce and therefore needs to be removed from your system and network is a manual and cumbersome process. And depending on how often you do it, there can be a long window of vulnerability where former vendor employees still have access to your systems.
Implementing a modern vendor management system allows you to federate credentials from your vendor’s directory. This allows for automated syncing of user bases as the users will be removed from access as soon as the credential is revoked by the vendor, which is usually immediately upon termination. This combines cost savings in the time and effort to manually remove vendor reps from your own directory services with a near real-time removal of former third-party employees. Security plus operational savings can be achieved this way.
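The offboarding gap described above can be measured before any platform is in place. The following is an added example, not code from the original article or from any product: a reconciliation check that compares your local vendor access grants against a roster exported by the vendor and reports accounts still enabled after the rep left, with the length of the exposure window. The record layouts, field names and sample data are constructed assumptions.

```python
from datetime import date

# Constructed sample data: roster export from the vendor's directory.
# "terminated" is None while the rep is still employed.
VENDOR_ROSTER = {
    "alice@vendor.example": {"terminated": None},
    "bob@vendor.example": {"terminated": date(2022, 6, 1)},
    "carol@vendor.example": {"terminated": date(2022, 7, 20)},
}

# Constructed sample data: access grants held in your own directory.
LOCAL_GRANTS = [
    {"user": "alice@vendor.example", "enabled": True, "last_login": date(2022, 7, 28)},
    {"user": "bob@vendor.example", "enabled": True, "last_login": date(2022, 6, 15)},
    {"user": "carol@vendor.example", "enabled": False, "last_login": date(2022, 7, 19)},
    {"user": "dave@vendor.example", "enabled": True, "last_login": None},
]


def find_stale_grants(roster, grants, today):
    """Return findings for enabled grants the vendor roster no longer supports."""
    findings = []
    for g in grants:
        if not g["enabled"]:
            continue  # already offboarded locally
        entry = roster.get(g["user"])
        if entry is None:
            # Account the vendor does not know about: shared or orphaned login.
            findings.append({"user": g["user"], "reason": "not_in_roster",
                             "exposure_days": None, "used_after_termination": False})
            continue
        term = entry["terminated"]
        if term is None or term > today:
            continue  # still employed
        used = g["last_login"] is not None and g["last_login"] > term
        findings.append({"user": g["user"], "reason": "terminated",
                         "exposure_days": (today - term).days,
                         "used_after_termination": used})
    # Review order: logins after termination first, then longest exposure.
    findings.sort(key=lambda f: (not f["used_after_termination"],
                                 -(f["exposure_days"] or 0)))
    return findings


if __name__ == "__main__":
    for finding in find_stale_grants(VENDOR_ROSTER, LOCAL_GRANTS, date(2022, 7, 29)):
        print(finding)
```

With federated credentials the `terminated` case should never appear, so a non-empty result is also a useful check that federation is actually covering every vendor.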
On the compliance side, enterprises in regulated spaces such as healthcare, finance, and gaming often have to provide detailed audit logs of all remote access by third parties. Compiling these reports for auditors can be very time-consuming. A study showed that the average organization spends over 17,000 hours annually compiling reports and investigating incidents. A vendor management solution that aggregates these access logs can make these tasks much easier. By providing a Single Source of Truth (SSOT) for vendor access information, you can easily report on all vendor access, as well as catch any security issues sooner than you could by sorting through multiple log files from different sources.
The cost of not implementing a vendor management platform can be measured in more than just dollar amounts. For example, the average company spends 17,000 hours annually – amounting to over nine full-time employees – compiling compliance reports and investigating security anomalies. That’s a lot of hours, which equals a lot of payroll expenses. Other costs include:
If you’re looking to improve your vendor remote access security while reducing third-party vendor risk AND reducing costs, look for systems with one or more of these features. Then you’ll be able to show both operational efficiencies and increased security in your project ROI analysis. And that is a rare combination in InfoSec these days.
An emerging technology, Vendor Privileged Access Management (VPAM) can provide all these benefits in a single solution. Armed with new data and knowledge on ROI, approving your vendor management project should be as simple as ABC.