March 24, 2020 // Tony Howlett // Last Updated: April 30, 2021
The success of business projects, and of the technology solutions that implement them, is almost always graded on how much return on investment (ROI) they deliver back to the business for the investment required. Information security projects have always been notoriously difficult to propose in these terms. Many managers and executives see InfoSec projects in black-and-white terms, as a binary outcome of either hacked or not hacked. The project or implementation ends up being seen as an insurance program of sorts that delivers very little day-to-day operational benefit.
Speaking of security solutions in pure dollar ROI can be difficult when trying to promote InfoSec initiatives. Fortunately, one hot topic these days, third-party risk management and vendor management solutions, can deliver tangible ROI benefits as well as security improvements, especially when it comes to remote access. Finding a solution that implements your security goals for managing third-party vendors' access, but is also more efficient than your current solution (or lack thereof), can be a route to showing real ROI from your project, and it may even pay for itself over the long run.
This is because most companies implement third-party access both insecurely AND inefficiently, costing IT workers productivity and creating security vulnerabilities along the way. However, there are several areas where efficiencies can be wrung out of these processes at the various stages by choosing the right vendor management solution.
First of all, a secure and efficient onboarding process for providing vendors with remote access can save a lot of staff time and minimize the human error that leads to misconfigurations and security vulnerabilities. When giving remote access to third parties, companies often rely on manual forms and other methods of verification that can be very time-consuming. A vendor management system allows vendors to self-register, and automating the verification of these registrations with emails to the application owners can take IT out of the loop while still assuring validation of the login.
We all know that VPNs are often used to give third parties remote access. This is insecure, because VPNs are huge vectors for attacks given the broad network access they provide, and inefficient, because it requires another step to provide access to the individual hosts. A vendor management system that eliminates the VPN and provides, in one step, an encrypted tunnel to only the servers and ports required can eliminate a lot of extra work and chance for error. If you have a lot of vendors being onboarded, these savings can add up quickly.
The inefficiencies and insecurities of an unmanaged onboarding process show up again when you need to offboard vendor reps after they quit or are terminated by your vendor. Syncing with vendors on who has left their workforce, and therefore needs to be removed from your system and network, is a manual and cumbersome process. Depending on how often you do it, there can be a long window of vulnerability in which former vendor employees still have access to your systems.
Implementing a modern vendor management system allows you to federate credentials from your vendor’s directory. This allows for automated syncing of user bases as the users will be removed from access as soon as their credential is revoked by the vendor, which is usually immediately upon termination. This combines cost savings in the time and effort to manually remove vendor reps from your own directory services with a near real-time removal of former third-party employees. Security plus operational savings can be achieved this way.
On the compliance side, enterprises in regulated spaces such as healthcare, finance, and gaming often have to provide detailed audit logs of all remote access by third parties. Compiling these reports for auditors can be very time-consuming. A study showed that the average organization spends over 17,000 hours annually compiling reports and investigating incidents. A vendor management solution that aggregates these access logs can make these tasks much easier. By providing a Single Source of Truth (SSOT) for vendor access information, you can easily report on all vendor access as well as catch any security issues sooner than you could by sorting through multiple log files from different sources.
If you’re looking to improve your vendor remote access security while reducing third-party risk AND reducing costs, look for systems with one or more of these features. Then you’ll be able to show both operational efficiencies and increased security in your project ROI analysis. And that is a rare combination in InfoSec these days.
An emerging technology, Vendor Privileged Access Management (VPAM), can provide all these benefits in a single solution. Armed with new data and knowledge on ROI, approving your vendor management project should be as simple as ABC.