November 02, 2020 // Tony Howlett // Last Updated: January 25, 2021
We’re not going to be dropping new information when we say that security is important when allowing network access to external parties like vendors and contractors. Along the same lines, breaches coming from third-party access are increasing as vendors often offer an easier way into your network than a full-frontal assault on your defenses. On top of what’s “regular” and “normal”, the COVID-19 pandemic has added another layer with threat actors upping the ante with increased attacks on critical infrastructure such as healthcare, government, power facilities, and education at all levels.
This comes at the same time as an increased need for remote access by both employees and outside vendors due to safety and work-from-home mandates. Security is no longer the only thing at the forefront of this situation: the efficiency of your vendor access platform is just as important. If external parties can’t access your network quickly during an outage or issue, critical services could be down when they are most needed. This is especially true in the healthcare industry, which depends heavily on technology vendors to provide services to patients. Technology such as MRI machines, drug dispensing cabinets, and Electronic Healthcare Records (EHR) systems must be up and accessible by service technicians who will likely be off-site.
Let’s explore how to balance these two vital needs and get the best of both worlds: giving your vendors access securely AND efficiently.
This is the set of processes by which a vendor or third party gains access to your systems to provide support. You want to get this just right: too much red tape or too many complicated procedures means trouble for your end-users, and too little security means trouble for you in the form of a third-party breach. The key to success is automation. You want to make sure you have a process that verifies their identity AND employment. The coronavirus pandemic has also highlighted that you often can’t do that in person with government-issued IDs and other documentation.
So, you will want a process that is as self-service as possible. The internal application owner can approve the vendor, the vendors can enter their reps needing access, and then they can be approved by the appropriate person at the company. Ideally, this can all be accomplished electronically and documented in a system that keeps records of each step in the process with multiple checks to verify. Eliminating paperwork and manual processes will get your vendors online and assisting your users in record time while making sure they are properly vetted.
Having good IAM processes is important for your employees, and it’s doubly important for your vendors and third parties that are accessing your systems remotely. You don’t have many of the protections we count on when granting access to insiders, like internal vetting processes, internal endpoint and IDS protection, and more. Therefore, these users’ identities need to be positively verified and authorized for the proper resources with more rigor. In other words, we need to make sure they are the right person, still employed at the vendor company, and then give them very granular least privileges.
Another big increase in security and protection, specifically from threats like ransomware, can be achieved by implementing multi-factor authentication (MFA) for third-party remote access. However, this is often a heavy lift, even for internal users. To avoid this, strive to use app- or SMS-based MFA so that specialized hardware isn’t required. Also, use standards like Time-Based One-Time Password (TOTP) so that vendors that use different solutions can be supported more easily. And a caveat to using SMS-based MFA: some companies won’t accept that method as full MFA, so you may have to resort to an app- or token-based system.
You will also want to be very careful about the level of access you grant to outside users. Don’t use general remote access technology like VPNs, since that gives them network access where a bad actor could roam around and use scanners or sniffers. Ideally, provide proxied connections to only those servers and specific protocols they need to do their work. Also, consider using Privileged Access Management (PAM) or Vendor Privileged Access Management (VPAM) technology for administrator credentials to provide additional protection for those valuable logins. These are the most sought-after credentials because of their ability to gain deeper access and control over hacked systems.
Again, automation is your friend here. You want a system that processes third-party user offboarding as near to real time as possible. Quarterly or even monthly synchronization with user databases is too long a time to allow a fired employee to retain access to your network. Federating the user authentication process down to the vendor, so that it happens via their IAM process, is one way to achieve this, as the former employee will lose access to your system at the same time they are terminated from their employer’s systems. However you do it, make sure your processes sync up often (daily or weekly) so that you get invalid logins out of your system as soon as possible.
Having an integrated system that includes all these features will give you the holy grail of vendor security AND efficiency and keep your security people and your application owners happy. To learn more about the importance of a well-rounded cybersecurity strategy that includes onboarding, offboarding, and IAM processes, download our new eBook that highlights the importance of a vendor access management platform.