Current methods fail to properly secure third party remote access by identifying each individual, controlling their access, and auditing their activity.
With SecureLink, you have a single platform for all third party access, with individual credentials, control over access, and audit of all activity.
In today’s business environment, remote access to systems, data, and servers is a common and necessary occurrence. This remote access can be for employees, who are working from home or distributed remotely, and it can also be for third parties, such as contractors, technology vendors, business partners, and consultants.
While remote access can be provided in a variety of ways, the most common method is via VPNs or virtual private networks. This method works particularly well for employees, known and trusted, who need access to the corporate network to perform their job.
However, while that may be somewhat efficient, the security of this method, and many others, starts to weaken when it comes to third parties. They often fail to provide secure authentication, full control, complete visibility. To fully secure the remote access of third parties, additional measures are needed. Specifically, a secure remote access method should:
If you’re realising you don’t have all of those 4 key elements in place, but are wondering if it’s worth the effort and investment to make those changes, consider the potential costs of failing to do so. From reputational damage to regulatory fines to loss of customer trust, future business, and intellectual property – the costs can be widespread and high. In fact, the average cost of a data breach is $3.92M. If that weren’t enough, a data breach originating from a third party is both more likely and costly: 63% of data breaches come from a third party, and a data breach that originated via a third party costs an organization an additional $370,000. In short, you can’t afford not to secure the remote access of your third parties.
|Identify||Often individual identification is a key element to meet regulatory requirements and general security best practices. You need to know who is in your network, and ensure that the person with access is who they say they are, and that they should even have access (unlike, a bad actor or external hacker). At minimum, this should include:
- Individually identified accounts
- Multi-factor authentication
- Current employment verification
|Support||The traffic and access of your third parties should be secure and encrypted (typically 128 or 256 AES).
Your method of remote access should support the tools and protocols that your third parties need! RDP, SSH and VNC are a great start, though organizations may have technology vendors who need to provide complex support. Ideally your method will support any TCP or UDP based protocol, as well as supporting the use of vendors own native tools.
|Control||Even if you know the individual who is in your network, if you can’t control and enforce their access, you’re using an insecure method. You need to be able to control what they’re accessing and when they have access. This ensures they can’t access information they shouldn’t, like PHI, PII, or proprietary IP, and is a necessary component in meeting many regulatory requirements. Look for:
- Source IP control
- Assess schedules, connection notifications, and approval before access workflows
- Host- and port-level control over access, by individual and third party
- Time-based access and automatic account de-provisioning
|Audit||The final element in secure remote access for third parties is visibility into exactly what they are doing in your network. Ideally, you can review audit logs that give you immediate visibility, in the event that something should break due to a third party, or you have to demonstrate compliance with regulatory requirements. Your method should provide:
- Basic logs of all access
- Video of graphical protocols
- Keystroke logs
- Exportable and accessible reports