
Five Tips for Reducing 'Trusted' Third-Party Risk


Between two-thirds and three-quarters of data breaches can be traced back to third-party network users, according to industry studies and forensic examinations of high-profile breaches.


Whether it's Target, Epic Systems, or your own favorite example of a third-party breach, every one of the victims suffered damage: data loss, legal fees, and a loss of trust and reputation.

Opening systems and networks to third parties provides real benefit. It enables the execution of transactions critical to commerce, speeds information sharing among business partners, and makes it possible to outsource less strategic business activities. But it also increases risk.

Such third-party access, typically wide-ranging and haphazardly managed, offers attackers an easily exploited avenue of attack. Between two-thirds and three-quarters of data breaches, including some of the most devastating incidents of the last few years, can be traced back to third-party network users, according to industry studies and forensic examinations of high-profile breaches.

Controlling the Uncontrollable

It's impractical to eliminate third-party access, yet you can never have complete insight into, or control over, a third party's security systems and practices.

But you can improve your security and reduce the risk posed by third-party collaboration. Here are five considerations for mitigating third-party risk.

Implement Supporting Processes and Controls

Begin by examining the processes associated with providing third parties access to your networks:

  • When you provide a third party with access to your network, theirs becomes a de facto extension of your own. Ask about (and, if necessary, audit) those networks to ensure their security posture and controls are adequate.
  • Understand the processes your organization follows when granting others access. Who is notified, and when? How are users provisioned? More importantly, how are they de-provisioned when access is no longer required? Who is responsible for managing the relationship and addressing issues?
  • To get complete visibility, at a point early enough in the process to measure and manage risk, security needs to be involved in the procurement and contracting processes, not informed after the fact.

Strong Authentication of Third-party Users

Examination of high-profile breaches involving third parties shows that virtually all can be traced to stolen or compromised credentials. Unfortunately, phishing attacks and keylogging malware are highly effective at harvesting them. For that reason, it's extremely important to implement multi-factor authentication for external users (as well as for internal privileged users). Such technology has become increasingly simple to implement and administer, as well as more cost-effective, and it goes a long way toward preventing the use of stolen credentials.

Separate Authentication From Access Control

Many networks are poorly segmented and provide unfettered access to network resources once a user has logged in. Privileged access management systems can provide secure single sign-on access to only those systems and resources authorized by policy. That means third-party users see only those systems needed to perform their responsibilities.

Prevent Unauthorized Commands and Avoid Mistakes

It's frequently the case that privileged users of all kinds are over-privileged. It might be convenient to let someone use a powerful administrative account like root, but it's rarely a good idea. Instead, provide brokered or proxied access through accounts with only the level of rights needed to carry out the assigned job. Privileged access management systems can add a further layer of security by proactively enforcing policy limits: blocking individual commands that exceed a user's authority, or terminating the session outright.

Monitor and Investigate

Privileged access management systems can also offer the benefit of enhanced visibility into third-party activity. That might range from comprehensive logs to full-screen video recordings. Sessions marked with policy violations or other issues are obvious candidates for review. But also consider random spot checks of sessions to look for activity that’s inappropriate or risky, but doesn’t quite rise to the level of a policy violation.
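The three preceding sections (policy-based access after authentication, a brokered command filter, and session review) can be shown together in one small model. The code below is an added example written for this page, not code from the original article or from any PAM product; the vendor account name, target hosts, command patterns, contract date and session records are all constructed for illustration. It makes the authorization decision separately from authentication and denies by default, ties the account's validity to the contract end date so that de-provisioning is automatic, filters commands with anchored patterns so an allowed prefix cannot smuggle a second command, and builds a review queue that always contains policy violations plus a random spot check of clean sessions.

```python
import random
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass
class AccessPolicy:
    vendor: str
    allowed_hosts: frozenset        # the only systems this account may reach
    allowed_commands: List[str]     # anchored regexes; anything else is denied
    expires: date                   # contract end: access dies with it


# Hypothetical policy for one third-party maintenance account (constructed data).
POLICIES: Dict[str, AccessPolicy] = {
    "hvac-vendor-01": AccessPolicy(
        vendor="Example HVAC Co.",
        allowed_hosts=frozenset({"bms-controller-1", "bms-controller-2"}),
        allowed_commands=[
            r"systemctl status bms\.service",
            r"tail -n \d{1,4} /var/log/bms/[\w.-]+\.log",
        ],
        expires=date(2016, 12, 31),
    ),
}


def authorize_session(user: str, host: str, today: date) -> bool:
    """Authorization, decided after (and independently of) authentication.
    Deny by default: unknown user, unknown host or an expired contract all fail."""
    policy = POLICIES.get(user)
    if policy is None or today > policy.expires:
        return False
    return host in policy.allowed_hosts


def check_command(user: str, command: str) -> bool:
    """Broker-side command filter. re.fullmatch anchors the whole line, so
    'tail -n 50 /var/log/bms/app.log; rm -rf /' cannot ride on an allowed prefix."""
    policy = POLICIES.get(user)
    if policy is None:
        return False
    return any(re.fullmatch(p, command.strip()) for p in policy.allowed_commands)


@dataclass
class SessionRecord:
    session_id: str
    user: str
    host: str
    commands: List[str]
    violations: List[str] = field(default_factory=list)


def review_queue(sessions: List[SessionRecord], spot_check: int,
                 seed: Optional[int] = None) -> List[str]:
    """Sessions with violations always go to review; a random sample of clean
    sessions is added so 'allowed but odd' activity gets human eyes too."""
    for s in sessions:
        s.violations = [c for c in s.commands if not check_command(s.user, c)]
    flagged = [s.session_id for s in sessions if s.violations]
    clean = [s.session_id for s in sessions if not s.violations]
    rng = random.Random(seed)
    sample = rng.sample(clean, min(spot_check, len(clean)))
    return flagged + sorted(sample)


if __name__ == "__main__":
    # Constructed session records, as a PAM gateway might log them.
    sessions = [
        SessionRecord("s1", "hvac-vendor-01", "bms-controller-1",
                      ["systemctl status bms.service"]),
        SessionRecord("s2", "hvac-vendor-01", "bms-controller-2",
                      ["tail -n 50 /var/log/bms/app.log; rm -rf /", "sudo su -"]),
        SessionRecord("s3", "hvac-vendor-01", "bms-controller-1",
                      ["tail -n 200 /var/log/bms/app.log"]),
    ]
    print("may reach POS database:",
          authorize_session("hvac-vendor-01", "pos-db-1", date(2016, 5, 1)))
    print("review queue:", review_queue(sessions, spot_check=1, seed=0))
    for s in sessions:
        if s.violations:
            print(s.session_id, "violations:", s.violations)
```

Two details carry most of the security value. First, `authorize_session` never consults the credential that got the user in; a successful login proves identity, not entitlement, and a flat network that skips this step gives a vendor the same reach as an administrator. Second, `re.fullmatch` rather than `re.match` or substring tests: a prefix-only check would accept anything appended after an allowed command.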

Following these tips will give you additional peace of mind when establishing the third-party access that is increasingly expected and depended on in today’s application economy.

To learn more, register and attend our May 25 webcast, Closing Network Backdoors: Best Practices to Control Third-Party Risks.


Topics:
security, integration, third party

Published at DZone with permission of Dale Gardner, DZone MVB. See the original article here.
