Opening systems and networks to third-parties provides benefit. It enables the execution of transactions critical to commerce, speeds information sharing among business partners, and provides the ability to outsource less strategic business activities. But it also increases risk.
Such third-party access, typically wide-ranging and haphazardly managed, offers hackers an easily exploited avenue for attacks. Around two-thirds and three-quarters of data breaches — including some of the most devastating incidents of the last few years — can be traced back to third-party network users, according to studies and forensics examinations of high-profile breaches.
Controlling the Uncontrollable
It’s impractical to eliminate third-party access, yet you can’t have 100% insight and control into a third-party’s security systems or practices.
But you can improve your security and reduce the risk posed by third-party collaboration. Here are five considerations for mitigating third-party risk.
Implement Supporting Processes and Controls
Begin by examining the processes associated with providing third-parties access to your networks:
- When you provide a third party with access to your network, their’s becomes a de facto extension of your own. Ask — and if necessary audit — those networks to ensure their security posture and controls are adequate.
- Understand the processes your organization follows when granting others access. Who is notified, and when? How are users provisioned? More importantly, how are they de-provisioned when access is no longer required? Who is responsible for managing relationships and addressing issues?
- To get complete visibility — at a point early enough in the process to help measure and manage risk — it’s necessary to get inserted into procurement and contracting processes.
Strong Authentication of Third-party Users
Examination of high-profile breaches involving third parties shows that virtually all can be traced to stolen or compromised credentials. Unfortunately, phishing attacks and key logging malware are highly effective. For that reason, it’s extremely important to implement multi-factor authentication for external users (as well as internal privileged users). Such technology has become increasingly simple to implement and administer, as well as more cost-effective. And it goes a long way in preventing use of stolen credentials.
Separate Authentication From Access Control
Many networks are poorly segmented and provide unfettered access to network resources once a user has logged in. Privileged access management systems can provide secure single sign-on access to only those systems and resources authorized by policy. That means third-party users see only those systems needed to perform their responsibilities.
Prevent Unauthorized Commands and Avoid Mistakes
It’s frequently the case that privileged users of all kinds are over-privileged. It might be convenient to allow someone to use a powerful administrative account like root, but it’s rarely a good idea. Instead, provide brokered or proxied access using accounts with only the level of rights needed to carry out the assigned job. Privileged access management systems can add an extra level of security by proactively enforcing policy limits that control users trying to exceed their authority — or shut them down completely.
Monitor and Investigate
Privileged access management systems can also offer the benefit of enhanced visibility into third-party activity. That might range from comprehensive logs to full-screen video recordings. Sessions marked with policy violations or other issues are obvious candidates for review. But also consider random spot checks of sessions to look for activity that’s inappropriate or risky, but doesn’t quite rise to the level of a policy violation.
Following these tips will give you additional peace of mind when establishing the third-party access that is increasingly expected and depended on in today’s application economy.
To learn more, register and attend our May 25 webcast, Closing Network Backdoors: Best Practices to Control Third-Party Risks.