Controlling the Risks of Third-Party Access

Can you account for every user who’s currently connected to your corporate network? If you are like most organizations, you can account for most, if not all, internal traffic and have VPN access secured with multi-factor authentication. And although you might feel reasonably comfortable you have a pretty secure wall around your network, can you be sure there are no cracks?

The Risk from Outside

Contractors, HVAC companies, building maintenance, managed service providers for routers, and firewalls— the list of third parties that may have access to your network at any given time is endless. Many of these vendors/workers connect to these systems remotely to go about their daily business in supporting your organization. The problem is that many of the systems they interact with are also connected to your corporate network. It has been shown by numerous high-profile breaches that vendor networks can be leveraged to gain access into customer environments.

Typical Attack Vectors

Hackers can steal credentials to gain access to vendor-controlled systems, and then exploit vulnerabilities and/or poorly managed privileges to move throughout the organization, sometimes machine by machine. You are only as secure as your weakest link – the security of your environment may rest on the security practices, and controls of a third party.

The Challenge of Security

The big issue with adhering to policy, and maintaining security across two companies is that often the credentials used by the remote vendor are not under the direct control of the customer. Two different networks with two different user directories, and perhaps two different security policies make the job of security compliance a challenge. Even if you had a way to ensure security best practices were being followed, you still have no visibility into what activity is being performed on equipment that is connected to your network.

Controlled Network Separation and Activity Monitoring

Let’s break down the problems:

• Vendor Credentials – We need a method of making sure that a) passwords are regularly rotated, and b) they have not been compromised. Certainly a privileged password management system would assist here.
• Network Access – There needs to be controlled inbound access. A VPN, gateway proxy, or preferably both. If we can limit access according to incoming network address, that’s gravy.
• Monitoring – What are users doing when they are connected. There needs to be a tool to be alerted when sessions start, and then ‘look over their shoulder’.
• Control – So what happens if you see something happening that shouldn’t? A mechanism to sever the connection is crucial
• Forensics – A breach happened, and you suspect the attack came from outside. The ability to search and replay user activity quickly is crucial to identifying what happened, where, and by whom.

What’s the Solution?

BeyondTrust’s PowerBroker Password Safe provides a secure connection gateway, with the ability to proxy access to RDP, SSH and Windows applications. Passwords can be regularly changed using strong and complex policies to ensure that any credential breach, whether directly by the user or indirectly via malware, has a limited window of exploitation. Several capabilities in the product help to mitigate the risks of third-party access:

• Advanced workflow control can restrict access to resources based on the date, time, day, and the user’s location. This control mechanism also provides a means to alert you when access policies are invoked, as well as route workflow to different groups according to runtime parameters.
• Password Safe’s Application Proxy can automatically log users onto resources using managed credentials with zero exposure. Passwords may be securely passed to any Windows, Unix, or Linux application.
• All user activity may be recorded for later playback, and real-time monitoring capabilities allow sessions to be monitored with an option to remotely terminate or pause (lock) active sessions.

Closing the gaps in your security process isn’t an easy task. If you would like to explore other use cases and solutions for privileged password management, download “A Technical Solutions Guide for Privileged Password and Session Management Use Cases”.

Martin Cannard

Martin has been helping organizations solve challenges in the privileged account management and identity and access management space for over 24 years. At Dell Software, Martin managed a team of Solution Architects, focused on designing and implementing solutions in the Privileged Account Management (PAM) space. Prior to joining Dell, Martin was Sr. Product Manager for Novell Privileged User Manager, a privilege management application acquired from Fortefi, an organization where he served as Vice President, Corporate Development. Prior to this, he was Program Manager of Client Technologies at Symantec where he was responsible for many ground-breaking field and channel enablement applications. Additionally, Martin managed the European QA group at Axent Technologies and has held various management positions in consulting, systems development, and operations. Martin is a regular speaker for security events, and webinars.