Can you account for every user who’s currently connected to your corporate network? If you are like most organizations, you can account for most, if not all, internal traffic and have VPN access secured with multi-factor authentication. And although you might feel reasonably comfortable you have a pretty secure wall around your network, can you be sure there are no cracks?

The Risk from Outside

Contractors, HVAC companies, building maintenance, managed service providers for routers and firewalls: the list of third parties that may have access to your network at any given time is endless. Many of these vendors and workers connect to these systems remotely as part of their daily work supporting your organization. The problem is that many of the systems they interact with are also connected to your corporate network. Numerous high-profile breaches have shown that vendor networks can be leveraged to gain access to customer environments.

Typical Attack Vectors

Hackers can steal credentials to gain access to vendor-controlled systems, and then exploit vulnerabilities and/or poorly managed privileges to move throughout the organization, sometimes machine by machine. You are only as secure as your weakest link: the security of your environment may rest on the security practices and controls of a third party.

The Challenge of Security

The big issue with adhering to policy and maintaining security across two companies is that the credentials used by the remote vendor are often not under the direct control of the customer. Two different networks, with two different user directories and perhaps two different security policies, make security compliance a challenge. Even if you had a way to ensure security best practices were being followed, you would still have no visibility into what activity is being performed on equipment that is connected to your network.

Controlled Network Separation and Activity Monitoring

Let’s break down the problems:

What’s the Solution?

BeyondTrust’s PowerBroker Password Safe provides a secure connection gateway, with the ability to proxy access to RDP, SSH and Windows applications. Passwords can be regularly changed using strong and complex policies to ensure that any credential breach, whether directly by the user or indirectly via malware, has a limited window of exploitation. Several capabilities in the product help to mitigate the risks of third-party access:

Closing the gaps in your security process isn’t an easy task. If you would like to explore other use cases and solutions for privileged password management, download “A Technical Solutions Guide for Privileged Password and Session Management Use Cases”.