Securely Enabling Third-Party Connections to your IT Environment & Assets
Can you account for every user who’s currently connected to your corporate network? If you are like most organizations, you can account for most, if not all, of your internal traffic. But what about your vendors? Do you know when they are connecting to your organization and what they are doing with that access?
Likewise, you know, to a large degree, the health and hardening status of corporate-owned endpoints that connect to your network, but what about your vendors’ endpoints? Are they patched? Are they adhering to password management security best practices when connecting to your systems?
Your organization’s vendor access rationale needs to be based on more than just blind faith. You must not only understand what technology and tools vendors are using to access your network, but you also need to monitor and know when they are accessing your systems and all activities they are performing.
You are only as secure as your weakest link. Increasingly, the security of your environment relies on the security practices and controls of a vendor.
This blog will cover some key vendor access risks before explaining some best practices, which also align with zero trust principles, for empowering your third-party partners to perform their roles, while ensuring they and your organization are robustly protected.
Understand & Assess Vendor Access Risk
Contractors, HVAC companies, building maintenance, consultants, suppliers, contingent staff, IT services providers—the list of third parties that may have access to your network at any given time is lengthy. In fact, BeyondTrust research found that, on average, 182 vendors log into the systems of the typical enterprise each week.
In supporting your organization, vendors routinely connect to your systems remotely. The problem is that many of the systems they interact with are also connected to your corporate network. Numerous high-profile breaches over the past decade have demonstrated that vendor networks can be leveraged to gain access into customer environments. A few common ways vendor access can increase risk include:
- Introducing malware
- Leaving credentials inadequately protected so that they may be intercepted and/or reused
- Poorly restricted access, allowing for lateral movement and access to more resources/systems than are required by their role
- Orphaned accounts that remain active after a vendor user leaves the company
- Inadequate auditing, making it difficult to track changes and fix errors
Common Attack Vectors for Third-Party Access
Hackers can steal credentials to gain access to vendor-controlled systems, and then exploit vulnerabilities and/or poorly managed privileges to move throughout the organization, sometimes machine by machine. Insufficient access management can allow attackers to gain broad control over assets and move unrestricted throughout the environment as an “insider”, which ranks as one of the more damaging scenarios any organization can experience.
Organizations commonly implement VPNs to enable vendor access and mistakenly think this “solves” the security problem. VPNs do enable access, but what they actually create is a full network tunnel to corporate assets.
VPN access lacks granular controls. Malware could still piggyback on vendor access to infiltrate your systems. The VPN’s lack of granular controls also means that the vendor account may have far more access to systems than is needed, increasing risk of misuse—especially if the account is compromised by a threat actor.
Some vendor threats are not malicious in nature. For instance, vendor errors could result in outages, open up security holes, or create compliance issues. This risk increases in proportion to their access and privileges. The impact of these errors is compounded when there is a lack of oversight of vendor remote sessions, which can make it difficult to pinpoint and reverse, or otherwise remediate, an unwanted change.
You absolutely need to apply granular access controls around vendor access to enforce least privilege and meet many compliance requirements. You absolutely need to ensure best practices like password management and session auditing are implemented. These security controls are essential to mitigating the most common and dangerous vendor access attack vectors.
The Challenge of Securing Vendor Access
Adhering to policy and maintaining security across two or more companies is no simple feat. Often, the credentials used by the remote vendor are not under the direct control of the customer. Two different networks with two different user directories, and perhaps two different security policies, make the job of security compliance a challenge. Even if you had a way to ensure security best practices were being followed, you may lack visibility into what activity is being performed on equipment that is connected to your network.
Closing the gaps in your vendor access security process isn’t an easy task. Let’s break down the key security requirements:
- Vendor credentials – We need a method to ensure that a) passwords are regularly rotated, and b) they have not been compromised. A privileged password management system would assist here.
- Multi-Factor Authentication (MFA) – To ensure a higher degree of identity security for vendor and employee remote access, implement an extra factor for authentication. This is an authentication must for any sensitive access to servers, apps, and data. MFA can serve as your second line of defense if credentials have been stolen.
- Network access – There needs to be controlled inbound access, with full visibility into the access.
- Least privilege – All access should be restricted to the least amount needed for a user to perform their role. Also, as much as possible, vendor access should adhere to a just-in-time model, meaning it is provisioned only when certain contextual parameters are met, and it is removed when the work is complete, the context changes, or after a certain amount of time has elapsed. No access should be open-ended and persistent.
- Monitoring – What are users doing when they are connected? Initiation of a session by a vendor should create an alert, and all session activities should be closely recorded and catalogued.
- Control – So, what if you see something happening that shouldn’t be occurring? A mechanism to pause or sever the connection is crucial.
- Forensics – What if a breach occurs and you suspect the attack came from outside? The ability to search and replay user activity quickly is essential to identifying what happened, where, and by whom.
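The requirements above (least privilege with just-in-time expiry, contextual access decisions, session monitoring, a kill switch, and searchable forensics) can be modelled in a small access broker. The following Python is an added illustration, not BeyondTrust code or any product's API; the vendor name `hvac-co`, the hosts `hvac-ctrl-01` and `db-prod-01`, the timestamps and the command strings are all constructed for the example.

```python
"""Toy just-in-time vendor access broker (constructed example, not product code).

Demonstrates: time-bounded grants capped by policy, contextual checks
(target, protocol, day, hour, location), an append-only audit log of every
decision and session event, the ability to terminate a live session, and a
search function for after-the-fact forensics."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessPolicy:
    vendor: str
    targets: frozenset          # hosts this vendor may reach
    protocols: frozenset        # e.g. {"ssh", "rdp"}
    allowed_days: frozenset     # 0=Monday .. 6=Sunday
    window: tuple               # (start_hour, end_hour), end exclusive
    allowed_locations: frozenset
    max_duration: timedelta     # hard cap on any single grant


@dataclass
class Grant:
    vendor: str
    target: str
    protocol: str
    issued: datetime
    expires: datetime


class AccessBroker:
    def __init__(self, policies):
        self.policies = {p.vendor: p for p in policies}
        self.grants = {}   # (vendor, target) -> Grant
        self.audit = []    # append-only; every decision and session event lands here

    def _log(self, vendor, event, **detail):
        self.audit.append({"vendor": vendor, "event": event, **detail})

    def request(self, vendor, target, protocol, location, now, duration):
        """Evaluate a request against policy; return a Grant or None (denied)."""
        policy = self.policies.get(vendor)
        reason = None
        if policy is None:
            reason = "unknown vendor (never provisioned or already offboarded)"
        elif target not in policy.targets:
            reason = "target not in allowed set"
        elif protocol not in policy.protocols:
            reason = "protocol not allowed"
        elif now.weekday() not in policy.allowed_days:
            reason = "outside allowed days"
        elif not (policy.window[0] <= now.hour < policy.window[1]):
            reason = "outside allowed hours"
        elif location not in policy.allowed_locations:
            reason = "location not allowed"
        if reason:
            self._log(vendor, "denied", target=target, reason=reason, at=now)
            return None
        # Grant never outlives the policy cap, so access is never open-ended.
        expires = now + min(duration, policy.max_duration)
        grant = Grant(vendor, target, protocol, now, expires)
        self.grants[(vendor, target)] = grant
        self._log(vendor, "granted", target=target, protocol=protocol, at=now, expires=expires)
        return grant

    def is_active(self, vendor, target, now):
        g = self.grants.get((vendor, target))
        return g is not None and g.issued <= now < g.expires

    def record(self, vendor, target, command, now):
        """Session monitoring: log activity, or block it if no live grant exists."""
        if not self.is_active(vendor, target, now):
            self._log(vendor, "blocked", target=target, command=command, at=now)
            return False
        self._log(vendor, "session_activity", target=target, command=command, at=now)
        return True

    def terminate(self, vendor, target, now, reason):
        """Control: sever an in-progress session and revoke its grant."""
        existed = self.grants.pop((vendor, target), None) is not None
        self._log(vendor, "terminated", target=target, reason=reason, at=now)
        return existed

    def search(self, vendor=None, event=None, since=None):
        """Forensics: filter the audit trail by vendor, event type and time."""
        return [e for e in self.audit
                if (vendor is None or e["vendor"] == vendor)
                and (event is None or e["event"] == event)
                and (since is None or e["at"] >= since)]


def run_demo():
    policy = AccessPolicy("hvac-co", frozenset({"hvac-ctrl-01"}), frozenset({"ssh"}),
                          frozenset(range(5)), (8, 18), frozenset({"US"}), timedelta(hours=2))
    broker = AccessBroker([policy])
    mon = datetime(2024, 3, 4, 9, 0)            # a Monday (constructed timestamp)
    # Vendor asks for 8 hours; policy caps the grant at 2 hours.
    grant = broker.request("hvac-co", "hvac-ctrl-01", "ssh", "US", mon, timedelta(hours=8))
    active_at_10 = broker.is_active("hvac-co", "hvac-ctrl-01", mon + timedelta(hours=1))
    active_at_1130 = broker.is_active("hvac-co", "hvac-ctrl-01", mon + timedelta(hours=2, minutes=30))
    broker.record("hvac-co", "hvac-ctrl-01", "systemctl status hvac", mon + timedelta(minutes=10))
    # Attempted hop to a host outside the vendor's scope is recorded, then the session is cut.
    broker.record("hvac-co", "hvac-ctrl-01", "ssh db-prod-01", mon + timedelta(minutes=20))
    broker.terminate("hvac-co", "hvac-ctrl-01", mon + timedelta(minutes=21), "lateral movement attempt")
    broker.record("hvac-co", "hvac-ctrl-01", "ls", mon + timedelta(minutes=22))   # blocked
    broker.request("hvac-co", "db-prod-01", "ssh", "US", mon, timedelta(hours=1))       # denied: target
    broker.request("hvac-co", "hvac-ctrl-01", "ssh", "US", datetime(2024, 3, 10, 9, 0), timedelta(hours=1))  # Sunday
    broker.request("old-contractor", "hvac-ctrl-01", "ssh", "US", mon, timedelta(hours=1))  # orphaned account
    return {"broker": broker, "grant": grant,
            "active_at_10": active_at_10, "active_at_1130": active_at_1130}


if __name__ == "__main__":
    for event in run_demo()["broker"].audit:
        print(event)
```

The grant expires at 11:00 even though the vendor asked for eight hours, activity after termination is blocked rather than silently allowed, and every denial carries the reason, which is what an investigator later needs when replaying "who touched this host and when".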
If your IT strategy is reliant upon partners and you view them as an extension of your workforce, then those external users should abide by the same security practices as your ‘internal’ workforce.
What’s the Solution for Controlling Third-Party Access?
BeyondTrust provides the only Secure Remote Access solution (comprised of our Privileged Remote Access and Remote Support products) that meets the rigorous requirements of Federal Information Processing Standards Publication (FIPS) 140-2 Level 1. Our Privileged Remote Access product empowers IT teams to control, manage, and audit remote privileged access by authorized employees, contractors, and vendors—without compromising on security.
Our customers rely on Privileged Remote Access to secure vendor access via the following key security measures:
1. Least privilege: Enforces a policy of least privilege in adherence to a just-in-time model by giving specific users precisely the right level of access to applications, sessions, and protocols—and only for the duration it is needed. The product can define what endpoints and server(s) vendors and remote employees can access, when the users can access them, and what applications or actions they can use during those sessions. Advanced workflow controls can restrict access to resources based on the date, time, day, and the user’s location. This control mechanism also provides a means to alert you when access policies are invoked, as well as route workflows to different groups according to runtime parameters.
2. Secure authentication & password management: Bolsters identity security with built-in MFA and also manages vendor and remote employee passwords. The product injects credentials directly into remote access sessions without ever revealing them to the user. Applying robust password policies, Privileged Remote Access can regularly change credentials (user passwords, SSH keys, etc.) for Windows platforms and Active Directory to prevent or mitigate attacks based on stolen credentials, credential re-use, or brute-forcing. The solution can also integrate with BeyondTrust Password Safe and other privileged password management and MFA products.
3. Session monitoring, control, & forensics: Records all user activity, which can be played back on-demand. Real-time monitoring capabilities allow sessions to be monitored with an option to remotely terminate or pause (lock) active sessions in order to protect against malicious or suspicious in-progress activity. These session monitoring and management capabilities can be leveraged via a secure agent, or by using standard protocols for RDP, VNC, Web, and SSH connections.
BeyondTrust Privileged Remote Access enables your organization to drive productivity while mitigating the risks of third-party access by eliminating remote access blind spots, protecting vendor credentials, and granularly controlling access.
Take the Remote Access Test to assess if your team has the appropriate secure tools in place to handle a large volume of privileged users connecting remotely into your network.
Julissa Caraballo, Product Marketing Manager
Julissa Caraballo is a Product Marketing Manager at BeyondTrust. She has over 10 years of experience in software product marketing and lead generation. Previously, Julissa worked as a Marketing Director for a medical management software company. She holds a BA in Business Administration/Marketing and an MBA in Healthcare Management. Her certifications include Certified Digital Marketing Manager, Pragmatic Marketing Certified, and Certified Medical Practice Executive. She can be found on LinkedIn and all social media platforms.