Controlling the Risks of Third-Party Access

April 26, 2017


Can you account for every user who’s currently connected to your corporate network? If you are like most organizations, you can account for most, if not all, internal traffic and have VPN access secured with multi-factor authentication. And although you might feel reasonably comfortable that you have a pretty secure wall around your network, can you be sure there are no cracks?

The Risk from Outside

Contractors, HVAC companies, building maintenance, managed service providers for routers and firewalls: the list of third parties that may have access to your network at any given time is endless. Many of these vendors and workers connect to these systems remotely to go about their daily business in supporting your organization. The problem is that many of the systems they interact with are also connected to your corporate network. Numerous high-profile breaches have shown that vendor networks can be leveraged to gain access into customer environments.

Typical Attack Vectors

Hackers can steal credentials to gain access to vendor-controlled systems, and then exploit vulnerabilities and/or poorly managed privileges to move throughout the organization, sometimes machine by machine. You are only as secure as your weakest link: the security of your environment may rest on the security practices and controls of a third party.

The Challenge of Security

The big issue with adhering to policy and maintaining security across two companies is that often the credentials used by the remote vendor are not under the direct control of the customer. Two different networks with two different user directories, and perhaps two different security policies, make the job of security compliance a challenge. Even if you had a way to ensure security best practices were being followed, you would still have no visibility into what activity is being performed on equipment that is connected to your network.

Controlled Network Separation and Activity Monitoring

Let’s break down the problems:

  • Vendor Credentials – We need a method of making sure that a) passwords are regularly rotated, and b) they have not been compromised. Certainly a privileged password management system would assist here.
  • Network Access – There needs to be controlled inbound access: a VPN, a gateway proxy, or preferably both. If we can also limit access according to the incoming network address, so much the better.
  • Monitoring – What are users doing when they are connected? There needs to be a tool that alerts you when a session starts and then lets you ‘look over the user’s shoulder’.
  • Control – So what happens if you see something happening that shouldn’t? A mechanism to sever the connection is crucial.
  • Forensics – A breach happened, and you suspect the attack came from outside. The ability to search and replay user activity quickly is crucial to identifying what happened, where, and by whom.

What’s the Solution?

BeyondTrust’s PowerBroker Password Safe provides a secure connection gateway, with the ability to proxy access to RDP, SSH and Windows applications. Passwords can be regularly changed using strong and complex policies to ensure that any credential breach, whether directly by the user or indirectly via malware, has a limited window of exploitation. Several capabilities in the product help to mitigate the risks of third-party access:

  • Advanced workflow control can restrict access to resources based on the date, time, day, and the user’s location. This control mechanism also provides a means to alert you when access policies are invoked, as well as route workflow to different groups according to runtime parameters.
  • Password Safe’s Application Proxy can automatically log users onto resources using managed credentials with zero exposure. Passwords may be securely passed to any Windows, Unix, or Linux application.
  • All user activity may be recorded for later playback, and real-time monitoring capabilities allow sessions to be monitored with an option to remotely terminate or pause (lock) active sessions.
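The controls listed in the problem breakdown above (rotated vendor credentials, access limited by incoming address, alerting when a session starts) and the date/time/day/location restrictions described for the product can be expressed as a single policy check over session-start events. The following is an added illustration written for this page, not Password Safe’s code or any BeyondTrust API; the vendor policy, the documentation-range addresses and the session events are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass
class VendorPolicy:
    vendor: str
    allowed_days: set             # weekday() values, 0 = Monday .. 6 = Sunday
    window: tuple                 # (start, end) time of day the vendor may connect
    allowed_sources: list         # CIDRs the vendor is expected to connect from
    max_credential_age_days: int  # managed credential must be rotated within this

def evaluate(policy, when, source_ip, credential_age_days):
    """Check one session-start request against the vendor's policy.
    Returns (decision, reasons); every failed check is listed for the alert."""
    reasons = []
    if when.weekday() not in policy.allowed_days:
        reasons.append("outside allowed days")
    if not policy.window[0] <= when.time() <= policy.window[1]:
        reasons.append("outside allowed hours")
    src = ip_address(source_ip)
    if not any(src in ip_network(cidr) for cidr in policy.allowed_sources):
        reasons.append("source address not on vendor allow-list")
    if credential_age_days > policy.max_credential_age_days:
        reasons.append("managed credential overdue for rotation")
    return ("allow" if not reasons else "deny"), reasons

# Constructed policy for a hypothetical HVAC vendor; all values are placeholders.
HVAC_POLICY = VendorPolicy(
    vendor="hvac-vendor",
    allowed_days={0, 1, 2, 3, 4},           # business days only
    window=(time(8, 0), time(18, 0)),
    allowed_sources=["203.0.113.0/24"],     # RFC 5737 documentation range
    max_credential_age_days=30,
)

# Constructed session-start events: (id, timestamp, source address, credential age in days)
SESSION_STARTS = [
    ("s1", datetime(2017, 4, 26, 10, 15), "203.0.113.40", 12),  # Wednesday, in hours
    ("s2", datetime(2017, 4, 29, 2, 30), "203.0.113.40", 12),   # Saturday 02:30
    ("s3", datetime(2017, 4, 26, 11, 0), "198.51.100.7", 45),   # unknown source, stale credential
]

def triage(policy, events):
    """Evaluate each session start; a denial becomes an alert the monitoring team can act on."""
    alerts = []
    for event_id, when, src, cred_age in events:
        decision, reasons = evaluate(policy, when, src, cred_age)
        if decision == "deny":
            alerts.append({"session": event_id, "vendor": policy.vendor, "reasons": reasons})
    return alerts
```

Each alert carries every failed check, so the responder can tell a session refused for an out-of-hours login from one refused because the vendor credential was never rotated.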

Closing the gaps in your security process isn’t an easy task. If you would like to explore other use cases and solutions for privileged password management, download “A Technical Solutions Guide for Privileged Password and Session Management Use Cases”.


Martin Cannard

Martin has been helping organizations solve challenges in the privileged account management and identity and access management space for over 24 years. At Dell Software, Martin managed a team of Solution Architects focused on designing and implementing solutions in the Privileged Account Management (PAM) space. Prior to joining Dell, Martin was Sr. Product Manager for Novell Privileged User Manager, a privilege management application acquired from Fortefi, an organization where he served as Vice President, Corporate Development. Prior to this, he was Program Manager of Client Technologies at Symantec, where he was responsible for many ground-breaking field and channel enablement applications. Additionally, Martin managed the European QA group at Axent Technologies and has held various management positions in consulting, systems development, and operations. Martin is a regular speaker at security events and webinars.
