Securing Vendor Identities & Access
Vendor Privileged Access Management (VPAM) enables vendor identities to securely access an organization’s assets. The role of VPAM is to extend privileged access security best practices beyond the perimeter, to all vendor access that touches the enterprise. This means VPAM applies the principle of least privilege (PoLP) to vendor remote access, while also enforcing password security best practices, such as rotation and credential injection to obfuscate secrets from the end user. Vendor privileged access management should also apply other zero trust controls to vendor access, including continuous authentication, just-in-time access, and behavioral session monitoring and management.
Read on to learn:
- Vendor identity and access-related risks
- The building blocks of VPAM
- Why VPAM is more than the sum of its parts
- Core capabilities that differentiate VPAM from traditional PAM (Privileged Access Management),
- What a holistic vendor remote access solution should look like
Vendor Access Risks
Vendors routinely connect remotely to your systems. The typical methodologies used for vendor access mean organizations must live with a lack of visibility and granular control over that access. Sometimes, vendors use technologies, such as VPNs (Virtual Private Networks), providing a full tunnel through your network to access assets.
How do you ensure vendors are not bringing malware into your environment, using their access inappropriately, or making errors that could introduce excessive risk?
Amongst the dozens, hundreds, or even thousands of vendors that connect into your environment, some of them will have security hygiene practices that would make you shudder. Credentials may be weak, access may be shared amongst vendors and their employees, and passwords may be reused and/or stale. In addition, former employees may retain access through orphaned accounts since you are probably not even notified of their departure. These risks are all compounded when the user has privileged access into your environment to perform vendor or contractor functions.
If you could measure this risk, it is highly likely one of your vendors represents the weakest link to your entire enterprise security. Extending access to valued vendors (and contractors) should not mean watering down your own network, access, and identity security.
The goal of vendor privileged access management is to securely and seamlessly enable vendor access, while also mitigating the risks by extending privileged access management best practices beyond the perimeter.
VPAM Building Blocks
Most often, the path to IT security technology evolution takes the path of “standing on the shoulders of giants”. Rarely are truly original ideas game changers for cybersecurity. In other words, new, “hot” solutions are built on top of security ideas and best practices we have been engaging with for years. One could argue that most modern cybersecurity solutions are simply derivations of previous solutions, with incremental improvements in detection, runtime, installation, usage, etc. to solve the same problems plaguing organizations for years.
While some new products may have innovative approaches that are even patentable, in the end, they are not breaking any significant new ground. This is true for antivirus, vulnerability management, intrusion detection, log monitoring, etc.
So, when we have a newer term like vendor privileged access management (VPAM), it’s helpful to look at the root definitions. Then, we can better understand what the combination and derivative solution looks like, how it is different—and why it matters for securing your organization.
Here are some basic definitions relevant to VPAM:
Vendor: A person or company offering something for sale, services, software, or tangible product, to another person or entity. In many cases, the offering requires installation, maintenance, or other services to ensure success of the offering. A vendor does not need to be the manufacturer of the offering. However, the vendor is the entity actually performing the sale of the solution. Warranties and liability can vary based on terms and conditions from the vendor and manufacturer. When applied to cybersecurity, the manufacturer typically supplies updates, while the vendor may assist with the installation. This definition of vendor can also include contractors that provide remote services to perform any number of functions to support your business.
Privileged Access Management (PAM): PAM consists of the cybersecurity strategies and technologies for exerting control over the elevated (“privileged”) access (local or remote) and permissions for Identities, users, accounts, processes, and systems across an environment—whether on premise or in the cloud. By moderating the appropriate level of privileged access controls, PAM helps entities reduce the privileged attack surface.
Remote Access: Remote access enables access to an asset, such as a computer, network device, or infrastructure for a cloud solution, from a remote location. Remote access capabilities enable an identity to seamlessly complete designated tasks while operating remotely, such as at home, a coffeeshop, a hotel, etc. An asset can also imply an application where only the user interface or a browser session is exposed, to shield the underlining infrastructure from access.
Zero Trust: A security concept and framework centered around the mantras “never trust, always verify” and “assume breach.” In a zero trust framework identities and assets should never allow authentication unless the context of the request is verified, and actively monitored during a session for appropriate behavior. This entails implementing zero trust security controls—even if access is connected via a trusted network segment or originating from an untrusted environment. The management of policies governing access and the monitoring of behavior are performed in a secure control plane. Access itself is performed in the data plane.
How is Vendor Privileged Access Management Different?
What makes VPAM unique is the way it is built upon existing technology. It takes the identity of vendors (including identities managed externally) and successfully unifies the best practices for secure remote access, privileged access management, and zero trust into a single solution.
VPAM leverages the best attributes of the cloud to provide the control plane for privileged remote access and allows the implementation to occur in the data plane, wherever the organization has assets that need vendor remote access or management. The illustration below highlights this using a standard reference architecture. This model applies regardless of whether access is needed to the operating system, infrastructure, or an application.
When using VPAM, organizations do not need to bolt together multiple solution providers to address the vendor access risks. VPAM vendors can manage vendor privileged remote access out-of-the-box as a SaaS solution (control plane). Thus, the VPAM model can offer a rapid-time-for-deployment (data plane), much quicker return on investment, and markedly better security than other approaches. Vendors that need access on premise, to cloud-based assets, and even hybrid environments, can all be better secured by using a dedicated VPAM solution.
The 5 Core VPAM Capabilities
Vendor privileged access management solutions raise the bar on the security hygiene of your vendors, relentlessly protecting your organization from unwanted lateral movement, account hijacking, privilege escalation, malware infection, and other threats. VPAM security features can even protect your organization from innocent vendor errors that could potentially have big implications. Moreover, many of the VPAM security controls—such as least privilege, continuous authentication, etc.—are must-haves for those organizations seeking to implement a zero trust security architecture (ZTA) from remote access.
Here are the 5 key best practices VPAM solutions can help implement to control and protect vendor identities and access:
1. Gain visibility and oversight: As a security best practice, an organization should continuously inventory, onboard, and account for all vendors with access to their systems. Monitor and granularly record all vendor session activities, including keystrokes, commands entered, and video recording, with playback and searchable indexing. Session monitoring and management tools help identify compromise of a vendor’s access, request additional validation or approvals, and even completely revoke access for the compromised identity, or for all associated accounts
2. Control network access – All inbound access should always be monitored and logged, with full visibility into the transactions performed once an authorized session has been established.
3. Manage and secure privileged credentials: Vendors should never receive passwords to access your internal systems. With this in mind, inject managed credentials directly to initiate remote sessions, without ever revealing them to the end user. After use, these credentials should be centrally vaulted--or potentially changed after each use, in the case of highly sensitive access. VPAM solutions should also ensure every password is unique, strong, secured from malicious activity, and never re-used.
4. Implement multi-factor authentication (MFA): As a security best practice, remote access should always require multiple authentication factors. Consider additional workflows and gated access for the most sensitive assets, applications, and data. MFA can provide an extra layer of protection, preventing system compromise even if valid credentials have been stolen. Bundling MFA into VPAM helps ensure a high confidence in an identity.
5. Enforcement of least privilege: All access should be restricted to the least amount needed for a third-party user to perform their role. Ideally, all vendor access should adhere to a just-in-time access model, meaning it is provisioned only when certain contextual parameters are met, and promptly deprovisioned when the work is complete, the context changes, or after a certain amount of time has elapsed. User access should never be open-ended or persistent and a goal should be to attain a state of zero standing privileges (ZSP).
The BeyondTrust VPAM Solution
BeyondTrust Privileged Remote Access provides a holistic set of VPAM capabilities to secure vendor identities and remote access. Our solution is the only remote access or VPAM solution that meets the rigorous requirements of Federal Information Processing Standard Publication (FIPS) 140-2 Level 1 validation.
Our customers use Privileged Remote Access to:
1. Secure remote connections and network access: Every remote connection is outbound through Port 443, requiring no firewall changes. You can define permissions for every session, whether for attended or unattended access. The solution also provides the ability to proxy access to RDP, SSH, cloud instances, and Windows/Unix/Linux applications.
2. Implement authentication and password management: Built-in MFA helps validate the identity, while password vaulting and management capabilities protect the account against hijacking attempts. The product injects credentials directly into remote access sessions—always obfuscating them from the user. Privileged Remote Access can regularly change credentials (user passwords, SSH keys, etc.) for Windows platforms and Active Directory to prevent or mitigate attacks based on stolen credentials, credential re-use, or brute-forcing. The solution can also integrate with BeyondTrust Password Safe and other privileged password management and MFA products.
3. Apply granular least privilege: Enforces a least privilege policy by giving specific users precisely the right level of access to applications, sessions, and protocols—and only for the finite moments needed. The product can define what endpoint(s) and server(s) vendors and remote employees can access, when the users can access them, and what applications or actions they can execute within those sessions. Advanced workflow controls can restrict access to resources based on the date, time, day, and the user’s location.
4. Overlay session monitoring, control, and forensics: Monitors and records all user activity. The recordings can be played back on-demand, and also be used for auditing and forensics. The ability to zero-in on suspicious sessions and remotely terminate or pause (lock) active sessions provides an extra later of real-time response and protection. Our customers leverage these session monitoring and management capabilities via a secure agent, or by using standard protocols for RDP, VNC, Web, and SSH connections.
Contact BeyondTrust today to see how you can better manage and control vendor identities.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.