infoTECH Feature

October 23, 2015

Best Practices for Controlling Third-Party Access

By Special Guest
Matthew McKenna, Chief Commercial Officer, SSH Communications Security

Who has access to your critical enterprise assets? This has become one of the most important questions in cybersecurity today. Beyond who has access, enterprises today must understand what those people are accessing, why they are accessing it and from where they are accessing that information.  The answers to these questions can spell the difference between data security and a data breach.

Access is about much more than who is logging into your network. Global supply chains are increasingly complex.  As highlighted this year at RSA by Josh Douglas, CTO at Raytheon (News - Alert), the global supply chain is comprised of shared processes and shared technology that distributes products used in creating, sharing and distributing information. The global supply chain has many closely intertwined parts, and it doesn’t seem it will unravel itself anytime soon.

The increasing complexity of the global supply chain means that more third parties, like contractors and partners, may require access to your network. Managing access to clouds, network infrastructure, applications and data is already a challenge for enterprises. And in doing so, third parties become more and more critical to help deploy, control and maintain this transforming and fluid IT landscape.

These days, that third-party access doesn’t just come in the form of people accessing machines; it’s also machines talking to other machines in an automated fashion and the underlying content of those interactions. These connections are proliferating rapidly and must be properly secured to prevent risk.

Though third-party access is a vital reality within the enterprise, managing this access often comes as an afterthought in the industry’s overall security strategies and postures. However, the data would suggest that this topic warrants more attention:

  • 92 percent of enterprises don’t have any supply chain risk management abilities in place
  • 70 percent of enterprises enter into contracts with external vendors without having conducted any security checks
  • 44 percent this year—compared to 54 percent last year—put forth the effort to vet the security of third-party providers and others in their IT supply chain
  • 58 percent of organizations have no confidence that their third-party vendors are securing and monitoring privileged access to their network
  • 60 percent of organizations grant third-party vendors remote access to internal networks
  • 63 percent of data breaches are caused by security vulnerabilities introduced by third parties

What often happens in a third-party relationship is the “It’s not my job” syndrome, in which each party expects the other to take the primary responsibility for ensuring the security of the access. In reality, like any healthy relationship, security results from the equal, continuous, committed effort of both parties.

Fortunately, answers to this problem are not as complex as they may at first appear. Basic best practices put in place around people, processes and technology can help organizations decrease their risk exposure significantly.

Best practices include:

  • Restrict access to on-premises and cloud infrastructures and performing inspection of encrypted traffic for both interactive and machine-to-machine connections in tandem with existing AV, DLP, IPS and IDS toolsets. An identifiable bridge between privileged access and data loss prevention should be traceable.
  • Channel privileged access to critical infrastructure through gateway or chokepoint structures. VPN access followed by a jump server is not a sufficient control channel. Again: auditing, monitoring and control of privileged encrypted sessions and data transfers should be supported in tandem with two-factor authentication mechanisms.
  • Make sure key-based authentication for third parties is controlled on a time basis, that key usage can be monitored and—for longer-term engagements—keys can be rotated on a periodic basis. Be able to identify through IP source restrictions whether a key is accessing infrastructure from a non-authorized location. Furthermore, command restrictions should be used on the keys supporting automated processes to limit how the key may be used.
  • Work with vendors, service providers and suppliers to create contractual obligations that ensure the vendor can control, monitor and audit their third-party access and verify why the access is required. Taking this one step further, enterprises should be able to enforce the same upon their own third-party access to their own IT ecosystem.

In an environment where 70 percent of enterprises enter into contracts with external vendors without having conducted any security checks, yet 60 percent of enterprises allow their vendors to have remote access, policies and procedures to regulate this access must be put in place. These policies and procedures must extend across all people, processes and technologies. Supply chains have become global and complex, and the need for vendor access will continue to grow; this further necessitates that the control of this access to these critical systems be treated with heightened vigilance and awareness.

Matthew McKenna, CCO of SSH Communications (News - Alert) Security

Edited by Kyle Piscioniere

Subscribe to InfoTECH Spotlight eNews

InfoTECH Spotlight eNews delivers the latest news impacting technology in the IT industry each week. Sign up to receive FREE breaking news today!
FREE eNewsletter

infoTECH Whitepapers