“No man is an island,” said John Donne, and the same is true of every modern business. Somewhere, for some reason, every organisation must work with suppliers or partners – the “third parties” in the title.
There’s a lot of good that can be achieved when working closely with third parties, but there are also a lot of risks. Perhaps the most infamous example of third-party access going bad is Target stores in the US, which lost private data on 70 million customers in a breach traced to access shared with their HVAC supplier.
Trust and Verify
That’s not a reason to prevent all close working with partners. With the right controls and monitoring in place, access not only becomes secure but easier to manage. In the latest episode of the Osirium PAM Express Tutorials series, we take on the weighty issues of allowing third-party access whilst maintaining high security.
Essentially this breaks down into six steps:
1. Separate the third parties from your credentials. With Privileged Access Management (PAM) there is no need for any third party to know any credentials: the PAM system holds them and injects them into the session.
2. Don’t give third parties VPN access. This is a major contributor to data breaches. Again, the Target example showed how poor security at a sub-contractor allowed attackers to hijack the VPN access granted to that sub-contractor. Always remember that VPN access allows lateral movement, and that’s not good for security!
3. Grant just enough privilege, just in time. This means using PAM Profiles to define which third-party identities are granted access to which roles, and at what times.
4. Know who has access and when. This comes down to knowing the identities of the third-party users and making good use of time windows. Generic accounts are often used – but remember that these lack the granularity needed for the individual accountability required by PCI and other regulatory frameworks.
5. Record third-party sessions. There are two benefits here: first, you know what has been changed on your systems; secondly, it’s a great deterrent against wandering off track.
6. Be certain that access has been revoked. This is almost impossible if you’re sharing passwords over VPN access. With Osirium PAM (and the free version, PAM Express) it’s simple to disable either the relevant profile or the relevant user, and the access is revoked in real time.
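To make the six steps concrete, here is an added example of an access broker that models them in code. It is not Osirium’s code and does not reflect how PAM Express is implemented; the class names, the profile fields, the vault contents and the supplier identities are all constructed for illustration. A profile grants one named identity one role on one target inside a daily time window; credentials never leave the broker; a generic account is refused because it cannot be tied to a person; every granted session is recorded against the identity; and revoking the user or the profile takes effect on the very next request.

```python
"""Added example, not Osirium's code: a minimal model of brokered,
time-windowed, recorded third-party access with immediate revocation.
All names and values below are constructed for illustration."""
from dataclasses import dataclass, field, replace
from datetime import datetime, time, timezone


@dataclass(frozen=True)
class Profile:
    """One grant: a named third-party identity may use one role on one
    target during a daily UTC time window. Field names are assumptions."""
    name: str
    identity: str      # a named person at the supplier, never a shared account
    role: str          # e.g. "hvac-readonly": the least privilege that does the job
    target: str
    window_start: time
    window_end: time
    enabled: bool = True

    def in_window(self, now: datetime) -> bool:
        t = now.astimezone(timezone.utc).time()
        if self.window_start <= self.window_end:
            return self.window_start <= t <= self.window_end
        # window that crosses midnight, e.g. 22:00 to 06:00
        return t >= self.window_start or t <= self.window_end


@dataclass
class AccessBroker:
    profiles: list
    disabled_users: set = field(default_factory=set)
    sessions: list = field(default_factory=list)
    # Constructed vault: the broker holds the credentials; a third party only
    # ever receives a brokered, recorded session, never the secret itself.
    vault: dict = field(default_factory=lambda: {"hvac-readonly@bms-01": "example-secret"})

    def request(self, identity: str, role: str, target: str, now: datetime):
        """Return (granted, reason or recording id). Checks run in the order a
        revocation should bite: user first, then profile, then time window."""
        if identity in self.disabled_users:
            return False, "user disabled"
        if identity.startswith(("shared-", "generic-")):
            return False, "generic account: no individual accountability"
        matches = [p for p in self.profiles
                   if (p.identity, p.role, p.target) == (identity, role, target)]
        if not matches:
            return False, "no profile grants this role on this target"
        enabled = [p for p in matches if p.enabled]
        if not enabled:
            return False, "profile disabled: access revoked"
        if not any(p.in_window(now) for p in enabled):
            return False, "outside permitted time window"
        if f"{role}@{target}" not in self.vault:
            return False, "no credential held for this role"
        # The secret is injected into the session on the broker side; what the
        # third party sees is a session whose recording is tied to their name.
        recording_id = f"rec-{len(self.sessions) + 1:04d}"
        self.sessions.append({"identity": identity, "role": role, "target": target,
                              "started": now.isoformat(), "recording": recording_id})
        return True, recording_id

    def revoke_user(self, identity: str) -> None:
        self.disabled_users.add(identity)

    def revoke_profile(self, name: str) -> None:
        self.profiles = [replace(p, enabled=False) if p.name == name else p
                         for p in self.profiles]


def demo() -> dict:
    """Walk the six steps with constructed data and return each decision."""
    broker = AccessBroker(profiles=[
        Profile("hvac-maint", "alice@hvac-supplier", "hvac-readonly", "bms-01",
                time(9, 0), time(17, 0)),
    ])
    in_hours = datetime(2024, 1, 10, 10, 30, tzinfo=timezone.utc)
    after_hours = datetime(2024, 1, 10, 22, 0, tzinfo=timezone.utc)
    out = {}
    out["in_hours"] = broker.request("alice@hvac-supplier", "hvac-readonly", "bms-01", in_hours)
    out["after_hours"] = broker.request("alice@hvac-supplier", "hvac-readonly", "bms-01", after_hours)
    out["wrong_role"] = broker.request("alice@hvac-supplier", "domain-admin", "bms-01", in_hours)
    out["generic"] = broker.request("shared-hvac", "hvac-readonly", "bms-01", in_hours)
    broker.revoke_profile("hvac-maint")
    out["after_profile_revoked"] = broker.request("alice@hvac-supplier", "hvac-readonly", "bms-01", in_hours)
    broker.revoke_user("alice@hvac-supplier")
    out["after_user_revoked"] = broker.request("alice@hvac-supplier", "hvac-readonly", "bms-01", in_hours)
    out["sessions_recorded"] = len(broker.sessions)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The ordering of the checks is the design point: a disabled user or profile is refused before the time window or the vault is even consulted, which is what “revoked in real time” has to mean in practice. Only one of the six requests in `demo()` results in a session, and that one is the only entry in the recording log.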
Third-Party Access Architecture
In this new video in the PAM Express Tutorials series, you see the user experience through the Remote Web Gateway. This is useful when your third parties cannot install software on their own workstations: it gives RDP, SSH, Web and MAP Server access, along with all the tasks defined in Osirium PAM.