What is Third Party Access?
Third party access is when organisations grant external vendors and service providers secure access to their corporate IT assets for maintenance, administration and management purposes.
Many organisations cannot entirely manage these systems independently and therefore rely on third parties in order to support their internal IT systems, applications and infrastructure. The benefits of outsourcing IT or business services to third-party providers include cost reduction, service flexibility, specific knowledge or expertise and much more.
The Challenges of Third Party and Vendor Management
While third party access can be an incredible solution to support business systems, it's not without its issues. Most importantly, giving access to an external party exposes your business to a significant security risk: you lack control over the partner's systems and users, and partners are often given more access to systems than they really need.
Privileged Access Management is the solution for secure, productive work with partners and vendors.
Vendors and partners are often given full VPN access to corporate systems as if they were members of staff working in the corporate office. But it’s almost impossible to ensure the systems being used for that access comply with the organisation’s security policies and processes. It’s also hard to ensure that your third party access credentials are not shared with other staff at the vendor or even outside their business. One report says that over half of organisations don’t assess the security and privacy policies of third parties before granting them third party access to sensitive and confidential information. The report also shows that most organisations can’t even be sure which vendors and partners have access to which systems and what data.
More than half of organisations in a recent survey experienced a data breach caused by a third party, and 74% said it was the result of granting too much privileged access to third parties.
Privileged Access Management (PAM) solves the problems of ensuring partners only have the minimum level of access they need for their work and that their sessions can be managed and audited to ensure compliance and protection.
Managing third party access to IT systems at the University of Reading was a high priority. Learn how they use Osirium PAM in this case study.
Key Benefits of Osirium PAM for Third Party Access
Audit and Logging
PAM is a central point of control for all third party access into corporate IT systems, including security systems, connected infrastructure (e.g., heating and ventilation), networking devices, Windows, Unix and web-based applications.
Osirium PAM includes time-based one-time passwords (TOTP) for multi-factor authentication (MFA) and also supports external authentication through RADIUS with major IAM solutions to reduce the risk of third-party accounts being shared.
Single Sign On (SSO) is performed by PAM injecting the required admin credentials for the target system. This means passwords are never sent down to the client, so sniffing memory or looking at command strings within the process tree cannot reveal a password.
Simple Management of Partner Access
All access to target systems via Osirium PAM can be via a browser-based client. There is no need to install a desktop client and keep it up to date. The client is easy to use and only shows the systems and devices that the user can access. Metadata on the devices makes it easy for users to find the relevant systems for their work.
Third party access can be restricted to specific time windows: whether overnight, at weekends or during routine daily maintenance, change windows can restrict write permissions to certain times. Read-only access control can also be used to complement the restricted write access, allowing for in-house diagnostics and troubleshooting.
Session Monitoring and Recording
Third party access sessions can also be viewed in real-time, enabling access to be monitored while it happens. If there’s any suspicious behaviour, the session can be immediately terminated.
A clear warning and visible recording icon dissuade remote users from using the sessions for anything they shouldn’t.
All third party access can be recorded, providing a video-style playback of each session (including a fast-play mode) along with a thumbnail view for rapid review of sessions. Keystrokes are also captured to help locate where specific commands were typed to make it easier to investigate incidents.
A full record of each session includes when it happened, how long it lasted, the level of access used and the activity performed on that device.
Automate Tasks for Security and Productivity
Many third party tasks are very routine, such as “is the server running ok?”, “is there enough disk space?”, “download the logs” or “restart the server.”
All these operations, and many more, can be automated using Osirium Automation (included with Osirium PAM). When using automated playbooks, the third party can only run the tasks that have been delegated to them. This ensures that not only are the admin credentials protected, but the third party also can’t access any systems or options they shouldn’t. All sessions are fully logged, even if an operation needs access to multiple systems and devices. These logs can be integrated with the corporate SIEM tools.