Most organizations outsource at least some IT or business services to third-party providers. There are many potential benefits, including cost reduction, service flexibility, and access to specific knowledge or expertise.
But third parties are also a significant security risk: the organization has little control over the partner's systems or users, and partners are often given far more access than their work requires.
Privileged Access Management is the way to work with partners and vendors securely without slowing them down.
Vendors and partners are often given full VPN access to corporate systems, as if they were members of staff working in the corporate office. But it's almost impossible to ensure that the systems used for that access comply with the organization's security policies, and hard to ensure that access credentials are not shared. One report says that over half of organizations don't assess the security and privacy policies of third parties before granting them access to sensitive and confidential information. The same report shows that most organizations can't even be sure which vendors and partners have access to which systems and data.
More than half of organizations in a recent survey had experienced a data breach caused by a third party, and 74% said it was the result of granting too much privileged access to third parties.
Privileged Access Management (PAM) addresses both problems: partners get only the minimum level of access they need for their work, and their sessions can be managed and audited.
PAM is a central point of control for all third-party access into corporate IT systems, including security systems, connected infrastructure (e.g., heating and ventilation), networking devices, Windows, Unix and web-based applications.
Osirium PAM supports external authentication through RADIUS, so third-party users can be authenticated against the organization's IAM solution with multi-factor authentication, which reduces the risk of third-party accounts being shared.
Single Sign On is performed by PAM injecting the required admin credentials for the target system. The password never reaches the client endpoint, so sniffing memory or inspecting command strings in the process tree on that endpoint cannot reveal it.
All access to target systems via Osirium PAM can be through a browser-based client, so there is no desktop client to install and keep up to date. The client is easy to use and only shows the systems and devices the user is allowed to access, and metadata on the devices makes it easy to find the right systems for a given task.
Third-party access can be restricted to specific time windows: whether overnight, at weekends or during routine daily maintenance, write permissions can be confined to defined change windows. Read-only access can complement the restricted write access, so in-house staff can still diagnose and troubleshoot outside those windows.
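The time-window and read-only rules described above, as an added example that is not Osirium PAM code or configuration: a small policy evaluator in which a vendor's write actions are only allowed inside defined change windows (including an overnight window that crosses midnight), read actions fall back to read-only access outside them, and anything not delegated to that vendor is denied. The vendor name, device names, action names and window hours are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Tuple

# Constructed example of time-windowed third-party access control. The vendor,
# device and window values below are illustrative assumptions, not an Osirium
# PAM configuration format.


@dataclass(frozen=True)
class ChangeWindow:
    """A recurring write window. `weekdays` (0=Mon .. 6=Sun) are the days the
    window STARTS on; if `end` <= `start` the window runs past midnight."""
    weekdays: FrozenSet[int]
    start: time
    end: time

    def contains(self, when: datetime) -> bool:
        t = when.time()
        if self.start < self.end:
            return when.weekday() in self.weekdays and self.start <= t < self.end
        # Overnight window: after `start` on a listed day, or before `end` on the
        # day that follows a listed day (e.g. Sat 22:00 -> Sun 02:00).
        if when.weekday() in self.weekdays and t >= self.start:
            return True
        day_before = (when.weekday() - 1) % 7
        return day_before in self.weekdays and t < self.end


@dataclass(frozen=True)
class VendorPolicy:
    vendor: str
    devices: FrozenSet[str]
    write_windows: Tuple[ChangeWindow, ...]
    read_only_outside_windows: bool = True


READ_ACTIONS = {"view_status", "read_logs", "show_config"}
WRITE_ACTIONS = {"restart_service", "apply_config", "upload_patch"}


def decide(policy: VendorPolicy, vendor: str, device: str,
           action: str, when: datetime) -> Tuple[bool, str]:
    """Return (allowed, reason). Write actions need an open change window;
    read actions fall back to read-only access when the policy allows it."""
    if vendor != policy.vendor or device not in policy.devices:
        return False, "device not delegated to this vendor"
    in_window = any(w.contains(when) for w in policy.write_windows)
    if action in WRITE_ACTIONS:
        if in_window:
            return True, "write allowed: inside change window"
        return False, "write denied: outside change window"
    if action in READ_ACTIONS:
        if in_window or policy.read_only_outside_windows:
            return True, "read-only access allowed"
        return False, "read denied: outside change window"
    return False, "unknown action"


# Example policy: a weekday lunchtime window plus an overnight Saturday window.
HVAC_VENDOR = VendorPolicy(
    vendor="acme-hvac",
    devices=frozenset({"bms-controller-01", "chiller-plc-02"}),
    write_windows=(
        ChangeWindow(frozenset({0, 1, 2, 3, 4}), time(12, 0), time(13, 0)),
        ChangeWindow(frozenset({5}), time(22, 0), time(2, 0)),
    ),
)
```

The overnight case is the one most often got wrong in hand-rolled checks: a session at 01:00 on Sunday is inside a Saturday 22:00 to 02:00 window even though Sunday is not a listed day, so the evaluator looks back one day for windows that run past midnight. Window ends are exclusive, so a write at exactly 13:00 on Monday is refused.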
Third-party sessions can also be viewed in real time, so third-party activity can be monitored as it happens without giving up a workstation to a remote-control session. If there is any suspicious behaviour, the session can be terminated immediately.
A clear warning and a visible recording icon dissuade remote users from using the session for anything they shouldn't.
All third-party access can be recorded, providing video-style playback of each session (including a fast-play mode) along with a thumbnail view for rapid review. Keystrokes are also captured, which makes it possible to locate where specific commands were typed when investigating an incident.
The full record of a session includes when it happened, how long it lasted, what level of access was used and what activity was performed on the device.
Many third-party tasks are very routine, such as "is the server running ok?", "is there enough disk space?", "download the logs" or "restart the server."
All these operations, and many more, can be automated using Osirium Automation (included with Osirium PAM). With automated playbooks, a third party can only run the tasks that have been delegated to them. This protects the admin credentials and also stops the third party from reaching systems or options they shouldn't. Every run is fully logged, even when an operation needs access to multiple systems and devices, and those logs can be integrated with the corporate SIEM tools.
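The delegated-playbook model described above, as an added example that is not Osirium Automation code or its playbook format: a broker that holds the privileged credentials itself, refuses any task not delegated to the requesting vendor, runs each step of a multi-host task under a single session id, and writes one JSON audit event per step in the line-delimited form a SIEM would ingest. The vendor names, playbooks, hosts, commands and vault entries are constructed for illustration, and the executor is a stand-in for a real session broker.

```python
import json
import uuid
from datetime import datetime, timezone
from typing import Callable, Dict, List, Tuple

# Constructed example of a delegated-task broker. The playbooks, hosts,
# commands and vault entries are illustrative assumptions; this is not
# Osirium Automation's playbook format or API.

Credential = Tuple[str, str]  # (username, secret)
Executor = Callable[[str, str, Credential], Tuple[int, str]]  # -> (rc, output)

PLAYBOOKS: Dict[str, dict] = {
    "check_disk_space": {
        "delegated_to": {"acme-support"},
        "steps": [("web-01", "df -h /var/log"), ("web-02", "df -h /var/log")],
    },
    "restart_web_service": {
        "delegated_to": {"acme-support"},
        "steps": [("web-01", "systemctl restart nginx")],
    },
    "rotate_db_password": {
        "delegated_to": {"dba-contractor"},
        "steps": [("db-01", "ALTER USER app PASSWORD '<new>'")],
    },
}

# Privileged credentials stay inside the broker: they are handed to the
# executor for each step and never appear in return values or audit events.
_VAULT: Dict[str, Credential] = {
    "web-01": ("root", "constructed-secret-web01"),
    "web-02": ("root", "constructed-secret-web02"),
    "db-01": ("postgres", "constructed-secret-db01"),
}


class NotDelegated(PermissionError):
    pass


def is_delegated(vendor: str, playbook: str) -> bool:
    pb = PLAYBOOKS.get(playbook)
    return pb is not None and vendor in pb["delegated_to"]


def _event(session_id: str, vendor: str, playbook: str, **fields) -> dict:
    base = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "session_id": session_id,
        "vendor": vendor,
        "playbook": playbook,
    }
    base.update(fields)
    return base


def run_playbook(vendor: str, playbook: str, executor: Executor,
                 audit: List[dict]) -> List[dict]:
    """Run `playbook` for `vendor` if it has been delegated to them. Every
    step, on every host it touches, is logged under one session_id. Denied
    requests are logged too. Returns the events produced by this invocation."""
    session_id = uuid.uuid4().hex[:12]
    if not is_delegated(vendor, playbook):
        audit.append(_event(session_id, vendor, playbook, outcome="denied",
                            reason="task not delegated to vendor"))
        raise NotDelegated(f"{vendor} may not run {playbook}")

    events = []
    for step_no, (host, command) in enumerate(PLAYBOOKS[playbook]["steps"], start=1):
        rc, _output = executor(host, command, _VAULT[host])
        ev = _event(session_id, vendor, playbook, step=step_no, host=host,
                    command=command, rc=rc, outcome="ok" if rc == 0 else "failed")
        audit.append(ev)
        events.append(ev)
    return events


def audit_as_jsonl(audit: List[dict]) -> str:
    """One JSON object per line, the form most SIEM collectors ingest directly."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in audit)


def simulated_executor(host: str, command: str, cred: Credential) -> Tuple[int, str]:
    """Stand-in for the real session broker; reports success for illustration."""
    user, _secret = cred
    return 0, f"{user}@{host}: ran {command!r}"
```

Two properties are worth checking in any real implementation of this pattern: the vendor never sees a credential (the secret is consumed by the executor and is absent from both the return value and the serialised audit trail), and a denied request still produces an audit event, because a vendor probing for tasks outside their delegation is exactly what an analyst wants to see in the SIEM.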