Third-Party Access Vulnerabilities—Security's Weakest Link
The Gist of It
High-profile security breaches caused by third-party access vulnerabilities have led IT leadership and executives to scrutinize internal access controls more closely. The risks associated with data leakage can extend far beyond the value of the compromised data and can include financial penalties and even long-term damage to a brand (e.g. the Target breach). The cost of managing these risks continues to rise in the form of personnel, consulting, compliance and technology. Businesses need to take a comprehensive approach to third-party access and management that includes process planning, policy setting and enforcement, and deploying appropriate technologies and best practices, such as segmentation of the wide-area network using virtual overlay networking.
Your Weakest Link May Not Be Yours
Growth within the cybersecurity industry is on fire, with an increasing number of high-profile breaches fanning the flames, and the consequential losses are staggering. A recent CSO Online report cites Lloyd’s of London estimates that cybercrime costs businesses a total of $400 billion each year. A primary source of ignition is weak remote access security, which was linked to 56% of the 574 data breaches analyzed in the 2015 Trustwave Global Security Report.
As businesses become more interconnected with their customers, employees, partners and service and supply chains, third-party access management has become a huge source of fear for many CSOs. The old adage “you're only as strong as your weakest link” hits painfully close to home in light of the fact that the exfiltration of data affecting over 70 million Target customers was tied to a phishing attack on one of their HVAC vendors. While there is no silver bullet to protect infrastructure from motivated attackers, a good offense provides the best defense.
When it comes to third-party access security, one size does not fit all. The right approach will likely depend on the risk profile of the third party involved. James Christiansen, Vice President of Information Risk Management at Optiv (formerly Accuvant), provides a great rubric for how to assess risk exposure for third parties.
When assessing the risks associated with third-party access, it is important to consider that most vulnerabilities stem from one or more of the following conditions:
- IT has limited or no visibility into, monitoring of, or control over external users
- The relationship requires that internal systems or resources be exposed to third parties
- Lack of standardized procedures for managing third-party access
Mitigating these risks requires both a well-defined process for vetting and managing third-party partner and vendor organizations and the use of both time-tested and emerging IT technology.
Process Makes Perfect
- Determine the level of network access required by the third-party organization.
- Implement a third-party security assessment questionnaire to determine the risk profile of the organization. Typical questions probe the following areas: record of security incidents over the last several years; identity management and password expiry policy; any recent penetration testing and results; end-user security training policy; HR process for revoking IT access from former employees and removing permissions and data from BYOD devices; and device inventory and management process.
- If a third-party organization requires access to internal servers and applications, develop and implement a detailed policy for controlling permissions, management, monitoring, logging and auditing.
- Use a standardized architecture for providing access to network and other resources.
- Perform regular compliance audits of third-party organizations and require notification when changes in personnel occur.
There are several traditional ways to provide third-party personnel with secure remote access to IT resources. The right choice depends on the IT resources that need to be accessed and the capabilities of the third-party organization. Here’s a run-down of traditional approaches:
Dedicated Remote Desktop Solutions
Pros: Ease of use, end-to-end encryption, attended vs. unattended options, centralized deployment, some include auditing and tracking capabilities, most offer integration with Active Directory (AD) and GPO policies.
Cons: Most have web-based access that can be shared, may not work well for server access, unable to establish persistent connections (if required), difficulty managing user permissions and resource isolation.
Cloud File Sharing Services
Pros: Ease of use, varied amounts of security, auditing, and management, cross-platform.
Cons: Limited to files, security strength highly dependent on configuration and vendor options, may introduce additional liabilities associated with data residing in the cloud, shared files needing to be segregated, potential DLP issues associated with on-device sync’ing.
Virtual Private Networks (VPNs)
Pros: Secure, transparent network- or device-level access options, supports remote file and application access, two-factor authentication, multiple encryption levels, PKI support.
Cons: Complex to set up and manage, encryption and segregation provided only up to the VPN gateway, multi-vendor interoperability challenges, configuration-intensive security model (e.g. ACL, PKI, etc.), requires external systems for authentication (e.g. RADIUS, LDAP or AD), and support-intensive.
New Approach Simplifies Third-Party Access Security
The confluence of cloud, software-defined networking (SDN) and network and service virtualization has made it possible to deliver VPN connectivity as a cost-effective, simple-to-deploy service. Unlike traditional, hardware-based VPNs, SD-WAN solutions—like Pertino—enable the deployment of virtual overlay networks that provide end-to-end encryption, segmentation and isolation of third-party traffic across the Internet and datacenter using an obfuscated private IP address space. Since management and security functions are integrated into the service, the process of configuring network access and security policies, such as ACLs, firewall rules and PKI authentication, is dramatically simplified.
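As an added example (not Pertino's code and not part of the original article), the following Python sketch shows the kind of per-vendor segmentation and audit policy an overlay network of this sort is meant to enforce: each vendor is confined to its own overlay address range, gets a deny-by-default allow-list of destination segments and ports, every account must still be on the vendor's active roster, and every connection attempt is logged with the reason for the decision. The vendor name, addresses, accounts and connection records are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class VendorPolicy:
    """Per-vendor segmentation policy on the overlay (constructed for this example)."""
    name: str
    overlay_subnet: ipaddress.IPv4Network                # the vendor's isolated address range
    allow_list: list[tuple[ipaddress.IPv4Network, int]]  # (destination segment, TCP port)
    active_accounts: set[str]                            # accounts the vendor still vouches for

@dataclass
class Decision:
    allowed: bool
    reason: str

def evaluate(policy, account, src, dst, port) -> Decision:
    """Deny by default; each check has its own reason so the audit trail is explicit."""
    if account not in policy.active_accounts:
        return Decision(False, "account not on vendor's active roster")
    if ipaddress.ip_address(src) not in policy.overlay_subnet:
        return Decision(False, "source outside vendor's overlay segment")
    dst_ip = ipaddress.ip_address(dst)
    for net, allowed_port in policy.allow_list:
        if dst_ip in net and port == allowed_port:
            return Decision(True, f"matched {net} port {allowed_port}")
    return Decision(False, "destination not on vendor's allow-list")

def audit(policy, records) -> list[str]:
    """One audit line per connection record; DENY lines are what reviewers follow up on."""
    lines = []
    for r in records:
        d = evaluate(policy, r["account"], r["src"], r["dst"], r["port"])
        verdict = "ALLOW" if d.allowed else "DENY"
        lines.append(f"{verdict} vendor={policy.name} account={r['account']} "
                     f"{r['src']}->{r['dst']}:{r['port']} ({d.reason})")
    return lines

# Constructed sample: an HVAC vendor confined to 10.200.1.0/24 on the overlay and
# permitted to reach only the building-management segment on the BACnet port.
HVAC = VendorPolicy("hvac-vendor", ipaddress.ip_network("10.200.1.0/24"),
                    [(ipaddress.ip_network("10.50.0.0/24"), 47808)], {"tech1"})
SAMPLE = [
    {"account": "tech1", "src": "10.200.1.7", "dst": "10.50.0.10", "port": 47808},
    {"account": "tech1", "src": "10.200.1.7", "dst": "10.10.0.5", "port": 1433},    # not allow-listed
    {"account": "tech2", "src": "10.200.1.9", "dst": "10.50.0.10", "port": 47808},  # account revoked
    {"account": "tech1", "src": "192.168.5.4", "dst": "10.50.0.10", "port": 47808}, # off the overlay
]
if __name__ == "__main__":
    print("\n".join(audit(HVAC, SAMPLE)))
```

Only the first record is allowed; the other three are denied for three different reasons, which is the visibility the page says IT usually lacks over external users.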
If you want to learn more about how Pertino and SD-WAN technology can provide simple and secure third-party access management, go to pertino.com or contact me at 408-502-5401.