dale.gardner posted

Five Tips for Reducing 'Trusted' Third-Party Risk

Whether it's Target, Epic Systems, or pick-your-favorite third-party breach, they all have suffered damage from data loss, legal fees, and in their trust and reputation.

Opening systems and networks to third parties provides benefit. It enables the execution of transactions critical to commerce, speeds information sharing among business partners, and provides the ability to outsource less strategic business activities. But it also increases risk.

Such third-party access, typically wide-ranging and haphazardly managed, offers hackers an easily exploited avenue for attacks. Between two-thirds and three-quarters of data breaches, including some of the most devastating incidents of the last few years, can be traced back to third-party network users, according to studies and forensic examinations of high-profile breaches.

Controlling the Uncontrollable

It's impractical to eliminate third-party access, yet you can't have 100% insight into, or control over, a third party's security systems or practices.

But you can improve your security and reduce the risk posed by third-party collaboration. Here are five considerations for mitigating third-party risk.

Implement Supporting Processes and Controls

Begin by examining the processes associated with providing third parties access to your networks:

  • When you provide a third party with access to your network, theirs becomes a de facto extension of your own. Ask (and if necessary audit) those networks to ensure their security posture and controls are adequate.
  • Understand the processes your organization follows when granting others access. Who is notified, and when? How are users provisioned? More importantly, how are they de-provisioned when access is no longer required? Who is responsible for managing relationships and addressing issues?
  • To get complete visibility, at a point early enough in the process to help measure and manage risk, it's necessary to get inserted into procurement and contracting processes.
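The provisioning and de-provisioning questions above become concrete once the contract end date from procurement and the last-login date from the directory sit side by side. The following access review is an added example written for this post, not code from the author or any product; the account fields, the 30-day inactivity threshold and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed policy threshold: a third-party account unused this long is suspect.
INACTIVITY_LIMIT_DAYS = 30


@dataclass
class ThirdPartyAccount:
    username: str
    vendor: str
    sponsor: Optional[str]      # internal owner of the relationship; None = nobody on record
    contract_end: date          # taken from procurement/contracting records
    last_login: Optional[date]  # None = account has never been used


def review_accounts(accounts: List[ThirdPartyAccount], today: date) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for accounts that need de-provisioning or escalation."""
    findings: Dict[str, List[str]] = {}

    def flag(acct: ThirdPartyAccount, reason: str) -> None:
        findings.setdefault(acct.username, []).append(reason)

    for acct in accounts:
        # Contract has lapsed but the account still exists: de-provision immediately.
        if acct.contract_end < today:
            flag(acct, "contract ended %s" % acct.contract_end.isoformat())
        # Nobody inside the organization owns this relationship.
        if acct.sponsor is None:
            flag(acct, "no internal sponsor on record")
        # Dormant or never-used accounts are standing risk with no business benefit.
        if acct.last_login is None:
            flag(acct, "never used since provisioning")
        elif (today - acct.last_login).days > INACTIVITY_LIMIT_DAYS:
            flag(acct, "inactive for %d days" % (today - acct.last_login).days)
    return findings


# Constructed sample data (not real vendors or accounts).
SAMPLE_ACCOUNTS = [
    ThirdPartyAccount("acme-svc", "Acme Integrations", "j.doe", date(2024, 12, 31), date(2024, 6, 1)),
    ThirdPartyAccount("hvac-remote", "Comfort HVAC", None, date(2024, 12, 31), date(2024, 3, 1)),
    ThirdPartyAccount("old-vendor", "Legacy Consulting", "m.lee", date(2024, 1, 31), date(2024, 5, 30)),
    ThirdPartyAccount("new-integrator", "NewCo", "k.ng", date(2025, 1, 1), None),
]

if __name__ == "__main__":
    for user, reasons in review_accounts(SAMPLE_ACCOUNTS, date(2024, 6, 10)).items():
        print(user, "->", "; ".join(reasons))
```

Note the `old-vendor` case: the account was still being used months after its contract ended, which is exactly the gap a review driven only by login activity would miss and one driven by procurement data catches.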

Strong Authentication of Third-party Users

Examination of high-profile breaches involving third parties shows that virtually all can be traced to stolen or compromised credentials. Unfortunately, phishing attacks and key-logging malware are highly effective. For that reason, it's extremely important to implement multi-factor authentication for external users (as well as internal privileged users). Such technology has become increasingly simple to implement and administer, as well as more cost-effective. And it goes a long way in preventing use of stolen credentials.

Separate Authentication From Access Control

Many networks are poorly segmented and provide unfettered access to network resources once a user has logged in. Privileged access management systems can provide secure single sign-on access to only those systems and resources authorized by policy. That means third-party users see only those systems needed to perform their responsibilities.

Prevent Unauthorized Commands and Avoid Mistakes

It's frequently the case that privileged users of all kinds are over-privileged. It might be convenient to allow someone to use a powerful administrative account like root, but it's rarely a good idea. Instead, provide brokered or proxied access using accounts with only the level of rights needed to carry out the assigned job. Privileged access management systems can add an extra level of security by proactively enforcing policy limits that control users trying to exceed their authority, or shut them down completely.

Monitor and Investigate

Privileged access management systems can also offer the benefit of enhanced visibility into third-party activity. That might range from comprehensive logs to full-screen video recordings. Sessions marked with policy violations or other issues are obvious candidates for review. But also consider random spot checks of sessions to look for activity that's inappropriate or risky, but doesn't quite rise to the level of a policy violation.
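The three preceding sections (authenticate, then authorize per host; enforce command-level policy and shut down sessions that keep exceeding it; log everything and pick sessions for review) can be shown together as one small access broker. This is an added example written for this post, not code from the author or from any PAM product; the policy schema, role names, hostnames, prefix-based command allowlist and the two-violation cutoff are all constructed assumptions.

```python
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed policy: each third-party role may reach only listed hosts and run
# only commands starting with an allowed prefix (a stand-in for real command filtering).
POLICY = {
    "hvac-vendor": {"hosts": {"bms-controller-01"}, "allowed_commands": ("show ", "status", "ping ")},
    "db-consultant": {"hosts": {"db-replica-02"}, "allowed_commands": ("SELECT ", "EXPLAIN ")},
}


@dataclass
class Session:
    user: str
    role: str
    host: str
    log: List[Tuple[str, str]] = field(default_factory=list)  # (command, outcome)
    violations: int = 0
    active: bool = True


class AccessBroker:
    def __init__(self, policy: Dict[str, dict], max_violations: int = 2):
        self.policy = policy
        self.max_violations = max_violations  # assumed policy: terminate after this many
        self.sessions: List[Session] = []

    def open_session(self, user: str, role: str, host: str, mfa_verified: bool) -> Optional[Session]:
        """Authentication (MFA) and authorization (host) are decided separately."""
        if not mfa_verified:
            return None  # authentication failed: no session at all
        rule = self.policy.get(role)
        if rule is None or host not in rule["hosts"]:
            return None  # authenticated, but this host is outside the user's policy
        session = Session(user, role, host)
        self.sessions.append(session)
        return session

    def execute(self, session: Session, command: str) -> bool:
        """Broker each command against policy; every attempt is logged, allowed or not."""
        if not session.active:
            session.log.append((command, "rejected: session terminated"))
            return False
        allowed = command.startswith(self.policy[session.role]["allowed_commands"])
        session.log.append((command, "allowed" if allowed else "blocked"))
        if not allowed:
            session.violations += 1
            if session.violations >= self.max_violations:
                session.active = False  # policy limit exceeded: shut the session down
        return allowed

    def sessions_for_review(self, spot_check_fraction: float = 0.25, seed: int = 0):
        """Sessions with violations are always reviewed; a random sample of clean ones is spot-checked."""
        flagged = [s for s in self.sessions if s.violations]
        clean = [s for s in self.sessions if not s.violations]
        k = max(1, int(len(clean) * spot_check_fraction)) if clean else 0
        spot_checks = random.Random(seed).sample(clean, k)
        return flagged, spot_checks


if __name__ == "__main__":
    broker = AccessBroker(POLICY)
    s = broker.open_session("alice", "hvac-vendor", "bms-controller-01", mfa_verified=True)
    for cmd in ("show temperature", "rm -rf /var/log", "cat /etc/shadow", "show temperature"):
        broker.execute(s, cmd)
    for command, outcome in s.log:
        print(outcome, "<-", command)
```

The seeded `random.Random` keeps the spot-check sample reproducible for an audit trail; in practice the fraction and seed would come from the review policy rather than code.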

Following these tips will give you additional peace of mind when establishing the third-party access that is increasingly expected and depended on in today's application economy.

To learn more, register and attend our May 25 webcast, Closing Network Backdoors: Best Practices to Control Third-Party Risks.
