The resource structure of an organization comprises many elements. These elements work together to drive the productivity of an organization and include employees, customers, consultants, partners, and third-party vendors. Each of them requires a different level of access to the company’s facilities and assets, based on its specific role. Consider the case of third-party vendors. Because they aren’t direct employees, a company cannot give them free access to all facilities and assets. If the access is too restricted, however, it would hamper the work they have been assigned. There must be a balance between permission and security posture. In this blog we will explore the many attributes of a vendor access management solution.
As illustrated above, the key idea is to walk the line in such a way that you can protect your critical assets while the vendor can still do their job well.
Scenarios Related to External User Access
Suppose you hire an external user to perform specific market research on a contract established for a limited time. This user will be working both from the office and at home and will require access to the knowledge database, shared drives, communication tools, visual interface kits, presentation templates, etc. within your organization. This user will be using his/her laptop or other devices not associated with your company.
Your firm’s IT support team hires customer service support personnel on a long-term contract. This person will work alongside the full-time employees, will use a computer assigned by your company, and will be based at your facility.
Your company has outsourced all of its software development to a third-party firm (many companies are following this trend, as it is not always possible to develop and test all software in-house). The third-party vendors you have hired will need access to all your internal tools, platforms, privileged accounts, etc. This third party may shuffle personnel while working on the project, which means that designated access must be reallocated accordingly. The vendor’s team would ideally be based off premises and will need appropriate access to sandbox equipment and corporate systems.
As these scenarios make clear, it is important not only to have proper onboarding of vendors but also a thorough off-boarding procedure for all third-party vendors. A company must protect its IP while ensuring that the job assigned to the vendor is performed properly. This can be complex, as the scope, timeline, and nature of the work are different for each project and each requires a different approach. This means the state of access will be different and the security measures will change, among other variables. This brings us to the next important point: how to manage the access.
Key challenges in managing Vendor Access
» Every system has a basic access mechanism wherein anyone accessing the company’s portal gains access to core corporate infrastructure portals, browser-based applications, etc. This is known as the unified employee portal. Tweaking this basic access setup to suit vendor requirements can pose a challenge to IT departments.
» Vendors may have an agreement that allows them the flexibility to perform their work from a specific location along with the ability to direct the technology that will be used. This means they may use their own devices such as laptops, mobile devices, etc. Facilitating specific access to all these devices can pose another challenge.
» The third-party vendors might not feature in your Active Directory and might not have email addresses in the company’s domain. Because of this, securely provisioning credentials for them may take up a lot of time and resources.
» The next challenge is in the compliance space, as your company must collate all the data needed to ensure that the vendors are following all access policies and to protect your systems from any breach.
» Typically, third-party vendors report to a specific team created by your company that also works alongside the third party. This allows your company to limit the number of staff involved in securely onboarding and off-boarding the vendors and in ensuring that all policies are duly followed.
The cornerstone of all policies should be vendor security, especially when the engagement is over and the vendor disengages from your firm.
Key challenges in managing vendor access security
» Occasionally vendor access isn’t revoked. This can be due to human error, or the revocation might be postponed because the company believes it will need the vendor’s services again in the near future. In either case, this is an unsafe practice that could lead to a breach of your sensitive information.
» There is also a possibility that the vendor has shared the client account access among its own staff, meaning that several people from the vendor side may be using one account. This again presents a security risk.
Without appropriate security procedures, it is easy to overlook vendor activities and risk the privacy of your company. In addition, you must ensure that all the privileged information downloaded onto the vendor’s systems is securely and permanently deleted. If this is not done properly, it can lead to unauthorized access and a compromise of your sensitive information. Additionally, if proper antivirus and firewall systems are not installed on the vendor’s side, that side too is vulnerable to attackers. For this reason your company must perform adequate checks to ensure that your information remains protected throughout the vendor’s life-cycle.
Luckily, there are many privileged access solutions on the market that can manage vendor activity for you and mitigate the risks described above. In addition, they can streamline the vendor activity workflow and help you manage their services in a better way.
Vendor access management tools
Workflow tools: The life-cycle when working with a vendor follows this path: authorize, enable, reclassify, and de-authorize. At the end of the life-cycle, you have the option to recycle or renew this access. With a holistic privileged access solution, your team can create a custom yet automated workflow which governs all these elements. This workflow can be used by the third party whenever it wants to access specific organizational assets. The workflow also ensures that before entering the system, vendors must enter all the requisite information in order to be verified. They can then be asked to give their consent to all the policies they will be bound to for the duration of their tenure. The workflow then generates a request to the management team, who assign the vendors’ designated access. A central portal governs all these activities and also keeps track of vendor usage of the company’s assets.
Policy tools: When granting access, it is important to clearly state and define the level of access. To do that, you can leverage RBAC (role-based access control) to define default access and rights within each system. This also involves determining the access at the finest granularity, for example which texts the vendors can read, which buttons they can click, etc. It also involves setting up appropriate time frames for each grant so that at the end of the life-cycle the access can be automatically revoked.
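The workflow life-cycle (authorize, enable, reclassify, de-authorize) and the time-bound RBAC grants described above can be modelled in a few dozen lines. The following is an added example written for this post, not code from ISSQUARED or from any product it describes; the role catalogue, the resource names and the vendor user "acme-alice" are hypothetical. Every grant carries an expiry, authorization is deny-by-default, and a reclassification closes the old grant rather than widening it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical role catalogue (constructed for this example): role -> resource -> allowed actions.
# Anything not listed here is denied, which is the least-privilege default the post calls for.
ROLE_PERMISSIONS = {
    "market-research": {
        "knowledge-db": {"read"},
        "shared-drive": {"read", "write"},
        "presentation-templates": {"read"},
    },
    "dev-contractor": {
        "source-repo": {"read", "write"},
        "sandbox": {"read", "write", "admin"},
        "prod-secrets": set(),  # listed explicitly as "no access" so reviewers can see the decision
    },
}


@dataclass
class Grant:
    """One time-boxed assignment of a role to a vendor user."""
    vendor_user: str
    role: str
    granted_at: datetime
    expires_at: datetime
    revoked: bool = False

    def active(self, now: datetime) -> bool:
        return not self.revoked and self.granted_at <= now < self.expires_at


def grant_access(vendor_user: str, role: str, now: datetime, duration: timedelta) -> Grant:
    """Authorize + enable: every grant is created with an expiry, never open-ended."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    return Grant(vendor_user, role, now, now + duration)


def is_authorized(grants, vendor_user: str, resource: str, action: str, now: datetime) -> bool:
    """Deny by default; allow only if some active grant's role permits this action on this resource."""
    for g in grants:
        if g.vendor_user != vendor_user or not g.active(now):
            continue
        if action in ROLE_PERMISSIONS[g.role].get(resource, set()):
            return True
    return False


def reclassify(grant: Grant, new_role: str, now: datetime) -> Grant:
    """Reclassify: close the old grant and issue a new one that keeps the original expiry."""
    if new_role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {new_role!r}")
    grant.revoked = True
    return Grant(grant.vendor_user, new_role, now, grant.expires_at)


def expire_grants(grants, now: datetime):
    """De-authorize: mark every grant past its expiry as revoked and return the ones just revoked."""
    revoked = []
    for g in grants:
        if not g.revoked and now >= g.expires_at:
            g.revoked = True
            revoked.append(g)
    return revoked


def run_demo() -> dict:
    """Walk one hypothetical vendor user through the whole life-cycle and return each outcome."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    grants = [grant_access("acme-alice", "market-research", t0, timedelta(days=30))]
    out = {
        "can_read_kb": is_authorized(grants, "acme-alice", "knowledge-db", "read", t0),
        "can_write_kb": is_authorized(grants, "acme-alice", "knowledge-db", "write", t0),
        "can_read_secrets": is_authorized(grants, "acme-alice", "prod-secrets", "read", t0),
    }
    # Day 10: the vendor moves onto the outsourced development project.
    grants.append(reclassify(grants[0], "dev-contractor", t0 + timedelta(days=10)))
    t11 = t0 + timedelta(days=11)
    out["repo_after_reclassify"] = is_authorized(grants, "acme-alice", "source-repo", "write", t11)
    out["kb_after_reclassify"] = is_authorized(grants, "acme-alice", "knowledge-db", "read", t11)
    out["secrets_after_reclassify"] = is_authorized(grants, "acme-alice", "prod-secrets", "read", t11)
    # Day 31: the engagement is over; the expiry job revokes whatever is left.
    t31 = t0 + timedelta(days=31)
    out["revoked_count"] = len(expire_grants(grants, t31))
    out["repo_after_expiry"] = is_authorized(grants, "acme-alice", "source-repo", "write", t31)
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of `expire_grants` is that revocation does not depend on someone remembering to do it, which is the first of the security challenges listed further down; running it on a schedule against the central grant list is what turns "time frames for each grant" into an enforced control.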
Monitoring tools: Privileged access management can help you track all vendor account activities, including the systems they are accessing and the actions they have taken in those systems. PAM can compute a risk-based score to determine the sensitivity of access based on the vendor’s work and create a risk profile for every third-party vendor. This is done by evaluating the work they are doing and by monitoring their log-in sessions and browser activities.
Behavior detection tools: Along with monitoring vendor sessions, your team can also perform behavior detection. This involves looking for incidents where vendors may have accessed systems beyond their authorization. The tool can also flag a sudden jump in activity, meaning abnormal traffic volumes coming from a vendor system. It can also follow IP addresses closely and see whether the account is being accessed from unexpected locations. It is also important to ensure that one user’s access remains with that user and is not passed around between many people on the vendor side.
Discovery tools: PAM also provides discovery tools that regularly check for vendor accounts and ensure that every authorized account is listed in the central portal. If for any reason the access needs to be revoked, it can be done via the central portal.
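The three behavior checks named above (access beyond authorization, a sudden jump in activity, and one account used from several places at once) are straightforward to run over session logs. The following is an added example written for this post, not code from ISSQUARED or from any product; the log format, the vendor users "acme-alice" and "acme-bob", their authorized systems, the per-hour baselines and the IP addresses (drawn from documentation ranges) are all constructed for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample session log (not real data): "<timestamp> user=.. src=.. system=.. action=..".
ALICE_LINES = [
    "2024-03-04T09:00:01Z user=acme-alice src=203.0.113.10 system=knowledge-db action=read",
    "2024-03-04T09:00:09Z user=acme-alice src=203.0.113.10 system=shared-drive action=read",
    "2024-03-04T09:02:30Z user=acme-alice src=198.51.100.7 system=knowledge-db action=read",
    "2024-03-04T09:03:12Z user=acme-alice src=203.0.113.10 system=hr-payroll action=read",
]
# Sixty reads in one minute from a single source: a burst far above this user's baseline.
BOB_BURST = [
    f"2024-03-04T10:00:{sec:02d}Z user=acme-bob src=203.0.113.22 system=source-repo action=read"
    for sec in range(60)
]
SAMPLE_LOG = "\n".join(ALICE_LINES + BOB_BURST)

# Hypothetical entitlements from the central portal: which systems each vendor user may touch.
AUTHORIZED = {
    "acme-alice": {"knowledge-db", "shared-drive"},
    "acme-bob": {"source-repo", "sandbox"},
}
# Hypothetical per-user baseline of events per hour, as a risk profile would record it.
BASELINE_PER_HOUR = {"acme-alice": 20, "acme-bob": 10}


def parse_log(text: str):
    """Turn each log line into a dict with a timezone-aware 'time' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
        event.update(kv.split("=", 1) for kv in fields)
        events.append(event)
    return events


def detect_unauthorized_systems(events, authorized):
    """Flag every event touching a system the user is not entitled to (deny-by-default)."""
    return [
        {"type": "unauthorized_system", "user": e["user"], "detail": e["system"]}
        for e in events
        if e["system"] not in authorized.get(e["user"], set())
    ]


def detect_shared_account(events, window=timedelta(minutes=10)):
    """Flag a user seen from two different source addresses inside one window: likely a shared login."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        recent = []  # (time, src) pairs still inside the window
        for e in sorted(evs, key=lambda x: x["time"]):
            recent = [(t, s) for t, s in recent if e["time"] - t <= window]
            others = {s for _, s in recent if s != e["src"]}
            if others:
                alerts.append({"type": "shared_account", "user": user,
                               "detail": sorted(others | {e["src"]})})
                break  # one alert per user is enough for triage
            recent.append((e["time"], e["src"]))
    return alerts


def detect_activity_burst(events, baseline, factor=5):
    """Flag any (user, hour) bucket whose event count exceeds factor x that user's baseline."""
    counts = Counter((e["user"], e["time"].replace(minute=0, second=0)) for e in events)
    return [
        {"type": "activity_burst", "user": user, "detail": f"{n} events in hour starting {hour.isoformat()}"}
        for (user, hour), n in counts.items()
        if n > factor * baseline.get(user, 0)
    ]


def analyze(log_text: str, authorized=AUTHORIZED, baseline=BASELINE_PER_HOUR):
    """Run all three checks over a log and return the combined alert list."""
    events = parse_log(log_text)
    return (detect_unauthorized_systems(events, authorized)
            + detect_shared_account(events)
            + detect_activity_burst(events, baseline))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed log this yields exactly three alerts: acme-alice reaching hr-payroll, acme-alice appearing from two addresses within ten minutes, and acme-bob's sixty reads in an hour with a baseline of ten. The shared-account check is the one that directly supports the last sentence of the behavior-detection paragraph, and it needs only source addresses, not geolocation, to give a first signal.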
Vendor access management policies
Along with technology-focused approaches, consider aspects related to processes and policies specific to access permissions for vendors.
This includes documenting a policy that provides answers to the below use cases/questions:
» How do the vendors get access to internal resources?
» Do the access policies follow the guidelines set up by external bodies such as NIST, GDPR, etc.?
» Do the vendors follow multi-factor authentication?
» Is the access policy described in enough detail that it can be duly implemented?
» Do the policies allow enough flexibility to accommodate different usage scenarios?
» Do the policies include risk profiles of each of the personnel from the vendor side who are working on the project?
» How do you handle exceptions?
» Have you created a version of the policies which can be accessed by the vendors and other third parties? Have you clearly illustrated the consequences of any breach of compliance?
» Last but not the least, are the policies easily accessible to all relevant people within the organization?
Structuring processes related to vendor access policies
» Have you established a thorough process on how the vendors are granted this privileged
» Does the process incorporate sufficient rights and authorities, based on seniority level?
» Have you automated the processes so that you can track all actions and use them in audits?
» Have you limited vendors to a minimum level of access, just enough for them to do their jobs efficiently?
» Have you included periodic audits in the process?
» How do you handle the onboarding and offboarding of the vendors?
ISSQUARED’s vendor access offering
ISSQUARED, a premier IT infrastructure, cybersecurity, and managed services firm offers a structured approach to manage your vendor’s identity and access services. With ISSQUARED, you can eliminate the security risks related to vendor access while effectively monitoring and auditing all the activities of the third-party vendor.
ISSQUARED offers a dedicated External Identity Access and Governance platform (EIAG) which streamlines vendor onboarding and offboarding. The platform also automates the IAM space to efficiently manage external user identities, and security and governance controls. Its innovative vendor digital interface ensures seamless transactions between your firm and the third party, thus increasing the process efficiency and giving you the flexibility to govern external identities.
ISSQUARED’s vendor access management services are tailor-made to meet your every need. For any query, please reach out to one of our experts. We would be delighted to showcase our services. You can reach us at email@example.com or call us at +1 (805) 480-9300.