One outcome of the COVID-19 pandemic is that third parties are increasingly being allowed to access corporate networks and systems. A lot has been written about employees who work remotely and need system access, which must be provided securely. But many organizations are also allowing access to vendors and service providers because offices remain closed or physical access to the office is restricted. Third-party remote access also grows as organizations outsource specific tasks so that they can focus on their core business functions.
Third parties provide services like IT/IS, HR, software support, sales, and other related support and business operations services, depending on the type of organization. The type of access matters less than how the third-party access is managed and how the business assures that the access is secure. The organization must manage the risk arising from third-party activity.
Five steps to control remote access and manage the risk
Step 1: Map the remote access
What, who, from where, when, and why — all these aspects should be considered.
Start with what the third parties have access to. This could be a system like a cloud or an internal platform. It could be an application or even some data that the organization has granted access to. This list forms the Map of Access (MoA). It does not have to be complicated, but rather, something that is easily understood, and that can be worked on and adapted as needed going forward.
Next, look at who has access. Knowing who has access to what is essential: it helps when defining the rules for who can continue to have access, and it shows what access should look like. It also gives the organization a reference point that can be used for audits. Making this start is vital to getting third-party access under control.
Then consider from where and when the access takes place, followed by why (for what reasons) the access is required.
Once the full picture is visible and understood, controls can be put in place to manage the access accordingly.
The table below is a general example of a matrix that can be evolved. It provides a simple way to start the process.
| # | What | Who | From where | When | Reason (Why) |
|---|---|---|---|---|---|
| 1 | Cloud office system | Third-party A | Public | 24X7 | To operate business |
| 2 | Internal file server | Internal staff | Internal | 24X7 | To operate business |
| 3 | CRM system | Sales and IT | Remote | 9-17:00 | To operate business |
| 4 | Sales leads | Internal Sales | Internal | 9-17:00 | To operate business |
| 5 | File server | Internal Staff | Internal | 9-17:00 | For file access |
| 6 | IT systems | Third-Party B | External Provider | At specific times | Support |
Step 2: Know who is explicitly accessing what and for what reason
This should tie back to either firewall rules, privileged access management (PAM) rules, data access rules, or application permissions.
Step 3: Monitor and audit the remote access
Once the access has been mapped, a matrix can be created of who is accessing what, from where and when, and the links between these elements can be defined. At this point, consider the systems that can monitor this access and decide on an effective one to implement.
Monitoring should focus on a grouping of rules. These rules can be simple and then evolve over time, for example, an audit log of who accesses, to what, when, and from where. This audit log should be kept so that the organization knows when the third-party accessed the system, from where it was accessed, and what action was performed.
Step 4: Report the third-party access
By reporting the access, the organization has visibility and can determine if the access is still required. For instance, if there has been no access for several months, an informed decision can be made regarding if the third-party access is still required going forward. Some organizations have policies in place to shut the access if it’s not used for 60 days, and this is made visible through reporting. The access can be reapproved when it’s requested again. By doing this, the attack surface area is reduced.
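The mapping, monitoring and reporting steps above can be driven from the same data: the Map of Access is the allow-list, each audit-log entry is checked against it, and any mapped access with no activity in the last 60 days is reported as a candidate for removal. The script below is an added example written for this article, not the author's own tooling; the rule fields, the log format, the review date and all log lines are constructed for illustration, and the time window for Third-Party B (18:00 to 22:00) is an assumption, since the matrix only says "At specific times".

```python
"""Check audit-log entries against a Map of Access (MoA) and flag dormant access.

Added example, not from the original article. The MoA rows mirror the article's
matrix; the log lines, field layout and review date are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessRule:
    what: str         # system, application or data set (the "What" column)
    who: str          # party granted access (the "Who" column)
    origin: str       # permitted network origin (the "From where" column)
    start_hour: int   # permitted window on a 24h clock; 0-24 means 24x7
    end_hour: int
    reason: str       # the "Reason (Why)" column


# Map of Access: three rows taken from the article's matrix.
# The 18-22 window for Third-Party B is an assumption ("At specific times").
MOA = [
    AccessRule("Cloud office system", "Third-party A", "Public", 0, 24, "To operate business"),
    AccessRule("CRM system", "Sales and IT", "Remote", 9, 17, "To operate business"),
    AccessRule("IT systems", "Third-Party B", "External Provider", 18, 22, "Support"),
]

# Constructed audit-log lines: timestamp | who | what | origin | action
AUDIT_LOG = """\
2021-03-01T10:15:00|Third-party A|Cloud office system|Public|login
2021-03-01T23:40:00|Sales and IT|CRM system|Remote|query
2021-03-02T11:00:00|Sales and IT|CRM system|Internal|export
2021-01-04T20:00:00|Third-Party B|IT systems|External Provider|ssh
2021-03-02T11:00:00|Vendor C|CRM system|Remote|export
"""

# Constructed "today" for the dormancy check.
REVIEW_DATE = datetime(2021, 3, 10)


def parse_log(text):
    """Turn the pipe-delimited log into a list of dicts with a parsed timestamp."""
    entries = []
    for line in text.strip().splitlines():
        ts, who, what, origin, action = line.split("|")
        entries.append({"ts": datetime.fromisoformat(ts), "who": who,
                        "what": what, "origin": origin, "action": action})
    return entries


def find_rule(moa, who, what):
    """Return the MoA row granting `who` access to `what`, or None if unmapped."""
    for rule in moa:
        if rule.who == who and rule.what == what:
            return rule
    return None


def check_entry(entry, moa):
    """Return a list of findings for one audit entry; an empty list means it matches the MoA."""
    rule = find_rule(moa, entry["who"], entry["what"])
    if rule is None:
        return [f"unmapped access: {entry['who']} -> {entry['what']}"]
    findings = []
    if entry["origin"] != rule.origin:
        findings.append(f"origin mismatch: {entry['origin']} (allowed {rule.origin})")
    hour = entry["ts"].hour
    if not (rule.start_hour <= hour < rule.end_hour):
        findings.append(f"outside window: {entry['ts']:%H:%M} "
                        f"(allowed {rule.start_hour}-{rule.end_hour})")
    return findings


def find_dormant(moa, entries, now, days=60):
    """MoA rows with no access in the last `days` days: candidates for removal (Step 4)."""
    cutoff = now - timedelta(days=days)
    dormant = []
    for rule in moa:
        seen = [e["ts"] for e in entries if e["who"] == rule.who and e["what"] == rule.what]
        if not seen or max(seen) < cutoff:
            dormant.append(rule)
    return dormant


def review(log_text, moa, now, days=60):
    """Produce the Step 3/Step 4 report: exceptions to the MoA and dormant access."""
    entries = parse_log(log_text)
    exceptions = [(e["ts"].isoformat(), f) for e in entries for f in check_entry(e, moa)]
    dormant = [(r.who, r.what) for r in find_dormant(moa, entries, now, days)]
    return {"exceptions": exceptions, "dormant": dormant}


if __name__ == "__main__":
    report = review(AUDIT_LOG, MOA, REVIEW_DATE)
    for ts, finding in report["exceptions"]:
        print(ts, finding)
    for who, what in report["dormant"]:
        print("no access in 60 days, review:", who, "->", what)
```

Run against the constructed log, the report lists one out-of-hours CRM query, one CRM access from an origin the MoA does not allow, one access by a party that is not in the MoA at all, and Third-Party B's support access as dormant (last used 4 January, reviewed on 10 March). In practice the MoA rows would be loaded from the organization's matrix and the log lines from the gateway or PAM audit trail rather than embedded as strings.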
Step 5: Review the third-party access
Having a rigorous and scheduled third-party access review is essential. A small committee, namely the stakeholder of the system and the approving authority, should take responsibility for this process and decide together whether the access is still required. The decision is documented, and an instruction is sent to IT/IS to allow the continued access or to revoke it. The third party is then informed whether its access to the system has been removed or will continue to be allowed. This doubles up as an excellent opportunity to remind the third party of its obligations to the organization regarding security.
Technical controls to manage the risk
After following the process outlined above, the organization should know who is accessing what, from where, and when. Additionally, why — for what reasons. The organization has visibility of the reasons and metrics, which enables it to better manage the risk. Technical controls can be implemented to help manage risk. Technical controls include:
Multifactor authentication (MFA)
When accessing systems, there is no reason not to use MFA. It is vital because it is a tough hurdle for attackers to overcome. It should be the first line of defense and a mandatory control for third-party access.
Centralized access management
Managing the access centrally helps with the technical and administrative actions that need to be performed. If access can be seen and controlled centrally, it is easier to manage. In the absence of a central system, the organization should consider implementing one so that the management is simple. Simple and secure often go hand in hand.
Centralized access gateway
A gateway through which third parties access systems is useful. It helps in managing the access because it provides a central point of focus, equivalent to the gate of a castle where the guards are stationed. This does not mean that other areas will not need to be monitored once the control is in place; however, having it creates a focal point for security.
Virtual private networks (VPN)
Ensuring that access to systems is secure from a network perspective is also essential. Using a VPN or SSL/TLS level security to the central point is more secure than having no such protection. Third parties do not always have an equivalent or better level of security than the organization, and protecting the access through encrypted networks adds assurance. It is not the only control needed; a combination of controls should be implemented to effectively mitigate the risk. Some organizations tend to go with one control or another; a combination is necessary.
Recorded access
Recorded access is a great control to have. It protects both the organization and the third party, and it helps when a change has to be traced back and reversed. If the organization has a recording of what has happened, it can trace the steps and reverse the problem, or at least troubleshoot it. With recorded access there should also be no question of what has happened: it is all in the digital record. At first, some people may push back at the idea, but once it is used, the value of the control is quickly demonstrated, and it becomes a powerful tool.
The above technical controls are only effective if used correctly, and if actually used. Without the resources to implement, operate, monitor, and manage the defenses, their benefits will not be realized. If an organization presents a soft target, the likelihood of a breach increases. So, it is vital to ensure the controls implemented are adequate to shepherd the organization’s staff and trusted third parties to the level required for them to operate in a way that limits the risk.