May 29th, 2020
Written by: Dawn Mallyon
IT work doesn’t wait for a virus, and with some of your vendors working remotely both now and for the foreseeable future, reviewing how they access your systems is critical to ensuring timely IT work without opening yourself to any security risks. Now is a good time to check up on your vendor security.
These guidelines should sound familiar, since they’re basic features of a modern privileged access management (PAM) system. But they bear repeating:
Do:
- Use multifactor authentication
- Implement robust authorization models
- Perform detailed forensic audits
Don't:
- Use static passwords
- Lose track of shared passwords
Beyond these points, there are seven steps to securing vendor access, especially when they’re working remotely:
1. Delegate user management
Choose a trusted individual at each vendor to manage the users from their organization. For example, if you work with Dell, Hitachi Vantara, Oracle, and Microsoft, you should have four people—one from each—managing the access for their organization.
Make sure the list of users with access remains small at each organization, but otherwise delegate the responsibility for who deserves a place on that list.
2. Use multi-factor authentication
Don’t just use passwords. Make sure vendor logins are securely authenticated using multiple factors. Your preference should be for app-based multi-factor authentication (MFA). That way, any turnover at the vendor is less disruptive than if users have a physical token they need to return or hand off to another user.
3. Verify the user still works for the vendor
Another option to authenticate users is to make sure a given user still works for your vendor when they sign in. Send a PIN to the user’s work email, and if they no longer work for the vendor, they won’t be able to access the email, the PIN, or your systems.
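The email-PIN check in step 3 only works if the PIN itself is short-lived, single-use and rate-limited, otherwise an old message in a mailbox becomes a standing credential. The following is an added illustration, not code from the original post or from any PAM product: a small Python issue/verify pair that stores only a salted hash of the PIN, expires it after a fixed window, consumes it on first success and locks the challenge after repeated failures. The store, the TTL and the attempt cap are constructed assumptions; delivery of the PIN to the work mailbox is left to whatever mailer the caller uses.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 600   # assumed policy: a PIN is valid for ten minutes
MAX_ATTEMPTS = 5        # assumed policy: lock the challenge after five wrong guesses

# Hypothetical in-memory challenge store: work email -> pending challenge record.
_pending = {}


def _pin_hash(pin, salt):
    # Only a salted, stretched hash is kept; the clear-text PIN lives in the email alone.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


def issue_pin(work_email, now=None):
    """Create a fresh single-use PIN bound to the vendor user's work mailbox.

    Re-issuing replaces any earlier challenge for the same address. The PIN is
    returned so the caller can hand it to the mailer; it is not stored here.
    """
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10**8):08d}"   # 8 random decimal digits
    salt = secrets.token_bytes(16)
    _pending[work_email] = {
        "hash": _pin_hash(pin, salt),
        "salt": salt,
        "expires": now + PIN_TTL_SECONDS,
        "attempts": 0,
    }
    return pin


def verify_pin(work_email, submitted, now=None):
    """True only for a correct, unexpired, not-yet-used PIN.

    The challenge is discarded on success (single use), on expiry, and once
    MAX_ATTEMPTS wrong guesses have been made, so a leaked or guessed PIN has
    a bounded lifetime.
    """
    now = time.time() if now is None else now
    rec = _pending.get(work_email)
    if rec is None:
        return False
    if now > rec["expires"]:
        del _pending[work_email]
        return False
    rec["attempts"] += 1
    # Constant-time comparison of the hashes avoids leaking how many digits matched.
    ok = hmac.compare_digest(_pin_hash(submitted, rec["salt"]), rec["hash"])
    if ok or rec["attempts"] >= MAX_ATTEMPTS:
        del _pending[work_email]
    return ok
```

The check proves mailbox access at sign-in time, which is what step 3 is after; it is a companion to app-based MFA, not a replacement for it, since anyone who can read the work mailbox passes it.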
4. Request and approve
Vendor users should connect only when you request specific work to be done. Set up a request and approval workflow before allowing vendors to sign in to your systems to ensure you’re aware of every login.
5. Do not disclose
Best practice is not to disclose the password unless necessary. Instead, launch the vendor user directly into SSH, RDP, SQL Studio, etc.
6. Record and monitor
Record all vendor activity in your systems, and if you think it’s necessary, watch in real time. This way you not only have a record of the work completed, you also discourage—or quickly catch—any unauthorized activity.
7. Keep vendor devices off your VPN
Don’t let vendors connect their devices to your VPN. Use a proxy, like virtual desktop infrastructure (VDI) or a web browser login. That way you don’t have to vet every device for security because those devices stay outside your network perimeter.
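Steps 1, 4, 5 and 6 describe one access-control model: a designated admin per vendor keeps a short user list, a vendor user asks for specific work, the customer approves it for a limited window, the session is launched with a credential the vendor never sees, and every decision lands in an audit trail. The code below is an added example that models that flow in Python; it is not the post's code and not the API of any PAM product. The `VendorAccessBroker` class, the user cap, the in-memory vault and the `connector` hook that injects the credential into SSH/RDP are all constructed assumptions, and the vendor names and addresses in `demo()` are constructed sample data.

```python
import secrets
from dataclasses import dataclass

MAX_USERS_PER_VENDOR = 3   # assumed policy: keep each vendor's user list small (step 1)


class AccessDenied(Exception):
    pass


@dataclass
class Session:
    """Handle returned to the vendor user. Deliberately carries no credential (step 5)."""
    session_id: str
    protocol: str
    target: str
    user: str


class VendorAccessBroker:
    """Hypothetical broker modelling steps 1, 4, 5 and 6 of the post."""

    def __init__(self, vault, connector):
        self._vault = vault          # target -> secret; never handed back to callers
        self._connect = connector    # assumed hook that opens the session with the secret
        self.admins = {}             # vendor org -> trusted individual (step 1)
        self.users = {}              # vendor org -> set of delegated users
        self.requests = {}           # request id -> request record (step 4)
        self.audit = []              # append-only log of every decision (step 6)

    def _log(self, now, event, **fields):
        self.audit.append({"ts": now, "event": event, **fields})

    # Step 1: one trusted person per vendor manages that vendor's user list.
    def register_vendor(self, org, admin):
        self.admins[org] = admin
        self.users[org] = set()

    def add_vendor_user(self, org, acting_as, user, now):
        if self.admins.get(org) != acting_as:
            self._log(now, "add_user_denied", org=org, by=acting_as, user=user, reason="not admin")
            raise AccessDenied("only the vendor's designated admin may add users")
        if len(self.users[org]) >= MAX_USERS_PER_VENDOR:
            self._log(now, "add_user_denied", org=org, by=acting_as, user=user, reason="cap")
            raise AccessDenied("vendor user list is at its cap")
        self.users[org].add(user)
        self._log(now, "add_user", org=org, by=acting_as, user=user)

    # Step 4: the vendor asks for specific work; the customer approves it with a time box.
    def request_access(self, org, user, target, protocol, reason, now):
        if user not in self.users.get(org, ()):
            raise AccessDenied("unknown vendor user")
        rid = secrets.token_hex(8)
        self.requests[rid] = {"org": org, "user": user, "target": target, "protocol": protocol,
                              "reason": reason, "approved_by": None, "valid_until": None}
        self._log(now, "request", request=rid, org=org, user=user, target=target, reason=reason)
        return rid

    def approve(self, rid, approver, ttl_seconds, now):
        req = self.requests[rid]
        req["approved_by"] = approver
        req["valid_until"] = now + ttl_seconds
        self._log(now, "approve", request=rid, by=approver, valid_until=req["valid_until"])

    # Step 5: the broker injects the stored credential; the user only gets a session handle.
    def launch(self, rid, user, now):
        req = self.requests.get(rid)
        if req is None or req["user"] != user:
            raise AccessDenied("no such request for this user")
        if req["approved_by"] is None:
            self._log(now, "launch_denied", request=rid, reason="not approved")
            raise AccessDenied("request not yet approved")
        if now > req["valid_until"]:
            self._log(now, "launch_denied", request=rid, reason="approval expired")
            raise AccessDenied("approval window has closed")
        sid = secrets.token_hex(8)
        self._connect(req["protocol"], req["target"], self._vault[req["target"]])
        self._log(now, "session_start", request=rid, session=sid, user=user, target=req["target"])
        return Session(sid, req["protocol"], req["target"], user)

    def end_session(self, session, now):
        self._log(now, "session_end", session=session.session_id, user=session.user)


def demo():
    """Constructed walk-through: one vendor admin, one delegated user, one approved RDP session."""
    vault = {"db-prod-01": "constructed-sample-secret"}
    opened = []   # records what the connector hook was asked to open (protocol, target)
    broker = VendorAccessBroker(vault, lambda proto, target, secret: opened.append((proto, target)))
    broker.register_vendor("Hitachi Vantara", "alice@vendor.example")
    broker.add_vendor_user("Hitachi Vantara", "alice@vendor.example", "bob@vendor.example", now=100)
    rid = broker.request_access("Hitachi Vantara", "bob@vendor.example", "db-prod-01", "RDP",
                                "patch storage agent", now=110)
    try:
        broker.launch(rid, "bob@vendor.example", now=111)   # refused: nobody has approved it yet
    except AccessDenied:
        pass
    broker.approve(rid, "it-ops@customer.example", ttl_seconds=3600, now=120)
    session = broker.launch(rid, "bob@vendor.example", now=130)
    broker.end_session(session, now=900)
    return broker, session, opened
```

Two properties are worth checking in a real deployment the same way the demo does here: the object a vendor receives after launch must not contain the secret, and the audit trail must show the denied attempt as well as the approved session, since the denials are what tell you someone tried to work outside an agreed window.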
All of these steps are best practices for granting elevated access to third parties and should be in place for all of your vendors. Of course, managing privileged access, especially across potentially dozens of vendors, can be time consuming and difficult. This is where a PAM system can help you simplify the process and ensure security while giving your vendors access to the systems they need to deliver quick and effective service.