Third-party vendor remote access best practices

Relationships between organizations and third-party vendors are complicated. More businesses are outsourcing functions to third parties, and those third parties are seen as “business partners.” These “business partners” are responsible for doing a specific job and to do that job, they’re given remote access into an organization’s network. And for whatever reason, whether it’s contractual obligations, reputation, or convenience, third-party reps are given many of the same access rights and permissions as employees. This is where the relationship gets really complicated. And this is where vendor remote access best practices should be implemented — but this is often not the case.

Why vendor remote access is so important

Third parties, business partners, and vendors continue to be the biggest risks to an organization’s cybersecurity framework. Third-party remote access creates a unique opportunity for hackers to infiltrate a system or network under the guise of a trusted third-party user. And third parties are prime targets for cyber criminals; the “hack one, breach many” trend has put third-party remote access on the map, and not for good reason. Once a third party is compromised, its connections can lead into the dozens, hundreds, or thousands of businesses that use it, which means dozens, hundreds, or thousands of businesses are at risk. Third parties are real causes for concern. The stats speak for themselves.

  • Over 50% of data breaches have been caused by third parties, according to the SecureLink and Ponemon report on third-party security.
  • According to Gartner, by 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.
  • The cost of a cyber attack increases by an average of $370,000 when it is caused by a third party.
  • It takes 210 days to identify a breach caused by vulnerabilities in third-party software, then an additional 76 days to contain it.

And if these stats aren’t convincing enough, just take a look at the recent Okta breach. Okta experienced a cyber attack through one of its third-party customer support engineers. The hackers were hoping to then use Okta as a third party to connect to its customers and attack their systems. These are just a few key findings and stories on third parties and security, and there are even more reasons third parties are considered the biggest liability to your security structure. Their remote access to mission-critical systems and assets needs to be treated differently.

Best practices for third-party vendor remote access

Third-party vendor threats are pervasive. But they’re not unconquerable. Being proactive and using these vendor remote access best practices can help mitigate the threat posed by third parties.

  1. Identify users
  2. Audit all high-risk access points
  3. Implement and enforce vendor remote access policies
  4. Apply access controls
  5. Monitor user access
  6. Automate vendor remote access

Step 1: Identify users

An organization typically uses between 250 and 500 third-party vendors. When you account for how many reps from each of those vendors log into your network, the number of external parties accessing your internal systems can reach into the thousands. Inventorying every vendor rep keeps track of the individuals accessing your sensitive data and assets, as well as which users hold the credentials that lead to critical access points. Complete visibility into access provides accountability and knowledge of who is accessing your system, why they’re accessing it, and how they’re accessing it.

Step 2: Audit all high-risk access points

Identifying which assets are most at risk, and the access points that lead to those assets, gives insight into the security measures that need to be taken around those access points. The amount of security should correspond with how high risk the asset is. Take PII as an example: personal information is some of the most valuable data on the black market, and thus some of the most targeted by hackers. If your organization stores customer PII, the access points that lead to that data need extra security. Once you’ve identified these access points, you can put controls in place to mitigate unauthorized user access, and you can assign the specific privileges and permissions needed to reach those critical assets. Though this is reminiscent of a more traditional “protect the perimeter” approach to cybersecurity, auditing your access points gives you visibility into all access points that need protecting — not just the ones that lead external parties in. Organizations often trust third parties as if they were employees already within the perimeter. Identifying access points can uncover security gaps that are missed when focusing only on external access threats.

Step 3: Implement and enforce vendor remote access policies

Access policies are rules that establish who should have access to which assets and what privileges are needed to access each asset. This element of access governance is crucial for protecting private information because it provides a baseline security standard for all users. It’s likely that you already have access policies for your own users managed in your HR systems; an HR system can recognize an employee’s title and assign the access permissions needed for the corresponding role. This becomes a challenge with third parties, because their identities are outside your organization’s control, so traditional role-based methods fall short. Instead, the best practice is to define a vendor remote access policy based on which assets third-party users need access to and which associated privileges or rights are needed. Then make sure this vendor access policy is enforced by detailed systems or processes for granting access. The system should be based on the principle of least privilege, ensuring that third-party vendors have the minimum access needed to do their job and nothing more.

Step 4: Apply access controls

Applying access controls is like hitting the brakes on a car: it adds friction to the movement a user makes through access points. Controls are what authenticate and restrict user access. A control looks at a third-party rep requesting access, vets their identity to make sure the person who owns the account matches the identity logging in, restricts their access to a granular level, and prevents unnecessary exposure to other parts of the organization’s network. The most useful framework for controlling access is zero trust. This model is based on the notion of “never trust, always verify.” Traditional cybersecurity methods have been based on a castle-and-moat architecture where security is built around a network perimeter, keeping anything on the outside from reaching internal networks, systems, and data. However, the threat landscape is changing; hacks originate from all sources, whether externally through third parties or internally. Access that was once entrusted to loyal employees or reputable third parties has been exploited, and security measures are evolving to meet those threats. When your security framework is built on zero trust principles, no user is trusted by default, and every user must be verified before being granted access to critical assets. This is done through a variety of security controls:

  • Zero Trust Network Access — ZTNA is the access method that embodies the zero trust architecture. Once a user is granted access, ZTNA routes the user directly to the application needed, so the rest of the network is invisible except for anything specifically assigned to that user. It takes them exactly where they need to go rather than granting broad access, which limits visibility and prevents lateral movement through a company’s network.
  • Multi-factor authentication — Use multiple forms of authentication to validate that the identity accessing an asset is the person assigned to the account being used. Multi-factor authentication draws on three common factors: what the user knows (a password), what the user has (a security token), and who the user is (a secure biometric verification). At least two of these factors must be used for multi-factor authentication; which ones, and the breadth of access granted to each party, can be adjusted to meet a company’s logistical and security needs.
  • Credential management — Compromised passwords account for over 60% of data breaches. Credential vaulting, such as that available in vendor privileged access management (VPAM) systems, provides a key roadblock for anyone holding stolen credentials. These systems keep all privileged credentials in an encrypted vault and never let users see the actual login information. A user checks out the right to use a credential, which is logged; the system then passes the encrypted credential to the appropriate target and initiates the login automatically. This keeps a key credential from being stolen, because the user never had the login information in the first place. Vendor access management also provides valuable usage and tracking information for all your privileged logins, for use in monitoring and audit efforts.
  • Fine-grained access controls — These access control methods provide an additional layer of security over vendor access rights to fully secure high-risk access points. While they don’t change a user’s rights and privileges, they put more control on how a user is able to use those rights and limit how much access is actually granted:
      • Access schedules/time-based access: Third-party users can only access during a specific time period.
      • Access notifications: Network or system administrators are notified when a third-party vendor accesses networks and systems.
      • Access approvals: Third parties have to request approval before being granted access.

These vendor access controls are most powerful and most effective when used in combination with each other rather than used independently. A system that is utilizing ZTNA, MFA, and fine-grained access controls is much more protected than one that only requires validation from MFA alone. 
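To make the policy model from Step 3 and the layered controls from Step 4 concrete, here is an added example (not SecureLink’s code and not part of the original article) of a default-deny vendor access evaluator. The vendor identity, asset names, access windows and the `AccessRequest`/`VendorPolicy` structures are all constructed for illustration: each vendor account is granted specific privileges on specific assets (least privilege), a time window, an approval requirement where the asset is high risk, and a two-factor minimum, and an admin notification is emitted when an audited access point is reached.

```python
"""Added example (not SecureLink's code): a small vendor access policy
evaluator that applies the controls described in Steps 3 and 4.
Every vendor, asset and user name below is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class AssetGrant:
    """What one vendor account may do on one asset (hypothetical structure)."""
    privileges: frozenset          # e.g. {"read"} rather than read/write/admin
    window_start: time             # time-based access: earliest allowed login
    window_end: time               # latest allowed login
    requires_approval: bool        # access approvals: must be approved first
    high_risk: bool = False        # audited access point (Step 2): notify admins


@dataclass
class VendorPolicy:
    grants: dict = field(default_factory=dict)   # asset name -> AssetGrant


@dataclass
class AccessRequest:
    vendor_user: str
    asset: str
    privilege: str
    at: datetime
    mfa_factors: int               # distinct factors presented (know/have/are)
    approved: bool = False         # approval already recorded for this request


# Constructed policy for one vendor support rep: read-only ERP access during
# business hours, and read-only access to a PII store only with approval.
POLICIES = {
    "acme-support-jdoe": VendorPolicy(grants={
        "erp-app": AssetGrant(frozenset({"read"}), time(8, 0), time(18, 0),
                              requires_approval=False),
        "customer-pii-db": AssetGrant(frozenset({"read"}), time(9, 0), time(17, 0),
                                      requires_approval=True, high_risk=True),
    }),
}


def evaluate(req: AccessRequest, policies=POLICIES):
    """Return (allowed, reason, notifications).

    Default deny: anything not explicitly granted is refused, which is the
    least-privilege baseline.  Checks run in the order a gateway would apply
    them: identity, asset assignment, privilege, MFA, schedule, approval.
    """
    notifications = []
    policy = policies.get(req.vendor_user)
    if policy is None:
        return False, "unknown vendor identity", notifications
    grant = policy.grants.get(req.asset)
    if grant is None:
        return False, f"{req.asset} not assigned to this vendor", notifications
    if req.privilege not in grant.privileges:
        return False, f"privilege {req.privilege!r} not granted on {req.asset}", notifications
    if req.mfa_factors < 2:
        return False, "multi-factor authentication required", notifications
    if not (grant.window_start <= req.at.time() <= grant.window_end):
        return False, "outside permitted access window", notifications
    if grant.requires_approval and not req.approved:
        return False, "approval required before access", notifications
    if grant.high_risk:
        # Access notification: administrators learn of every high-risk access.
        notifications.append(
            f"ALERT: {req.vendor_user} accessed {req.asset} at {req.at:%Y-%m-%d %H:%M}")
    return True, "granted", notifications


if __name__ == "__main__":
    demo = AccessRequest("acme-support-jdoe", "customer-pii-db", "read",
                         datetime(2024, 3, 5, 10, 0), mfa_factors=2, approved=True)
    print(evaluate(demo))
```

The order of the checks matters in practice: identity and asset assignment are evaluated before the schedule or approval, so a request for an unassigned asset is refused without revealing whether a schedule or approval step would have applied.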

Step 5: Monitor user access

Security doesn’t stop once a user has been vetted, authenticated, and granted access. Their activity needs to be watched and recorded to ensure no nefarious behavior is happening while a third party is behind the scenes of your network. Access monitoring includes proactive monitoring of a user while in session and reactive observation and analysis of network activity.

Proactive monitoring watches vendor behavior in real time so any suspicious or inappropriate activity can be detected. Combined with machine learning, user behavior can be baselined so that anomalous activity raises alerts and informs administrators of at-risk activity.

Reactive monitoring happens after a session (hence, reactive) when there’s a specific reason to look into third-party activity. It requires systems and tools that record sessions, and it is critical for investigation if a data or privacy breach occurs. It also saves time when producing the incident reports now mandated by Executive Order and when meeting audit or compliance requirements that call for reports on remote access activity.

Access monitoring is particularly important for the healthcare industry. Hospital staff need open-ended access to systems and databases so they can quickly retrieve information critical to patient care. Access controls aren’t ideal in a healthcare cyber infrastructure; a nurse who needs to know a patient’s prescriptions or allergies shouldn’t have to wait for access approval or authentication before reaching that patient’s information. The situations hospital staff face can be a matter of life and death — and access controls cannot get in the way. To keep patient data secure, healthcare organizations look to patient privacy monitoring (PPM) tools to monitor user access to patient files and electronic medical records (EMR).

PPM tools monitor and track all access to EMR databases so hospital privacy and compliance teams can see the “who, what, when, where, and why” of EMR access. These tools also detect access threats and flag any access that’s anomalous or inappropriate, shoring up the security gaps where access controls would usually be used.
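The reactive review described above can be illustrated with an added example (not SecureLink’s code and not part of the original article) that reads a constructed vendor session log, compares each event against a per-vendor baseline built from the inventory in Steps 1 and 2, and flags anything anomalous: an asset or action outside the baseline, access outside usual hours, or a record volume far above that user’s own history. The log format, vendor name, asset names and baseline values are all assumptions made for the example.

```python
"""Added example (not SecureLink's code): after-the-fact review of vendor
session logs, flagging access outside a per-vendor baseline.  The log
format, user and asset names and the baseline are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Assumed log line layout: "<ISO timestamp> user=<id> asset=<name> action=<verb> records=<n>"
LOG_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) asset=(?P<asset>\S+) "
                    r"action=(?P<action>\S+) records=(?P<records>\d+)")

# Constructed sample log: a normal week of read-only ERP support, then one
# session at 02:13 that exports far more records from a PII store.
SAMPLE_LOG = """\
2024-03-04T10:02:00 user=acme-support-jdoe asset=erp-app action=read records=40
2024-03-05T11:15:00 user=acme-support-jdoe asset=erp-app action=read records=55
2024-03-06T09:40:00 user=acme-support-jdoe asset=erp-app action=read records=38
2024-03-07T14:05:00 user=acme-support-jdoe asset=erp-app action=read records=61
2024-03-09T02:13:00 user=acme-support-jdoe asset=customer-pii-db action=export records=120000
"""

# Assumed per-vendor baseline derived from the vendor inventory (Step 1) and
# the audit of which access points the vendor legitimately needs (Step 2).
BASELINE = {
    "acme-support-jdoe": {"assets": {"erp-app"}, "actions": {"read"}, "hours": (8, 18)},
}


def parse(log_text):
    """Parse session log text into event dicts; malformed lines are skipped
    rather than aborting an audit run."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "asset": m["asset"],
            "action": m["action"],
            "records": int(m["records"]),
        })
    return events


def flag_anomalies(events, baseline=BASELINE, volume_factor=10.0):
    """Return a list of (timestamp, user, reasons) for events worth review.

    Volume is judged against the same user's earlier events in the log, so a
    single session that reads many times the usual number of records stands
    out even when the baseline says nothing about volume.
    """
    history = defaultdict(list)   # user -> record counts seen so far
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = []
        b = baseline.get(ev["user"])
        if b is None:
            reasons.append("no baseline for user")
        else:
            if ev["asset"] not in b["assets"]:
                reasons.append(f"asset {ev['asset']} outside baseline")
            if ev["action"] not in b["actions"]:
                reasons.append(f"action {ev['action']} outside baseline")
            start, end = b["hours"]
            if not (start <= ev["ts"].hour < end):
                reasons.append("outside usual hours")
        prior = history[ev["user"]]
        if prior and ev["records"] > volume_factor * mean(prior):
            reasons.append(f"record volume {ev['records']} far above typical {mean(prior):.0f}")
        prior.append(ev["records"])
        if reasons:
            findings.append((ev["ts"].isoformat(), ev["user"], reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in flag_anomalies(parse(SAMPLE_LOG)):
        print(ts, user, "; ".join(reasons))
```

Events are processed in timestamp order so that the volume comparison only ever looks backwards; feeding the same function a live stream gives the proactive form of the check, while running it over recorded sessions gives the reactive form.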

Step 6: Automate vendor remote access

While this technically isn’t a “next step,” it’s the best “best practice” you can implement to fully secure vendor remote access into your high-risk access points. Automating third-party remote access allows your organization to have a streamlined process to connect third parties to your critical systems. This automation comes in the form of third-party remote access platforms that provide a secure remote connection between vendors and organizational networks. These solutions are designed specifically for third-party remote access and are built to cover all of these steps, from vendor identity management to ZTNA and authentication tools. When looking at these solutions for your organization, make sure there are also access monitoring capabilities in place to audit and record all vendor activity to meet the needs your cybersecurity strategy demands.

Shortcuts to implementing vendor remote access best practices

74% of organizations said they believe a data breach was caused by giving too much privileged access to third parties. Privileged access gives third parties keys that open several doors that should otherwise be locked and sealed. How you handle those keys and manage vendor remote access is critical to your organization’s security structure. SecureLink Enterprise Access gives organizations the power to control their vendors’ remote access. And for third-party vendors who serve a variety of customers, you can secure your connectivity to all your customers via one secure platform with SecureLink Customer Connect. Prioritizing security doesn’t mean you have to sacrifice efficiency; these solutions are evidence that meeting both standards is possible.