How to avoid a third-party breach in 5 simple steps
If a burglar has the key to your house, having a state-of-the-art lock won't keep them out. That's exactly what happens when you allow third parties onto your network with privileged credentials without a solution that provides proper identity, access, and audit controls. When you need to grant privileged access, a new level of credential management is required. Companies that allow third parties to access their network must understand these core credential management best practices. Without following these steps, a third-party data breach is much more likely to occur.
1. Lock your credentials in a vault and never share them with anyone – that's right – anyone
Third parties and privileged users alike should be given single sign-on (SSO) access methods that prevent them from ever knowing the credentials they are using for access. With passwords safely and securely in a credential vault, passwords will never be placed on a spreadsheet, written on a sticky note, or sent company-wide in an email.
2. Enforce best practices for strong passwords and password expiration in your vault
When you aren't circulating credentials to users, you can make them as complicated as you want and change them just as often without disrupting the workflow of your users. Set expirations on accounts using your credentials to expire after a period of inactivity to help prevent misuse of the credential.
3. Authenticate individual user's credentials every time
Now that your complex credential is tucked safely away in your vault, make sure it is only used by authorized users. Use a multi-factor authentication that verifies the individual. Before you let them use the credential, confirm that the individual still works for the third party. For privileged access and high-security applications, consider using IP source network controls to manage where they are using your credentials from.
4. Audit the use of your credentials
Every time a credential is used you should know who used it, why, what time, for how long, and what was done under the power of that credential. Make sure the power that comes with the credentials is being used appropriately and that no one is misusing your credentials to exploit or damage your network and systems.
5. Choose the right solution for access
VPNs and desktop sharing tools have been the traditional method of remote third-party access. While VPNs work for employee access, they do not provide the required level of access control and audit capabilities necessary for third-party connections. Review your third-party access procedures and tools to ensure they're in line with best practices, check out our vendor privileged access management checklist. On the other side, vendors and contractors should make sure to limit their risk exposure by utilizing remote support tools that provide their customers with flexible controls and activity records.