What is vendor privileged access management (VPAM)?

If you’re in the cybersecurity world, you’ve probably come across the acronym PAM, or Privileged Access Management. This technology adds access controls and processes around coveted privileged credentials in order to prevent them from being compromised, while also limiting the damage if they ever are compromised. It’s not breaking news that hackers need privileged credentials in order to do real damage in networks. By employing vendor access management, you are adding an important layer of protection in any defense-in-depth design.

PAM for vendor access

Gartner and other industry analysts agree, ranking PAM implementation as one of their top recommended projects for the coming year. Third-party risk management is also a hot topic, given that 59% of all data breaches involve a third party, and many compliance frameworks require special management of vendor access into regulated networks. This is where a specialty PAM technology, known as Vendor Privileged Access Management, or VPAM, comes into play. VPAM software is specially designed to handle privileged access by third parties, such as vendors or contractors. These entities must be treated differently since you won’t have the same control over them as you do over an internal employee.

Features that need to be included in a complete vendor access management solution include:

  • Privileged password management
  • Privileged session management
  • Vendor access management

Of course, this is similar to what PAM has to offer, but the key distinction is that VPAM solutions are a vendor management option that will separate internal employee access from external access from vendors, third parties, and contractors. Below are the aspects to consider in any vendor access management implementation.

Privileged password management

Like its software “cousin”, a VPAM platform uses sophisticated password management, with additional layers of vendor access control, to protect the privileged credentials for the network and systems that third parties need to access. A credential vault is typical with VPAM systems, where high-end users have to “check out” power logins from a central bank in order to use them. This allows administrators to see what privileged passwords are being used across their whole infrastructure rather than having to check multiple log files. It also allows you to put limitations on your vendors’ access by time, user groups, and other criteria. Other VPAM features might trigger alarms when certain user behaviors are exhibited or thresholds are reached. Password obfuscation is also key, so that the end-user never actually sees the password: it is passed directly to the system and the user is automatically logged in. This keeps a user from saving the credential insecurely (like when someone writes their password on a sticky note) or using it later without going through the vendor access management system.

Privileged session management

Privileged session management, or PSM as it is sometimes called, helps track what a vendor does while accessing your system. Merely recording login times, usernames, and IP addresses like you might for internal users isn't enough. For vendors with privileged account access, you will want to record contextual data such as reasons for access, ticket numbers, approvers of access, and other data for each session in order to tie that login to a specific business purpose. Ideally, best-in-breed vendor privileged access management solutions will allow for full-HD monitoring that would include videos of GUI sessions and keystroke logs of command-line sessions. This is important to keep for your records and for auditing reasons.
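
The check-out flow and the session context described in the two sections above can be sketched as follows. This is an added example, not code from any VPAM product: the Vault and Policy classes, field names, and sample values are all hypothetical. It shows a check-out that is limited by group, time window, and a daily threshold, that requires a ticket, approver, and reason, and that hands the password to a connector instead of returning it to the vendor.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

@dataclass
class Policy:                      # hypothetical per-credential vendor policy
    groups: set                    # vendor groups allowed to check out
    window: tuple                  # (start, end) as datetime.time, same-day window
    max_checkouts_per_day: int     # threshold that raises an alert

@dataclass
class Vault:
    secrets: dict                  # credential id -> password (constructed data)
    policies: dict                 # credential id -> Policy
    audit: list = field(default_factory=list)
    alerts: list = field(default_factory=list)

    def checkout(self, cred, user, group, ticket, approver, reason, connect, now):
        """Open a session with `cred` on the vendor's behalf; return the audit record."""
        pol = self.policies[cred]
        record = {"cred": cred, "user": user, "ticket": ticket, "approver": approver,
                  "reason": reason, "time": now.isoformat(), "granted": False}
        self.audit.append(record)  # denied attempts are recorded too
        if not (ticket and approver and reason):
            record["denied"] = "missing business context"
        elif group not in pol.groups:
            record["denied"] = "group not allowed"
        elif not (pol.window[0] <= now.time() <= pol.window[1]):
            record["denied"] = "outside access window"
        else:
            used = sum(1 for r in self.audit
                       if r["granted"] and r["user"] == user
                       and r["time"][:10] == record["time"][:10])
            if used >= pol.max_checkouts_per_day:
                self.alerts.append(f"threshold reached: {user} on {cred}")
                record["denied"] = "daily threshold reached"
            else:
                # Obfuscation: the password goes to the connector, never to the caller.
                record["session"] = connect(self.secrets[cred])
                record["granted"] = True
        return record

if __name__ == "__main__":
    # Constructed sample data, not from any real system.
    vault = Vault({"db-root": "S3cr3t-constructed"},
                  {"db-root": Policy({"acme-support"}, (time(8), time(18)), 2)})
    rec = vault.checkout("db-root", "rep1", "acme-support", "TCK-1001", "j.doe",
                         "patch install", lambda pw: "session-1", datetime(2024, 1, 8, 9, 30))
    print(rec)
```

Every attempt, granted or denied, lands in the audit list with its ticket, approver, and reason, which is the per-session context an auditor needs to tie a login to a business purpose.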

Vendor privileged access management (VPAM)

Finally, vendor privileged access management software should be a part of any full-fledged implementation. Some VPAM solutions will offer the password and session management pieces but leave out the all-important access management that VPAM offers. This then requires an additional non-vendor management access piece, which, if implemented with a weak method like VPN, can leave a hole in your vendor access management protections. Other critical features of VPAM tools include workflow processes specific to vendor access. This would involve onboarding automation like self-service so that the administration and control of vendor access is not onerous. Quick off-boarding of vendor reps is also essential to keep unauthorized techs out of your systems. Multi-factor authentication support, including SMS and TOTP, may be required to comply with various standards and protect the end-users from credential theft.

Implement vendor access management to protect your critical assets

We have talked about the triad of features that makes up a good vendor management (or VPAM) system: privileged password management, session management, and vendor access management controls. If you’re using a VPN, a vendor-supplied support tool, or a PAM solution to manage your vendors’ network access, the limitations of those tools leave you vulnerable to breaches. To better protect your most critical assets and access points, download our secure connection checklist or read our report on third-party security.