Privileged access management (PAM) has always been a challenge, and even more so now that government agencies are turning with greater frequency to cloud-based business services and outsourced IT. PAM must be in place in order to help prevent data loss and theft, but not only is it a smart idea—it’s the law. Compliance regulations are in place to ensure that agencies do everything on their part to control access.
Thanks to many high-profile breaches, managing third party access—a sub-component of privileged access—is gaining increasing attention. An agency’s cybersecurity defenses are only as strong as the defenses of those contractors or partners who have access to the agency’s network, and attackers often exploit weaknesses in those third parties’ defenses to reach the agency’s data assets. As a result, many security teams now treat third-party access as a critical element of their PAM game plans.
Government agencies have multiple concerns regarding tracking third party access, including:
- Introduction of cyber vulnerabilities
- The risk of intellectual property theft
- The risk of losing or exposing critical data
- The risk that the supplier cannot deliver the needed services on time
Consequently, agencies need to establish a link between third parties’ encrypted sessions—whether interactive or simple data transfers—and their data loss prevention (DLP) capabilities. Agencies must be able to intelligently inspect encrypted traffic and file transfers, detect and respond to anomalies, and trigger preventative actions on them. This is a challenge for traditional PAM, where control is primarily role-based. Linking PAM and DLP effectively requires managing, auditing and controlling the encrypted session itself, and creating data tagging and classification techniques that tie into the DLP’s policy controls.
All this may cause one to point the finger at encryption, but rest assured that encryption is not the problem. It is more precise to say that the layered defenses currently available on the market are blind to what is going on within the encryption, and this allows malicious insiders to hide their activities—and for third parties to unwittingly introduce vulnerabilities into their customers’ network.
Best Practices in Third-Party Access
Managing third party access has its challenges, and they fall into three familiar categories: people, processes and technology.
People: What typically happens is that third parties enter their customers’ networks through VPNs (often without two-factor authentication) and from there access the network—perhaps through a jump server—where they may then reach the needed infrastructure, whether at the virtualization, application, networking or storage layer. Third parties often access the environment through some protocol-based encryption (such as Secure Shell, RDP, HTTPS or Citrix). Sometimes these jump host architectures have some form of monitoring; frequently they don’t. The potential entry points for vendors into the network are often distributed, meaning there is usually no single choke point through which all third party access must pass to enter the network.
In order to provide the strongest security possible, IT teams must enact strict controls regarding what can and cannot be done once the third party has entered the network. One of the concerns with traditional jump host architectures is that third parties, if the actions and commands they can run are not controlled, may be able to drop SSH user keys into development and production environments. From there, they can also drop these keys onto network devices such as routers or switches, enabling them to later bypass the jump hosts that are intended to control their access points.
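One defensive check for the dropped-key problem described above, as an added example (not code from the original post or from SSH Communications Security): the script audits an authorized_keys file against an inventory of approved third-party keys, flagging keys that are not in the inventory and approved keys that are not pinned with a from= option to the monitored entry point. The sample keys, vendor names and the 10.0.0.5 jump host address are constructed placeholders.

```python
# Audit authorized_keys against an approved third-party key inventory (added example).
# Flags keys not in the inventory (a key a contractor may have dropped in to bypass
# the jump host) and approved keys lacking a from= restriction to the jump host.
import base64
import hashlib
import re

# Locates the key type and base64 blob; everything before it is the options field.
_KEY_RE = re.compile(
    r"(?:^|\s)(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+([A-Za-z0-9+/=]+)"
)

def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the raw blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(authorized_keys_text: str, approved: dict) -> list:
    """Return (line_no, finding, fingerprint) for each suspicious entry."""
    findings = []
    for line_no, raw in enumerate(authorized_keys_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _KEY_RE.search(line)
        if not match:
            findings.append((line_no, "unparseable", None))
            continue
        fp = fingerprint(match.group(2))
        if fp not in approved:
            findings.append((line_no, "unapproved-key", fp))  # possible dropped key
            continue
        options = line[: match.start()].strip()
        if "from=" not in options:  # usable from anywhere, not only the choke point
            findings.append((line_no, "no-source-restriction", fp))
    return findings

# Constructed sample keys: the blobs are arbitrary bytes, not real SSH keys.
VENDOR_A_BLOB = base64.b64encode(b"constructed-key-vendor-a").decode()
VENDOR_B_BLOB = base64.b64encode(b"constructed-key-vendor-b").decode()
ROGUE_BLOB = base64.b64encode(b"constructed-key-dropped-by-contractor").decode()

# Keys the agency has approved; 10.0.0.5 is a placeholder jump host address.
APPROVED = {fingerprint(VENDOR_A_BLOB): "vendor-a", fingerprint(VENDOR_B_BLOB): "vendor-b"}

SAMPLE = f"""# constructed sample authorized_keys
from="10.0.0.5",no-agent-forwarding,no-port-forwarding ssh-ed25519 {VENDOR_A_BLOB} vendor-a
ssh-ed25519 {VENDOR_B_BLOB} vendor-b
ssh-rsa {ROGUE_BLOB} contractor-laptop
"""
```

Running `audit(SAMPLE, APPROVED)` reports the vendor-b key as usable from any source and the contractor-laptop key as outside the approved inventory.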
Processes: The processes related to third party access touch not only at an operational level, but also at the legal level where vendors are vetted prior to contractual engagements—and are thus a great source of concern. Let’s explore this briefly.
As our supply chains have become intertwined, our networks have become only as secure as those of the supply chain. As Joshua Douglas, CTO of Raytheon, says, “We share business processes, develop technology, as well as distribute products used in creating, sharing and distributing information.” Vulnerabilities in the supply chain can come from almost anywhere now and, therefore, you are only as strong as the weakest link in the chain.
More robust screening is in order, from a legal and process perspective, to ensure that third parties’ security standards are meeting an agreed benchmark level for security controls, which agencies should work on in partnership with their vendors.
Here are recommended questions for the legal department to ask:
- How is the supply chain for delivery of products and services secured on the vendor side, as well as on the customer side? What type of integrity testing is done on those delivered products, and how is that delivery zoned on the customer side?
- Do suppliers have direct access to IP?
- Are they required to report to the customer when they have been breached?
Technology: Third party access challenges will not magically disappear in the presence of technology. However, technology can help continuously reduce the level of risk customers expose themselves to. Some of the basic controls whereby technology, together with process, can address third party access concerns include:
- Connect what is going on in the encrypted session with behavior analytics; this is essential to gain a full understanding of third party access.
- Limit direct vendor access via the introduction of monitored choke points where vendors may enter the network infrastructure. This is the point where the encrypted session must be decrypted, monitored and controlled, and coupled with the capabilities of DLP, IDS, AV and other layered defense technologies.
- Agencies should zone the receipt of data from outside. Often the challenge here is that this data arrives encrypted, and existing AV technologies cannot detect malware that may have been introduced.
- Continuous monitoring of endpoints is important. However, agent-based technology is often difficult to deploy everywhere across the infrastructure (imagine deploying an agent on all network devices, switches and routers in the network – this is largely infeasible). Requiring third parties to deploy agents on the devices they use to access the customer infrastructure brings with it a myriad of practical challenges, both legally and process-wise. Ideally, continuous monitoring happens at the network level, from the entrance choke point onwards. Protocol subchannels must also be brought under control from this point forward.
Compliance and Security
Regulation will be a driving force behind the creation of and adherence to best practices for third party access going forward. Regulatory compliance does not always ease the way that we operate. However, with the combined aspects of people, process and technology and the overall complexities of the intertwined supply chain, strong recommendations around compliance best practices will be driven by bodies such as NIST.
A survey by CyberArk revealed that fifty-eight percent of organizations do not believe their vendors are securing and monitoring privileged access to their networks. Knowing what can go wrong if third party access isn’t managed, this is definite cause for concern. However, government agencies can be proactive in addressing this issue by working with vendors to clearly define access controls and responsibilities.
Matthew McKenna brings over 10 years of high technology sales, marketing and management experience to SSH Communications Security and is responsible for all revenue-generating operations. His expertise in strategically delivering technology solutions that anticipate the marketplace has helped the company become a market leader.