Third-party access creates huge security risks

While most modern organisations have recognised the security threat posed by third-party vendors who support critical internal systems, far fewer have overcome the associated security challenges.

Johannesburg, 26 May 2020
David Higgins, Technical Director - EMEA, CyberArk
David Higgins, Technical Director - EMEA, CyberArk

The nature of the modern business world is such that virtually every company at some point relies on remote third-party vendors to access, maintain and support critical internal systems and resources, a scenario inevitably accompanied by risk. The real challenge here is that even when extensive security measures are put in place, the security of third-party vendors with access to internal systems is often overlooked.

A good example, explains David Higgins, EMEA Technical Director at CyberArk, is a recent local breach that made headlines. Here, highly sensitive employee performance details were published online, as a direct result of third-party access insecurities.

“In today’s connected world, the level of third-party use is significant and extensive, and yet despite the clear threat this poses to organisations, it has not yet been given the kind of priority it should by those in charge of corporate cyber security. This, of course, means it remains high on the list of likely targets for cyber attackers,” he says.

“And the criminals have plenty to choose from – the extent of third-party use today is massive, as companies increasingly seek to outsource internal functions and operations and external services. In fact, a recent CyberArk study has indicated that around one in four enterprises is believed to make use of over 100 third-party vendors.”

What is especially worrying about these figures, continues Higgins, is that these external vendors generally require access to internal assets, data and applications, if they are to be able to honour their contracts. Moreover, nine in 10 actually demand access to critical internal assets.

“This, in turn, is cause for major concern because when it comes to security, it is only as good as the weakest link. Your company may have instituted excellent cyber security measures, but if the external vendor has not been as astute and their access controls are insecure, you have placed your entire business in danger.

“Securing third-party access therefore needs to be a top priority for organisations if they wish to avoid the reputational and financial losses that inevitably accompany a data breach. However, securing access for remote vendors is no simple matter.”

For one thing, he says, provisioning and de-provisioning access can be problematic. Too much access and vendors can see things they don’t need to, or for longer than required; too little and vendors are forced to create unsafe back-door routes to critical resources. In other words, it could be described as a ‘Goldilocks’ scenario: the struggle to find a balance that is ‘just right’.

“Furthermore, companies often do not have a holistic view of what such parties are doing once they authenticate, which is obviously a serious issue. Best practice is to record, log and monitor privileged activities, and this is not merely a good tactic, but one which is a requirement for audit and compliance purposes,” he adds.

“The question, then, is how should enterprises go about remedying this problem? For one thing, the CIO or IT manager should ensure the rapid implementation of secure, structured and multi-levelled privileged access controls. A protocol to govern the types of data and assets that can be accessed by third parties – one that runs on a case-by-case basis – will be a huge step towards building a more effective defence against third-party vulnerabilities.”

Another option, suggests Higgins, is one of the ‘all-in-one’, software as a service (SaaS) based subscriptions to security, which offer a combined approach to this challenge. These solutions integrate standard security tools and services, including privileged access management, in a manner that delivers an easy-to-implement solution for the securing of third-party access.

“This creates a much more digestible approach for businesses that don’t want to deal with the complexity of a tangled web of security measures. Instead, they can access, through a single package, all the tools they need to comfortably deal with what was once a complex and high security risk.

“In the end, the availability of these SaaS solutions means that there is no real excuse for third-party access not to be secured in a manner that allows your business to still function freely,” he concludes.