August 24th, 2016 by Mark Carrizosa
In a connected world, a business cannot function without multiple relationships with third parties – outside vendors, contractors, affiliates, partners and others. While the careless insider still tends to be viewed by experts as the weakest link in the security chain, the third-party contractor (with its own group of potentially careless insiders) is creating what is somewhat euphemistically called a major “pain point.”
In order to identify some of the key third-party-access industry trends, I had the pleasure of sitting down with a few members of Soha Systems’ Third-Party Advisory Group for a candid interview. I asked group members, who are security professionals, analysts and industry influencers, a number of questions about how they viewed third-party access security, what IT professionals should be doing to secure their networks, and what they are doing within their own organizations to secure third-party access.
Advisory Group members who participated in this interview included myself; Derek Brink, vice president and research fellow, Aberdeen Group; Slava Kavsan, founder and CEO, CKURE Consulting; Mike Kotnour, senior information security advisor, Assurant; Ajay Nigam, senior vice president of products, Accellion; Steve Hunt, principal consultant, Hunt Business Intelligence, and Jim Rutt, CTO, The Dana Foundation.
What follows are a few of the key takeaways from advisory-board interviews:
Third-party access is a trend that’s growing, said Derek Brink, because it’s ultimately helpful for business. It’s one of the many types of positive, “rewarded” risks that are associated with enabling assets, creating value, and maximizing upside. Ensuring that this third-party access is secure is simply the other, very natural side of that coin: defending assets, protecting value, and minimizing downside. To get the good, we also have to think through how to deal with the bad.
Slava Kavsan suggests that as more organizations move their digital assets to public clouds, there is a need to better understand the security and privacy implications of third-party access within this environment, especially when the cloud provider itself is acting as the third party. Operators and cloud service providers often need to have high-level access privileges to their customers’ data and to the applications they host in order to configure and secure the resources in their custody.
And Jim Rutt sees greater adoption in a number of vertical-specific industries, such as the healthcare sector. Healthcare solutions in particular, he says, have been built with the underlying assumption that third-party access relationships have to be explicitly defined and implemented rather than be based on a more generic private-cloud approach. The rise of standards such as FIDO will provide momentum towards a more universal approach to this problem. However, different business models will need their own implementations and abstractions for third-party access, as the regulatory and governance requirements are too specific to apply to disparate industries.
Third-party access is complex because third parties are so diverse, observed Steve Hunt. As a result, third parties are given priority only when absolutely necessary. He finds that organizations too often seek a one-size-fits-all solution. Those given third-party access today range from deeply embedded joint-venture partners who function almost as employees to alarm monitoring or HVAC service providers who connect only occasionally.
Mike Kotnour says that understanding and being able to quantify the cost helps secure more budget to resolve issues such as third-party access. He adds that it’s important to understand that passwords, which are and have been the weakest link in any security program, are still the primary method of access control. While multi-factor authentication systems are available, many companies do not implement them because of their cost, complexity and perceived difficulty of use. This challenge has led IT teams to resort to simpler measures, such as providing third-party vendors with the same access as employees. While this method of access may comply with internal IT regulations, it also poses a greater, and unnoticed, risk to the organization.
Ajay Nigam believes the issue comes down to organizational responsibility. He says that vendor risk-management teams rely on IT to recommend third-party access solutions, and an easy-to-use solution will likely see greater adoption. In addition, solution providers need to pay more attention to user experience and understand that IT resource constraints drive a different operational priority for organizations.
Rutt has created a vendor management plan in conjunction with his business units and developed a solid communications plan. This allows him to firm up his internal disaster-recovery plans, review third-party direct-report plans on a regular basis and enforce testing. In addition, he does a yearly insurance risk review to ensure that his organization carries the correct amount of insurance.
Asset inventory is an often-forgotten and highly useful tool for getting a grip on many security challenges, access among them, said Hunt. He works hard to continually improve asset inventory and tracking so he can reduce the risk of network-connected assets being out of compliance with policy.
And here at Soha, we incorporate concepts such as zero-trust, network abstraction, extended identity validation and full-session recording to effectively reduce overall risk and isolate any potential impact caused by third parties or any remote users.
Drop me an email at email@example.com
Mark Carrizosa is the director of information security for the enterprise access division at Akamai Technologies. Previously, he was chief information security officer (CISO) and vice president of security for Soha Systems.