Securing Vendor Remote Access Cannot Be Outsourced

Background on the paradigm shift in securing vendor remote access 

A prominent security company was hacked earlier this year. The hacker was able to get access to at least a spreadsheet that included domain administrator account information. It is unclear if passwords associated with those accounts were part of the compromise. The delay in disclosure of the incident and of the results of the investigation has caused a public outcry.

It is interesting to note that the company itself was not breached. It was an outsourced vendor whose systems were compromised. But the responsibility for data security and system integrity lay squarely on the company whose customer data was compromised.  

This blog is not intended to analyze the specific security incident. It discusses the shift in customer expectation of secure vendor remote access and incident response. 

 

Customer Experience Ownership: The Cost Benefit Calculus 

The biggest learning from the compromise is not that outsourcing is commonplace. Nor is it that outsourced vendors have access to critical resources and sensitive data. It is that outsourcing functions does not equate to outsourcing responsibility for security.  

Most companies need to provide secure vendor remote access to more than one vendor. Each vendor requires a different level of access. Often the vendor manages the endpoints used to access resources at the parent company. The parent company is blind to the device and security posture of the endpoint.  

When there is a compromise, the parent company must rely on the vendor and their vendors for the forensics. This limits the parent company’s ability to provide timely disclosures and details on the compromise. Customers demand faster disclosure and have shown little tolerance for the delays caused by the chain of dependencies.  

The incident proves that security is the responsibility of the company, even if a business function is outsourced. Indemnification clauses in the vendor contracts provide legal protections, but don't do anything to protect the reputation and brand. Enterprises do not have the luxury of outsourcing responsibility for security. Nor can they outsource ownership of customer expectations.

Owning Customer Experience: Insourcing Security Without the Operational Overhead 

This incident shows that organizations must own the end-to-end customer experience. They must own the security of all access to resources, infrastructure, and data. In this case the compromised vendor outlined specific actions to achieve this goal. They included:

  1. Direct control and management of all vendors' secure remote access
  2. Management ownership of all vendor devices
  3. Applying zero trust to all customer support activities

This approach introduces operational overhead costs and complexity. Companies, big and small, outsource functions. They must manage security risk associated with vendor remote access, without the overhead.

Here are three secure vendor remote access best practices that can provide security without the cost and complexity. 

1. Direct visibility and control over third party and vendor secure remote access 

Controlling access to infrastructure is the linchpin of security. It is also the cornerstone of a zero-trust architecture. The approach used to limit access to infrastructure, data and applications should have all of the following elements:

  • Provide secure zero trust access that leverages identity to control access to internal applications and SaaS applications. This makes identity the new perimeter.
  • Ensure adaptive and context-based access to infrastructure, applications and data. The control should monitor identity usage to detect shared accounts and prevent use of impersonated accounts.
  • Control data access for each application to limit the risk of data breaches. It should also limit file downloads within an application to a select group of users. In addition, it should be able to detect sensitive data (like PII) involved in data access.

The approach above does not mandate direct control over the devices used to access the infrastructure and applications. It gives organizations an unprecedented level of flexibility to control access from any device an end user chooses, without compromising security. It allows organizations to control cost and limit the operational complexity of deploying MDM (or similar) solutions to encompass every device.

Appaegis provides a unique solution that continuously monitors every interaction between users and applications. The continuous monitoring delivers visibility that encompasses networking, identity, devices, and data to the enterprise. Each access and its associated context should be logged to provide full visibility and control over third party or vendor access.

This allows organizations to have immediate access to the data and information about all access activities. It eliminates the chain of dependencies and therefore the delay which is likely to impact customer satisfaction.

It also allows organizations to eliminate the need for manual audits to meet compliance mandates. Importantly, it provides the details required to identify root causes. Since this data would always be available, communication related to compromises can be timely and comprehensive.

 

2. Apply zero-trust to everything 
 

Zero trust has been recognized as the key approach to provide robust security.  So let me define what it means in the context of securing access. Zero Trust is about enforcing least privileged access by allowing access based on user identity, application and context. It also means that the approach of “authenticate then hand-off” is not enough.

Implementing Zero Trust requires applying "never trust, always verify". For secure third party or secure vendor remote access it means verifying network authorization, identity, and the context associated with data access. It also means establishing a trust radius around the device.

For network authorization, we need to control and verify that users can only reach allowed applications. Identities must always be monitored and authenticated at the network layer. Identity must be verified every time internal resources are accessed.  

That process must remain inline. It should evaluate the context of every access request. Context should be considered before granting access to resources. It must include applications, identity, and files. Context considered might also include time, geography, and other factors to which the organization assigns risk.  

Establishing a trust radius around the device does not mean that all devices need to be managed. It means that the level of access can be controlled whether the device is managed or unmanaged. It ensures that malicious devices cannot infect or impact the organization's infrastructure or become agents for the lateral movement of malware. 

All the above means that the security solution must enforce secure access based on the continuous runtime data. Of course, this can only be enforced if the security solution has such visibility into context. It is important to realize that traditional network-centric tools like ZTNA and VPN solutions are blind to this context. 
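The context-based decision described in this section and in the access-control bullets of best practice 1 (identity and group, application, geography, time, device posture, per-user file download limits, PII handling, and shared-account detection) can be made concrete as a small policy evaluator. This is an added illustration, not Appaegis code or policy format; the application name, groups, users and thresholds are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed policy for one hypothetical vendor-facing application (not a real product format).
POLICY = {
    "vendor-ticketing": {
        "allowed_groups": {"vendor-support"},
        "download_users": {"alice@vendor.example"},  # only this select group may download files
        "allowed_countries": {"US", "CA"},
        "business_hours": (8, 18),  # hours (UTC) considered normal for this vendor
    }
}

@dataclass
class AccessRequest:
    user: str
    groups: set
    app: str
    country: str
    device_managed: bool
    action: str  # "view" or "download"
    when: datetime
    contains_pii: bool = False

def evaluate(req, policy=POLICY):
    """Evaluate one request inline. Returns (decision, reasons); decision is allow, deny or allow-readonly."""
    rules, reasons = policy.get(req.app), []
    if rules is None or not (req.groups & rules["allowed_groups"]):
        return "deny", ["identity not authorized for this application"]
    if req.country not in rules["allowed_countries"]:
        return "deny", ["geography outside policy"]
    start, end = rules["business_hours"]
    if not (start <= req.when.hour < end):
        reasons.append("outside business hours")  # logged as context, not a hard deny here
    if req.action == "download":
        if req.user not in rules["download_users"]:
            return "deny", reasons + ["file download not permitted for this user"]
        if not req.device_managed and req.contains_pii:
            return "allow-readonly", reasons + ["PII download blocked on unmanaged device"]
    return "allow", reasons

def detect_shared_account(sessions, window_minutes=30):
    """Flag users seen from two different countries within the window: a shared-account signal."""
    flagged, by_user = set(), {}
    for s in sorted(sessions, key=lambda s: s["when"]):
        for prev in by_user.get(s["user"], []):
            if prev["country"] != s["country"] and (s["when"] - prev["when"]).total_seconds() <= window_minutes * 60:
                flagged.add(s["user"])
        by_user.setdefault(s["user"], []).append(s)
    return flagged
```

Every decision and its reasons list would be written to the access log, which is what gives the parent company the forensic record without waiting on the vendor's chain of dependencies.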

 

3. Implement solutions to limit the exposure, risk and damage

Whether the damage is associated with data or the spread of malware, organizations should assume the possibility of a compromise. It is important to have a robust response plan and incident response solutions in place. It is just as important to ensure that the secure access solution limits potential exposure to begin with. Applying the principle of least privileged access and limiting access to specific applications (instead of a broad network) are essential elements.

One of the technologies that enables secure access is browser isolation. Browser isolation provides isolation between the endpoint and the cloud infrastructure. It limits the endpoint's ability to directly access the cloud infrastructure or applications. It stops lateral movement of malware and prevents compromise of enterprise environments. Even if the endpoint is compromised, the exposure is limited to that endpoint.

This approach provides detailed visibility and control of identity and data access for each application. It prevents privilege escalation, vulnerability exploits, and lateral movement.

Browser isolation serves a dual purpose. It reduces the operational complexity associated with direct control over the device and limits the spread of malware. It eliminates the need for complete control over the endpoint with MDM-like solutions.

The challenges of ensuring end-to-end security in any organization are not trivial. Security must account for all the dynamics discussed above: the rapid shift to the cloud, the rapid transition to a hybrid workforce, and the need for third parties, vendors and contractors to access applications and infrastructure. Trends in outsourcing have only exacerbated the challenge.

A zero-trust approach to securing cloud access mandates that security is the responsibility of the enterprise. Even if business processes and functions are outsourced, the responsibility for securing remote access cannot be outsourced. The good news is that there are solutions that can address the challenges listed above. And they can do so without the onerous cost, operational complexity or compromised user experience.

Do the secure vendor remote access best practices above resonate with you? Reach out to me to share your perspective. Or talk to one of our security experts about implementing secure vendor remote access solutions.
