Privileged access management (PAM) has, by and large, always been a difficult topic for the enterprise. Now that cloud and IT services are being outsourced more often, PAM challenges are taking center stage.
Done well, PAM protects organizations from data loss, data theft, and denial of service. Done poorly, or not at all, PAM is often a compliance violation that opens the door to fines as well as data exposure.
Guest article by Matthew McKenna, chief strategy officer, SSH Communications Security
Access management must extend across the enterprise, and that includes third parties. Managing this privileged access is drawing increasing attention because of high-profile breaches, and for good reason: an organization's cybersecurity defenses are only as strong as the defenses of the contractors, partners, and customers who have access to its network. Attackers therefore often use weaknesses in a third party's defenses to reach the victim's data assets, and many security teams now scrutinize third-party access as a critical element of their PAM game plans.
Trustwave reports that 63 percent of data breaches are caused by security vulnerabilities introduced by third parties. Beyond the introduction of such vulnerabilities, the greatest concerns enterprises face in tracking third-party access include:
- Losing or exposing critical data
- Intellectual property theft
- The supplier’s inability to deliver the needed services on time
The need of the hour is to tie third parties' encrypted sessions, whether interactive or plain data transfers, to data loss prevention (DLP) capabilities. Organizations need to be able to inspect that encrypted traffic and those file transfers, detect and respond to anomalies in them, and trigger preventive actions.
This is a challenge for traditional PAM, where control is primarily role-based. To create an effective linkage between PAM and DLP, it is necessary to manage, audit, and control the encrypted session itself, and to tag and classify the data inside it so that it can be matched against the DLP's policy controls.
It would be easy to blame encryption. It is more precise to say that the layered defenses currently on the market are blind to what happens inside the encrypted session. That blindness allows malicious insiders to hide their activities and lets third parties unwittingly introduce vulnerabilities into their customers' networks.
Tactics for Overcoming Common Challenges
Controlling third-party access faces challenges in three realms: people, processes, and technology.
Customer networks are frequently accessed via VPNs, often without two-factor authentication. From there, third parties reach the network, perhaps through a jump server, and then the infrastructure they need, whether at the virtualization, application, networking, or storage layer.
Third parties usually access the environment over an encrypted protocol such as Secure Shell (SSH), RDP, HTTPS, or Citrix. Some jump host architectures have a form of monitoring, but many do not. Vendor entry points into the network are also usually distributed, so there is rarely a single choke point through which all third-party access must pass.
To create the safest environment possible, the customer company needs strict controls on what can and cannot be done once a third party is inside the network. One concern with traditional jump host architectures is that a third party whose actions and commands are not controlled can drop SSH user keys, that is, add its own public keys to authorized_keys files, on hosts in development or production environments. It can then do the same on network devices such as routers and switches, and later log in with those keys directly, bypassing the jump hosts that were supposed to control its access.
Processes are a critical factor in third-party access. They matter not only at the operational level but also at the legal level, where vendors are vetted before contracts are signed. Let's explore this briefly.
As Joshua Douglas, CTO of Raytheon, says, “We share business processes, develop technology, as well as distribute products used in creating, sharing, and distributing information.” A network is only as secure as its supply chain, and supply chains are now intertwined: a vulnerability can enter from almost anywhere along the chain, so you are only as strong as its weakest link.
Enterprises should work in partnership with their vendors on an agreed benchmark level for security controls. From the legal and process perspective, stronger vetting procedures should be adopted to ensure that third parties’ security standards are meeting that agreed benchmark.
Questions for the legal department to consider include:
- How is the supply chain for delivery of products and services secured on the vendor and customer side? What type of integrity testing is done on those delivered products, and how is that delivery zoned on the customer side?
- Do suppliers have direct access to intellectual property?
- Are they required to report to the customer when they have been breached?
Technology does not solve third-party access on its own, but it can continuously reduce the level of risk customers expose themselves to. Some basic controls where technology, together with process, can help include:
- Use monitored choke points wherever vendors may enter the network infrastructure. This is the point where the encrypted session must be decrypted, monitored, and controlled, and coupled with DLP, IDS, AV, and other layered defense technologies.
- Continuous monitoring of endpoints is important, but agent-based technology is often difficult to deploy across the whole infrastructure (imagine an agent on every switch and router in the network; this is largely infeasible). Requiring third parties to deploy agents on the devices they use to access the customer infrastructure brings a myriad of practical, legal, and process challenges. Ideally, continuous monitoring happens at the network level, from the entry choke point onward. Protocol subchannels, such as SSH port forwarding and agent forwarding, must also be brought under control from that point forward.
- Zone the receipt of data from outside. The challenge here is that the data often arrives encrypted, so existing AV technologies cannot detect malware it may carry.
- A critical piece of a complete understanding of third-party access is applying behavior analytics to what happens inside the encrypted session.
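One concrete check for the two SSH problems raised above (a third party dropping its own keys onto hosts to get around the jump host, and keys that leave port and agent forwarding open) is to audit every authorized_keys file against the key inventory agreed with the vendor. The script below is an added example, not code from the article or from SSH Communications Security; the vendor names, the jump-host address 10.20.0.5, the command wrapper path and the key blobs are constructed placeholders.

```python
# Added example (not code from the article or SSH Communications Security): audit an
# authorized_keys file against the keys a vendor was approved to use. Blobs, addresses
# and vendor names are constructed placeholders.
import base64
import hashlib
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
# Without these (or the "restrict" shorthand, OpenSSH 7.2+) a key can open the
# subchannels a jump host is meant to mediate: TCP, agent and X11 forwarding.
SUBCHANNEL_RESTRICTIONS = {"no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}
AuthorizedKey = namedtuple("AuthorizedKey", "key_type blob_b64 comment options fingerprint")

def ssh_fingerprint(blob_b64: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(key blob)."""
    blob = base64.b64decode(blob_b64 + "=" * (-len(blob_b64) % 4))
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def split_options(text: str) -> Tuple[List[str], str]:
    """Split the leading options field from the rest of the line. Commas and
    blanks inside double quotes (from="a,b", command="x y") do not end an option."""
    opts, cur, in_quotes, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if in_quotes and ch == "\\" and i + 1 < len(text):  # escaped char inside quotes
            cur, i = cur + text[i:i + 2], i + 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            opts.append(cur)
            cur, i = "", i + 1
            continue
        elif ch in " \t" and not in_quotes:
            break
        cur, i = cur + ch, i + 1
    opts.append(cur)
    return opts, text[i:].strip()

def parse_authorized_key(line: str) -> Optional[AuthorizedKey]:
    """Parse one authorized_keys line; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options: List[str] = []
    if not line.startswith(KEY_TYPE_PREFIXES):  # no key type first => options field present
        options, line = split_options(line)
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"malformed authorized_keys line: {line!r}")
    comment = parts[2] if len(parts) == 3 else ""
    return AuthorizedKey(parts[0], parts[1], comment, options, ssh_fingerprint(parts[1]))

def audit(authorized_keys_text: str, approved: Dict[str, str]) -> List[str]:
    """One finding per problem: keys nobody approved, and approved vendor keys that
    could bypass the jump host or open subchannels. An empty list means clean."""
    findings = []
    for lineno, raw in enumerate(authorized_keys_text.splitlines(), 1):
        key = parse_authorized_key(raw)
        if key is None:
            continue
        owner = approved.get(key.fingerprint)
        tag = f"line {lineno} {key.fingerprint}"
        if owner is None:
            findings.append(f"{tag}: UNAPPROVED key, comment={key.comment or '(none)'}")
            continue
        names = {o.split("=", 1)[0].lower() for o in key.options}
        if "restrict" not in names and not SUBCHANNEL_RESTRICTIONS <= names:
            findings.append(f"{tag}: {owner}: subchannels not disabled (add restrict)")
        if "from" not in names:
            findings.append(f"{tag}: {owner}: no from= pin, usable without the jump host")
        if "command" not in names:
            findings.append(f"{tag}: {owner}: no command= wrapper, any command allowed")
    return findings

# Constructed ed25519-shaped blobs: valid base64 of the right length, not real keys.
_PREFIX = "AAAAC3NzaC1lZDI1NTE5AAAAI"
BLOB_A = _PREFIX + "BwbYsMzUpGmCYIDQdMDAKFYc3ZqKj3TRd8JmDx2mD4I"
BLOB_B = _PREFIX + "Q7kVb2pKs8wq3HcZd0nRfT1xLmA9yEuBvC6jN4gWoPk"
BLOB_C = _PREFIX + "mX2rTq9cLp4vKd7sWz1nHb3jRg8yFa5eUo6tMi0kNcY"
BLOB_D = _PREFIX + "zP3dKx8sQw2vLr7tMn1cHb5jYg4eFa9uUo6iRk0pNmW"
# Normally loaded from the vendor onboarding record, keyed by fingerprint.
APPROVED = {
    ssh_fingerprint(BLOB_A): "Acme support",
    ssh_fingerprint(BLOB_B): "Acme support",
    ssh_fingerprint(BLOB_C): "VendorB ops",
}
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample of a vendor account's authorized_keys on a production host
from="10.20.0.5",restrict,command="/usr/local/bin/vendor-shell" ssh-ed25519 {BLOB_A} acme-support
ssh-ed25519 {BLOB_B} acme-build
no-port-forwarding,no-agent-forwarding,no-x11-forwarding ssh-ed25519 {BLOB_C} vendorb-ops
ssh-ed25519 {BLOB_D} jdoe@laptop
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_AUTHORIZED_KEYS, APPROVED)))
```

Run against the real inventory on every host a vendor account exists on, an UNAPPROVED line is exactly the dropped-key bypass described earlier, and a key without from= is one that keeps working if the jump host is taken out of the path. The same forwarding restrictions can also be imposed server-wide for a vendor group in sshd_config (AllowTcpForwarding no, AllowAgentForwarding no, X11Forwarding no under a Match Group block), which is preferable to trusting per-key options alone; the restrict shorthand needs OpenSSH 7.2 or newer.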
Clarity in Privileged Access Management
Going forward, best practices for third-party access will be enforced in part by regulatory compliance. Compliance does not always ease the way we do business, but given the combined aspects of people, process, and technology and the complexity of the intertwined supply chain, strong recommendations on compliance best practices will be driven by bodies such as NIST.
When the majority of data breaches are caused by security vulnerabilities introduced by third parties, it is time to take a hard look at privileged access management and stop passing the security buck to third parties, who usually (and silently) pass it right back. Instead, enterprises can map out their vendor relationships so that every PAM concern is clearly addressed. Then no one is left in the dark about who is responsible for what, or about who or what has access to your digital assets.
Matthew McKenna brings over 10 years of high technology sales, marketing, and management experience to SSH Communications Security and is responsible for all revenue-generating operations. His expertise in strategically delivering technology solutions that anticipate the marketplace has helped the company become a market leader. Matthew has also served as a member of the executive management team of Automaster Oyj, which was successfully acquired by ADP Dealer Services Nordic. Before this, Matthew played professional soccer in Germany and Finland. Matthew holds a BA in German from the University of South Carolina and an MBA from the Helsinki School of Economics and Business Administration.