BEST PRACTICES GUIDE - SecureLink · 2019-09-16 · BEST PRACTICES GUIDE ... Your business depends...

www.securelink.com

Best Practices for Managing 3rd Party Vendor Remote Access


Your business depends on enterprise software and the 3rd party vendors who maintain it. Balancing the needs of vendors with the security and compliance demands of your organization can be a difficult task.

Best practices for managing 3rd party vendor remote access require a clear understanding of the issue from the vendor’s perspective as well as your own.

Giving support – analysis from the vendor perspective

Your vendors and their technicians are smart, capable individuals that have your best interests in mind. They want to get your problem fixed or your upgrade completed with as little friction as possible. You pay them well to do this.

Vendors face challenges that can put their interest at odds with yours. For starters, the market is competitive, with several providers that would be happy to steal business from your incumbent. What’s most likely to make your company switch? Any survey will prove that the top reason for switching vendors is bad service, specifically delays in time to resolve issues.

Time to resolution is a key metric for vendors, so getting access quickly is critical, even if your security and compliance become secondary.

Next, software is getting more complex and integrated with other platforms. A new patch from Microsoft or an upgrade to another vendor’s product can cause problems, even if the software was working perfectly yesterday.

Finally, vendors are becoming subject to regulations, especially if they require access to regulated data, such as patient information or credit cards.


“A problem well stated is a problem half-solved.” (Charles Kettering)


Vendors are asked to do a difficult job in an increasingly complex and regulated environment against a backdrop of unlimited liability.

Seeing things from your vendor’s perspective is important. If a system is down and your bonus (or your boss’ bonus) is tied to customer satisfaction, how strongly would you object to sharing a login that belongs to someone else? Would you decline a desktop sharing link if it helped you fix a problem?

Receiving support – analysis from the customer’s perspective

From your perspective, it’s all about balance. You must allow access to keep your systems running and your business users happy. At the same time, you must protect your organization from the evolving threat of increasingly sophisticated hackers while remaining compliant with a growing list of regulations. Tough job.

The first step is to recognize how a vendor differs from your typical employee remote user. There are many differences, but the two most important are that a vendor has many technicians and that those technicians require powerful access in order to support you.

A single vendor may have thousands of individual technicians. The login you provide to Tom on Tuesday may be used by Wendy on Wednesday. Credentials are not only stored in the vendor’s CRM system, they’re written on sticky notes affixed to monitors around the world. Whether by best practice or legal mandate, you need to know what individuals are accessing your systems.

Second, vendors require admin rights to their systems. These elevated privileges can be extremely powerful. While your employees can check e-mail or view a sales report, your vendors can delete a database, or transfer one overseas.

Worried?

You may be tempted to eliminate remote access for non-employees or implement a policy that requires vendors to fill out access request forms or provide detailed information about their users. While perhaps more secure, it’s not realistic.

Your business users may gather outside your office with pitchforks and burning brooms if you disable access for their vendors or make it time consuming for them to get access to fix a critical system issue.


More likely, someone would let the vendor sneak in a side-door that’s all too easy to open. “No access? No problem. We use (insert desktop sharing tool name here) and I can easily fix this without involving those pesky IT/InfoSec people. Just click on this link I’m about to e-mail you, I’ll take over your machine and get the job done. Go to lunch, I’ve got this.”

Finding the correct balance between the needs of the business and the requirements of security and compliance is difficult, but it can be done.

Five keys to managing 3rd party vendor access to your network:

1) Be aware. Vendors are not typical users and should be treated accordingly.

2) Have a realistic policy. Insist on individual logins, demand accountability, but don’t expect a technician to send you a copy of her passport. It’s not going to happen.

3) Integrate policy in your purchasing process. Remote access should be negotiated before the vendor needs it. If your POS system is down, your IT staff (or someone else) is going to open a door that may be left open. The best time to negotiate access methodology is when the software is being purchased (amazing how accommodating the salespeople are at that time) or when your maintenance / subscription agreement is being renewed.

4) Control the platform. If left to their own devices, a vendor may choose a remote support method (often a simple screen-sharing tool) that meets their needs more than yours. Your platform should support multi-factor authentication, provision granular access privileges, keep credentials private and audit all activity at the individual user level.

5) Monitor vendor activity. Ongoing audit of vendor remote access ensures accountability and compliance. More importantly, a proper audit trail and access notifications should create alarms when unusual activity takes place.
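The audit and alarm logic that keys 2, 4 and 5 describe, as an added example that is not SecureLink's code: it runs a small vendor-access policy (individual accounts, MFA, an approved time window, and per-vendor target systems) over constructed log records and returns the alerts a platform should raise. The log format, field names and policy values are assumptions made for the example.

```python
"""Audit constructed vendor remote-access records against the guide's controls:
individual logins, multi-factor authentication, and alarms on unusual activity.
Added example; not SecureLink's code. Log format and policy are assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp, vendor, account used, the individual
# technician behind the session, source address, MFA flag and target system.
LOG = [
    "2019-09-16T09:05:00 vendor=acme account=acme-support tech=tom src=203.0.113.10 mfa=yes target=pos-db",
    "2019-09-17T10:30:00 vendor=acme account=acme-support tech=wendy src=198.51.100.7 mfa=yes target=pos-db",
    "2019-09-17T02:15:00 vendor=acme account=acme-tom tech=tom src=203.0.113.10 mfa=no target=hr-db",
    "2019-09-18T14:00:00 vendor=acme account=acme-wendy tech=wendy src=198.51.100.7 mfa=yes target=pos-app",
]

# Assumed policy: routine vendor work happens 08:00-18:00, every account belongs
# to exactly one person, and each vendor is scoped to the systems it supports.
POLICY = {
    "approved_window": (8, 18),
    "max_techs_per_account": 1,
    "allowed_targets": {"acme": {"pos-db", "pos-app"}},
}


def parse(line):
    """Turn one 'ts key=value ...' record into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def audit(lines, policy):
    """Return (kind, account, detail) alerts for every policy violation."""
    alerts = []
    techs_by_account = defaultdict(set)
    lo, hi = policy["approved_window"]
    for rec in map(parse, lines):
        techs_by_account[rec["account"]].add(rec["tech"])
        if rec["mfa"] != "yes":                      # key 4: MFA is mandatory
            alerts.append(("NO_MFA", rec["account"], rec["tech"]))
        if not lo <= rec["ts"].hour < hi:            # key 5: off-hours access
            alerts.append(("OFF_HOURS", rec["account"], rec["ts"].strftime("%H:%M")))
        if rec["target"] not in policy["allowed_targets"].get(rec["vendor"], set()):
            alerts.append(("OUT_OF_SCOPE", rec["account"], rec["target"]))  # key 4
    for account, techs in techs_by_account.items():  # key 2: one login per person
        if len(techs) > policy["max_techs_per_account"]:
            alerts.append(("SHARED_ACCOUNT", account, ",".join(sorted(techs))))
    return alerts


if __name__ == "__main__":
    for alert in audit(LOG, POLICY):
        print(*alert)
```

The shared `acme-support` login is only detectable because the platform recorded the individual technician behind each session, which is the accountability the guide asks for.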

Your organization’s specific solution will involve identifying current and desired workflows, along with technical and business considerations.

Technical considerations include multi-factor authentication, credential management, network segmentation and access provisioning.

Business considerations include identifying vendors and current support methodologies, service level agreements, audit, communication and negotiation with your internal stakeholders and the vendors themselves.

Managing vendor access is a critical component of any network security strategy. With awareness, proper policy and the right platform, it’s possible to bridge the gap between the needs of your vendors and your organization.