The Unintended Consequence of Outsourcing, Contracting and Cloud Services: Increased Cyber Risk
By: Shrey Fadia
Originally published on Cloud Computing Magazine
Gartner and other industry analysts agree that implementing Vendor Risk Management (VRM) has grown in importance as a subset of Privileged Access Management (PAM).
Research shows that nearly 60% of all data breaches involve a third party, and an increasing number of regulations require management of vendor access into regulated networks.
PAM applies controls, policies, and processes to privileged credential users to prevent them from being compromised, while also limiting the damage if they are compromised. With the dramatic growth of adversaries using privileged credentials to tunnel into networks, applications, storage, and clouds, software that can help IT teams automate and manage privileged accounts has become a must-have, given evidence of major damage to reputations and finances.
Most recently we have seen many of the most famous Twitter accounts in the world compromised by a single privileged user posting bogus blockchain messages, followed a few days later with new attacks on COVID-19 vaccine research and pharmaceutical organizations, in an attempt to steal intellectual property – or worse.
By tightening these controls and making sure third-party contractors and organizations are not permitted to access resources without secure credentials, organizations are adding an important layer of protection.
Like internal PAM solutions, vendor management uses sophisticated password management to protect privileged credentials for the networks and systems that vendors need access to, with various levels of control. Administrators must have visibility into, and control over, which privileged passwords are used across their entire architecture and infrastructure.
We caught up with Orhan Yildirim, CTO of Ironsphere, a PAM innovator serving many of the world’s largest banks, communications service providers, government agencies and more, and learned about the increased levels of awareness that have resulted from the COVID-19 crisis, which overnight changed the way people worked (remotely) and added layers of complexity for IT teams.
“The need to secure access to critical enterprises by third parties will only grow, as the digital transformation of how businesses and organizations advance,” Orhan Yildirim said. “This is impossible to manage without advanced software; PAM is the foundation, and with added features, already stressed-out IT teams can manage both internal and external privileged accounts on the same cloud-based system.”
Yildirim said the right approach is to trigger alarms when certain user behaviors are exhibited or thresholds are reached, and to shut accounts down quickly based on policies. “When dealing with third parties, eliminating password exposure is key so that the end-user is not privy to that information. The system automatically logs them in and keeps the user from saving the credentials insecurely. This is one example of how we can protect valuable assets from unintentional configurations or intentional attacks. Zero trust is key – as is zero touch.”
Privileged Session Management helps track the activities that an employee or third-party vendor engages in. One cannot simply record traditional actions, such as logins, times, IP addresses, and the like. Contextual data is increasingly important, especially in today’s chaotic work environment with so many people working from home.
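As an added illustration of the alarm-and-shutdown approach Yildirim describes and of the contextual session data discussed above (example code written for this page, not Ironsphere’s product or the article’s own), the Python sketch below applies a hypothetical vendor policy to constructed session log lines; the policy values, account name and IP addresses are all assumptions:

```python
from collections import defaultdict
from datetime import datetime, time
# Constructed vendor policy (hypothetical values, not from the article): approved
# access window, expected source prefixes and a failed-login threshold per account.
VENDOR_POLICY = {
    "vendor-acme": {"window": (time(8, 0), time(18, 0)),
                    "allowed_prefixes": ("203.0.113.",), "max_failures": 3},
}
# Constructed privileged-session log: timestamp, account, source IP, event.
SAMPLE_LOG = """\
2020-07-20T09:05:00 vendor-acme 203.0.113.10 login_ok
2020-07-20T09:06:10 vendor-acme 203.0.113.10 cmd:show_config
2020-07-20T23:40:00 vendor-acme 198.51.100.7 login_fail
2020-07-20T23:40:30 vendor-acme 198.51.100.7 login_fail
2020-07-20T23:41:00 vendor-acme 198.51.100.7 login_fail
2020-07-20T23:41:20 vendor-acme 198.51.100.7 login_ok
"""

def parse(line):
    ts, account, ip, event = line.split()
    return datetime.fromisoformat(ts), account, ip, event

def context_violations(ts, ip, rule):
    """Contextual checks beyond who logged in: time of day and source network."""
    problems = []
    start, end = rule["window"]
    if not start <= ts.time() <= end:
        problems.append("outside approved window")
    if not ip.startswith(rule["allowed_prefixes"]):
        problems.append("unexpected source network")
    return problems

def evaluate(log_text, policy=VENDOR_POLICY):
    """Return (alerts, accounts_to_disable); alerts are (account, reason) pairs."""
    alerts, disable, failures = [], set(), defaultdict(int)
    for line in log_text.splitlines():
        ts, account, ip, event = parse(line)
        rule = policy.get(account)
        if rule is None:
            continue  # only vendor accounts fall under this policy
        if event == "login_fail":
            failures[account] += 1
            if failures[account] >= rule["max_failures"]:
                alerts.append((account, "failed-login threshold reached"))
                disable.add(account)  # shut the account down per policy
        elif event == "login_ok":
            failures[account] = 0
            problems = context_violations(ts, ip, rule)
            alerts.extend((account, p) for p in problems)
            if len(problems) == 2:  # off-hours and from an unknown network
                disable.add(account)
    return alerts, sorted(disable)
```

Running `evaluate(SAMPLE_LOG)` raises three alerts on the constructed log and marks the vendor account for shutdown, first on the failed-login threshold and again on the late-night login from an unexpected network.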
Yildirim said vendor privileged access management, session management, and application management should be a part of any modern security posture.
“Outsourcing or the use of third parties inherently comes with risk: operational risk, compliance risk, financial risk, reputational risk,” Orhan Yildirim explained. “Can we ameliorate every risk? Probably not. But with a solid software platform in place, the odds of reducing these risks can be dramatically lowered.”
We have all found ourselves in a different world of work given the events that have defined 2020, and few professionals are feeling the pressure more than IT and OT teams.
Just as cyber risks evolve, the evolution of risk appetite frameworks is more active than ever. With more sophisticated adversaries, more digital transformation initiatives, more mobile workers, ecosystem partnerships and connectivity to multiple clouds and services, enlightened management teams and their boards are updating their levels of “risk tolerance.”
Two-factor authentication has been around for decades – requiring an additional step after entering a username and password, for example entering a one-time security code sent to a mobile device – to access applications, systems and data.