Issuing one-time password (OTP) tokens to third-party organizations to provide privileged remote access to your network can lead to a data security disaster, warned research director Felix Gaehtgens at the Gartner Identity and Access Management (IAM) Conference in London earlier this month.
“For employees or contractors working internally who need privileged access, having OTP is great. But not for external third party workers,” he said. “Why? Because third parties leave OTPs on their desks; when they go on holiday they leave them for other people to use. It happens all the time.”
Some third-party organizations even hang one-time password tokens on a wall with the name of the companies they belong to, facing a webcam. That way staff can connect to the webcam from their homes and use the OTP token, Gaehtgens warned.
Aside from these kinds of obvious data security risks, a big problem with shared password tokens is accountability. There is no way of telling exactly who accessed your systems remotely and no way of limiting the remote access granted to particular individuals to the specific systems that they need.
What can companies do to address these kinds of identity and access management issues?
Try IAM by Phone
A partial solution to this problem, Gaehtgens suggested, is to replace OTP tokens with something more personal.
“What you need to do is choose something that is hideous to share, like something linked to a particular mobile phone,” he said. “That’s because a worker isn’t going to leave his phone behind when he goes away on holiday.”
Phone-based authentication systems are provided by vendors including SecurEnvoy, Duo Security, Gemalto, Google Authenticator and others.
Appoint IAM ‘Sponsors’ and ‘Delegates’
Keeping track of external third-party workers who need privileged access to your systems can be extremely difficult, not least because you never get to meet them face-to-face. For that reason, Gaehtgens recommended using one of two systems to manage them.
With smaller external companies he recommends a “sponsor” approach, where internal employees act as sponsors for external workers and keeps track of them, ensuring they get the access and privileges they need, when they need them.
The sponsorship approach may not be practical, however, if the external third-party organization is large, with high staff turnover. For those organizations, Gaehtgens recommends a “delegate” approach where responsibility for external staff is delegated to a suitable manager at the third-party organization.
“When I suggest this people say ‘Ooh, are you going to delegate third-party privileged access to a third party?’ said Gaehtgens. “The answer is ‘no.’ They have to make a request to your organization for access for a particular employee. But they can de-authorize their own people (for example when they leave the organization).”
Limit Third Party Access
Authentication systems are often used to provide long-term access to network resources, but short-term access is typically more appropriate for third parties like vendors who may need access to a system for a specific purpose.
“So you need to be able to say ‘You can access this system for four hours’ and give out privileges in small chunks,” Gaehtgens said. “Instead of the general sys admin model, you need to give them just what they need.”
Inevitably you’ll find that the same people will require access to the same systems for related purposes again in the future, so it’s important to make sure that you can re-use privilege grants easily, Gaehtgens pointed out. “That ensures you don’t have to go through all the bureaucratic hoops to get it all over again.”
Use PAM and SAPM Tools
A good way to manage third-party access privileges is by using privilege access management (PAM) and shared account password management (SAPM) tools. These identity access management tools can be used to create accounts with limited privileges that are suited to different specific activities. The accounts can be shared and used by anyone who needs to carry out a specific activity.
The idea of shared accounts sounds anathema to data security, but Gaehtgens said there is nothing wrong with account sharing as long as you have a control platform that keeps track of who is logged in to a given account at any time, and which keeps the account passwords in a vault so that individual users of an account never get access to the passwords themselves. Instead the SAPM tool checks out a password and enters it without the user ever seeing it.
Vendors of these types of IAM tools include Lieberman Software, CyberArk and BeyondTrust.
Address IAM and the Endpoint
An important part of the puzzle is providing a secure way for external third-party workers to access your systems from the endpoint that they are using remotely. Some organizations ship out company-owned laptops to external workers, but Gaehtgens said this is a bad idea as there is no way to ensure that they remain free of malware.
Instead he recommends an identity and access management setup that requires third-party workers to connect from their client machine through a corporate firewall to a secure Jump Server, and then on to a PAM server. From there they can connect to data center resources directly, or via a VDI client running “fat” client software.
Get IAM on the Record
When third parties have privileged access to your systems, Gaehtgens said it’s important to record at least some of their sessions. “You should let everyone know they are being recorded; at the very least this should make people less sloppy,” he advised.
As well as recording sessions, Gaehtgens said it is vital that you view them from time to time. That may sound time consuming, but there are intelligent tools that can help you zoom in on the important parts of recordings. Some even capture the text on screens into text files so you can search a session and move straight to a part you want to scrutinize.
Vendors of these types of identity and access management tools include BalaBit, Wallix Group, Bomgar and SecureLink.
Viewing these sessions can yield valuable information, Gaehtgens concludes.
“Every so often you will see a complete idiot who you never want on your systems again, as they clearly don’t know what they are doing,” he said. “But you may also learn something. Third parties may do something better than you, so you can watch what they do and use it to build up your best practices.”
Want more advice? Check out our five best practices for reducing third-party security risks, with tips from experts like Joe Schorr, Bomgar’s director of Advanced Security Solutions and Veracode co-founder and CTO Chris Wysopal.