Vendor Privileged Access Management
Why is it necessary to deploy a vendor Privileged Access Management (vPAM) solution?
Every IT manager has had to open access to their critical systems for one of their vendors at least once.
You are regularly confronted with connections from vendors or service providers in charge of deploying, maintaining, or fixing a part of your information system. This may be in your data center or in the cloud services you may already use for your business or office applications. These accesses can involve several dozens of different providers, even hundreds in some cases.
Several dozen people have privileged accounts, under conditions that you do not control, which is critical for the security of your information system (IS). Moreover, you cannot be sure that the person who has access to these privileged accounts is still working for your vendor.
These accounts can be a real Achilles heel for the security of your IS, as shown by the latest CESIN – Opinionway study of January 2022, which highlights that one attack in five goes through the supply chain.
These attacks on the IT supply chain are exploiting the relationships you may have with your suppliers, their products, or the services you use. In other words, it is certainly easier to attack one of your poorly equipped vendors than directly your network protected by your firewalls, your xDRs or any detection probes. The multiplication of security tools (10 on average) has pushed cyber hackers towards other vectors such as these indirect or rebound attacks. In 2021, for example, the compromise of the Société Internationale de Télécommunication Aéronautique – SITA, created an attack vector on several aviation companies working with it, including some members of the Star Alliance.
Add to this the fact that in 100% of the attacks analyzed by Wavestone in 2021, the attackers had a domain account, i.e. one with the highest privilege level.
To protect yourself from these attack scenarios, you can impose a certain level of security on your vendors’ own systems, but you can also simply not give them custody of your privileged accounts.
This is where a vendor Privileged Access Management (vPAM) solution can help.
What is a vendor Privileged Access Management solution?
vPAM is a combination of the benefits of PAM – Privileged Access Management – for managing privileged accounts and ZTNA – Zero Trust Network Access – for secure access to resources.
PAM will thus allow you to:
- Monitor Privileged Sessions
It is possible to know at any time exactly who is connected to what, and even to know precisely the actions carried out via a video recording of privileged sessions, and thus to quickly find the origin of a suspicious modification on a server or an application.
- Secure privileged accounts
Privileged accounts are automatically injected when the vendor logs in, so he does not have the associated credentials. There is therefore no risk of these being stolen from your vendor’s network.
- Control authorizations
Access rights to privileged resources and access conditions are explicitly given to the various vendors. It is therefore easy to identify who has the right to connect to what, and to ensure that a provider cannot connect in the middle of the night if it is not necessary.
- Provide Just-in-Time access
Access to resources is enabled only as long as necessary and can be protected by an approval workflow mechanism. This gives you precise control over access approvals, without requiring time-consuming manipulation of your equipment.
And the ZTNA allows you to:
- Secure network access
The vendor only accesses the resource he needs without having access to the entire network, and only during the time of his administration action in compliance with the principle of least privilege (Zero Trust).
This connection is only established when accessing the resource and cannot be used to override the accesses initially granted. The potential attack surface is therefore drastically reduced.
- Implement MFA
Since the identity of the vendor wishing to connect is at the heart of access policies, it is essential to obtain a high level of trust in it. It is therefore necessary to reinforce authentication with a mobile application or a FIDO2 USB key.
vPAM is therefore the best approach to limit risks and prevent your regular provider’s access from becoming a cybersecurity incident that jeopardizes your business.
vPAM, an easy-to-use solution
In practice, vPAM is very simple to use, and could even make your provider’s life easier.
He simply connects to a web interface with the credentials you provided. These credentials do not exist elsewhere on your IS, they can only be used to connect to the vPAM. The authentication will then be reinforced with a random code generated by a mobile application, a physical USB key (FIDO2 standard), or a temporary code sent by e-mail.
Once this step is completed, the provider accesses the list of servers and applications available. This list is dynamically built according to who he is and his connection conditions. He may, for example, not have access to the most sensitive servers if he is not connecting from his usual premises, or if he connects at unusual hours.
Finally, access is done with one click on the right server in the list. The session opens directly in his browser, without having to install anything on his computer. The administration accounts are automatically injected at login without being known by anyone. Your vendor can begin his intervention.
He didn’t have to install anything, didn’t know the connection accounts and couldn’t connect to resources he wasn’t supposed to connect to.
You have an alert of this connection, a complete traceability of the actions carried out, and the serenity of knowing that this action will not jeopardize the security of your IS.
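The login flow described above (MFA, a resource list built from the vendor's identity and connection conditions, a time-boxed session whose credentials the vendor never sees) can be modelled as a small policy engine. The following is an added illustration, not code from the cyberelements platform or any vPAM product: the rule fields, the vendor names, the CIDRs and the sample contexts are all constructed for the example.

```python
"""Context-aware vendor access policy: a constructed illustration of the
vPAM login flow (identity + MFA + time window + source network -> resource
list -> time-boxed session). Not any product's real policy format."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AccessRule:
    """Who may reach one resource, and under which connection conditions."""
    resource: str
    allowed_vendors: FrozenSet[str]
    window_start: int                  # first allowed hour of day (inclusive)
    window_end: int                    # end of allowed window, hour (exclusive)
    trusted_networks: Tuple[str, ...]  # CIDRs; empty tuple means any source
    require_approval: bool = False     # just-in-time access gated by approval
    max_session: timedelta = timedelta(hours=2)


@dataclass(frozen=True)
class ConnectionContext:
    """What the vPAM knows about the vendor at login time."""
    vendor: str
    mfa_verified: bool
    source_ip: str
    when: datetime


def _from_trusted_network(rule: AccessRule, ip: str) -> bool:
    if not rule.trusted_networks:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in rule.trusted_networks)


def _in_time_window(rule: AccessRule, when: datetime) -> bool:
    return rule.window_start <= when.hour < rule.window_end


def rule_matches(rule: AccessRule, ctx: ConnectionContext) -> bool:
    """Every condition must hold: MFA done, identity listed, time, network."""
    return (
        ctx.mfa_verified
        and ctx.vendor in rule.allowed_vendors
        and _in_time_window(rule, ctx.when)
        and _from_trusted_network(rule, ctx.source_ip)
    )


def visible_resources(rules: List[AccessRule], ctx: ConnectionContext) -> List[str]:
    """The list shown after login, rebuilt from the current context only."""
    return sorted(r.resource for r in rules if rule_matches(r, ctx))


def open_session(rules: List[AccessRule], ctx: ConnectionContext,
                 resource: str, approved: bool = False) -> Optional[Dict[str, str]]:
    """Return a session record (also the audit/alert event) or None if denied.
    The privileged credential is injected by the gateway and is never part
    of what the vendor receives, so nothing secret appears in the record."""
    rule = next((r for r in rules if r.resource == resource), None)
    if rule is None or not rule_matches(rule, ctx):
        return None
    if rule.require_approval and not approved:
        return None
    return {
        "event": "privileged_session_opened",
        "vendor": ctx.vendor,
        "resource": resource,
        "source_ip": ctx.source_ip,
        "opened": ctx.when.isoformat(),
        "expires": (ctx.when + rule.max_session).isoformat(),
    }


# Constructed sample policy: a database host reachable only from the vendor's
# usual premises during office hours and with approval; a web front end open
# to two vendors around the clock.
RULES = [
    AccessRule("erp-db-01", frozenset({"acme-dba"}), 8, 18,
               ("203.0.113.0/24",), require_approval=True),
    AccessRule("web-front-02", frozenset({"acme-dba", "contoso-ops"}), 0, 24, ()),
]

# Constructed login contexts used below and in the checks.
SAMPLE_DAYTIME = ConnectionContext("acme-dba", True, "203.0.113.10", datetime(2022, 3, 1, 10, 0))
SAMPLE_NIGHT = ConnectionContext("acme-dba", True, "198.51.100.5", datetime(2022, 3, 1, 2, 0))
SAMPLE_NO_MFA = ConnectionContext("acme-dba", False, "203.0.113.10", datetime(2022, 3, 1, 10, 0))

if __name__ == "__main__":
    for ctx in (SAMPLE_DAYTIME, SAMPLE_NIGHT, SAMPLE_NO_MFA):
        print(ctx.when.time(), ctx.source_ip, "->", visible_resources(RULES, ctx))
    print(open_session(RULES, SAMPLE_DAYTIME, "erp-db-01", approved=True))
```

The point worth noticing is that the resource list and the session decision are computed from the same `rule_matches` predicate, so a vendor can never reach a host that the list did not show, and a denied approval step leaves no session and therefore no injected credential.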
What are the benefits of a vendor access management solution?
vPAM is not a cybersecurity “tax”. It brings real operational gains for the daily life of the IT department:
- Accelerate and streamline your vendors’ connections
You provide access quickly and securely, without having to create accounts on the AD, verify access rights, and change passwords regularly. Your providers gain a form of autonomy in their connections without the need to heavily solicit the IT teams.
- Control and master the actions performed
You identify the recurring actions carried out by your vendors in order to internalize them if possible. You also check the consistency of the invoicing of the interventions carried out.
- Protect your information system
Prevent malicious or clumsy actions on a critical application or server from paralyzing your business by blocking unexpected actions in real time, or by recovering changes made quickly after the fact.
- Simplify business continuity
You replace several of your current vendor access tools with a single, fully integrated solution.