6 expert tips to better secure third-party network access

Survey shows that enterprises are not worrying enough about outside access to their networks.

Third-party access
Credit: Harris & Ewing Collection (Library of Congress)

Earlier this year, the Soha Third-Party Advisory Group conducted a study that surveyed more than 200 enterprise IT and security C-Level executives, directors and managers about the daily challenges they face providing fast and secure third-party application access to their contractors and suppliers. The survey revealed that 98 percent of respondents do not consider third-party access a top priority in terms of IT initiatives and budget allocation. This is a huge concern, considering that third parties cause or are implicated in 63 percent of all data breaches.

Based on the survey findings, the Advisory Group, consisting of security and IT experts from Aberdeen Group; Accellion; Assurant; CKURE Consulting; the Dana Foundation; Hunt Business Intelligence; and Soha Systems, developed the following six tips to help enterprises better secure third-party access to their applications and networks.

1. Determining risk
Credit: John Vachon (Library of Congress)

Ajay Nigam, senior vice president products, Accellion: Organizations must define metrics to objectively determine risk, have an inherent risk (IR) plan in place to address compliance variances and risks, and build an end-to-end security and risk view for the entire enterprise. Additionally, enterprises need to enable secure collaboration across their ecosystem, particularly in the context of digital transformation where systems of record (e.g. content stores) are being accessed by outside entities to improve productivity. Protecting confidential information while enabling collaboration is crucial.

2. Access requirements
Credit: Detroit Publishing Company (Library of Congress)

Mike Kotnour, senior information security adviser, Assurant: Effectively securing third-party access depends on the use case and the particular access requirements. External contractors, employees, and B2B entities should be granted access using the appropriate level of controls commensurate with their given risk profiles, to include: isolation/segmentation, encryption, and federation integrations. A “one size fits all” approach — while often a quick fix — can lead to an unnecessary over-grant of access. Taking the time to determine an appropriate level of access can save numerous headaches.

3. Asset inventory
Credit: Detroit Publishing Company (Library of Congress)

Steve Hunt, principal consultant, Hunt Business Intelligence: Asset inventory is the often-forgotten, highly useful tool for getting a grip on many security challenges, access among them. Organizations must continually improve asset inventory and tracking to reduce the risk of network-connected assets being out of compliance with policy.

4. Vendor management plan
Credit: Carl Mydans (Library of Congress)

Jim Rutt, CTO, the Dana Foundation: Organizations should create a vendor management plan in conjunction with their business units and develop a solid communications plan. This allows an organization to firm up its internal disaster-recovery plans, review third-party direct-report plans on a regular basis and enforce testing. In addition, it’s important to do a yearly insurance risk-review to ensure the organization is carrying the correct amount of insurance.

5. Remote access
Credit: Harris & Ewing Collection (Library of Congress)

Mark Carrizosa, CISO and vice president security, Soha Systems: In cloud-based working environments, all users are considered remote, and organizations should apply controls similar to how they have historically provided access to third parties. Organizations must make fundamental changes in how they manage and control these increasingly risky user types by incorporating concepts such as zero-trust, network abstraction, extended identity validation and full-session recording to effectively reduce the overall risk and isolate any potential impact caused by third-party or remote user actions.

6. Authentication
Credit: Jack E. Boucher (Library of Congress)

Derek Brink, vice president and research fellow, Aberdeen Group: Organizations should strategically invest in stronger ways to authenticate third-party users beyond simple username and password. In the private sector (across all industries), our models show that the median annualized business impact of data breaches as a consequence of weak user authentication is about $370,000, based on a compromise of 100,000 to 1,000,000 records. Our extended analysis shows that an investment in stronger user authentication results in a median reduction in the risk of data breaches of about 90 percent and also cuts off the long tail of risk by more than 50 percent.