A new approach to authentication
3 May 2018
TEISS guest blogger Mike Hanley, Vice President of Security at Duo Security, discusses how the rise in contract workers is driving a new approach to authentication.
Third-party contractors have become increasingly popular in recent years, with the Information Services Group (ISG) reporting that the annual value of outsourcing contracts in the UK reached a record high of €1.4 billion in the first quarter of 2017.
Contracting out work to third parties carries a number of benefits, such as lower short-term costs and increased flexibility for scaling resources up or down as needed. However, it also brings increased risks for an organisation. Every third party that is allowed access to enterprise applications means a loss of control over access to potentially sensitive and mission-critical data.
It’s much more difficult to enforce security standards with a third party than it is with in-house employees, and failure to put sufficient controls and safeguards in place can open the door for a major security incident. Cyber criminals often target third parties as a way of sidestepping a company’s security measures, and there have been a number of prominent data breaches in recent years which have been the direct result of an external contractor’s network access.
Allowing third parties to access the network also introduces the potential for unscrupulous individuals to abuse their privileges and access restricted data. This kind of insider data theft is already a common problem with in-house employees and becomes even harder to control with external contractors.
Minimising third-party risks
Fortunately, there are a few different routes organisations can take to address the increased cyber risks introduced by contractors.
As a standard, all companies should invest in properly vetting any personnel that will have access to their applications. The level of vetting required varies with the role: an IT contractor with access to critical systems, for example, requires a much higher level of vetting than someone with minimal system access.
On the technical side, access control and authentication measures are indispensable for keeping a network secure. All external workers need to have their access right-sized for their role, with scope for essential files and applications and nothing more. A payments contractor for example should be restricted to applications and resources directly related to dealing with accounts.
Alongside this, the company needs to be able to authenticate the identity of the user and determine that it isn’t an impostor who has hijacked their login details, as happened in the Target incident in 2013.
Finally, it’s important to set out rules and expectations in the employment contract with the third-party organisation or individual. The company needs to make it clear what level of access is acceptable and clarify a base level of security best practice the contractor must follow.
Access and authentication are essential
One of the biggest issues is that many companies don’t factor in how to appropriately scale access and permission for different personnel, which means employees of any level are able to roam the network almost unrestricted.
Emblematic of this is the widespread use of virtual private networks (VPNs) to facilitate off-site network access. A poorly configured VPN will essentially let the user do whatever they like, which creates huge scope for abuse if the user is compromised or unscrupulous. It can also be challenging to establish the desired level of granularity for network control with a VPN, and the process creates several administrative overheads.
Instead, the best strategy is to take a per-application approach to access controls. This allows customised rules to be created for each individual or user group, granting access only to the specific applications relevant to their job role. Limiting the scope of access in this way severely reduces lateral movement through the network, greatly reducing the potential impact of a malicious or compromised user.
Additionally, organisations should conduct health checks to verify that the user is logging in from an endpoint that is fully patched and has not been compromised by malware. This check can be carried out each time network access is requested, ensuring all devices on the network are always healthy.
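As an added illustration of the two controls described above, per-application access rules and an endpoint health check evaluated on every access request, here is a small policy evaluator in Python. This is example code, not code from the article or from Duo Security; the application names, user groups and the minimum patch build are constructed values.

```python
# Added example (not Duo's code): per-application access policy plus an
# endpoint health check, both evaluated on each access request.
# Application names, groups and MIN_OS_BUILD are constructed for this example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Allow list per application, keyed by user group. A payments contractor only
# reaches the accounts-related applications; there is no "whole network" grant.
APP_POLICY: Dict[str, Set[str]] = {
    "accounts-portal": {"finance-staff", "payments-contractor"},
    "invoice-archive": {"finance-staff", "payments-contractor"},
    "hr-system": {"hr-staff"},
    "source-control": {"engineering", "it-contractor"},
}

MIN_OS_BUILD = 201804  # constructed: oldest patch level accepted at login


@dataclass(frozen=True)
class Device:
    os_build: int
    malware_detected: bool


@dataclass(frozen=True)
class User:
    name: str
    groups: FrozenSet[str]


def device_is_healthy(dev: Device) -> bool:
    """Health check run on every request: patched and free of known malware."""
    return dev.os_build >= MIN_OS_BUILD and not dev.malware_detected


def authorize(user: User, app: str, dev: Device) -> Tuple[bool, str]:
    """Return (allowed, reason). Unknown applications are denied by default."""
    if not device_is_healthy(dev):
        return False, "endpoint failed health check"
    allowed_groups = APP_POLICY.get(app)
    if allowed_groups is None:
        return False, f"no policy defined for application {app!r}"
    if user.groups.isdisjoint(allowed_groups):
        return False, f"{user.name} is not scoped to {app!r}"
    return True, "ok"
```

Because the device check runs inside `authorize`, a stale or infected endpoint is refused before any application rule is consulted, which is the "automatic at each login" behaviour the text contrasts with a contractual patching obligation.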
Implementing these controls as part of the standard access process also solves some of the legal headaches of trying to maintain third-party security. Contractually obliging a contractor to keep their system patched can be legally complicated and is likely to get stuck with the lawyers, whereas making it an automatic process for each login is fairly straightforward.
By taking firm control of how their networks and applications are accessed by third parties, organisations can reap all the benefits of taking on contractors without opening the door for a serious security incident.