In May 2016, the Soha Third-Party Advisory Group conducted a study that surveyed over 200 enterprise IT and security C-Level executives, directors and managers to determine the daily challenges and risks IT faces due to third-party access. The survey found that 98 percent of respondents do not consider third-party access a top priority in terms of IT initiatives and budget allocation.
Most respondents confirmed that providing third-party access is a complex and tedious process. The level of complexity needed to provide secure third-party access to applications requires IT to touch an average of 4.6 devices such as VPNs, firewalls, directories and more. This becomes problematic from a security perspective; research has revealed that third parties cause or are implicated in 63 percent of all data breaches. Third-party vendors should only have access to the applications necessary to support the business.
Based on the survey’s results, members of the Advisory Group, which includes security professionals, analysts and industry influencers, were asked about trends in third-party access security, what IT professionals should be doing to secure their networks and what they are doing within their own organizations to secure third-party access.
Advisory Group members who participated in this discussion included Mike Kotnour, senior information security advisor, Assurant; Ajay Nigam, senior vice president, products, Accellion; and Steve Hunt, principal consultant, Hunt Business Intelligence.
Today’s Most Significant Secure Third-Party Access Trends
Kotnour said the two biggest third-party access trends he sees today are related to the expanding workplace and increased regulatory requirements. Outsourcing is playing a large role in the expanded workplace. While outsourcing has been growing for years, the problems it presents – especially with regards to today’s increasing security threats – have brought a new layer of complexity and challenges to access requirements and provisioning.
“Market demands on businesses in many IT-enabled arenas rely heavily on B2B access not only for backend services but also for direct access to applications,” Kotnour noted. “Cloud capabilities and implementation have caused these market demands to increase exponentially.”
Regulatory requirements are increasing in businesses and organizations that host data susceptible to a breach (i.e., PII with financial or health information). Governments across the globe are increasing their security requirements regarding where consumer information may be handled, processed or stored.
Hunt believes the two most common access improvements being made today are in the areas of multifactor authentication and policy, but the biggest trend he sees is related to how organizations are assessing the quality and performance of security overall among third parties. Specifically, by evaluating how well a third party manages its own security, its partners can better assess the risks associated with permitting access.
From the perspective of a supply-chain partner, Nigam said that many organizations now require compliance with third-party security guidelines. “Organizations are deploying solutions that provide assessments of the security posture of the supply chain vendors. This information is then leveraged for assessing vendor risk to trigger access decisions.”
The State of Secure Third-Party Access, and Why Security Pros Should Pay Attention
Third-party access is so complex because third parties are so diverse. As a result, securing third-party access is given priority only when absolutely necessary.
“I find that organizations too often seek a one-size-fits-all solution,” said Hunt. “After all, those given third-party access range from deeply embedded joint-venture partners who function almost as employees to alarm monitoring or HVAC service providers who connect only occasionally.”
What’s more, IT and security professionals are not accurately communicating, or do not know, the cost or risk associated with data breaches involving a third party. According to the Ponemon study “2015 Cost of Data Breach Study: Global Analysis,” the domestic cost per breached record is $217. When third parties are involved, that cost rises to $233 per record.
“Understanding and being able to quantify the cost helps secure more budget to resolve issues such as third-party access,” said Kotnour. “And it’s important to understand that passwords, which are and have been the weakest link in any security program, are still the primary method of access control. While multi-factor authentication systems are available, many companies do not implement them because of cost, complexity and perceived difficulty in use.”
This challenge has led IT teams to resort to simpler measures, such as giving third-party vendors the same access as employees. While this approach may comply with internal IT policies, it poses a greater, and often unnoticed, risk to the organization.
Nigam believes the issue comes down to organizational responsibility. “Vendor risk-management teams rely on IT to recommend third-party access solutions, and an easy-to-use solution will likely see greater adoption. In addition, solution providers need to pay more attention to user experience and understand that IT resource constraints drive a different operational priority for organizations.”
How Organizations Can Prepare to Secure Third-Party Access
Hunt says asset inventory is an often-forgotten and highly useful tool for getting a grip on many security challenges, access among them. “We work hard to continually improve asset inventory and tracking so we can reduce the risk of network-connected assets being out of compliance with policy.”
For Kotnour, securing third-party access depends on the use case. External contractors, employees and B2B entities are granted access using controls commensurate with their risk profiles, including isolation, encryption and federation integrations.
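The two points above, that a third party should reach only the applications it needs rather than inheriting employee-wide access, and that controls should match the party's risk profile, can be expressed as a small policy check. The following is an added illustration written for this page, not code from the article or any of the organizations quoted. The vendor names, application names and the mapping of risk profiles to required controls are constructed for the example; the article names the control types but does not prescribe which profile requires which.

```python
"""Illustrative third-party access policy check (added example, not from the article).

Encodes two of the article's points:
  * a third party is entitled only to the applications it supports, not to the
    employee-wide application set;
  * an access path must present controls commensurate with the party's risk
    profile (isolation, encryption, federation, MFA).
Every name, application and profile rule below is constructed for illustration.
"""
from dataclasses import dataclass, field

# Assumed mapping (not from the article): which controls an access path must
# present before a principal with the given risk profile is let in.
REQUIRED_CONTROLS = {
    "low":    {"encryption"},
    "medium": {"encryption", "mfa"},
    "high":   {"encryption", "mfa", "federation", "isolation"},
}


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                 # "employee" or "third_party"
    risk_profile: str         # key into REQUIRED_CONTROLS
    allowed_apps: frozenset   # applications this principal is entitled to


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)   # empty when allowed


def evaluate(principal, app, presented_controls):
    """Decide whether `principal` may reach `app` over a path that presents
    `presented_controls` (e.g. {"encryption", "mfa"}). Both the application
    scope and the risk-profile controls must be satisfied."""
    reasons = []
    if app not in principal.allowed_apps:
        reasons.append(f"{app} is outside {principal.name}'s entitlement")
    missing = REQUIRED_CONTROLS[principal.risk_profile] - set(presented_controls)
    if missing:
        reasons.append("missing controls: " + ", ".join(sorted(missing)))
    return Decision(allowed=not reasons, reasons=reasons)


def employee_equivalent(principal, employee_apps):
    """Flag the anti-pattern the article describes: a third party whose
    entitlement covers the whole employee application set."""
    return principal.kind == "third_party" and employee_apps <= principal.allowed_apps


# Constructed sample data: an HVAC service provider scoped to one application,
# and an over-provisioned consultancy given the full employee set.
EMPLOYEE_APPS = frozenset({"hr-portal", "finance", "crm", "building-controls"})
HVAC_VENDOR = Principal("acme-hvac", "third_party", "medium",
                        frozenset({"building-controls"}))
OVERPROVISIONED = Principal("beta-consulting", "third_party", "high", EMPLOYEE_APPS)


def demo():
    """Run the sample requests and return the outcome of each."""
    return {
        "hvac_scoped": evaluate(HVAC_VENDOR, "building-controls",
                                {"encryption", "mfa"}).allowed,
        "hvac_off_scope": evaluate(HVAC_VENDOR, "finance",
                                   {"encryption", "mfa"}).allowed,
        "hvac_no_mfa": evaluate(HVAC_VENDOR, "building-controls",
                                {"encryption"}).allowed,
        "overprovisioned": employee_equivalent(OVERPROVISIONED, EMPLOYEE_APPS),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The `employee_equivalent` check is the inventory-style review a vendor risk team can run over existing entitlements to find third parties that were simply cloned from an employee template, while `evaluate` is the per-request decision that keeps a scoped vendor inside its application and insists on the controls its profile calls for.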
Nigam observes that many organizations are in the process of implementing security policies for third-party vendors: defining risk metrics to determine risk objectively, putting an inherent risk (IR) plan in place to address compliance variances and risks, and building an end-to-end security and risk view for the entire enterprise.