Australian organisations have to police privileged access to their environments to a greater extent than ever before.
There is a lot more cognisance among organisations today about the security risks posed by their extended supply chains.
Third-party risk management (TPRM) is considered a strategic priority by 85 per cent of businesses, up from 77 per cent pre-pandemic, according to research by KPMG International.
The growth in strategic prioritisation is partially driven by the frequency with which security lapses or weak controls at third parties are being exploited to gain access to a target organisation’s systems and data.
Organisations today work with service providers that remotely access their environments for any number of reasons: to perform updates, upgrades or other maintenance works, or to assist in the management of a particular asset.
The Australian Strategic Policy Institute (ASPI) noted: “Almost all end users of ICT systems rely on hardware, software, or services built or delivered by someone else … We rely on suppliers exercising due diligence in their development, management, and operational activities to avoid deliberate or accidental compromise.”
Recently, the Australian Prudential Regulation Authority (APRA), which oversees many parts of the financial services industry in Australia, called out the lack of visibility that organisations that fall under its remit have when it comes to the security control of third-party service providers. It highlighted the concern as “more and more entities are relying on service providers to manage critical systems”.
KPMG added, however, that to date, many organisations believe good fortune, rather than good planning and practices, has enabled them to avoid a third-party-related incident.
This is clearly not a sustainable approach to addressing TPRM, and businesses recognise this as the case.
Actions speak louder than words
Assurance is one area where more rigidity and focus around TPRM is necessary.
In recent years, the focus on TPRM has shifted away from accepting third-party security assurances at face value. Doing one’s own due diligence is simply good practice.
But another driver for extra assurance is the emergence of specific regulations and rules that require organisations to exhibit a greater degree of control over their end-to-end supply chain, ensuring that the downstream providers, contractors and other third parties they work with share the same approach to cyber security and meet the same high standard of security hygiene and best practice.
Regulations such as CPS 234 in the financial services sector impose requirements on banks and similar organisations to enforce standards with respect to third parties. While the bank or other organisation relies on the third party to store or process data, it has to critically assess that the third party’s security controls meet its own standards, in order to then meet its regulatory obligations.
Procurement is another area where supply chain risks are under the microscope. There have long been calls, particularly for governments, to make supply chain security a condition of being able to bid for government work, and there is some evidence – largely anecdotal – that TPRM is becoming a feature of request for proposal (RFP) processes.
For many organisations, this has become a trigger to review and strengthen their TPRM. It’s important not only for their own peace of mind but also increasingly for their ability to do business.
This work naturally lends itself to a review of how third parties access a business's IT or OT environments to perform contracted work, and in particular to a discussion of privileged access management (PAM).
Managing privileged access
Third-party remote access is often enabled today through the use of VPNs, which may provide users with “all or nothing access” to an environment unless diligence has been undertaken to provision granular networking access.
Commonly, however, these networking controls aren’t granular, and as a result, third parties often gain a level of access that is excessive for the job at hand. It can also be difficult to capture detailed session data for all remote sessions via VPN to check what third parties did once remotely connected, and there is complete reliance on the third party practising good security hygiene when it comes to protecting the VPN credentials. In addition, it is often difficult to manage the credentials used on systems within the network.
While there are a number of possible alternatives to VPNs for managing TPRM, it is PAM that is gaining the most traction among Australian organisations. PAM tools can be used for exploration or discovery of an environment, uncovering privileged accounts and credentials, and also identifying account misconfigurations, overprivileged accounts, unused accounts, old passwords, and so on. Work can then be undertaken to manage and change those credentials – for example, by ensuring they are regularly rotated to protect sensitive assets and meet compliance requirements – or to obfuscate them as a way to further increase security.
Taking a specific TPRM lens to PAM, the third party or contractor may need access to a particular machine to update or restart a service. The business creates a policy and workflow in PAM to grant specific access to just this machine as long as the third party meets certain conditions. These conditions may include successful multifactor authentication (MFA) or be based on the time of day that they’re requesting access.
Once authenticated, the third party may be given a standard user account with locked-down permissions. These permissions can be set granularly, so that if the third party does need to escalate access to another system as part of their work, that access can be specifically provisioned and managed too.
Throughout this workflow, the third party may never see the specific credentials being used to grant them access, and once they exit, the credentials can be changed in the background for added security.
Additionally, third-party accounts can be de-provisioned when the user leaves that organisation if the account is connected to the third-party identity solution. This has the potential to reduce the window where access can still be gained even after the user leaves the supplier.
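The workflow in the preceding paragraphs, as an added example that is not code from the article or from BeyondTrust: a small Python model of a PAM broker that grants a vendor user access to one host only when the policy's MFA and time-of-day conditions are met, keeps the managed credential in a vault the vendor never sees, rotates it when the session closes, and refuses users the vendor's identity provider no longer lists as active. The policy, request and vault names are assumptions.

```python
# Added example (not the article's or BeyondTrust's code): toy model of the PAM workflow above; all names are assumed.
from dataclasses import dataclass
from datetime import datetime
import secrets

@dataclass
class AccessPolicy:
    vendor: str                 # contracted third party
    host: str                   # the single machine this policy covers
    hours: tuple                # (first, last) hour of day in which access is allowed
    require_mfa: bool = True

@dataclass
class AccessRequest:
    vendor: str
    user: str                   # identity asserted by the vendor's identity provider
    host: str
    mfa_passed: bool
    at: str                     # ISO-8601 timestamp of the request

class PamBroker:
    def __init__(self, policies, active_vendor_users):
        self.policies = policies
        self.active = set(active_vendor_users)   # synced from the vendor's identity solution
        self.vault = {}                          # host -> managed credential, never shown to vendor
        self.sessions = {}                       # session id -> host

    def evaluate(self, req):
        if req.user not in self.active:          # de-provisioned at the supplier: deny
            return False, "user de-provisioned at vendor"
        policy = next((p for p in self.policies
                       if p.vendor == req.vendor and p.host == req.host), None)
        if policy is None:
            return False, "no policy covers this vendor and host"
        if policy.require_mfa and not req.mfa_passed:
            return False, "MFA required"
        first, last = policy.hours
        if not first <= datetime.fromisoformat(req.at).hour <= last:
            return False, "outside approved time window"
        return True, "granted"
    def open_session(self, req):
        ok, reason = self.evaluate(req)
        if not ok:
            return {"granted": False, "reason": reason}
        self.vault.setdefault(req.host, secrets.token_urlsafe(24))
        sid = secrets.token_hex(8)               # vendor gets a session handle, not the password
        self.sessions[sid] = req.host
        return {"granted": True, "session_id": sid, "host": req.host}
    def close_session(self, sid):
        self.vault[self.sessions.pop(sid)] = secrets.token_urlsafe(24)  # rotate on exit
```

Every denial returns a reason string, so the same evaluation can feed the audit trail that a VPN-only set-up makes hard to capture.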
This is the kind of best-practice set-up that can give organisations an edge in bringing their TPRM under control, meeting increased regulatory requirements, as well as their own need for enhanced security assurance.
Scott Hesford is the director of solutions engineering, Asia-Pacific and Japan, at BeyondTrust.