“Edward Snowden, an American computer professional, former Central Intelligence Agency (CIA) employee, and former contractor for the United States government copied and leaked classified information from the National Security Agency (NSA) without authorization.” — Wikipedia

Today, enterprise IT functions are often outsourced to contractors and to managed-service and cloud-service providers. Third parties might provide essential IT operations functions: they can maintain your network infrastructure, run your email service or host your CRM applications. Your organization must trust its third-party administrators with its data and the operation of business-critical systems. While most administrators are trustworthy, the headlines about privileged “insider” misuse indicate that there are always a few who abuse the trust placed in them. This post is about the security risks related to IT providers and a potential solution to control them.

Risks Related to IT Contractors

Third-party IT providers are powerful users in your IT environment. Although not your employees, they have elevated or even unrestricted access to your IT devices, databases or applications. Powerful privileged accounts allow contracted staff to access sensitive assets throughout the network anonymously, and potentially to extract customer data or modify system configurations. Cyber criminals are also aware of this: in the Target breach, attackers compromised Target’s HVAC contractor to gain entry into Target’s POS environment and steal the credit card details of millions of customers.

Human error often plays a part in incidents. A misconfigured database containing the personal details of over 198 million American voters was left exposed to the internet by a firm working for the Republican National Committee (RNC). IT staff often use shared accounts such as “administrator” or “root”, making it extremely difficult to determine who did what. This can easily start a blame game between the parties, reducing the chance of a quick resolution.

So, giving responsibility to an IT provider always involves a risk. Clients expect their IT providers to be accountable and to make IT management transparent. Clients expect their contractors to be auditable, both to ensure the reliability of the service and to protect their IT assets. Therefore, clients try to manage the relationship through a contract. However, despite the contractual obligations, monitoring third-party employees cannot be done with a Service Level Agreement (SLA). There are few reliable and easy-to-use solutions for validating SLAs and verifying billable activities. Measuring Key Performance Indicators (KPIs) such as the Mean-Time-to-Restore-Service (MTRS) is also challenging. Typical methods for providing third-party access include VPNs or jump hosts. Although these solutions provide firewall rules, they lack granular access control.

The Solution – Privileged Access Management (PAM)

In such situations, it is reassuring to have an independent solution that can control, actively monitor and analyze all system administration activity. Privileged Access Management solutions can control administrators’ access to IT systems, record activities in searchable video recordings, detect risky behavior and prevent malicious actions. PAM gives organizations the ability to supervise and audit external IT staff. For example, PAM records system administrators when they update your database server or configure your firewall. The recorded session can be replayed like a movie to review the events exactly as they occurred. The content of the recordings can be indexed to make searching for events possible.

Keeping a record of work done, secured in this way, makes individual contractors accountable for their actions. The external IT team can be sure that it won’t be held responsible for the actions of an individual. The recorded audit trails can also be used to settle any misconfiguration issues with remotely administered systems.
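The shared-account attribution problem described above, as an added example that is not part of the original post and not any PAM product's code: it correlates brokered-session records with host audit events that only show “root”. The record layout, host names, user names and the `attribute` function are hypothetical, and all sample data is constructed.

```python
from datetime import datetime

# Constructed sample data (hypothetical layout, not a real PAM log format).
# Gateway records: which named person was brokered onto which shared account.
GATEWAY_SESSIONS = [
    {"user": "alice@vendor.example", "host": "db01", "account": "root",
     "start": "2024-03-01T09:00:00", "end": "2024-03-01T09:30:00"},
    {"user": "bob@vendor.example", "host": "db01", "account": "root",
     "start": "2024-03-01T09:20:00", "end": "2024-03-01T10:00:00"},
]
# Target-host audit events: the host only ever sees the shared account name.
HOST_EVENTS = [
    {"host": "db01", "account": "root", "time": "2024-03-01T09:05:00",
     "action": "edit pg_hba.conf"},
    {"host": "db01", "account": "root", "time": "2024-03-01T09:25:00",
     "action": "dump customers table"},
    {"host": "db01", "account": "root", "time": "2024-03-01T11:15:00",
     "action": "add firewall rule"},
]

def _ts(value):
    return datetime.fromisoformat(value)

def attribute(events, sessions):
    """Label each host event with the named users whose session covers it."""
    results = []
    for ev in events:
        users = sorted(
            s["user"] for s in sessions
            if s["host"] == ev["host"] and s["account"] == ev["account"]
            and _ts(s["start"]) <= _ts(ev["time"]) <= _ts(s["end"])
        )
        if len(users) == 1:
            verdict = "attributed"
        elif users:
            verdict = "ambiguous"    # overlapping sessions on one shared account
        else:
            verdict = "unbrokered"   # shared-account use with no gateway session
        results.append({**ev, "users": users, "verdict": verdict})
    return results

if __name__ == "__main__":
    for r in attribute(HOST_EVENTS, GATEWAY_SESSIONS):
        print(r["time"], r["verdict"], r["users"] or "-", r["action"])
```

The “ambiguous” result shows why time-window correlation alone is not enough when two people share an account at once; a per-session recording is what separates their actions.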