The growth of mobile devices, social media and big data has resulted in companies relying heavily on outsourced IT and cloud services. As a result, controlling privileged access for third parties is gaining prominence, helping companies minimize the risk of data theft and of violating compliance regulations.
Traditionally, most systems were on-premises, and secure access was provided to the data center. With companies moving to the cloud, broader access is required, and the chances of people with malicious intent gaining access are also increasing.
Take, for example, any e-commerce company. For these businesses to grow, there is a heavy reliance on various partners. To connect stakeholders, companies give access to vendors, customers, partners and others, so third parties end up with privileged access to their main systems, which leaves data vulnerable.
Granting system access to third parties is a potential threat. It has been observed that this access is often configured and managed by the third party and not by the organization that owns the systems. Unless privileged access is controlled, the risk of data theft could be significant. Also, without appropriate access controls, companies may be out of compliance with government regulations. Therefore, the question that a company should be asking is not only ‘Who has access to what?’ but ‘What did they do with that access?’
Lack of third-party access controls is resulting in high-profile breaches. In the spotlight are breaches at some of the largest retail chains in the country. Along with the breach of credit card and personal information, these companies are also battling loss of reputation.
- Hackers used a third-party vendor’s user name and password and acquired elevated rights to breach the network of a construction products retailer.
- Criminals obtained the login credentials of a sandwich restaurant chain’s point-of-sale system from the chain’s payment technology vendor and hacked the network.
- Attackers gained access to a large retailer’s network by compromising a heating, ventilation and air conditioning subcontractor’s system.
Despite such breaches staring us in the face, many companies remain complacent, believing it may hit them only years later. But the fact is that it is happening now, and companies need to be proactive rather than firefighting later. This is why companies need to integrate third-party access as an important element in their overall privileged access management (PAM) strategy.
No shared accounts. Sharing of accounts is a major challenge for companies that provide third-party access. With true PAM, shared accounts are minimized. Every user has personalized access as per their needs. For instance, Centrify enables organizations to establish individual accountability by having all users log in as themselves instead of relying on shared accounts. Elevated privileges are assigned in a granular fashion to allow third parties to perform their duties without requiring shared accounts.
Time-bounded access to the system. Access is based on time of day for certain activities. For instance, a company’s annual report is required to be released at a specific time. Releasing it before the allotted timeframe may result in anomalies in stock prices and violation of regulations. That’s where PAM comes in handy: the access is valid only during the designated times, and then only to a particular system. This removes the old-school issue: “I have a root password which makes me super user, but I only needed access to a specific area.”
All user activities are audited. Everything is logged and can be viewed. All users are audited, and one can easily find out who has what access. In case of a breach, it becomes easier to find the culprit. This helps an organization answer “Who accessed what, and when” to prove compliance with government regulations and industry mandates.
Privileged sessions are recorded for complete visibility and control. Each activity is recorded in detail. One can record and see who is doing what, creating transparency in the system and giving the organization more control over access. This creates accountability and speeds up the investigation process: “IT teams can pinpoint suspicious activity, troubleshoot system failures, and perform forensic investigations into breaches.”
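The first three controls above can be checked together against an audit trail. The following is an added example, not Centrify's code and not part of the original article; the grant table, the shared-account names and the log lines are all constructed for illustration, and the log format is an assumption.

```python
from datetime import datetime, time

# Hypothetical grants: one named vendor user each, scoped to a single
# system and a daily UTC time window (constructed sample data).
GRANTS = {
    "vendor-hvac.jsmith": {"system": "bms-01", "start": time(8, 0), "end": time(18, 0)},
    "vendor-pay.alee": {"system": "pos-gw", "start": time(22, 0), "end": time(23, 59)},
}
# Account names treated as shared (assumption for this example).
SHARED_ACCOUNTS = {"root", "admin", "administrator", "vendor"}

# Constructed audit events in an assumed "timestamp key=value ..." format.
AUDIT_LOG = """\
2024-03-04T09:15:00Z user=vendor-hvac.jsmith system=bms-01 action=login
2024-03-04T02:40:00Z user=vendor-hvac.jsmith system=bms-01 action=login
2024-03-04T10:05:00Z user=vendor-hvac.jsmith system=pos-gw action=login
2024-03-04T22:30:00Z user=root system=pos-gw action=login
2024-03-04T22:45:00Z user=vendor-pay.alee system=pos-gw action=sudo
2024-03-04T11:00:00Z user=vendor-x.unknown system=bms-01 action=login
"""

def parse_event(line):
    """Split one audit line into a dict with a parsed UTC timestamp."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def check_event(event):
    """Return a violation label, or None when the event fits its grant."""
    user = event["user"]
    if user.lower() in SHARED_ACCOUNTS:
        return "shared-account"            # no individual accountability
    grant = GRANTS.get(user)
    if grant is None:
        return "no-grant"                  # identity has no approved access
    if event["system"] != grant["system"]:
        return "out-of-scope-system"       # access beyond the granted system
    if not (grant["start"] <= event["ts"].time() <= grant["end"]):
        return "outside-time-window"       # access outside the designated time
    return None

def audit(log_text):
    """Answer 'who accessed what, and when' for every violating event."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        event = parse_event(line)
        verdict = check_event(event)
        if verdict:
            findings.append((event["ts"].isoformat(), event["user"], event["system"], verdict))
    return findings

if __name__ == "__main__":
    for finding in audit(AUDIT_LOG):
        print(*finding)
```
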
With Centrify’s Privilege Service, and especially its tailor-made PAM for cloud environments, companies are able to reduce the risk of a security breach, simplify compliance efforts and manage vendor access better. Avancer, in close collaboration with Centrify, has the expertise to integrate these solutions in various business environments, safeguarding sensitive data while complying with policy and regulatory requirements.
Learn more about Centrify Privilege Service and PAM for cloud environments with these best practices.
This article was originally posted on Centrify Blog