Organizations outsource part or all of their IT services to third-party service providers for various reasons, such as cost savings, leveraging outside expertise, the need to meet business demands quickly, and other critical aspects. Usually, tasks such as software development, network management, customer support, and data center management are outsourced.
Engineers and technicians working with service providers would require remote privileged access to servers, databases, network devices, and other IT applications to discharge their contractual duties. Typically, in outsourced IT environments, the technicians working with the service provider will be located at a faraway place and will access the IT resources of your organization remotely through VPN.
Uncontrolled administrative access—a potential security threat
With remote privileged access that grants virtually unlimited access privileges and full control over physical and virtual resources, the outsiders virtually become insiders and, in some cases, much more powerful than the real insiders of the organization. Uncontrolled administrative access is a potential security threat, which can jeopardize your business.
A disgruntled technician could plant a logic bomb on your network, commit sabotage, or steal customer information, causing irreparable damage to your business and reputation. In fact, analysis of many cyber incidents reported in the past has revealed that misuse of privileged access was the root cause.
So, in outsourced IT environments, controlling privileged access and keeping an eye on the actions on critical IT resources are absolutely essential, as both protective and detective security controls against cyber attacks.
Essential security measures for outsourced environments
- An inventory of resources/IT assets accessed by the third-party technicians should be kept up to date.
- Third-party technicians should get access only to the resources that are necessary to perform their work. The access should be time-limited.
- Access should be granted without revealing the underlying passwords. That means the third-party technicians should be able to access the resources without seeing the passwords in plain text.
- The remote access enabling mechanism should be highly secure.
- All activities done by them should be video-recorded and monitored. Any suspicious activity should be terminated.
- Comprehensive, tamper-proof audit records should be maintained on ‘who’, ‘what’ and ‘when’ of access.
- Password management best practices, like usage of strong passwords, frequent rotation, etc. should be strictly enforced.
- Normally, cyber incidents do not take place suddenly; they are the result of meticulous planning for several months. Logs from critical systems carry vital information that could prove effective in preventing such ‘planned’ attacks by malicious technicians. For instance, monitoring activities like user logons, failed logins, password access, password changes, attempts to delete records, and other suspicious activities could help identify hacking attempts, malicious attacks, DoS attacks, policy violations, and other incidents. Monitoring network activity and establishing real-time situational awareness is essential to enterprise security.
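An added example, not part of the original article or of any product: a short Python review of access-audit events against time-limited grants. It flags the activity the checklist above calls out: access to a resource with no grant or outside the granted window, attempts to delete records, and repeated failed logins. The log format, account names, resource names, and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: time-limited grants per (technician, resource).
GRANTS = {
    ("vendor-tech1", "db01"): ("2024-05-01T09:00", "2024-05-01T17:00"),
    ("vendor-tech2", "fw01"): ("2024-05-01T09:00", "2024-05-01T12:00"),
}
# Constructed audit events: time, user, resource, action, result.
EVENTS = """\
2024-05-01T09:05 vendor-tech1 db01 logon success
2024-05-01T09:40 vendor-tech1 db01 delete_records success
2024-05-01T10:00 vendor-tech2 fw01 logon failure
2024-05-01T10:01 vendor-tech2 fw01 logon failure
2024-05-01T10:02 vendor-tech2 fw01 logon failure
2024-05-01T13:30 vendor-tech2 fw01 password_access success
2024-05-01T14:00 vendor-tech1 app07 logon success
"""
# Assumed threshold: 3 failed logons within 5 minutes on one account/resource.
FAIL_LIMIT, FAIL_WINDOW = 3, timedelta(minutes=5)

def parse(line):
    ts, user, res, action, result = line.split()
    return datetime.fromisoformat(ts), user, res, action, result

def review(log_text, grants):
    """Return (timestamp, user, resource, finding) tuples for events needing review."""
    findings, failures = [], {}
    for line in log_text.splitlines():
        ts, user, res, action, result = parse(line)
        grant = grants.get((user, res))
        if grant is None:
            findings.append((ts, user, res, "no grant for resource"))
        elif not (datetime.fromisoformat(grant[0]) <= ts <= datetime.fromisoformat(grant[1])):
            findings.append((ts, user, res, "outside access window"))
        if action == "delete_records":
            findings.append((ts, user, res, "attempt to delete records"))
        if action == "logon" and result == "failure":
            # Keep only failures still inside the sliding window, then add this one.
            recent = [t for t in failures.get((user, res), []) if ts - t <= FAIL_WINDOW] + [ts]
            failures[(user, res)] = recent
            if len(recent) == FAIL_LIMIT:
                findings.append((ts, user, res, "repeated failed logins"))
    return findings

if __name__ == "__main__":
    for ts, user, res, finding in review(EVENTS, GRANTS):
        print(ts.isoformat(timespec="minutes"), user, res, finding)
```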
These simple security aspects would be difficult to implement without the aid of a proper software solution. A manual approach to consolidating, securing, controlling, managing, and monitoring privileged accounts is not only cumbersome and time-consuming, but also highly insecure.
Preventive & detective security controls through an automated approach
Essentially, you need an automated approach to both privileged access management and privileged session management. You need to consolidate and control all the privileged accounts centrally in a fully automated fashion, ending convoluted manual password management practices. The automated approach should be capable of delivering the essentials as outlined above.
Of course, not all security incidents can be prevented or avoided. However, by applying proper preventive and detective security controls as explained above, you can ensure information security while outsourcing IT.