Today, it is almost impossible to imagine a company that does not use third-party contractors to meet some of its operational needs. No one would be surprised to learn that a company uses an external cleaning service to take care of its premises or outsources a portion of its accounting operations to third parties.
Outsourcers are often responsible for routine tasks such as deployment and configuration of components in a corporate IT infrastructure. In some cases, third-party contractors take care of a whole set of operational tasks.
After purchasing an IT product, your company may also need to grant follow-up access to the developer’s team as part of technical support.
Sometimes you may need to provide prompt remote access to a remote site for your vendor, while on other occasions you only allow on-site works. This may happen in the event of a serious failure, and the company simply does not have time to wait until a vendor’s representative arrives (not to mention the sophisticated logistical arrangements that may be required so that your vendor can visit your company at a geographically hard-to-reach location).
Companies also hire auditors who can, for example, assess the status and performance of their financial applications (including related financial statements). Auditors may also be put in charge of evaluating the performance of the company’s IT components.
All these arrangements can introduce various security threats to your organization:
- Your company will have limited options in terms of monitoring of privileged user (vendor) activity, even if vendors work on site (you need to designate a staff member who will be responsible for controlling vendor activity throughout the duration of their work on your premises).
- Your company will have limited options in terms of tools that can be used to record external user activity on your computers (because of the special features of target resources).
- You will need to grant access (local and remote) to your company’s critical resources to third-party contractors.
- If your company is large, it can also have a large number of uncontrolled third-party contractors working with your IT components at the same time.
- You may not be able to assess the potential impact of the changes made by your vendors.
- You may not be able to assess whether the factual changes that are critical in terms of information security meet the ones that had been declared.
- You may lack understanding of the operations performed by auditors of the IT infrastructure and app performance.
- Third-party vendors may insert logic bombs and other malicious pieces of code into your apps and web applications.
- There is always a risk that contractors with admin rights may gain unauthorized access to your target servers and applications.
- The privileged users at your company who are not in charge of network or information security may grant unauthorized remote access to third parties.
- Privileged authentication data allowing remote access to critical resources may be subject to theft or unauthorized disclosure.
- The IT environment of your third-party contractor who has privileged access rights to your company’s infrastructure cannot be controlled, and may, therefore, pose security threats.
In addition, your company may have to face other types of risks:
- Your company may not be able to objectively determine whether or not the factual works comply with the stated scope of work and related requirements.
- You need to spend additional time and money to cover the travel costs associated with the contractor’s visits to your company’s local sites.
- In the event of failure, there may be conflicts between the third-party contractors and your IT/IS department.
- You may face additional losses in terms of time and funding in the event of failure at a remote site in a hard-to-reach area.
When third-party personnel are granted privileged access rights to your company’s resources, it is bound to face escalated risks and vulnerabilities. The best solution would be to use specialized software suites for Privileged Access Management (a.k.a. Privileged User Management, Privileged Identity Management, Privileged Account Management).
These software solutions will allow you to streamline the user activity monitoring for your contractors and employees of third-party organizations while they deal with your company’s IT resources.
If you want to improve the quality of user activity monitoring and management for your third-party contractors, reduce information security threats, and save time and financial resources, you can use the administrator activity monitoring system. This system allows to control access privileges and track the contractor’s user activity.
The Indeed PAM platform offers a single connection point with additional features for all third-party employees:
- Video records and text logs of the contractors’ activity
- Control of file transfer and command inputs
- Tools for real-time monitoring of the contractors’ activity
- Password management and secure storage of privileged accounts for target resources
- A single “user-resource" tool for managing access rules
- Supported protocols: RDP, SSH, and HTTP(S)
- Launch support for published apps via the RemoteApp protocol (Microsoft RDS)
- End-to-end authentication in published apps
- Two-factor authentication for enhanced security
- Scheduled access and access upon approval
For example, you can use Indeed PAM to oversee the work of the following third-party user categories:
- ● Contractors
- ● Technical support personnel
- ● Outsourcers
- ● Auditors
- ● Developers
- ● Etc.
By using Indeed PAM to monitor the external personnel activity, you can shrink the attack surface associated with their work in your company’s IT infrastructure. A single tool for managing privileged access rights will also allow you to reduce the workload for your own employees. Furthermore, the Indeed PAM functionality designed for recording the contractors’ activity can empower an objective assessment of their performance and compliance with the stated requirements (in line with the service level agreement (SLA)).
Recording user activity and assessing the quality of work
The PAM system supports recording of the contractor’s operations for subsequent use during the user activity audits. The basic functional principles of the system are designed to rule out the possibility for the privileged users (contractors) to bypass the established protocols when connecting to the system.
In addition, the Indeed PAM platform can use published apps to support other proprietary protocols.
Indeed PAM offers the following session recording functionality:
- Text log
- Video records
- File transfer control
- Command input control
- Connection metadata
You can use the session records to form an objective opinion about the quality of actual services rendered by the contractor vis-a-vis the requirements with respect to the quality and scope of work stated in the SLA. This way you will only pay for the services that have been provided to you and get a clear idea about the professional capability of your third-party contractors.
Limited scheduled access and limited access upon approval
It’s no secret that the requirements governing third-party contractor access to any components of your IT infrastructure must be stricter than those than apply to your in-house personnel.
Indeed PAM in-built mechanisms offer multiple options for managing privileged user access to target resources. We can name a few key rules that are commonly used for managing privileged access rights of third-party contractors:
- Scheduled access
- Temporary access
- Access upon approval
You can use these settings to preconfigure user access rights and maximize user restrictions, which will rule out the possibility of any operational disruptions initiated by your vendors.
Ensuring secure remote access to critical resources
Sometimes companies are reluctant to provide external remote access to their most critical IT infrastructure, and they have a good reason to do so. First and foremost, they do this for security reasons since it is almost impossible to control such connections.
Indeed PAM functionality will allow you to monitor vendor activity at all times, including real-time monitoring.
Along with remote access security tools relying on two-factor authentication and filtration of commands, this mechanism will maximize the security of remote access to your critical resources for your external personnel.
All user activity will be recorded, which will allow you to perform expert audits of vendor activity at any time, not only when their work is in progress. Furthermore, in some cases you will no longer need to have the contractor’s specialists physically visit your premises to do their job.
Monitoring auditor operations
The Indeed PAM platform allows you to monitor any user category, including special categories like auditors. Auditors are external experts hired to perform the following tasks:
- Analyze financial statements and transactions in financial apps
- Control the functionality of information security tools and run internal penetration tests
- Monitor the functionality of other IT tools
- Analyze organizational, administrative and other documents
The auditor’s key task is analysis rather than active manipulation of any components of your IT infrastructure (except for scenarios involving penetration testing). However, it may still be useful to understand what the auditors actually check and how they do it. You will find this information especially relevant if your company has failed an audit and needs to correct errors and address implicit concerns.
Monitoring developer operations
The PAM system enables activity monitoring for third-party developers of your internal software and web resources.
Malicious users often see code as their first priority for breaching security. Due to large volumes of written code and lack of specialized internal tools for code analysis and version control, an intruder can easily insert malicious or dangerous pieces of code into a corporate application.
However, the PAM tools designed for recording and subsequent analysis of changes will allow you to test all new changes for malicious activity and take timely measures to mitigate their impact.
Saving your financial resources
The key advantage of the Indeed PAM system is that it can help you save both your time and money while dealing with your third-party contractors.
First, the system’s broad functionality designed for user session recording will allow you to determine whether the actual scope and quality of work meet the requirements stated in the SLA. You can download session details from the PAM system and use them to pay only for the works that have been actually performed. Furthermore, you can send these records to third-party experts and ask them to assess the professional capability of your contractor. If your contractor is incompetent, this will inevitably affect the stable operation of your resource and the actual workload of your contractor.
The PMA tools designed for remote access security and user activity monitoring will also allow you to minimize the potential damage from uncontrolled remote operations. And this, in turn, means that the vendor’s personnel will no longer need to visit your premises to do their job (their activity can be controlled online, both manually and automatically). This way, you can save money, since you no longer need to cover the contractor’s travel costs.
- Any other proprietary protocols by publishing relevant applications
Activity recording functionality:
- Video records of sessions (video quality can be adjusted)
- Text logs of sessions
- Periodical screenshots of sessions (image quality can be adjusted)
- Supported protocols: RDP, SSH, published web, and fat clients
- Shadow file copies
Supported user directories:
- Active Directory.
Two-factor authentication technologies:
- Password + TOTP (one-time password − password generation algorithm)
Remote access technologies:
- RemoteApp (Microsoft Remote Desktop Server);
- SSH Proxy.