Today, it is almost impossible to imagine a company that does not use third-party contractors to meet some of its operational needs. No one would be surprised to learn that a company uses an external cleaning service to take care of its premises or outsources a portion of its accounting operations to third parties.
Outsourcers are often responsible for routine tasks such as deployment and configuration of components in a corporate IT infrastructure. In some cases, third-party contractors take care of a whole set of operational tasks.
After purchasing an IT product, your company may also need to grant follow-up access to the developer’s team as part of technical support.
Sometimes you may need to give your vendor prompt remote access to a remote site, while on other occasions you allow only on-site work. The former may be necessary in the event of a serious failure, when the company simply does not have time to wait until a vendor’s representative arrives (not to mention the sophisticated logistical arrangements that may be required for your vendor to visit a geographically hard-to-reach location).
Companies also hire auditors who can, for example, assess the status and performance of their financial applications (including related financial statements). Auditors may also be put in charge of evaluating the performance of the company’s IT components.
All these arrangements can introduce various security threats to your organization:
- Your company will have limited options for monitoring privileged user (vendor) activity, even if vendors work on site (you need to designate a staff member who will be responsible for overseeing vendor activity for the whole duration of their work on your premises).
- Your company will have limited options in terms of tools that can be used to record external user activity on your computers (because of the specific characteristics of the target resources).
- You will need to grant access (local and remote) to your company’s critical resources to third-party contractors.
- If your company is large, it can also have a large number of uncontrolled third-party contractors working with your IT components at the same time.
- You may not be able to assess the potential impact of the changes made by your vendors.
- You may not be able to assess whether the changes actually made, which may be critical for information security, match those that were declared.
- You may have no clear picture of the operations that auditors perform while assessing the IT infrastructure and application performance.
- Third-party vendors may insert logic bombs and other malicious pieces of code into your apps and web applications.
- There is always a risk that contractors with admin rights may gain unauthorized access to your target servers and applications.
- The privileged users at your company who are not in charge of network or information security may grant unauthorized remote access to third parties.
- Privileged authentication data allowing remote access to critical resources may be subject to theft or unauthorized disclosure.
- You cannot control the IT environment of a third-party contractor who holds privileged access rights to your company’s infrastructure, so that environment may itself pose security threats.
In addition, your company may have to face other types of risks:
- Your company may not be able to objectively determine whether or not the work actually performed complies with the stated scope of work and related requirements.
- You need to spend additional time and money to cover the travel costs associated with the contractor’s visits to your company’s local sites.
- In the event of failure, there may be conflicts between the third-party contractors and your IT/IS department.
- You may face additional losses in terms of time and funding in the event of failure at a remote site in a hard-to-reach area.
When third-party personnel are granted privileged access rights to your company’s resources, your company is bound to face escalated risks and vulnerabilities. The best solution would be to use specialized software suites for Privileged Access Management (a.k.a. Privileged User Management, Privileged Identity Management, Privileged Account Management).
These software solutions will allow you to streamline the monitoring of user activity for your contractors and for employees of third-party organizations while they work with your company’s IT resources.