Organizations outsource part or all of their IT services to third-party service providers for various reasons, such as cost savings, leveraging outside expertise, the need to meet business demands quickly, and other critical aspects. Usually, tasks such as software development, network management, customer support, and data center management are outsourced.
Engineers and technicians working with service providers require remote privileged access to servers, databases, network devices, and other IT applications to discharge their contractual duties. Typically, in outsourced IT environments, the service provider's technicians are located far away and access your organization's IT resources remotely through a VPN.
Uncontrolled Administrative Access – A Potential Security Threat
With remote privileged access that grants virtually unlimited privileges and full control over physical and virtual resources, the outsiders virtually become insiders and, in some cases, much more powerful than the real insiders of the organization. Uncontrolled administrative access is a potential security threat that can jeopardize your business.
A disgruntled technician could plant a logic bomb on your network, commit sabotage, or steal customer information, and cause irreparable damage to your business and reputation. In fact, analysis of many cyber incidents reported in the past has revealed that misuse of privileged access was the root cause.
So, in outsourced IT environments, controlling privileged access and keeping an eye on the actions performed on critical IT resources are absolutely essential, as both protective and detective security controls against cyber attacks.
Essential Security Measures for Outsourced Environments
- An inventory of resources/IT assets accessed by the third-party technicians should be kept up to date.
- Third-party technicians should get access only to the resources that are necessary to perform their work.
- Access should be granted without revealing the underlying passwords. That is, the third-party technicians should be able to access the resources without seeing the passwords in plain text.
- The remote access enabling mechanism should be highly secure.
- All activities performed by third-party technicians should be video-recorded and monitored. Any suspicious activity should be terminated.
- Comprehensive, tamper-proof audit records should be maintained on ‘who’, ‘what’ and ‘when’ of access.
- Password management best practices like usage of strong passwords, frequent rotation, etc. should be strictly enforced.
These simple security measures would be difficult to implement without the aid of a proper software solution. A manual approach to consolidating, securing, controlling, managing, and monitoring privileged accounts is not only cumbersome and time-consuming, but also highly insecure.
Preventive & Detective Security Controls Through an Automated Approach
To overcome the security threats arising out of outsourcing, organizations need to follow an automated approach to control, monitor, and manage privileged access. ManageEngine Password Manager Pro is a solution that offers such an automated approach. It delivers both privileged access management and privileged session management in a single unified solution. It helps enterprises consolidate and control all the privileged accounts centrally in a fully automated fashion, ending convoluted manual password management practices.
- You can selectively share credentials with third-party technicians on a need basis. Even time-limited, temporary access can be granted without exposing the credentials in plain text.
- In the central GUI of Password Manager Pro, the technicians get to see only the resources allotted to them. This restricts their remote access only to the required assets.
- As and when needed, you can generate a report on the privileged access scenario – ‘who’ has access to ‘what’ resources. The audit trails will tell you ‘who’ actually accessed ‘what’ and ‘when’. You will also receive alerts and notifications when someone accesses a sensitive resource.
- User activities during privileged sessions are video-recorded and archived for forensic audits. Password Manager Pro employs a first-in-class remote login mechanism to deliver on both ease of use and security. From any HTML5-compatible browser, users can launch highly secure, reliable, and completely emulated Windows RDP, SSH, and Telnet sessions with a single click, without the need for additional plug-ins or agent software. The session recording capability is an extension of the robust remote login mechanism, in which the remote connections are tunneled through the Password Manager Pro server, requiring no direct connectivity between the user device and the remote host.
- Normally, cyber incidents do not take place suddenly; they are the result of meticulous planning for several months. Logs from critical systems carry vital information that could prove effective in preventing such ‘planned’ attacks by malicious technicians. For instance, monitoring activities like user logons, failed logins, password access, password changes, attempts to delete records, and other suspicious activities could help identify hacking attempts, malicious attacks, DoS attacks, policy violations, and other incidents. Monitoring network activity to establish real-time situational awareness is essential to enterprise security. ManageEngine’s log analytics and SIEM solutions EventLog Analyzer and Firewall Analyzer would be immensely helpful in achieving real-time situational awareness.
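The review described in the points above (who accessed what and when, checked against what each technician was actually granted) can be sketched as follows. This is an added example, not Password Manager Pro's or EventLog Analyzer's code or log format; the pipe-delimited audit format, account names, resource names, grant windows, and failed-login threshold are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed grants: (technician, resource) -> time-limited access window.
GRANTS = {
    ("vendor-tech1", "db-prod-01"): ("2024-05-06T09:00", "2024-05-06T17:00"),
    ("vendor-tech2", "fw-edge-01"): ("2024-05-06T09:00", "2024-05-06T12:00"),
}

# Constructed audit trail, hypothetical format: when|who|action|what|result
AUDIT_LOG = """\
2024-05-06T09:15|vendor-tech1|session_start|db-prod-01|success
2024-05-06T10:02|vendor-tech1|session_start|fw-edge-01|success
2024-05-06T13:30|vendor-tech2|password_access|fw-edge-01|success
2024-05-06T22:10|vendor-tech2|login|fw-edge-01|failed
2024-05-06T22:11|vendor-tech2|login|fw-edge-01|failed
2024-05-06T22:12|vendor-tech2|login|fw-edge-01|failed
"""

FAILED_LOGIN_THRESHOLD = 3  # assumed alerting threshold per (who, what)


def review(log_text, grants, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (finding, who, what, when) tuples for events that need attention."""
    findings, failures = [], Counter()
    for line in filter(str.strip, log_text.splitlines()):
        when, who, action, what, result = line.strip().split("|")
        ts, key = datetime.fromisoformat(when), (who, what)
        if action == "login" and result == "failed":
            failures[key] += 1
            if failures[key] == threshold:  # report once, when the threshold is hit
                findings.append(("repeated_failed_login", who, what, when))
            continue
        window = grants.get(key)
        if window is None:
            # Technician touched a resource that was never allotted to them.
            findings.append(("no_grant", who, what, when))
            continue
        start, end = (datetime.fromisoformat(t) for t in window)
        if not start <= ts <= end:
            # Access happened before the temporary grant began or after it expired.
            findings.append(("outside_window", who, what, when))
    return findings


if __name__ == "__main__":
    for finding in review(AUDIT_LOG, GRANTS):
        print(*finding, sep="  ")
```
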
Of course, not all security incidents can be prevented or avoided. However, by putting in place proper preventive and detective security controls as explained above, you can ensure information security while outsourcing IT.
The original article/video can be found at IT outsourcing: When outsiders become insiders, how do you ensure information security?