Setting up a vendor management program

Vendor management is a process or solution that allows organizations to optimize and secure the introduction and ongoing operations of third-party service providers into their business operations. An ideal platform provides centralized management of all third-party user authorizations, access controls, and activity monitoring. Along with that, it should provide for an efficient offboarding process of vendor reps to secure the network from former vendor employees.

Remote access is a common and integral component of the relationship between technology providers and their enterprise customers. The challenge with this dynamic is that it introduces significant security risks. Plus, allowing vendor support technicians onto a network can pose threats if there are not tight restrictions and safety nets in place.

Vendor maintenance on company networks necessitates a level of vendor access that must be controlled and contained, and there are significant security implications if remote connections are not managed properly. Here are the areas to focus on for proper vendor management.

Most important aspects of proper vendor management

Authentication

Vendor management starts with inventorying the companies and users that will be working on company networks and systems. While most vendor management systems will provide an inventory of vendor companies, it is nearly impossible to thoroughly review access requests for every potential support rep at a vendor company. Vendor access solutions can be used to coordinate the assignment of unique credentials and incorporate options, such as multi-factor authentication methods. This way you know who is on your network and can track them at the individual level. Multi-factor support is a must to reduce the risk of shared logins and meet many compliance standards.

Access control

Depending on the vendor account, support representatives require different privileges. IT managers should be able to assign permissions at the target host and port level. This granular control allows for a least-privilege access policy while maintaining a streamlined support process. In addition, it helps enterprises in highly regulated industries adhere to industry compliance standards.

Monitoring and audit capabilities

Security is not just about knowing who is on your network; it’s also about understanding what they’ve done. Vendor management is about auditing as well as efficiency and protection. Managers need to identify threats quickly. Real-time monitoring with access notifications allows for fast response, and comprehensive audits make for effective investigations.

What’s the difference between PAM and VPAM?

In any organization, there are some individuals who require elevated access permissions to perform critical tasks. Their accounts are known as “privileged accounts.” Traditionally, privileged accounts were treated equally and weren’t tracked separately from regular, internal user accounts. However, the needs and risks associated with internal and external users are not the same, and two technologies, privileged access management (PAM) and vendor privileged access management (VPAM), can help protect these credentials better.

What is Privileged Access Management (PAM)?

Privileged access management (PAM) technology came along to offer a central vault for all privileged credentials (internal and vendor) and perform actions such as frequent password rotation, credential obfuscation and usage auditing.

PAM solutions are designed to manage and monitor the user activity of privileged accounts, regardless of the owner and use case. PAM solutions address the risks that may arise from high-level access to critical systems, such as accidental abuse (a user working on a server they shouldn’t be), intentional abuse (insider threats), and accounts stolen by outside hackers.

What is Vendor Privileged Access Management (VPAM)?

Since privileged accounts provide high-level permissions, the potential of a bad actor being able to go “lateral” or pivot to other systems is much higher than with a normal credential. They also vastly increase the data and information a hacker has access to, making breaches much larger and more costly.

While traditional PAM solutions are effective for managing internal users, vendor privileged access management (VPAM) adds additional protections for vendors and is the best solution for third-party connections. VPAM helps overcome the efficiency issues and security threats unique to external users.

Key Takeaways

To set up the best vendor management program, it’s important to think about these key aspects of a program while also thinking about what your company specifically needs. Many companies find success when they implement a PAM and VPAM solution together.

This article originally ran on Security Boulevard.


*** This is a Security Bloggers Network syndicated blog from SecureLink authored by Tony Howlett. Read the original post at: https://www.securelink.com/blog/setting-up-a-vendor-management-program/

Tony Howlett

Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP, GNSA certifications, and a B.B.A in Management Information Systems. Tony is currently the CISO of SecureLink, a vendor privileged access management company based in Austin.