You know the scene: a business outsources its IT services to a third-party provider. That company then outsources the management of the anti-malware components to a specialist outsourcer. They, in turn, outsource the repetitive tasks to the cheapest labour source they can find. Each outsourcer is typically given full VPN and unlimited privileged access, well in excess of that required for them to do their jobs, even though they are essentially new and untrusted. As a result, these third-party ‘outsiders’ actually become ‘trusted insiders’, often more powerful than the authentic insiders of the home organisation. Suddenly, you’ve not only outsourced your IT services, but your trust too. How can you manage this outsourced outsourcer?
Misuse of privilege
The misuse of privilege in the hybrid-cloud world has become one of the most critical security challenges currently faced. Uncontrolled access to Privileged Accounts opens a door through which untrusted third-parties can compromise data and inflict cyber-attacks, ultimately causing irreparable damage to the business and its corporate reputation.
Working with outsourcers generally means that you are expected to hand over the credentials to a set of privileged accounts on your systems. These are then built in to ‘run-books’ that the outsourced SysAdmins use to ensure that they deal with your systems in a consistent way. This poses a problem: they need to carefully control who can see those run-books, and they need to trust that the run-books they outsource themselves are treated with respect. There is a case of what the contract states and what actually gets done.
Step 1. Separate people from passwords
The first part of the solution to controlling the outsourced outsourcer is to separate the people from the passwords used on systems, devices and applications – never allowing the passwords to enter the SysAdmin’s domain. This stops the diffuse proliferation of privileged credentials and removes the possibility of them getting intercepted or RAM scraped.
Completing this stage means that you’ll no longer need to share passwords to admin, root and maintenance accounts. Using Enterprise Class Password Lifecycle Management means that all passwords will be long, strong and regularly changed.
Step 2. Map identities to roles
The next stage is to verify the identity of the people wanting to connect to your systems. This identity needs to be mapped onto a profile of the roles on systems they should be allowed to use. With the user’s identity confirmed, connections can be established for the user using Single Sign On, ensuring that the SysAdmin never has to know any credentials.
In our experience, people will protect their personal identities far more than they’ll protect a set of credentials from an organisation. Two factor authentication takes this a stage further. It makes sharing identity more difficult since both parties would need access to the token.
Step 3. Record sessions
To complete the control you need to make it clear that you’ll record all sessions that third parties have with your systems. This is the ultimate deterrent for those that don’t want to be caught and the ultimate forensics resource for reversing wrong doings.
By following these three simple steps, you can prevent granting third-parties excessive privileges without compromising their ability to get the job done.