
It’s time for ushered access to replace free rein for third-party partners

Oct 02, 2024

Consider a familiar scene for office goers. Upon entering the building, employees, long-term contractors, and building staff typically swipe a key fob or a mobile key to gain access to the company office space. They are free to come and go at will.

Visitors have a different set of access protocols. They enter the lobby, validate their identity with a receptionist, sign into a visitor’s log, and finally have an employee escort them to a specific destination like a meeting room or office. They may wear a visitor’s badge to differentiate them from employees.

These access control measures are meant to ensure the safety of the people, equipment, and confidential information in the workplace by keeping out intruders with malicious intent. The protocols are tailored to meet different standards for employees, contractors, and visitors. Employees are able to enter as long as their badges are valid. Contractors may have a badge with a different color. They may access the space, but are probably not allowed access after business hours or on weekends. Visitors, on the other hand, require a chaperone and are not allowed to access facilities independently.

Figure: An example procedure for checking in an office visitor.

Today, organizations often rely on third-party vendors for critical services. While these partnerships are crucial for operational success, they also introduce significant security risks. A majority of companies still treat third parties as employees when it comes to remote access, for the sake of uniformity and simplicity. Third-party identities are provisioned using the same identity provider (IdP) as employees, typically in different identity groups with access reduced to a subset of resources.

This method, I would argue, is akin to allowing unescorted visitors to roam your premises. As long as their access is valid, these third parties have unfettered access to your resources. They can log in and access resources without real-time oversight. In the physical workplace, there is scarcely any difference between these individuals and full-time employees.

Security executives must strike a balance between enabling efficient third-party access and ensuring that their organization’s assets remain protected. Treating third parties as employees is fraught with risk. And yet, organizations must enable these employees to the degree that they can serve the business without undue burdens when it comes to logging on, accessing resources, or communicating with individuals in their home offices.

Security executives should prioritize the visitor access mechanism, a.k.a. ushered access, for third-party vendors. Here’s why:

1. Enhanced control and oversight

With ushered access, every step a third party takes is monitored and controlled by an internal party, usually an employee from the organization’s IT or security team. This supervision ensures that vendors are limited in their activities and only access authorized systems or data. In contrast, unattended access leaves room for unauthorized activities—conducted intentionally or not.

Security executives understand the potential damage an unintended data breach or accidental system misconfiguration can cause. Ushered access minimizes these risks by ensuring that a trusted party remains in control of vendor interactions at all times.

2. Mitigation of insider threats

Third-party vendors can, intentionally or inadvertently, introduce insider threats to an organization. Unattended access amplifies this risk, as vendors may inadvertently create vulnerabilities, such as misconfigurations, or engage in unauthorized activities. For instance, many threat actors today use trusted sites as a means of exfiltrating data from target organizations.

By ushering third-party access, organizations can mitigate insider threat risks. When a vendor’s actions are continually overseen, there is little room for unapproved behavior, reducing the risk of data leaks, system disruptions, or malware installation.

3. Compliance with regulatory standards

Many sectors, such as finance, healthcare, and government, are governed by strict regulatory standards. Security executives in these sectors must ensure their organizations are compliant with regulations like GDPR, HIPAA, or PCI DSS, which often mandate stringent access controls.

Ushered access aligns well with these regulatory requirements, providing a clear audit trail of third-party activity. This not only demonstrates compliance during audits but also ensures that the organization’s sensitive data remains protected at all times.

4. Reduced attack surface

Cybercriminals are continuously evolving their tactics, and third-party vendors can be a weak link if not managed correctly. Unattended access can widen the organization’s attack surface, providing more opportunities for malicious actors to exploit vulnerabilities. If a third party’s system is compromised, cybercriminals may use its credentials to infiltrate other organizations along the chain.

Ushered access reduces this risk by ensuring that vendors are not left alone to access critical systems. Continuous monitoring allows organizations to detect and respond to suspicious activities quickly, preventing potential breaches before they cause significant damage.

5. Customization and granular control

Ushered access allows for a higher level of customization and granular control over vendor permissions. Security teams can define exactly which systems and data third parties can access, how long they can have access, and what actions they can perform.

This level of customization is much more difficult to enforce with unattended access, where broad permissions are often granted to simplify the process. Security executives who prioritize reducing the risk of lateral movement or privilege escalation will find ushered access a more secure and flexible option.

6. Stronger incident response capabilities

When third-party access is ushered, any unusual behavior can be immediately flagged and addressed. If a vendor accidentally accesses the wrong system or triggers a security alert, the internal usher can intervene in real time, reducing the potential impact of an incident.
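The controls described in points 5 and 6 (which systems, for how long, which actions, with an internal usher who can step in) can be expressed as a per-session policy check that also produces the audit trail from point 3. The sketch below is an added example, not code from this article or from any product; the class, field names and sample values are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class UsheredGrant:
    """One vendor engagement. All names here are hypothetical."""
    vendor: str
    usher: str                    # internal employee accountable for the session
    systems: frozenset            # exact systems the vendor may reach
    actions: frozenset            # actions permitted on those systems
    not_before: datetime
    not_after: datetime
    usher_present: bool = False   # set when the usher joins the live session
    revoked: bool = False
    audit: list = field(default_factory=list)

    def decide(self, system, action, now):
        """Return (allowed, reason) and record the decision in the audit trail."""
        if self.revoked:
            verdict = (False, "revoked by usher")
        elif not self.usher_present:
            verdict = (False, "no usher attached to session")
        elif not (self.not_before <= now <= self.not_after):
            verdict = (False, "outside approved time window")
        elif system not in self.systems:
            verdict = (False, "system not in grant")
        elif action not in self.actions:
            verdict = (False, "action not in grant")
        else:
            verdict = (True, "ok")
        self.audit.append((now.isoformat(), self.vendor, self.usher, system, action) + verdict)
        return verdict

    def revoke(self, now, why):
        """The usher ends the session in real time; every later request is denied."""
        self.revoked = True
        self.audit.append((now.isoformat(), self.vendor, self.usher, "*", "revoke", False, why))

def demo():
    t0 = datetime(2024, 10, 2, 9, 0, tzinfo=timezone.utc)    # constructed sample values
    g = UsheredGrant("vendor-a", "alice", frozenset({"hvac-ctl"}),
                     frozenset({"read", "restart"}), t0, t0 + timedelta(hours=2))
    results = [g.decide("hvac-ctl", "read", t0)]              # usher has not joined yet
    g.usher_present = True
    results.append(g.decide("hvac-ctl", "read", t0 + timedelta(minutes=5)))
    results.append(g.decide("billing-db", "read", t0 + timedelta(minutes=6)))
    g.revoke(t0 + timedelta(minutes=7), "vendor attempted a system outside the grant")
    results.append(g.decide("hvac-ctl", "read", t0 + timedelta(minutes=8)))
    return results, len(g.audit)
```

Contrast this with group-based provisioning in the employee IdP, where a valid credential alone is sufficient and none of the usher, time-window or revocation checks exist.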

For security executives responsible for protecting their organization’s assets, ushered access should be the clear choice when managing third-party vendors. While unattended access may offer convenience, the security risks far outweigh the benefits. Ushered access provides enhanced oversight, reduces insider threats, ensures regulatory compliance, and strengthens overall security posture.
