I talk to Fortune 100 companies every day at Cyolo. Unsurprisingly, they are each facing a range of challenges enforcing strong cybersecurity measures while also maintaining productivity and enabling operational agility. But of all the many concerns that business leaders and security professionals express, there is one refrain I hear most often: “I am looking to secure third-party users within my OT environment.”
As other recent blogs have described, organizations today are highly dependent on third-party vendors, partners, and contractors. These individuals provide specialized skills and offer a certain value that, for various reasons, internal employees cannot match. Third-party contributors have become indispensable to modern business operations, but this does not mean there are no downsides to relying on an external workforce not bound by corporate policies and best practices.
The main problem, as conveyed by the assertion I hear so frequently (“I am looking to secure third-party users within my OT environment”), is that allowing external vendors and contractors to access sensitive internal systems and critical infrastructure creates serious security and safety risks for an organization.
So, how can companies mitigate the added risk posed by the third parties they count on to help enable their business success? By implementing a Secure Remote Access (SRA) solution that controls both the access and connectivity of every third-party user and device.
While there is a large market for SRA tools, many do not provide the capabilities needed to ensure secure third-party access into OT environments, which have a variety of distinctive technical and practical requirements. To ensure they are choosing a solution that will meet their needs, organizations looking to secure OT system access for third-party vendors should pose the following questions to every SRA vendor they evaluate:
Can the SRA solution function fully in every type of environment (cloud-connected, cloud-averse, and offline)?
Can the solution integrate easily with existing security tools, access management platforms, and identity providers?
Is access granted at the application level or the network level?
Is the principle of least privilege enforced at all times, including for third-party users and devices?
Can multi-factor authentication (MFA) be extended to legacy systems without major infrastructure changes?
Can administrators monitor and control ongoing sessions in real time?
Is there a session recording capability for auditing, compliance and forensic purposes?
Does the solution provide comprehensive logging of all activities?
Does the solution have built-in redundancy and failover mechanisms to ensure continuous availability?
Does the solution comply with relevant industry standards and regulations?
How much time does deployment take and what does the process look like? Ask for a reference or use your network.
What is the process for configuring access permissions for third-party users?
Does operating the solution require significant training or manpower?
Does the vendor provide ongoing support following the initial deployment?
Does the SRA vendor at any point have access to unencrypted customer data or to the customer’s encryption keys?
If the vendor is targeted in a cyberattack, is there a risk that customer data will be exposed?
This list is not exhaustive, but it covers many of the key areas that should be considered before selecting a secure remote access solution. And given just how important it is that industrial enterprises choose a solution that will fully meet their needs, it is very much worth doing a bit of additional research at the outset. Getting to know potential vendors and exactly what they offer will at the very least save the significant frustration of dealing with an ineffective tool and, quite possibly, help prevent a damaging security incident or even worse.