Events of the past several years have plainly demonstrated the extent to which modern businesses depend on other businesses. More than ever before, organizations rely heavily on third-party vendors and partners to provide services and perform tasks that are too specialized or costly to complete in-house. This is the case across industries and sectors but is especially true for industrial enterprises, where third-party technicians and contractors fill a significant skills gap.
Organizations gain substantial advantages by collaborating with outside experts, and in some cases they are actually required to do so. For instance, the support contracts on very expensive and productive equipment often require connectivity for an external technician to maintain and repair the machine. The dilemma is that third-party contractors, vendors, and technicians also introduce a range of serious security risks. In this blog, we will delve into the major risks associated with third-party access and then examine how gaining better control over such access is the key to mitigating potential threats.
Why Third-Party Access is High-Risk Access
At Cyolo, our mission is to provide safe and secure access to critical infrastructure and other sensitive systems. When customers turn to us for support implementing secure access, our recommendation is to address the users who pose the highest risk first. Because third-party vendors and contractors frequently work on unmanaged devices and likely do not adhere to (or even know about) corporate security policies, they present a higher risk to organizational security than employees or internal users. Let’s look now at some of the additional security challenges of third-party access.
1. Increased Attack Surface
The benefits of collaborating with third parties can only be achieved if they are granted access to at least certain parts of the organization’s systems and applications. The problem is that this (often unmonitored and uncontrolled) access creates an expanded attack surface that in turn gives cybercriminals more opportunities to exploit potential vulnerabilities. In addition, a security gap or vulnerability within the third party's systems could serve as a gateway to infiltrate all partnering networks.
2. Data Breaches and Privacy Concerns
Third parties often handle sensitive data and proprietary information, which makes them attractive targets for cybercriminals. A data breach within a third-party's infrastructure can have severe consequences, leading to data exposure, financial losses, and reputational damage. Moreover, privacy regulations, such as GDPR and CCPA, hold organizations accountable for any mishandling of customer data by third-party vendors.
According to 2021 research from the Ponemon Institute, 59% of organizations suffered a breach caused by a third party, while 54% suffered a breach due to the breach of a third party.
3. Supply Chain Attacks
As we’ve seen in a wave of recent security incidents, bad actors may target third-party vendors as a means to launch crippling supply chain attacks. By compromising a vendor's systems, attackers can introduce malicious code or tampered products into your supply chain, leading to widespread damage (potentially including physical damage and threats to human life in the case of industrial enterprises) and disruption of operations.
4. Insider Threats
While collaboration with third parties is at least theoretically based on trust, insider threats still pose a significant risk. A malicious insider within a vendor's organization may intentionally leak sensitive information or sabotage systems, directly impacting your organization's security and stability. And even well-meaning vendors or contractors can cause serious harm while working on unmanaged devices with little to no supervision.
Is Zero Trust Access the Key to Securing Third-Party Access?
According to its newly published 2023 Market Guide for Zero Trust Network Access, analyst firm Gartner® is “seeing increased demand for agentless-based [ZTNA] deployments in the case of unmanaged devices and/or third-party access.” The report also states, “clientless ZTNA continues to support third-party and bring-your-own-device (BYOD) use cases.”1
Why does Gartner emphasize “agentless-based” and “clientless” when discussing the third-party access use case? Likely because it is impossible to force external vendors or technicians to download an agent. This is one of the reasons why virtual private networks (VPNs) are an inadequate solution for third-party access. Organizations that want their vendors to behave in a secure way must make it as easy as possible for them to do so. By providing a clientless secure access solution that has little impact on user experience, organizations can boost security while also keeping their vendors and contractors happy. Win-win.
The Cyolo team believes strongly that clientless zero-trust access is indeed the answer to reducing the risks of third-party collaboration. Based on the premise “never trust, always verify,” the zero-trust security model removes inherent trust from the user authentication process. In effect, this leaves internal employees and external third-party users on level footing – none are trusted automatically, and all must have their identities authenticated each time they seek access to a system or application.
Beyond ensuring that all access is verified and then continuously authorized, the Cyolo zero-trust access solution includes a variety of controls that give organizations greater visibility and more constraints over third-party activity, effectively counteracting the risks outlined above.
How Access Control Mitigates Security Risks
1. Limit Access Rights According to the Principle of Least Privilege
When onboarding a new third-party vendor, organizations may be tempted to grant them broad access rights, perhaps under the assumption that this will get them up and working more quickly. However, under the zero-trust framework, all users—including third-party vendors—should be assigned access rights according to the principle of least privilege. This means that users have access (following a successful authentication, of course) to the applications they need to perform their designated tasks—and nothing more.
With user access is restricted in this way, it is much harder for any cybercriminals who do enter the system to move laterally and cause catastrophic damage. Enforcing the principle of least privilege also reduces the threat of human error, which continues to be a factor in many data breaches.
2. Require Multi-Factor Authentication
In the zero-trust model, access is tied to identity-based parameters. Multi-factor authentication (MFA) strengthens the user verification process by requiring users provide multiple forms of identification. This makes it more difficult for unauthorized individuals to gain access even if login credentials are compromised.
MFA is fairly easy to enforce for cloud-based applications, but most legacy systems do not support modern identity and authentication protocols. This poses a problem for many ZTNA solutions, which require that systems be upgraded or replaced in order to accommodate the latest authentication technologies. With Cyolo, there’s no need for complicated and expensive upgrades, as our solution can be overlaid on existing legacy infrastructure to enable MFA as well as single sign-on (SSO). This capability makes the Cyolo solution perfectly suited for OT environments, which typically include many legacy and offline systems. But whatever your systems architecture, third-party users should always be required to use MFA.
3. Enable Session Recording and Supervised Access
The Cyolo zero-trust access solution continues to provide security measures even after users are positively verified. Additional oversight controls include session recording, which helps detect anomalous activity, aids in post-incident forensics, and is very useful for auditing purposes, as well as supervised access. With supervised access, users must explicitly request access from an administrator for applications deemed particularly sensitive. The admin is alerted to this request and can monitor the session in real-time to ensure the user is behaving as expected. If they see anything unusual, the admin can immediately revoke the user’s access to the given application and terminate the session.
Figure 1. The Cyolo solution includes a variety of access, connectivity, and oversight controls that together mitigate the risks of third-party access.
The Future of Third-Party Collaboration is Bright
The collaborative nature of modern business inevitably involves working with third-party vendors and partners. However, it is essential to recognize the cyber risks associated with such activity and to safeguard your organization's data and networks accordingly. Exercising stringent control over third-party access is paramount to maintaining a strong security posture and also helps guarantee that your external partners are behaving as expected.
Your organization’s security is only as strong as the weakest link in your supply chain. For this reason, comprehensive control over third-party access must be an indispensable part of your cybersecurity strategy.
1Gartner, Market Guide for Zero Trust Network Access, Aaron McQuaid, Neil MacDonald, John Watts, Rajpreet Kaur, 14 August 2023.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
Jake Alosco is VP of Global Partnerships at Cyolo, working closely with partners to help business leaders drive secure connectivity and Zero Trust Access within their organization. Prior to Cyolo, Jake held various global channel specific roles for ImmersiveLabs, Contrast Security, Avecto, and Veracode. Jake specializes in taking startup organizations to the channel and helping them build relationships, sales, and brand recognition on a global level.
