Secure Third Party Access

Hello All,

I was interested to see how you manage your company's third party remote access securely? Our third party access is managed as below:

Third Party Signs Non Disclosure Agreement
Third Party RSA token assigned to the helpdesk
Process explained to Third Party (They must call the helpdesk with a change or incident number to validate them and they are then give a token number which is held by the helpdesk. Once validated there AD account which is generic is enabled and then disabled after use)
Third party server is built (including Logging, File integrity monitoring, Anti Virus) to only permit the specific access they need (Source destination and ports)
They use their own laptops or desktop which are out of our control to connect via the Cisco VPN.

The problem with this set up is that a third party server needs to be set up every time. Do you guys do something similar, or can you make any suggestions for this to be more secure and perhaps negate the need for a new server to be created each time?

Find more posts tagged with

Comments

GarudaMin

What are they accessing (applications, data, other systems)? Where does the VPN terminate? Does their activity need to be recorded? Without knowing business requirements or case, it's not easy to give an efficient and accurate recommendation.

lsud00d

cjthedj45 wrote: »

Third party server is built (including Logging, File integrity monitoring, Anti Virus) to only permit the specific access they need (Source destination and ports)

Are you saying this is essentially their non-persistent jumpbox?

cjthedj45

GarudaMin wrote: »

What are they accessing (applications, data, other systems)? Where does the VPN terminate? Does their activity need to be recorded? Without knowing business requirements or case, it's not easy to give an efficient and accurate recommendation.

Hi each Third Party will have different access and they connect in mainly for support purposes. A few examples are a Linux provider will connect into manage the Linux servers and fix issues. Some of these servers will have applications on that process very confidential data and due to the nature of what this provider does they have quite a lot of access. Another Example is for another third party requires access to manage an application but no confidential data and they will have specific rdp access to that server. I think recording the sessions is not a bad idea. I was looking at a solution that Bomgar do. Its a central appliance that handles the third party connections, you can apply 2factor authentication, its encrypted, records and I would probably set up an isolated vlan behind a firewall interface to control the traffic. The VPN also terminate to a Cisco ASA.

cjthedj45

lsud00d wrote: »

Are you saying this is essentially their non-persistent jumpbox?

The jumpbox is a virtual server that they connect to. Its not a VDI where they get a new profile each time they log on. The server would be built with the current build standard settings and they logon to it by first connecting to VPN putting in their 2 factor details and they directly connecting its IP address over RDP. The issue we have it we have to maintain a lot more boxes in the environment for each 3rd party because everytime a new 3rd party needs access we have to create them a separate terminal server. I just wondered how other people managed this. Bomgar looks pretty good for providing a central solution. Once a user connects to your bomgar appliance you can apply granular access permissions. Its harder to manage this with lots of dedicated terminal servers just for 3rd parttys.

GarudaMin

You might be better off using a vendor access management solution/product that uses a gatekeeper type jumpbox method. You don't need to create a server for each vendor access. You define who from what vendor will have access to which system/application. Vendors remote in (two channel authentication) via gatekeeper to their assigned system/application, their activity is recorded and they also won't know what password is being used. I don't use Bomgar so I can't say anything about it. But if you look for "vendor access management" solutions, there are a lot out there.

But you can also take it one step further and look into products/solutions for "privilege session management". You have more granular control in that you can assign only certain applications on a system for vendor use (they won't see anything else). Privilege session management is also good for managing your privileged accounts (domain accounts). You can also management automatic password management of service accounts as well.

lsud00d

@cjthedj45, thanks for the clarification, your initial description on the process was kinda murky for the last few steps. I was unsure why you'd be spinning up a server for each vendor vs. managing a layer in between.

To add to @GarudaMin, CA has a suite of products/technologies for this:

CA Privileged Identity Manager - CA Technologies

cjthedj45

lsud00d wrote: »

@cjthedj45, thanks for the clarification, your initial description on the process was kinda murky for the last few steps. I was unsure why you'd be spinning up a server for each vendor vs. managing a layer in between.

To add to @GarudaMin, CA has a suite of products/technologies for this:

CA Privileged Identity Manager - CA Technologies

Thanks very much Isud00d. I have been on the CA website and watched a few of their videos this could be what we need. I have just emailed them with the requirements to see if they can help. Do you use any of their products and in what context? Do you know if they are pricey as well?

cjthedj45

GarudaMin wrote: »

You might be better off using a vendor access management solution/product that uses a gatekeeper type jumpbox method. You don't need to create a server for each vendor access. You define who from what vendor will have access to which system/application. Vendors remote in (two channel authentication) via gatekeeper to their assigned system/application, their activity is recorded and they also won't know what password is being used. I don't use Bomgar so I can't say anything about it. But if you look for "vendor access management" solutions, there are a lot out there.

But you can also take it one step further and look into products/solutions for "privilege session management". You have more granular control in that you can assign only certain applications on a system for vendor use (they won't see anything else). Privilege session management is also good for managing your privileged accounts (domain accounts). You can also management automatic password management of service accounts as well.

Thanks Garuda the product that Isud00d recommended has privilege management built it. This is exactly what we need, for example a server could contain credit card data an being sitting on the file directory, but the vendor does not need to see the file directory just manage the application they support. If we could get it this granular then it could solve a lot of issues.