Vendors and network vulnerability, part 2: Tools to reduce risk in vendor remote access

In Part 1 of this blog post, we examined the risks inherent in certain types of vendor remote access software and the damage that vendor-caused network incidents can do. In Part 2, we explore the tools IT admins can use to address these issues, which can form the basis of a solution for assessing, managing, and reducing vendor-caused network risk. We then look at the limitations of these tools, chiefly that they record activity but still leave vendors with too much network access. Finally, we discuss a technology solution, Vendor Privileged Access Management (VPAM), that combines advanced auditing and monitoring with granular control over vendor remote access.

Active Directory auditing

One way IT admins can keep an eye on their networks is Active Directory auditing. Active Directory (AD) is Microsoft's identity and directory service for Windows domains; because it exposes standard Kerberos and LDAP interfaces, Linux and macOS hosts and many appliances can authenticate against it as well. Its widespread use and cross-platform reach make it a natural place to monitor user activity, including that of vendors. By auditing logon-related events, admins can record which accounts are logging on and to which host, which gives them a read on which vendors are reaching server resources. The relevant settings are the Windows audit policy categories, applied to domain controllers and member servers through Group Policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy, or the finer-grained subcategories under Advanced Audit Policy Configuration). They can be set to record the following:

  • Account logon events (generated where credentials are validated, i.e. on the domain controller for domain accounts)
  • Account management (user account created/changed/deleted; password set/changed)
  • Directory service access (user attempts to access Active Directory objects)
  • Logon events (generated on the host where the session is created, so they show which server a vendor actually reached)
  • Object access
  • Policy change (including changes to the audit policy itself)
  • Process tracking
  • System events
  • Privilege use (audit each time a user, such as a vendor, exercises a user right)

These settings let IT admins stay on top of potential problems and threats on the network. Note, however, that they can make the Security log grow quickly, so size the log generously and forward or archive events centrally (for example with Windows Event Forwarding or a SIEM) so that history is not lost when the log wraps and old events are overwritten. Making sense of the daily noise of user activity usually requires additional analysis software (see the next section). Also, these benefits apply only to organizations that use Active Directory for authentication on all or a significant portion of their servers. Servers, workstations, and appliances such as routers and firewalls that authenticate through other mechanisms (TACACS+, RADIUS, a separate LDAP directory, or local Unix/Linux password files) need their own, non-Windows auditing to capture that activity.
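The following script is an added example, not code from the original post. It carries out the steps above on a single host: it enables the logon-related audit subcategories, enlarges the Security log so it wraps later, and then reports the last 24 hours of successful and failed logons by vendor accounts. It assumes (hypothetically, for this example) that vendor accounts are members of an AD group named "Vendor-Remote-Access" and that it runs elevated on a domain-joined Windows host with the RSAT ActiveDirectory module installed.

```powershell
# Added example, not code from the original post. Enables logon auditing,
# enlarges the Security log, and reports the last 24 h of logons by vendor
# accounts. Assumptions (hypothetical): vendor accounts are members of an AD
# group named "Vendor-Remote-Access"; run elevated on a domain-joined Windows
# host with the RSAT ActiveDirectory module. Works in Windows PowerShell 5.1+.

#Requires -RunAsAdministrator
Import-Module ActiveDirectory

# 1. Enable the Logon (4624/4625, written on the host where the session is
#    created) and Credential Validation (4776, written on the DC) subcategories.
#    auditpol sets the effective local policy; in a domain, put the same
#    settings in a GPO so a single host's policy cannot be quietly changed.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable | Out-Null

# 2. Raise the Security log ceiling to 1 GiB. This only delays wrap-around, so
#    forward events to a collector as well (Windows Event Forwarding or a SIEM).
wevtutil sl Security /ms:1073741824

# 3. Resolve the vendor group to sAMAccountNames (nested groups included).
$vendorGroup = 'Vendor-Remote-Access'
$vendorUsers = Get-ADGroupMember -Identity $vendorGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

# 4. Read fields from the event XML rather than the localized message text.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $data = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

$logonTypes = @{ '2' = 'Interactive'; '3' = 'Network'; '7' = 'Unlock'; '10' = 'RemoteInteractive' }
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }

$report = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d    = ConvertFrom-EventData $_
    $user = [string]$d['TargetUserName']
    if ($vendorUsers -contains $user.ToLowerInvariant()) {
        $type = [string]$d['LogonType']
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Result    = $(if ($_.Id -eq 4624) { 'Success' } else { 'Failure' })
            Account   = "$($d['TargetDomainName'])\$user"
            LogonType = $(if ($logonTypes.ContainsKey($type)) { $logonTypes[$type] } else { $type })
            SourceIP  = $d['IpAddress']
            Host      = $env:COMPUTERNAME
        }
    }
}

$report | Sort-Object Time | Format-Table -AutoSize
```

Run it on each server vendors can reach (or point Get-WinEvent at a collector with -ComputerName); a burst of 4625 failures for one vendor account, or a 4624 with LogonType RemoteInteractive from an unexpected source address, is exactly the kind of record the audit policy exists to capture.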

Building on Active Directory auditing

Another option is software that builds on Microsoft's own auditing. Such tools add intelligence about what is happening in Active Directory and Group Policy: Group Policy monitoring reports in detail on changes to audit policy settings and other modifications, which matters because anyone who can edit the audit policy can also switch the logging off. Other Active Directory auditing tools help locate insider threats, monitor user logons, build audit reports, and apply user-behavior analytics, baselining each account's usual hosts, source addresses and working hours and flagging departures from that baseline. Machine learning, often run in the cloud because of the volume of event data involved, can do this baselining at scale. All of this helps IT admins understand how vendors behave on the network and spot unusual activity or risk indicators. Some tools offer more detailed vendor monitoring and finer-grained auditing than others, but the upshot is this: auditing Active Directory changes and logons, and monitoring Group Policy changes, reduces the risk of privilege abuse by vendors, supports compliance evidence, and speeds up troubleshooting when needed. Once again, though, these tools only help on networks that use Active Directory for most of their authentication and authorization.
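As an added example (not code from the original post or from any auditing product), the script below shows the two checks such tools build on: comparing each vendor logon against a per-account baseline of known source addresses, target hosts and working hours, and watching the Security log for changes to the audit policy and to privileged groups. The baseline, account names and logon records are constructed for the example; only the second function reads a real event log.

```powershell
# Added example, not code from the original post or from any auditing product.
# (a) Baseline comparison for vendor logons; (b) audit-policy and privileged
# group change detection. Baseline and logon records below are constructed.

function Get-VendorLogonAnomalies {
    param(
        [Parameter(Mandatory)] [object[]]  $Logons,    # objects with Time, Account, Host, SourceIP
        [Parameter(Mandatory)] [hashtable] $Baseline,  # Account -> @{ IPs = @(); Hosts = @() }
        [int] $WorkStart = 7,                          # local hour, inclusive
        [int] $WorkEnd   = 19                          # local hour, exclusive
    )
    foreach ($l in $Logons) {
        $reasons = @()
        $b = $Baseline[$l.Account]
        if ($null -eq $b) {
            $reasons += 'account has no baseline (new or unapproved vendor account)'
        } else {
            if ($b.IPs   -notcontains $l.SourceIP) { $reasons += "new source address $($l.SourceIP)" }
            if ($b.Hosts -notcontains $l.Host)     { $reasons += "first logon to $($l.Host)" }
        }
        $hour = ([datetime]$l.Time).Hour
        if ($hour -lt $WorkStart -or $hour -ge $WorkEnd) { $reasons += 'outside working hours' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time = $l.Time; Account = $l.Account; Host = $l.Host
                SourceIP = $l.SourceIP; Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Audit-policy changes (4719) and additions to security-enabled groups
# (4728 global, 4732 local, 4756 universal) are reviewed first: whoever can
# edit the audit policy can stop the logon trail from being written at all.
function Get-AuditPolicyChanges {
    param([datetime] $Since = (Get-Date).AddDays(-7))
    $filter = @{ LogName = 'Security'; Id = 4719, 4728, 4732, 4756; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

# --- Constructed sample data (hypothetical accounts and addresses) ------------
$baseline = @{
    'CORP\vnd-acme-jsmith' = @{ IPs = @('203.0.113.10'); Hosts = @('JUMP01') }
    'CORP\vnd-acme-rlee'   = @{ IPs = @('203.0.113.11'); Hosts = @('JUMP01') }
}
$logons = @(
    [pscustomobject]@{ Time = '2024-03-04 10:15'; Account = 'CORP\vnd-acme-jsmith'; Host = 'JUMP01'; SourceIP = '203.0.113.10' }  # normal
    [pscustomobject]@{ Time = '2024-03-04 02:40'; Account = 'CORP\vnd-acme-jsmith'; Host = 'SQL01';  SourceIP = '198.51.100.7' }  # new IP, new host, off hours
    [pscustomobject]@{ Time = '2024-03-04 14:05'; Account = 'CORP\vnd-acme-xwong'; Host = 'JUMP01'; SourceIP = '203.0.113.12' }  # no baseline
)

Get-VendorLogonAnomalies -Logons $logons -Baseline $baseline | Format-Table -AutoSize
Get-AuditPolicyChanges | Format-Table -AutoSize
```

With the sample data, the first logon is silent, the second is reported with three reasons, and the third is reported because the account has never been approved. In practice the baseline is built from the 4624 history of each vendor account, and every new source address or host a vendor reaches is either added to the baseline after review or escalated.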

PAM and VPAM

When a user with high-level permissions requests (and gets) access to critical systems, that account becomes a more valuable target for attackers because of the permissions embedded in privileged (administrative) accounts. Managing privileged access is therefore of paramount importance. The tools presented earlier are adequate for low-level or average vendor users such as desktop support reps, but privileged accounts warrant an additional layer of security. It should include auditing, tracking, and account management features while also restricting access (not letting vendors go anywhere they want on the network), and it should support multiple platforms, since many servers run non-Windows operating systems and may not authenticate against AD. Enter Privileged Access Management (PAM).

A hallmark of PAM is its credential storage (password management) system, which helps prevent credential theft and mismanagement. Credentials are stored in a "vault"; privileged users authenticate to the PAM tool, which brokers access to the target system and logs the request. Centralized storage also allows credentials to be reset after each use, so a password captured during one session is useless for the next, and it yields more detailed auditing. Vendor users never see the actual credential, so it cannot be shared or recorded insecurely (sticky notes on monitors or scrawls on whiteboards).

Auditing and monitoring is a major element of PAM. Every use of a privileged credential can be logged as a session, and a complete report can be generated with the vendor name, session start time, duration, and what was done. This activity monitoring shows that privileged credentials are being used properly and that vendor behavior is not exposing the network to harm.

Vendor privileged access management (VPAM) goes further, to account for situations and risks specific to remote vendor access. Since IT admins may not know the identity of every third-party technician accessing the network, the solution must support proper onboarding and off-boarding protocols. Workflows must support approvals for account creation and for individual sessions in an automated, efficient manner, and IT managers must be able to identify and authenticate individual users through strong methods that tie them to active, approved vendor accounts. Access should also be time-bound and scoped to the systems the job requires, so a vendor account does not outlive the engagement. A truly robust VPAM solution monitors vendor activity at all times while supporting video recording and keystroke logging. Network managers cannot control the security practices of their vendor partners; they can only protect against risky behavior, so detailed tracking and auditing is a key element of protecting against unauthorized network use.
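The script below is an added example, not code from the original post or from any VPAM product. It illustrates, with native Active Directory controls, the onboarding and off-boarding cycle described above: a per-technician vendor account that is created only with a named approver, restricted to named hosts, expires on its own, and is rotated and disabled on exit, with each grant and revocation written to a log. It assumes (hypothetically) an OU "OU=Vendors,DC=corp,DC=example", a group "Vendor-Remote-Access" that the jump hosts' access rules reference, a log path under C:\ProgramData, and that the forest has the AD "Privileged Access Management Feature" enabled, which -MemberTimeToLive requires.

```powershell
# Added example, not code from the original post or from any VPAM product.
# Time-bound, host-scoped vendor accounts with native AD controls.
# Assumptions (hypothetical): OU "OU=Vendors,DC=corp,DC=example", group
# "Vendor-Remote-Access" referenced by jump-host access rules, and the AD
# "Privileged Access Management Feature" enabled in the forest (needed for
# -MemberTimeToLive). Requires the RSAT ActiveDirectory module.

#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$VendorOU    = 'OU=Vendors,DC=corp,DC=example'
$VendorGroup = 'Vendor-Remote-Access'
$GrantLog    = 'C:\ProgramData\VendorAccess\grants.jsonl'

# 64-character alphabet so (byte % 64) has no modulo bias; the CSPRNG call
# works on .NET Framework (Windows PowerShell) and .NET Core (PowerShell 7).
function New-RandomPassword {
    param([int] $Length = 24)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function Write-GrantRecord([hashtable] $Record) {
    $Record['Timestamp'] = (Get-Date).ToString('o')
    New-Item -ItemType Directory -Force -Path (Split-Path $GrantLog) | Out-Null
    Add-Content -Path $GrantLog -Value ($Record | ConvertTo-Json -Compress)
}

function New-VendorAccess {
    param(
        [Parameter(Mandatory)] [string]   $Vendor,        # e.g. 'acme'
        [Parameter(Mandatory)] [string]   $Technician,    # e.g. 'jsmith'
        [Parameter(Mandatory)] [string[]] $AllowedHosts,  # NetBIOS names, e.g. 'JUMP01'
        [Parameter(Mandatory)] [string]   $ApprovedBy,    # no approver, no account
        [int] $Hours = 8
    )
    $sam     = "vnd-$Vendor-$Technician"
    $expires = (Get-Date).AddHours($Hours)
    $secret  = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force

    New-ADUser -Name $sam -SamAccountName $sam -Path $VendorOU -Enabled $true `
        -AccountPassword $secret -AccountExpirationDate $expires `
        -Description "Vendor $Vendor / $Technician; approved by $ApprovedBy"
    # Restrict interactive logon to the named hosts (the userWorkstations attribute).
    Set-ADUser -Identity $sam -LogonWorkstations ($AllowedHosts -join ',')
    # Group membership that AD removes by itself when the TTL runs out.
    Add-ADGroupMember -Identity $VendorGroup -Members $sam -MemberTimeToLive (New-TimeSpan -Hours $Hours)

    Write-GrantRecord @{ Event = 'grant'; Account = $sam; Vendor = $Vendor; Hosts = $AllowedHosts
                         ApprovedBy = $ApprovedBy; Expires = $expires.ToString('o') }
    # The secret goes to the vault or session broker, never to the log and,
    # with a PAM tool in front of the session, never to the vendor either.
    [pscustomobject]@{ Account = $sam; Expires = $expires; Secret = $secret }
}

function Remove-VendorAccess {
    param([Parameter(Mandatory)] [string] $Account, [string] $Reason = 'work complete')
    # Rotate before disabling: any cached or shared copy of the old password
    # stops working at once, whatever the replication state of the disable flag.
    Set-ADAccountPassword -Identity $Account -Reset `
        -NewPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
    Disable-ADAccount -Identity $Account
    Remove-ADGroupMember -Identity $VendorGroup -Members $Account -Confirm:$false
    # Live sessions survive a disable; end them on the allowed hosts with
    #   logoff <session id> /server:<host>   (ids from: quser /server:<host>)
    Write-GrantRecord @{ Event = 'revoke'; Account = $Account; Reason = $Reason }
}

# Usage (hypothetical values):
#   $g = New-VendorAccess -Vendor acme -Technician jsmith -AllowedHosts JUMP01 -ApprovedBy 'CHG-1234 / it-mgr' -Hours 4
#   Remove-VendorAccess -Account $g.Account
```

Two design points carry over to a real VPAM deployment: the account expiry and the group TTL mean that forgetting to off-board does not leave access open, and the password is rotated before the account is disabled so that a credential copied during the engagement is dead even if the disable has not yet replicated to every domain controller.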

The takeaway

In Part 1 of this blog post, we saw that some organizations don't know what their vendors are doing on their network, because the software they use for remote access doesn't include the degree of user monitoring they need. The good news in Part 2 is that there are tools and methods with more advanced options for vendor auditing, tracking, and account management, such as Active Directory auditing and the tools built on that foundation. However, Active Directory auditing and related tools don't address vendors getting too much access to an organization's network; they only record that activity after the fact. Without limiting the areas of access in a controlled, logical manner, you may be closing the door after your data "horse" has left the server "barn." Fortunately, PAM and VPAM methods can solve this problem, giving IT admins granular control over vendor access to the network along with detailed monitoring, auditing, logging, and reporting for the valuable privileged accounts that vendors use.

One solution to rule them all

You may wonder whether there is a platform that addresses vendor-caused network vulnerabilities by applying all the smartest features and policies of vendor privileged access management in one place: a solution that combines detailed auditing and monitoring with granular control over vendor network access. Our platform gives organizations a single place to manage all of their vendors with a greater degree of control. Admins always know who is logging onto their network and what they are viewing, because the platform includes advanced vendor monitoring features such as HD audit and keystroke logs. For many organizations, this detailed vendor monitoring, plus the ability to restrict access to limited, isolated areas of the network (rather than opening the whole enchilada), is an unbeatable (and far less vulnerable) combination.