Protect your business against threats originating at vendors’ ends

August 9, 2021

For many organizations today, working with third-party vendors for non-critical or specialized functions is essential to achieve strategic goals, increase efficiency, reduce costs, or accelerate growth. However, the rise in outsourcing and surge in third-party providers have increased the threat landscape. As such, supply chain vulnerabilities are proving to be an Achilles’ heel in the overall ecosystem.

Risks associated with vendor access:

Malicious forces typically try to take advantage of the trust a business has placed in its third-party vendors and target a weak point in the supply chain.

Some common security concerns around vendor access are as follows:

  • Exploitation of privileged access – Vendor users are often given privileged access because they work on critical functions, but poorly managed privileged access poses serious security risks for organizations.
  • Breach of data privacy-related regulations – Data protection and privacy regulations that an enterprise works with, extend to its vendors too. So, working with multiple vendors increases the risk of non-compliance significantly.
  • Identity-related cyberattacks – Malicious forces targeting a business often go after the identities of vendor users. They steal vendor user credentials and use them to connect to the corporate networks, posing as legitimate users.
  • Leakage of intellectual property and critical data – Vendor users may inadvertently download or copy critical corporate data and intellectual property to their own systems, which may leak and end up in the hands of malicious forces.

Insider attacks, credential sharing, and unauthorized access by fourth-party vendors (a vendor’s vendor) are also among the security concerns posed by vendors.

Despite these concerns, the dependency on third-party vendors is projected to increase in the foreseeable future, given the financial and productivity benefits. Therefore, organizations must revisit their third-party control and monitoring strategies in keeping with the ever-evolving challenges. They must ensure that their vendors operate in compliance with all regulatory guidelines, that critical business data and proprietary information are secured, and that the reputational damage a breach would cause is prevented.

Best practices to secure vendor access:

Enterprises should be proactive and make concerted efforts to fix vulnerabilities to mitigate the risks posed by vendor access. Here are some of the best practices that organizations can adopt to keep security issues related to vendor access at bay.

  1. Convert endpoints into dummy access terminals
    Never allow corporate data to enter endpoint terminals of vendors. Virtualize desktops and applications and provide remote access to vendors. By doing so, vendor endpoints are converted from execution platforms to dummy access terminals with no critical data.
     
  2. Enforce zero-trust at the device level
    Trust no resource at any time and assume every user or device trying to enter the network is a potential threat. Treat every access request individually, leaving no scope for any lateral movement of an end-device or end-user within the network. Secure, manage and monitor every device, app, and network used to access business data.
     
  3. Secure user identities
    Go beyond conventional password-based authentication. Implement strict multi-factor authentication and use two or more identifying credentials like biometrics, OTPs, or push notifications to carry out the authentication process. This strategy provides strong protection to user identities and an added layer of security on top of conventional passwords.
     
  4. Define role-based access policies
    Provide access to corporate applications and data based on each vendor user’s role. Users shall be granted access only to those resources that are essential – nothing more, nothing less – to perform their duties.
     
  5. Provide contextual access
    Each access request has to be evaluated based on multiple factors like the device used, the security posture of the device, geolocation, data sensitivity levels, time, etc. Based on the evaluation, access shall be denied or granted with appropriate rights and privileges.
     
  6. Implement data leakage prevention
    Enterprises should be able to control user activities like copy-pasting, data downloading, taking screenshots, or screen recording. There should not be any room for intentional or unintentional data leakage from any of the user endpoints.
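Practices 4 and 5 above, role-based access and contextual access, combined into one decision routine for a vendor access request. This is an added example, not code from the original article; the roles, resources, sensitivity levels, allowed countries, business hours and posture fields are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role policy (not from the article): role -> resource -> maximum rights.
ROLE_POLICY = {
    "billing-vendor": {"invoices": {"read", "write"}, "payroll": {"read"}},
    "support-vendor": {"tickets": {"read", "write"}, "invoices": {"read"}},
}
# Constructed sensitivity levels; level 3 is only reachable with full device posture.
SENSITIVITY = {"tickets": 1, "invoices": 2, "payroll": 3}
ALLOWED_COUNTRIES = {"IN", "US"}
BUSINESS_HOURS_UTC = range(8, 20)

@dataclass
class AccessRequest:
    role: str
    resource: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    country: str
    when: datetime  # timezone-aware

def evaluate(req: AccessRequest) -> tuple[str, set[str], str]:
    """Return (decision, granted_rights, reason) for one vendor access request."""
    # 1. Role-based ceiling: a role never receives rights outside its policy.
    max_rights = ROLE_POLICY.get(req.role, {}).get(req.resource, set())
    if not max_rights:
        return "deny", set(), "resource not in role policy"
    # 2. Hard context gates: every request is checked on its own, nothing is inherited.
    if not req.mfa_verified:
        return "deny", set(), "multi-factor authentication required"
    if not req.device_managed:
        return "deny", set(), "unmanaged device"
    if req.country not in ALLOWED_COUNTRIES:
        return "deny", set(), f"geolocation {req.country} not permitted"
    # 3. Soft context: a weaker posture narrows the rights instead of denying outright.
    degraded = []
    if not req.device_patched:
        degraded.append("unpatched device")
    if req.when.astimezone(timezone.utc).hour not in BUSINESS_HOURS_UTC:
        degraded.append("outside business hours")
    if degraded and SENSITIVITY.get(req.resource, 3) >= 3:
        return "deny", set(), "sensitive resource requires full posture: " + ", ".join(degraded)
    rights = set(max_rights)
    if degraded:
        rights.discard("write")  # degrade to read-only
        return "allow", rights, "read-only: " + ", ".join(degraded)
    return "allow", rights, "full role rights"
```

The same request therefore yields full rights during business hours on a patched managed device, read-only rights when the posture is weaker, and a denial when a hard gate fails or a high-sensitivity resource is requested from a degraded context.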
