Defense in Depth Is Necessary, But Not Sufficient: Five Best Practices for Managing and Controlling Third-Party Risk

Posted on by RSAC Contributor

This post was written by Mordecai Rosen, General Manager, Security, CA Technologies.

If data breaches such as those experienced by Home Depot, Target and Anthem taught us anything, it is that defense in depth needs a boost to include defense in breadth.

Nearly two-thirds of companies extensively or significantly use third-party solutions in their organizations. Relying on a partner’s security and on its employees to exercise good security practices is a recipe for disaster. Even if partners meet mandates such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA), compliance is no guarantee: companies that have been deemed compliant have been breached.

Standards bodies have recognized this. Version 3.0 of the PCI DSS introduced new controls aimed at addressing these third-party risks. And it’s not just efforts by the PCI or Congress; other groups see the need to address these concerns. In 2015, former New York State Superintendent of Financial Services Benjamin Lawsky noted:

“A bank’s cybersecurity is often only as good as the cybersecurity of its vendors. Unfortunately, those third-party firms can provide a backdoor entrance to hackers who are seeking to steal sensitive bank customer data.”

In 2015, according to the Risk Management Association, 35 percent of vendor risk management programs in the financial industry were fully mature, compared to zero percent in 2014. This tells us that the need and the awareness are there, although not yet at the level they need to be. In many industries, the time is now to go beyond the customary level of compliance and consider how this affects organizational operations from a security and risk perspective. Solutions such as identity and access management (IAM) and privileged access management (PAM) help establish a new level of control that mitigates risk and introduces order within the network.

It is important that organizations have a better understanding of the various approaches to third-party risk management and access. Here are some best practices to consider when controlling third-party risks: 

1. Implement Supporting Processes and Controls

Security needs a seat at the table when negotiating terms with third parties; your security is only as strong as your weakest link. This requires:

  • Performing external security and risk assessments;
  • Ensuring compliance with mandates;
  • Ensuring control is part of the contracting process and language;
  • Interacting and engaging across the organization; and
  • Including essential elements such as third-party warranties and provisions for validating compliance.

2. Enable Positive User Identification and Authentication

By implementing a process to positively identify users, administrators can:

  • Take control of the credentials used to access their systems;
  • Apply multifactor authentication;
  • Control shared accounts;
  • Enhance the onboarding and offboarding process; and
  • Use background checks and identity proofing.

3. Separate Authentication from Access Control

With the “zero trust” approach, a typical network is well segmented and attackers can’t gain broad access to resources. Physical or logical segmentation helps to:

  • Limit access;
  • Prevent lateral movement; and
  • Identify and block unauthorized remote access tools.

4. Prevent Unauthorized Commands—And Inadvertent Mistakes—That Threaten Your Network

Networks have enough challenges without additional, unnecessary factors to consider. Administrators should consider:

  • Establishing primary controls, which apply the rights and permissions granted to the user;
  • Implementing more refined controls through command filters;
  • Enabling safe use of shared administrative accounts; and
  • Customizing responses to alerts, such as termination of a session or disablement of a user’s account.
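The layering described in this section (a primary role check, a finer-grained command filter over a shared administrative account, and an automated response when the filter trips) can be modelled as a small policy engine. The following is an added illustration written for this post, not code from the original article or from any CA Technologies product; the vendor role, account name, command patterns and three-strike threshold are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
# Constructed example: the role check is the "primary control", the regex lists are the refined command filter, and max_violations drives the customized response.
@dataclass
class AccessPolicy:
    allowed_roles: set
    allowed_commands: list      # fullmatch patterns that are permitted
    denied_commands: list       # search patterns that are blocked regardless
    max_violations: int = 3     # blocked commands tolerated before termination

@dataclass
class Session:
    shared_account: str
    real_user: str              # individual behind the shared account
    role: str
    violations: int = 0
    terminated: bool = False
    audit: list = field(default_factory=list)

def evaluate_command(policy, session, command):
    if session.terminated:
        action = "terminate"
    elif session.role not in policy.allowed_roles:
        action = "block"            # primary control failed
    elif any(re.search(p, command) for p in policy.denied_commands):
        action = "block"            # explicitly dangerous, even if otherwise allowed
    elif not any(re.fullmatch(p, command) for p in policy.allowed_commands):
        action = "block"            # not on the allow-list
    else:
        action = "allow"
    if action == "block":
        session.violations += 1
        if session.violations >= policy.max_violations:
            session.terminated = True
            action = "terminate"    # customized response: end the session
    # Shared-account activity stays attributed to the real user for review.
    session.audit.append((session.real_user, session.shared_account, command, action))
    return action

# Hypothetical policy: an HVAC vendor may only inspect and restart its own agent.
VENDOR_POLICY = AccessPolicy(
    allowed_roles={"hvac-vendor"},
    allowed_commands=[r"systemctl (status|restart) hvac-agent", r"tail -n \d+ /var/log/hvac/[\w.-]+"],
    denied_commands=[r"\brm\s+-\w*r", r"\b(shutdown|reboot)\b"],
)

def run_session(commands, real_user="vendor-tech-01", role="hvac-vendor"):
    # Feed constructed commands through the policy and return the action taken for each.
    session = Session("svc-hvac-admin", real_user, role)
    return [evaluate_command(VENDOR_POLICY, session, c) for c in commands]
```

The deny patterns fire before the allow-list, so a recursive delete inside the vendor's own log directory is still blocked; that is the "inadvertent mistakes" case from the heading.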

5. Establish Monitoring Procedures

It is important to implement a basic, but essential, level and scope of security that is driven by risk management. As mandates such as PCI DSS are implemented, monitoring and a greater level of control become more critical. Control helps reduce risk and instills a sense of transparency by enabling efficient, secure operations. Moreover, we see a cultural shift within organizations from just IT security to a more holistic IT management approach. Greater control can be applied in the following ways:

  • Basic logging of activity;
  • Session recording;
  • “Over the shoulder” and two-party access; and
  • Behavioral monitoring.
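Basic logging, two-party access and behavioral monitoring come together when session records are checked against a per-vendor profile. The code below is an added example for this post, not from the original article or any vendor product: the key=value log lines, the account profile (two-party requirement, approved hours, expected source network) and the finding names are all constructed for illustration.

```python
import ipaddress
from datetime import datetime, timezone
# Constructed PAM session log lines (key=value), not from any real product.
LOG_LINES = """\
2015-06-03T09:14:07Z event=session_start account=svc-hvac-admin user=vendor-tech-01 src=203.0.113.10 approver=ops-lee
2015-06-03T09:16:32Z event=session_end account=svc-hvac-admin user=vendor-tech-01 src=203.0.113.10 approver=ops-lee
2015-06-04T02:41:55Z event=session_start account=svc-hvac-admin user=vendor-tech-01 src=203.0.113.10 approver=-
2015-06-04T11:05:10Z event=session_start account=svc-hvac-admin user=vendor-tech-02 src=198.51.100.7 approver=ops-lee
""".splitlines()

# Hypothetical monitoring profile agreed with the vendor during contracting.
PROFILE = {
    "svc-hvac-admin": {
        "two_party": True,                        # a second person must approve each session
        "hours": (8, 18),                         # approved UTC window, [start, end)
        "networks": [ipaddress.ip_network("203.0.113.0/24")],
    }
}

def parse_line(line):
    # Split "<timestamp> k=v k=v ..." into a dict with an aware datetime.
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def check_session_start(rec, profile):
    # Return the findings for one session_start record against the account profile.
    findings = []
    p = profile[rec["account"]]
    if p["two_party"] and rec.get("approver", "-") == "-":
        findings.append("no_second_party_approval")
    start, end = p["hours"]
    if not start <= rec["ts"].hour < end:
        findings.append("outside_approved_hours")       # behavioral deviation
    src = ipaddress.ip_address(rec["src"])
    if not any(src in net for net in p["networks"]):
        findings.append("unexpected_source_network")    # behavioral deviation
    return findings

def monitor(lines, profile=PROFILE):
    # Return (timestamp, user, findings) for every session_start that violates the profile.
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec["event"] != "session_start":
            continue
        findings = check_session_start(rec, profile)
        if findings:
            alerts.append((rec["ts"].isoformat(), rec["user"], findings))
    return alerts
```

Each alert carries the individual behind the shared account, so the response (a call to the approver, or disabling that user as in the previous section) can be targeted rather than cutting off the whole vendor.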

In the end, controlling and managing third-party access to your networks and systems is an important requirement from both a security and compliance perspective. We’ve found that even trusted partners and vendors could be the weakest link in the security chain and it’s critical to define and implement methods that help protect a business from security vulnerabilities.

Today, we offered five best practices that an organization should consider when managing third-party risks. It’s up to each organization to initiate the conversation to change their security culture; however, a sense of urgency to strengthen security layers should impel them to act quickly, both in the private and public sectors.
