November 2018

Sharing Privileged Accounts With Third Parties

Andy Harris

In this article, we’ll look at the customer, MSP and contractor sides of this issue. Outsourcing work to a third party is a frequent occurrence. It’s done for many business reasons:

  • It’s not the customer’s core business
  • The system vendor needs to perform diagnostic work or upgrades
  • The third party has a specialisation or particular efficiency for the type of work
  • To take advantage of cloud infrastructure and applications
  • To save on costs
  • The customer perceives that the outsourcer will be more secure than their own IT department

The customer may be confident of the security of their own corporate account access. But how can they see into the security of the outsourcer, and how can the outsourcer demonstrate that they have the levels of security that will win them business?

Legal fees, brand damage, industry fines and customer churn that often follow a data breach can be avoided if firms take a more proactive stance on auditing the security of their partners. Here are some of the issues that arise:

  • What happens if / when an outsourcer outsources?
    When it comes to Privileged Accounts, the customer knows that handing over credentials to Privileged Accounts results in a loss of control. If the credentials handed over are passed on to someone further down the supply line, control becomes both challenging and a concern to the customer. As an outsourcer, if you ask your customer for generic accounts (provider1, provider2, etc.), this is a break in the chain of identity. Now you have the extra work of being able to track who did what on your customer’s systems. With a PAM solution that delivers an ID IN – ROLE OUT platform, not only do you have the audit trail, but you have it available as a report to your customer. This is a real mutual confidence builder.
  • Outsourcers outsource, and the more the steps in the supply chain, the less the guarantee of digital hygiene.
    Customers will know that outsourcers use other specialist companies and contractors. It’s part of the value proposition. The trouble is, the further the work is from the customer’s systems, the less accountable it becomes. This is because a specialist contractor may be working across many systems at a Managed Services Provider. Here’s where the identity mapping and access audits help again. It’s also important to remember that as an MSP you must protect digital hygiene and guard against data breaches through subcontractors. You’ll also be aware that many breaches occur this way. Using a PAM product that separates people from passwords by providing pre-authenticated sessions means that your subcontractors aren’t arriving at your systems using VPNs. This means there is no chance of lateral movement within your infrastructure, and that means that customer data is protected.
  • How does a customer best manage contractors and MSPs who share roles or access to the same systems?
    This is a frequent scenario, especially where credentials are shared for quick convenience. The customer might be confident that their policies are watertight, but will be nervous about account sharing. The MSP’s system administrators may act responsibly, but what about other users such as contractors who have access to privileged accounts? This is where opening up PAM systems to use multiple identity and authentication services helps. The key to both customer and MSP security is that the identity chain is not broken. Of course, the linkage between people and privileged credentials has to be brokered on a policy basis by the PAM system. This means there are no shared passwords in the first place. There is a degree of protection for everyone involved: the customer, MSP and contractor. This is because there is an irrefutable audit of who did what to which systems. This helps with best practice and human error, and it’s a great deterrent against data breaches.
  • How do both customer and MSP ensure best practice is followed?
    Even if staff are trained to follow best practice, it can be difficult to verify whether these policies are being followed faithfully. Run books or OpSheets (operations sheets) are a goldmine for hackers as they often contain privileged credentials for key client systems. Such is the sensitivity surrounding run books that some firms even go so far as to take them offline completely and store them as physical copies in secure operations centres. Run books represent risky data; PAM solutions solve the credential side of the problem. Privileged Task Automation is the dream tool for MSPs. It locks in best practice and almost eliminates human error by predefining and sanitising inputs. For changes to simple devices such as switches, it can take configuration backups before and after each operation, allowing for easy rollback. From the MSP viewpoint it’s all about getting more work done with fewer people. This is a competitive advantage that can be passed on to the customer.

There’s an interesting dichotomy that exists when a customer takes on an outsourcer. Essentially, the outsourcer or MSP will want the customer to adopt changes and practices that best suit their workflow. This will allow the MSP to service the customer at the least cost and maximum profit. Equally, the customer will be thinking that they need to have choice and room to negotiate at the end of the contract.

There’ll be issues around Active Directory, and how much access and change the MSP is expected to have. Here, it can be useful to place a PAM solution on the customer’s network so that it is directly connected to their AD. In the PxM Platform there are Shadow Authentication Services for the MSP. This means they can run their own PAM without direct access to a customer AD, but still be able to manage the privileged credentials that they need across multiple customer systems.

For the MSP, a good PAM solution is again of help. Look for good onboarding and offboarding facilities. What a comfort for both the MSP and customer to know that all privileged credentials can be reset to a known state and then refreshed to long, strong, high-entropy (i.e. brute-force-resistant) values. There is no chance that the MSP can be accused of retaining access to customer systems, or even of creating unnecessary friction at the end of a contract. For the MSP it becomes cheaper to say “hello” and “goodbye” to customers.
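To make the ID IN – ROLE OUT brokering from the bullets above and the offboarding reset just described concrete, here is a small illustrative broker written for this article (it is not PxM Platform code). Identities, customer names and the initial role password are constructed sample values; the policy, audit and vault structures are assumptions about how such a broker could be laid out.

```python
"""Toy ID IN / ROLE OUT broker: a named person (ID IN) is mapped by policy to a
role account (ROLE OUT) on a customer system. The role password stays inside
the broker's vault, every session is logged against the real identity, and
offboarding rotates all of a customer's role credentials to fresh high-entropy
values and revokes the matching policy grants. Sample data is constructed."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Broker:
    vault: dict = field(default_factory=dict)   # (customer, role) -> password
    policy: dict = field(default_factory=dict)  # identity -> {(customer, role)}
    audit: list = field(default_factory=list)   # (event, identity, customer, role, ...)

    def grant(self, identity, customer, role):
        """Policy entry: this named person may assume this role at this customer."""
        self.policy.setdefault(identity, set()).add((customer, role))

    def open_session(self, identity, customer, role):
        """Return a session handle if policy allows. The role password is used by
        the broker to pre-authenticate the session and is never handed to the caller."""
        if (customer, role) not in self.policy.get(identity, set()):
            self.audit.append(("DENY", identity, customer, role))
            raise PermissionError(f"{identity} may not use {role}@{customer}")
        session = secrets.token_hex(8)
        self.audit.append(("OPEN", identity, customer, role, session))
        return session

    def report(self, customer):
        """Per-customer audit report: which named person used which role."""
        return [event for event in self.audit if event[2] == customer]

    def offboard(self, customer):
        """End of contract: rotate every role credential for the customer to a
        fresh high-entropy value and drop all policy grants for that customer."""
        rotated = 0
        for key in list(self.vault):
            if key[0] == customer:
                self.vault[key] = secrets.token_urlsafe(32)  # 256 bits of entropy
                rotated += 1
        for identity, grants in self.policy.items():
            self.policy[identity] = {g for g in grants if g[0] != customer}
        return rotated
```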

So there you are. Using our PxM Platform can provide both customer and MSP value at the same time. It can lead to better relationships between customers and suppliers throughout the chain and provides a great buffer for lapses in digital hygiene.