Business partners, outsourcers, service providers or consultants: companies regularly make use of outside resources to handle business functions. In today's 24/7, always-online business environment, these outside resources are often granted access to internal IT, whether minimal access through an externally reachable email account, through a vendor portal, or via a VPN tunnel. Such access granted to outsiders effectively extends an organization's security "attack surface." How well is that external access managed, audited, and maintained?
An analysis of the costly Target breach indicates that an external vendor's credentials were likely stolen and abused in the initial stage of the attack. The vendor in question, an HVAC contractor, would seem a low-risk candidate for an IT intrusion. However, a determined attacker can often leverage seemingly innocuous access into successively higher levels of access, and that appears to have been the case here.
Some regulations explicitly address external access to an entity's data. The US Health Insurance Portability and Accountability Act (HIPAA), for example, terms these external relationships with a "covered entity" "business associates," and extends the Privacy Rule's data protection and breach notification requirements to those business associates.
Access to internal systems by outside partners is undoubtedly necessary to conduct business efficiently. So how should these IT connections with external partners be controlled?
Harden access: Require strong authentication for any access to internal systems, and strictly limit the information available to the outsider. Two-factor authentication, such as a token combined with a password, is the recommended baseline for external access.
Isolate access: Cordon off externally accessed systems and networks from the rest of the internal network with internal firewalls, much as a network DMZ isolates public-facing servers. Log and review the traffic that crosses those internal firewalls to reach the externally accessed systems.
Log and audit: Maintain and review logs of external access. Unexpected access may turn out to be a false alarm, but check and verify it rather than assume.
Regularly review: Business partners come and go, and their IT needs change over time. Restrict or revoke access as soon as it is no longer needed.
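The "log and audit" and "regularly review" steps are the ones that can be automated against a registry of approved partners. The Python script below is an added example, not code from the original post: it reviews constructed VPN/portal log lines against a hypothetical registry of vendor accounts and flags access from unapproved networks, access to systems outside the vendor's isolated segment, access outside agreed hours, access after a contract has lapsed, unregistered accounts, and repeated failed logins. The log format, vendor names, networks and hosts are all assumptions made for the example.

```python
from collections import Counter
from datetime import datetime, time
import ipaddress

# Constructed registry of approved external partners (hypothetical data).
# In practice this would come from the identity provider or contract system.
VENDOR_REGISTRY = {
    "hvac-contractor": {
        "accounts": {"svc-hvac", "jdoe-hvac"},
        "allowed_sources": [ipaddress.ip_network("203.0.113.0/24")],
        "allowed_systems": {"bms-01"},              # building-management host only
        "allowed_hours": (time(7, 0), time(19, 0)),
        "contract_end": datetime(2024, 6, 30),
    },
    "payroll-provider": {
        "accounts": {"svc-payroll"},
        "allowed_sources": [ipaddress.ip_network("198.51.100.0/24")],
        "allowed_systems": {"hr-db-01"},
        "allowed_hours": (time(0, 0), time(23, 59, 59)),  # overnight batch jobs
        "contract_end": datetime(2023, 12, 31),           # lapsed, never revoked
    },
}
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample log lines: "<ISO timestamp> user=.. src=.. dst=.. result=.."
SAMPLE_LOG = """\
2024-05-02T08:15:22 user=svc-hvac src=203.0.113.10 dst=bms-01 result=success
2024-05-02T23:40:05 user=svc-hvac src=203.0.113.10 dst=bms-01 result=success
2024-05-03T09:02:11 user=jdoe-hvac src=198.18.0.7 dst=bms-01 result=success
2024-05-03T09:05:40 user=jdoe-hvac src=203.0.113.22 dst=pos-server-04 result=success
2024-05-03T10:00:00 user=svc-payroll src=198.51.100.5 dst=hr-db-01 result=success
2024-05-03T11:12:01 user=svc-legacy src=192.0.2.9 dst=fileshare-02 result=success
2024-05-03T12:00:01 user=svc-hvac src=192.0.2.50 dst=bms-01 result=failure
2024-05-03T12:00:04 user=svc-hvac src=192.0.2.50 dst=bms-01 result=failure
2024-05-03T12:00:09 user=svc-hvac src=192.0.2.50 dst=bms-01 result=failure
"""


def parse_line(line):
    """Parse one log line into a dict; return None if it is malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(parts[0])}
        for kv in parts[1:]:
            key, value = kv.split("=", 1)
            rec[key] = value
        rec["src"] = ipaddress.ip_address(rec["src"])
    except (ValueError, KeyError):
        return None
    if not all(k in rec for k in ("user", "dst", "result")):
        return None
    return rec


def lookup_vendor(account):
    """Map an account name to its vendor policy, or (None, None) if unregistered."""
    for name, policy in VENDOR_REGISTRY.items():
        if account in policy["accounts"]:
            return name, policy
    return None, None


def check_record(rec):
    """Return the list of policy findings for one parsed access record."""
    vendor, policy = lookup_vendor(rec["user"])
    if vendor is None:
        return ["unregistered external account"]
    findings = []
    if rec["ts"] > policy["contract_end"]:
        findings.append(f"access after contract end for {vendor}")
    if not any(rec["src"] in net for net in policy["allowed_sources"]):
        findings.append(f"source {rec['src']} not in approved networks for {vendor}")
    if rec["dst"] not in policy["allowed_systems"]:
        findings.append(f"reached {rec['dst']}, outside the segment approved for {vendor}")
    start, end = policy["allowed_hours"]
    if not start <= rec["ts"].time() <= end:
        findings.append(f"access outside approved hours for {vendor}")
    return findings


def audit(log_text):
    """Review every line; return ([(line, findings)], [repeated-failure alerts])."""
    flagged, failures = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            flagged.append((line, ["malformed log line"]))
            continue
        if rec["result"] == "failure":
            failures[(rec["user"], str(rec["src"]))] += 1
        findings = check_record(rec)
        if findings:
            flagged.append((line, findings))
    alerts = [f"{n} failed logins for {user} from {src}"
              for (user, src), n in failures.items() if n >= FAILED_LOGIN_THRESHOLD]
    return flagged, alerts


if __name__ == "__main__":
    flagged, alerts = audit(SAMPLE_LOG)
    for line, findings in flagged:
        print(line, "->", "; ".join(findings))
    for alert in alerts:
        print("ALERT:", alert)
```

Only the first sample line passes cleanly; the others each exercise one check, and the three failures from the same unapproved source trigger the repeated-failure alert. The lapsed payroll contract is the "regularly review" case: the account still works, so only the registry's end date surfaces it.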
What thoughts do you have regarding access to IT systems by external partners?