According to Deloitte, 80% of UK companies use contractors to a significant extent. Whilst there are considerable financial benefits to bringing in skills ‘on-demand’, organizations lose an element of control when it comes to ensuring that security best practices are adhered to.
Providing contractors with full access to the corporate network raises serious questions about how you ensure they comply with your security policies. Among them: how do you know the user can be trusted? How do you authenticate their identity? How do you ensure the devices they connect from are up to date?
Losing access control
The very nature of the work contractors are hired to do often requires access to the organization’s most sensitive and high value data. One of the biggest risks is that the organization loses control of all the systems and personnel accessing its data.
For example, at NHS Wales hackers gained access to IT systems belonging to the company handling data on behalf of the Trust, leading to stolen personal information as well as access to information on radiation doses. Organizations need to ensure that they have control over the access permitted to their contractors, just as much as for their own employees.
The VPN alone means risky business
Many organizations use a traditional VPN to give both employees and temporary contractors access to their network and all the data on it. A traditional VPN is designed to connect networks together securely; once the tunnel is established, the individual is given broad access to the network as a whole rather than to the one thing they came for.
Although this makes it easy for trusted employees to gain access to their company’s assets and applications, providing an ‘outsider’ with full network access (for sometimes just one application) can be dangerous and insufficiently granular to reflect actual job responsibilities. That kind of exposure is simply unnecessary.
Organizations often fail to scope permissions and access to their networks adequately - traditional implementations of VPNs compound this problem by simply interconnecting networks without more granular controls. Contractors are brought in to do one particular job, and therefore only need access to specific data or a particular application - so why give them keys to the whole castle?
Consequently, authenticating that a user is who they say they are is critical. However, this alone is not enough. Organizations should ensure that, in terms of network access and data, the contractor has exactly what they need to get the job done, nothing more, nothing less.
To be able to trust the users accessing their networks, organizations need to combine three approaches: personnel vetting; authentication and access control; and setting rules and expectations for the contractor. Depending on its risk tolerance, an organization may do more or less of each, but at a minimum these are the properties every organization wants some level of assurance on.
Per-application access policy
In order to protect against the misuse, loss, or theft of data, the best solution is to adopt per-application access controls. This adds a second level of assurance on top of an organization's authentication and security policies by allowing access only to the specific applications a user is authorized for, rather than letting them roam across the network. It also contains inadvertent exposure: a contractor whose device is carrying malicious software they are unaware of can, at worst, reach the applications that device is permitted to use, not everything on the network.
Limiting scope of access means organizations can control both damage and lateral movement through the network, limiting the risk of a more-damaging attack through access abuse, as well as lowering the severity of the result of a data breach if one does still occur.
Monitoring device hygiene at access time
Health checks that look for vulnerabilities and outdated software on any device used to reach an organization's applications are a vital part of maintaining effective security. The best approach is to check that the device is in good order at the moment it attempts to access the application it needs, rather than only when it was enrolled. This 'access time' check means a device that has since fallen out of compliance is caught on its next request, so a device that is allowed in is always 'healthy' at the point of access.
Organizations should set clear device standards that a device either meets or does not. A device that does not meet them is refused access to the application it is requesting until it does.
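The two controls above, a per-application allow list plus an access-time device posture check, combine naturally into one decision point. The following is an added example (not code from the original article or from any particular product) of how such a decision might be evaluated; the application names, the policy attributes, the user accounts and the device reports are all constructed sample data, and the posture attributes are an assumed set of things an agentless check could observe at request time.

```python
"""Per-application access decision with an access-time device check.

Added example; all policies, users and device reports are constructed
sample data, and the attribute names are assumptions, not a real product's.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Principal:
    user: str
    kind: str                            # "employee" or "contractor"
    mfa_verified: bool
    engagement_end: Optional[date] = None  # set for contractors


@dataclass(frozen=True)
class DevicePosture:
    """What the access broker observes about the device at request time (assumed set)."""
    os_patch_date: date
    disk_encrypted: bool
    browser_up_to_date: bool


@dataclass(frozen=True)
class AppPolicy:
    app: str
    allowed_users: frozenset
    require_mfa: bool
    max_patch_age_days: int
    require_disk_encryption: bool


# Constructed sample policies. Note the scope: each rule is attached to one
# application, not to "the network", so the decision is made per request.
POLICIES = {
    "timesheets": AppPolicy("timesheets", frozenset({"a.smith", "c.jones"}), True, 30, False),
    "finance-db": AppPolicy("finance-db", frozenset({"a.smith", "c.jones"}), True, 14, True),
    "hr-records": AppPolicy("hr-records", frozenset({"a.smith"}), True, 14, True),
}


def evaluate(principal: Principal, posture: DevicePosture, app: str, today: date):
    """Return (allowed, reasons). Every failed check is collected so the user
    can see exactly what to fix, but any single failure denies the request."""
    policy = POLICIES.get(app)
    if policy is None:
        return False, ["unknown application"]
    reasons = []

    # Identity checks: who is asking, and are they allowed to ask for this app?
    if principal.user not in policy.allowed_users:
        reasons.append(f"{principal.user} is not authorised for {app}")
    if policy.require_mfa and not principal.mfa_verified:
        reasons.append("MFA not verified")
    if principal.kind == "contractor":
        if principal.engagement_end is None or today > principal.engagement_end:
            reasons.append("contractor engagement has ended or has no end date")

    # Device hygiene, evaluated at access time against this app's threshold.
    patch_age = (today - posture.os_patch_date).days
    if patch_age > policy.max_patch_age_days:
        reasons.append(f"OS patches are {patch_age} days old (limit {policy.max_patch_age_days})")
    if policy.require_disk_encryption and not posture.disk_encrypted:
        reasons.append("disk encryption required")
    if not posture.browser_up_to_date:
        reasons.append("browser out of date")

    return (not reasons), reasons


def demo(today: date = date(2024, 3, 1)):
    """Run a contractor through four constructed scenarios and return the decisions."""
    contractor = Principal("c.jones", "contractor", mfa_verified=True,
                           engagement_end=date(2024, 6, 30))
    healthy = DevicePosture(today - timedelta(days=3), True, True)
    stale = DevicePosture(today - timedelta(days=45), True, True)
    later = date(2024, 7, 1)  # the day after the engagement ends
    healthy_later = DevicePosture(later - timedelta(days=3), True, True)
    return {
        # Same user, same device: allowed into the app they were hired to use...
        "contractor_timesheets_healthy": evaluate(contractor, healthy, "timesheets", today),
        # ...but not into an app that is not part of the job, even though a
        # flat VPN would have put both on the same reachable network.
        "contractor_hr_healthy": evaluate(contractor, healthy, "hr-records", today),
        # Device that was fine last month fails the stricter finance-db threshold today.
        "contractor_finance_stale": evaluate(contractor, stale, "finance-db", today),
        # Access stops when the engagement does, without any network change.
        "contractor_after_engagement": evaluate(contractor, healthy_later, "finance-db", later),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'} {reasons}")
```

The point of returning the full reason list rather than a bare yes/no is that the denied contractor (and the help desk) learn precisely which standard was not met, which keeps the access-time check from becoming an opaque blocker that people work around.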
The traditional alternative, trying to enforce a particular security posture on the contractor's own machine, is challenging. Some endpoint configuration items and user behaviours are hard to measure without installing additional software on the contractor's device, and the contractor may reasonably see that software as an intrusion on their privacy. Either way, such solutions are time-consuming to deploy and maintain.
A more modern, application-specific approach with agentless enforcement moves much of this checking closer to the data you actually value and need to protect. It also reduces the administrative burden on the contractor, and reduces your reliance on them to produce audit data about which devices were used with which applications, because the access point records that itself.
There is no doubt that contractor or third party network access is vital for the effective operations of most organizations. However, to manage these risks, organizations should look beyond the traditional VPN network and move towards a per-application access policy. This will enable organizations to manage secure network access when temporary staff are brought in, without slowing them down or creating more work for the IT security team.