What are the potential risks of giving remote access to a third-party service provider?

BROWSE BY TAG Identity Management and Access Control,   Web Authentication and Access Control,   Enterprise Identity and Access Management,   Expert Archive: Identity Management and Access Control,   Information Security Policies, Procedures and Guidelines,   Information Security Management,   VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identity Management and Access Control Is Identity Management as a Service (IDaaS) a good idea? How to log in to multiple servers with federated single sign-on (SSO) How to confirm the receipt of an email with security protocols Learn about enterprise strategy for server virtualization single sign-on Employee information security awareness training for new IAM systems Can you combine RFID tag technology with GPS to track stolen goods? Is there a free enterprise-caliber password-management tool? Cryptosystem attacks that do not involve obtaining the decryption key Can any firm or organization get a digital signature certificate? Should the CTO have domain administrator access? Web Authentication and Access Control Group to shed light on secure identity management threats How to confirm the receipt of an email with security protocols Schneier-Ranum Face-Off: Is Perfect Access Control Possible? Kaminsky reveals key flaws in X.509 SSL certificates at Black Hat Changing times for identity management How to use single sign-on for Web access control to prevent malware IBM USB banking device stops keyloggers, malware Can mutual authentication beat phishing or man-in-the-middle attacks? Could someone place a rootkit on an internal network through a router? Sun launches open source OpenSSO for identity management Expert Archive: Identity Management and Access Control Enterprise password management policy: Finding the balance How to conduct a periodic user access review for account privileges Options for a mechanical door security system on a server room door Comparing access control mechanisms and identity management techniques User provisioning and SSO for PeopleSoft- and Unix-based products Could someone place a rootkit on an internal network through a router? Should a new user have to confirm an email address to gain access? Can home PCs provide a way for viruses and spyware to enter a corporate LAN? What should an enterprise look for in a password token and a vendor? Using batch files for temporary user access to the local admin group

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary access log  (SearchSecurity.com) anonymous Web surfing  (SearchSecurity.com) authentication, authorization, and accounting  (SearchSecurity.com) identity chaos  (SearchSecurity.com) knowledge-based authentication  (SearchSecurity.com) multifactor authentication (MFA)  (SearchSecurity.com) walled garden  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

Giving any third-party provider access to your company's systems is a security risk. Even if there's no malicious intent, or the access is provided for a legitimate business purpose, it should be strictly controlled, if not prohibited.

Let's start with some potential risks and then provide ideas for workarounds. Besides the threat of introducing malware into your systems, there are other technical and business dangers.

First, granting system access to an outsider lowers your security level to that of the external provider. If they have feeble controls, they become the weakest link in your security chain. If a hacker compromises their system, he or she can use that as a backdoor into your network. In parallel, as their risk increases, so does yours.

Second, there are also business and reputation risks. If their breached system is used to gain malicious access to your system, your company's name will also be in the headlines. Bad press will drive away customers, actual and potential business and can even lead to an unwelcome regulatory review.

Third, allowing external access of this nature circumvents technical controls, such as firewalls. If unfettered access is allowed, why bother with firewalls and access controls? You might as well leave your network wide open for anyone to come in. Further, if the software they want to install contains malware, their remote access is a direct pipeline for malicious code into your network.

Before even considering such access, you'll need to do the following. First, conduct a thorough risk assessment of your partners. Even consider an onsite visit to their facilities, particularly their data centers and any other locations housing IT and network infrastructure. Make sure they meet your security standards in the following areas: physical and network security and access and administrative controls. Make sure partners have written information security policies covering all these controls, and an IT security department that backs them up.

Next, severely restrict access to your systems. The third party should only have access to a segment of your network that is separated from the internal network by firewalls or an isolated subnet. Access should be restricted to only specific IP addresses from the outside party, and be limited to a restricted time period and then closely monitored.

However, the best practice for updating third-party software is the reverse. Your IT team should access their network to retrieve updates rather than allowing them to go fishing in yours.

For more information: