The dangers of granting system access to a third-party provider

Granting system access to a third-party provider is a risk that can introduce security threats and technical and business dangers into your enterprise. In this tip from our Ask the Experts section, identity

    Requires Free Membership to View

management and access control expert Joel Dubin discusses the potential threats involved with granting access to a third-party provider, and examines solutions for avoiding these dangers.

Giving any third-party provider access to your company's systems is a security risk. Even if there's no malicious intent, or the access is provided for a legitimate business purpose, it should be strictly controlled, if not prohibited.

Let's start with some potential risks and then provide ideas for workarounds. Besides the threat of introducing malware into your systems, there are other technical and business dangers.

First, granting system access to an outsider lowers your security level to that of the external provider. If they have feeble controls, they become the weakest link in your security chain. If a hacker compromises their system, he or she can use that as a backdoor into your network. In parallel, as their risk increases, so does yours.

For more information:
Visit out Identity Management and Access Control Security School to learn how VPNs can reduce the cost of business communication while extending secure remote access.
Visit SearchSecurity.com's remote access policy topics page for the latest news and information on remote access.

Do you have an identity management and access control question? Ask Joel.

Second, there are also business and reputation risks. If their breached system is used to gain malicious access to your system, your company's name will also be in the headlines. Bad press will drive away customers, actual and potential business and can even lead to an unwelcome regulatory review.

Third, allowing external access of this nature circumvents technical controls, such as firewalls. If unfettered access is allowed, why bother with firewalls and access controls? You might as well leave your network wide open for anyone to come in. Further, if the software they want to install contains malware, their remote access is a direct pipeline for malicious code into your network.

Before even considering such access, you'll need to do the following. First, conduct a thorough risk assessment of your partners. Even consider an onsite visit to their facilities, particularly their data centers and any other locations housing IT and network infrastructure. Make sure they meet your security standards in the following areas: physical and network security and access and administrative controls. Make sure partners have written information security policies covering all these controls, and an IT security department that backs them up.

Next, severely restrict access to your systems. The third party should only have access to a segment of your network that is separated from the internal network by firewalls or an isolated subnet. Access should be restricted to only specific IP addresses from the outside party, and be limited to a restricted time period and then closely monitored.

However, the best practice for updating third-party software is the reverse. Your IT team should access their network to retrieve updates rather than allowing them to go fishing in yours.

About the author:
Joel Dubin, CISSP, is an independent computer security consultant. He is a Microsoft MVP, specializing in Web and application security, and the author of The Little Black Book of Computer Security. He has a radio show on computer security on WIIT in Chicago and runs The IT Security Guy blog at http://www.theitsecurityguy.com.

This was first published in July 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.