DoorDash: Remote Vendor Access Security Goes Out the Window

October 1, 2019 Andrew Silberman

DoorDash, a popular food delivery service, recently suffered a data breach exposing sensitive data for nearly 5 million customers, workers and merchants. This breach is significant both in terms of scope and the types of personal information that were poached. This includes: drivers’ licenses, credit card numbers, delivery addresses, as well the usual names, emails and phone numbers.

Like others before it, this breach was discovered months after damage had already been done. The breach was only discovered when the company noticed unusual activity from a third party service provider. This is what lies at the heart of many breaches.

Many organizations today rely on third parties, like contractors, partners or other technology and service providers, for critical IT operations. As part of this contracted work, third party vendors require remote access to sensitive internal resources. However, the current set of solutions that provide and provision proper privileged access leave much to be desired.

Since their inception in the mid-1990s, organizations have relied on Virtual Private Networks (VPNs). Unfortunately, VPNs extend network access to authenticated users and allow access to resources beyond what users need to do their jobs.

VPNs were invented before smartphones, bring-your-own-device and remote work were as commonplace and widespread as they are today. They weren’t intended to provide role-based access, which is key to limiting remote vendor access without interfering in their ability to work. A modern solution is required for this modern problem.

Understanding Remote Vendor Management

DoorDash announced that, moving forward, it would block access for unauthorized users, encourage users to change passwords and improve the security protocols that allow third party vendors to access its internal systems. However, it’s not clear, specifically, how DoorDash plans to do so.

Here are four actionable steps an organization can take to reduce the risk from remote vendor access.

  1. Implement and consistently enforce strict controls regarding who is able to access critical internal resources that house sensitive information.
  2. Enable alerting and response to anomalous behavior or activity by improving the visibility into the privilege-related events occurring in the network, such as who is accessing what resources.
  3. Implement automatic provisioning and de-provisioning processes. With this in place, third party vendors can only access the systems that they require for their jobs.
  4. Implement secure multi-factor authentication methods to verify identity of third party vendors.

Learn about securing remote vendor access without the need for VPNs, agents or passwords. Watch a video about CyberArk Alero or request a demo of CyberArk Alero. Join us on 5 November for a webinar on Alero and securing third party access.

Previous Article
Simple Rules for Smart IAM Solutions. – Part 2: Contexts & The Data Science Behind
Simple Rules for Smart IAM Solutions. – Part 2: Contexts & The Data Science Behind

Part 2 in a series on understanding how to evaluate IAM solutions – let’s dive into contexts and data scien...

Next Article
CyberArk Privilege Cloud Now Available on AWS Marketplace
CyberArk Privilege Cloud Now Available on AWS Marketplace

CyberArk is pleased to announce that our as-a-service CyberArk Privilege Cloud offering is now available on...