Nearly every organization today relies on a variety of remote third party vendors to access, maintain and support critical internal systems and resources. These vendors have come to play a critical role in maintaining modern organizations’ complex and distributed enterprise infrastructures.
Given that third party vendor access has been at the heart of recent breaches, CyberArk recently conducted a survey of IT and security decision makers to learn more about common approaches to managing and securing access to critical internal resources. Here are some of the most eye-opening findings:
Third Party Privileged Access is Everywhere.
It’s probably not a shock to most people that 90% of respondents said that they allow third party vendors to access critical internal resources. What was slightly shocking was that more than a quarter (26%) said that they use over 100 third party vendors! That’s a lot of accounts to account for, manage and secure.
For many organizations, securing third party vendor access is incredibly complex – often requiring a cobbled together solution of products like multi-factor authentication, VPN support, corporate shipped laptops, directory services, agents and more. This has not only led to confusion and overload for security practitioners, but also creates difficult and often insecure routes for third parties to access the systems they need to do their jobs.
Which leads to our next finding….
Third Party Access is a Top 10 Organizational Risk.
Nearly three-quarters (72%) of organizations view third party access as one of their top 10 organization-wide security risks, alongside others like cloud abuse, phishing and insider threats. Third party access is quickly rising in the ranks to become a top priority for organizations and for good reason. These attacks and resulting data breaches can be incredibly costly for organizations, both in terms of reputation and financial losses.
Despite this, the same organizations overwhelmingly aren’t satisfied with how they currently approach managing and securing access for these remote vendors. A whopping 89% of respondents felt that they could do better or were completely dissatisfied with their efforts to secure third party vendor access.
Provisioning and Acute Visibility is a Challenge.
So, if third party access is a top 10 risk, why are so many failing to secure it? We found that 50% of organizations state that provisioning and deprovisioning access was their biggest challenge, while 47% highlighted lack of visibility.
Provisioning and deprovisioning access can feel a lot like Goldilocks and the Three Bears. You can’t allow too much access (where vendors have access to things they don’t need or for longer than they’re needed) or too little (where vendors are forced to create unsafe backdoor routes to critical resources). It has to be just right.
However, currently, legacy solutions dominate. For instance, while 86% of organizations rely on VPNs to secure third party access, they were not designed to manage dynamic privileged access requirements like role-based access protection and session recording. On the visibility front, companies aren’t always aware of what third party vendors are doing once they authenticate – and that is a serious problem. A best practice – one often required for audit and compliance – is to record, log and monitor privileged activities.
As organizations depend more and more on third parties to get the work done, the difficulties they face when it comes to security is getting harder and harder to ignore.
Without a dedicated solution specifically for managing third party privileged access, organizations have been forced to use miscast solutions like VPNs . To remedy this problem, we introduced CyberArk Alero, a truly modern, innovative solution.
CyberArk Alero combines Zero Trust access, biometric multi-factor authentication and just-in-time provisioning into one Software-as-a-Service (SaaS)-based solution. Alero ensures that remote vendors only access what they need by integrating with CyberArk Core Privileged Access Security for full audit, recording and remediation capabilities.
Alero is designed to provide fast, easy and secure privileged access for remote vendors who need access to critical internal systems. By not requiring VPNs, agents or passwords Alero removes operational overhead for administrators and improves security.
To learn more about the challenges of securing third party access, read our eBook “Third Party Privileged Access to Critical Systems.” You can also request a demo to find out more about CyberArk Alero.