SUNNYVALE, CA — (Marketwired) — 06/21/16 — , an innovator of enterprise access as a service, today released a number of key insights about secure third-party access based on candid interviews with a number of members from its . Members of the Advisory Group, which includes security professionals, analysts and industry influencers, were asked questions about trends in third-party access security, what IT professionals should be doing to secure their networks and what they are doing within their own organizations to secure third-party access.
Advisory Group members who participated in this interview include Derek Brink, vice president and research fellow, Aberdeen Group; Slava Kavsan, founder and CEO, CKURE Consulting; Jim Rutt, CTO, The Dana Foundation; and Mark Carrizosa, CISO and vice president security, Soha Systems.
There's clearly growth in providing third parties with access. Why? Because it's helpful to business! This is the “enablement” motive that security pros like to talk about whenever they can. Third-party access can also be referred to as a “rewarded” risk — the type of risk associated with enabling assets, creating value and maximizing upside. Of course, there's also increasing attention on the traditional security concerns of providing third parties with access to corporate resources — these are the “unrewarded” risks of defending assets, protecting value and minimizing downside. And as if these risk-based perspectives weren't enough, there's also a growing wave of regulation that allows you to outsource an activity to a third party but the regulation does not allow you to abdicate your responsibility for complying with security and privacy requirements.
As more organizations move their digital assets to public clouds, there is a need to better understand the security and privacy implications of third-party access within this environment, especially when the cloud provider itself is acting as the third party. Operators and cloud service providers often need to have high-level access privileges to their customers' data and to the applications they host in order to configure and secure the resources in their custody.
I'm seeing third-party solution adoption in a number of vertical-specific industries, such as the healthcare sector. Healthcare solutions, in particular, have been built with the underlying assumption that third-party access relationships have to be explicitly defined and implemented rather than be based on a more generic private cloud approach. The rise of standards such as will provide momentum toward a more universal approach to this problem. However, different business models will need their own implementations and abstractions for third-party access, as the regulatory and governance requirements are too specific to apply to disparate industries.
The only trend I've seen is inactivity, and that's part of the problem. Third-party access methodologies have changed very little in the last decade. What's worse, from a technology perspective, solutions assumed to be “new” and “innovative” continue to utilize the same underlying concepts that have been around for 20-plus years. It's evident that bad actors understand where the weak points are, and based on the number of breaches related to third-party actions, it's clear they are actively exploiting them.
If there's one thing IT and security professionals aren't paying enough attention to, it's that these are business decisions, and as subject-matter experts and trusted advisors, they should be expressing these risks properly, in terms of likelihood and business impact. Risk should not be expressed through hand-waving, techno-babble or the latest headlines; it must be explained quantitatively and with a proper sense of the inherent uncertainties.
When organizations deploy their digital assets to the public cloud, IT and security professionals need to pay special attention to requirements for achieving additional transparency into the provider's access to their data, applications and networks. They also need to make sure that under normal conditions, provider operators and services do not have accounts on their customers' Virtual Machines and are prevented from gaining any access to an organization's assets. In situations when provider operators and services need temporary access, the process of obtaining permissions for such access has to be justified, logged and approved (manually or automatically) for the specific asset and the period of time required to perform the maintenance operation.
We still lack a cohesive third-party plan of access that includes other critical stakeholders peripheral to IT and tech security, such as traditional risk disciplines and line-of-business areas. IT professionals alone have traditionally borne the burden of both securitizing and assessing risk. However, IT professionals have not been as strong in formulating proper vendor management and vendor communications ecosystems that help close the gap on the human-factor influence on third-party security. There needs to be a better standard for contingency planning in the event of a third-party breach, rather than reinventing the wheel for every breach incident.
The management of third-party access lifecycles has become one of the most tedious and time-consuming efforts within enterprise IT/security functions. As with other such tasks, such management is only given priority when absolutely necessary or when an event such as a data breach triggers a deep dive into existing processes. Organizations should re-prioritize their efforts and budgets to account for the new normal, where dependence on third parties is an integral component of current business models.
: We've created a vendor management plan in conjunction with our business units and developed a solid communications plan. This allows us to firm up our internal disaster-recovery plans, review third-party direct-report plans on a regular basis and enforce testing. In addition, we do a yearly insurance risk review to ensure that we carry the correct amount of insurance.
In cloud-based working environments, all users are considered remote and operate similarly to how third parties have historically been provided access. What is different in our approach is a fundamental change in access methodologies; we incorporate concepts such as zero-trust, network abstraction, extended identity validation and full-session recording to effectively reduce overall risk and isolate any potential impact caused by third parties or any remote users.
Soha Systems formed the Advisory Group in May 2016 to act as a conduit for ongoing research on third-party access security. Most recently, the Advisory Group issued a and that revealed only two percent of IT experts consider third-party secure access a top priority, despite the growing number of security threats linked to supplier and contractor access. The Advisory Group includes a number of security professionals, analysts and industry influencers. In addition to the executives participating in this discussion, advisory group members include Shahed Latif, principal in the cybersecurity and privacy practice at PwC; Ajay Nigam, senior vice president, products, at Accellion; and Nico Popp, senior vice president, information protection, at Symantec. The group's next survey and recommendations are scheduled for Fall 2016.
Soha Systems, named a “Cool Vendor” in the “Cool Vendors in Cloud and Emerging Technology Security, 2016” report by Gartner, Inc., is an innovator of enterprise access as a service for third parties, including suppliers, contractors and franchisees. The service, Soha Cloud, provides a painless, convenient, secure and centrally controlled approach to third-party access that does not require device-specific software or direct access to the network. The Soha Cloud service, compliant with PCI DSS 3.1, can be deployed in minutes for third-party access to corporate applications in data centers and hybrid cloud environments. For more information, visit and join the conversation on Twitter @SohaSystems.
Rick Popko
10Fold
415-800-5381