Secure vendor
access to corporate
infrastructure

Today it is almost impossible to imagine a company that does not outsource some of the work.

Outsourcers are often responsible for routine tasks, such as deployment and configuration of components in a corporate IT infrastructure. In some cases, third-party contractors take care of a whole set of operational tasks.

After purchasing an IT product your company may also need to grant follow-up access to a developer team as part of technical support.

Sometimes you may need to provide prompt remote access to a remote site for your vendor, while on other occasions you only allow on-site works. This may happen in the event of a serious failure, and the company cannot wait until a vendor’s representative arrives.

Another сommon practice is hiring auditors who can assess the state and performance of a company’s financial applications and accounts. Auditors may also be put in charge of evaluating the performance of the company’s IT components.

All these arrangements can introduce various security threats to your organization:

• Your company will have limited options in terms of monitoring of privileged user (vendor) activity, even if vendors work on site as you need to designate a staff member who will be responsible for controlling vendor activity throughout the duration of their work on your premises.
• You may lack the tools for monitoring external user activities on your computers.
• You will need to grant remote and local access to your company’s resources to third-party contractors and thus expose critical authentication data.
• You may have multiple uncontrolled third-party contractors simultaneously working with your IT components.
• You may not be able to assess the potential impact of the changes made by your vendors.
• It may be impossible to determine whether the changes made by a vendor meet the cyber security standards that have been declared.
• You may lack an understanding of the operations performed by auditors of the IT infrastructure and app performance.
• Third-party vendors may insert malicious pieces of code into your apps and web applications.
• The company’s information security is at risk since the privileged users in your company who are not responsible for network or information security may grant unauthorized remote access to third parties.
• Privileged authentication data allowing remote access to critical resources may be subject to theft or unauthorized disclosure.
• You cannot manage the IT environment of a third-party contractor with privileged access to your company’s infrastructure, which can pose a threat to corporate security.

In addition, your company may face other types of risks and challenges:

• It is costly and time consuming to arrange the contractors' visits to your premises.
• In the event of failure, there may be conflicts between the third-party contractors and your IT/IS department.
• You may face additional losses in terms of time and funding in the event of failure at a remote site in a hard-to-reach area.

When third-party personnel are granted privileged access rights to your resources, the company is bound to face escalated risks and vulnerabilities. The best solution would be to use specialized software suites for Privileged Access Management (aka Privileged User Management, Privileged Identity Management, Privileged Account Management).

These software solutions will allow you to streamline user activity monitoring for your contractors and employees of third-party organizations while they deal with your company’s IT resources.

Recording user activity and assessing the quality of work

Axidian Privilege supports recording of the contractor’s operations for subsequent use during user activity audits. Basic functional principles of PAM are designed to rule out bypassing established protocols when privileged users (contractors) connect to the target resource.

In addition, Axidian Privilege can use published apps to support other proprietary protocols.

Axidian Privilege offers the following session recording functionality:

• Text log
• Video records
• Keylogger
• File transfer control
• Command input control
• Connection metadata

You can use session records to form an objective opinion about the quality and scope of actual services with respect to the quality and scope of work stated in the SLA. This way you will only pay for the services that have been provided to you and get a clear idea about the professional capability of your third-party contractors.

Limited scheduled access and limited access upon approval

It’s no secret that the requirements governing third-party contractor access to any components of your IT infrastructure must be stricter than those that apply to your in-house personnel.

Axidian Privilege built-in mechanisms offer multiple options for managing privileged user access to target resources. These are a few key rules that are commonly used for managing privileged access rights of third-party contractors:

• Scheduled access
• Temporary access
• Access upon approval

You can use these settings to preconfigure user access rights and maximize user restrictions, which will rule out the possibility of any operational disruptions initiated by your vendors.

Ensuring secure remote access to critical resources

Sometimes companies are reluctant to provide external remote access to their most critical IT infrastructure, and they have a good reason to do so—it is almost impossible to control such connections.

Axidian Privilege can help you maximize the security of remote access to your critical resources while it is used by external personnel with real-time monitoring, two-factor authentication and filtration of commands.

All user activity is recorded, which allows you to perform expert audits of vendor activity at any time, not only when their work is in progress. Furthermore, in some cases you no longer need to have the contractor’s specialists actually visit your premises to do their job.

Monitoring auditor operations

Axidian Privilege allows you to monitor any user category, including special categories like auditors. Auditors are external experts hired to perform the following tasks:

• Analyze financial statements and transactions in financial apps
• Control the functionality of information security tools and run internal penetration tests
• Monitor the functionality of other IT tools
• Analyze organizational, administrative, and other documents

Although the auditors' key task is analysis and not an active manipulation of any components of your IT infrastructure (except for scenarios involving penetration testing), it may still be useful to understand what the auditors actually check and how they do it. You will find this information especially relevant if your company has failed an audit and needs to correct errors and address implicit concerns.

Monitoring developer operations

The PAM system enables activity monitoring for third-party developers of your internal software and web resources.

Malicious users often see code as their first priority for breaching security. Due to large volumes of written code and lack of specialized internal tools for code analysis and version control, an intruder can easily insert malicious or dangerous pieces of code into a corporate application.

However, the PAM tools designed for recording and subsequent analysis of changes allows you to test all new changes for malicious activity and take timely measures to mitigate their impact.

Saving your financial resources

With Axidian Privilege, you can save both your time and money while dealing with your third-party contractors.

First, session recording allows you to compare the actual scope and quality of work with the requirements stated in the SLA and pay only for the works that have been actually performed.

Furthermore, you can use these records for third-party expert assessment of your contractors' professional capability.

Also, you can save on travel costs since the vendor’s personnel no longer needs to visit your premises to do their job. Instead, they access your resources remotely via PMA tools.

Supported protocols:

• RDP
• SSH
• HTTP (s)
• Any other proprietary protocols by publishing relevant applications

Activity recording functionality:

• Video records of sessions (video quality can be adjusted)
• Text logs of sessions
• Periodical screenshots of sessions (image quality can be adjusted)
• Supported protocols—RDP, SSH, published web, and thick clients
• Shadow file copies

Supported user directories:

• Active Directory
• FreeIPA
• OpenLDAP

Two-factor authentication technologies:

• Password + TOTP (Time-based One-Time Password) from mobile app
• Password + OTP (One-Time Password) from email

Remote access technologies:

• RemoteApp (Microsoft Remote Desktop Server)
• SSH Proxy