The modern enterprise has become a complex structure that extends beyond the boundaries of the business itself to include many partners and other third parties that are connected to the organization. These partners come in different shapes and forms and are an integral and necessary part of daily operations. In fact, businesses are increasingly dependent on third parties to provide mission-critical services according to Deloitte. Yet, this dependency comes at a cost, as third-party contractors are responsible for a growing number of incidents and breaches.
The core challenge of handling third-party access is to validate that only authorized devices that meet minimal security posture criteria, and belong to approved users, are granted network access. Most businesses use VPN solutions to extend trusted enterprise networks to third-party workers, yet are unable to control the device. VPN solutions often introduce new security risks by adding entry points to the network and opening the door for lateral movement from unmanaged devices. When using VPN, there are no shades of gray – no ability to give partial access only to required resources. The more servers and applications your vendors can access, the higher the risk.
Typical threats originating from third-party access are initiated via unpatched vulnerabilities, on-device malware, malicious files, rogue browser extensions, inadequate credentials and even physical device takeovers. These threats are different in nature, yet all take advantage of a device that is not managed by the target organization. The reality is that enterprises struggle to manage the cyber risk associated with connecting external people to their core corporate assets, leading to a core blindspot in enterprise security: unmanaged endpoints.
In order to help address the challenge, third party risk management domain has evolved in an attempt to provide enterprises with the right set of tools and processes to effectively handle the risk. These solutions aim to deliver a good match between security policies and access needs, while taking into account the risk management component.
Some of the best practices discussed under the risk management paradigm include how to:
- Prioritize vendor importance and the impact it has on your business
- Evaluate risk against your organization’s risk appetite definition
- Leverage automation whenever possible to minimize unsecure processes
- Conduct a thorough risk assessment
- Carry out ongoing vendor monitoring
- Perform an efficient offboarding of the partner in case needed
Understanding this, it’s important to ask two important questions when it comes to ensuring the contractors accessing the organization are properly secured. How do the contractors conduct their work? Are the above best practices being followed?
More often than not, contractors use corporate or personal devices for interacting with the enterprise contracting their services. In the best-case scenario, these devices are managed by the contractor’s organization, but the truth is that many of those endpoints are not managed at all.
According to Bitglass, 85% of enterprises now allow data access from personal devices for employees, partners, customers, contractors and even suppliers. The implication is that unmanaged devices, which do not adhere to any security policy, have access to sensitive data via SaaS applications and other web resources. This means that any of the attack vectors mentioned could pose a real threat and that the overall risk strategy is not managed appropriately. Enterprises cannot accept situations like this for conducting ongoing business as the risk of data leakage, brand reputation and compliance violation is real. To avoid the worst-case scenario, the focus has been shifted from securing the device itself to protecting the method through which these unmanaged devices access the enterprise: the browser.
According to BeyondTrust, closing the gap of contactors’ device access requires a combination of security technologies that mitigate the diverse browser.
- Identity related solutions like password generator and multi-factor authentication.
- Zero Trust related solutions like full visibility into network access and least privileged role-based access.
- Monitoring solutions to see and understand in-app behaviors and act as a control mechanism to restrict access when needed.
- Implementing all those security solutions is a substantial challenge for any enterprise, given the number of third-party contractors they work with and the overall shortage of security staff. How can the browser help mitigate that risk?
The secure enterprise browser is a novel approach that is purpose-built to address challenges such as the unmanaged contractor device dilemma head-on. The notion is that all the above-mentioned technologies, and additional security controls, should all be incorporated into a single solution.
The secure browser better serves enterprise security needs and replaces the collection of point solutions that are difficult to deploy and manage. It not only centralizes browser-based access for unmanaged devices, but also provides the management layer needed to monitor the various partners and other third parties connecting to corporate resources. By testing device posture and analyzing access activity across the entire SaaS application range, it generates alerts on suspicious activity and simplifies the security stack due to how seamless it is to maintain and its cost effectiveness from a deployment and management perspective.
If you are looking to enforce a better risk management strategy across your unmanaged devices, we would be happy to chat.