Remote Vendor Access

Kris Zupan, CEO/CTO, e-DMZ Security


• The Issue: Remote Vendor Access
• What is different between RVA and Remote Access?
• Outsourcing Influences
• Compliance
• RVA Requirements
• eGuardPost™ Discussion
• eGuardPost™ Demonstration
• Questions


The Issue: Remote Vendor Access
• Most companies have spent considerable energy providing remote access solutions to allow better utilization of resources.
• Remote vendor support is a standard approach for most companies to leverage vendor support capabilities.
• Remote vendor connections carry a high degree of risk.
• Most solutions (VPNs or firewalls) can address some of the questions below, but today none can answer all of them.
• The questions:
  • Who can access my systems?
  • How can they access them?
  • Who did access them, and what did they do?
• Remote vendor access has been a finding on many audit reports.


What is different between RVA and Remote Access?
• Remote vendors should be restricted to only the areas of the company they support. A remote vendor contracted to administer specific Unix systems should not be connecting to other systems or resources at will.
• Remote vendors use their own client equipment to establish connectivity. This means that requirements around personal firewalls, anti-virus, platforms, etc. are difficult if not impossible to enforce.
• Requiring remote vendors to use specific VPN client software for remote access may not be possible, and can introduce liabilities on the vendor's systems and/or create incompatibilities with the vendor's existing client software.
• Remote vendors have staff who are outside the view of the company. Staff changes at the vendor may result in challenges around accountability.

Outsourcing Influences
• Outsourced system administration
  • Many companies have looked towards outsourcing system administration due to the increasing complexity of system support. Keeping systems patched and protected has become a specialty.
  • Giving system-level control to an outsource provider may jeopardize the security controls already implemented.
• Outsourced development
  • Cost considerations have many organizations utilizing off-shore or other outsourced development resources.
  • Many companies are concerned about production support risks.
• MSSPs
  • Analysts have forecast that security will become the most outsourced IT function.
  • This raises the issue of who controls the controls.

Compliance
• SOX
  • Need to show that developers or system administrators did not adversely affect financial systems.
  • Many would like a centralized view of actions within their financial systems instead of system-level audit information from every host.
• GLBA
  • Demonstrate that private information is protected from system-level access.
  • Dual control as fraud prevention.
• PCI (from PCI_Security_Audit_Procedures)
  • Section 8.5.6: vendor accounts are monitored
  • Section 10.2.2: logging of all admin activity
• HIPAA

RVA Requirements
1. The solution must provide granular access control, to completely control the access of the remote vendor.
2. The solution must be clientless, since most companies cannot dictate the remote client system or software.
3. The solution must provide a complete and robust session and access audit trail, so that companies can answer the regulatory questions about vendor access to protected information.
4. The solution must protect the customer network from network pathogens such as worms and malware.


Current Approaches
1. Jump box
  • In this scenario, the vendor only has access to a few defined machines from which they initiate their sessions.
  • Pros
    1. Defined point of entry
    2. If using keystroke logging, can provide a replay
  • Cons
    1. Effort to ensure the jump box is not circumvented
    2. Only works for command-line activities
2. VPN with ACLs
  • In this scenario, the VPN only allows connections to a few defined systems that are to be supported.
  • Pros
    1. Defined access
  • Cons
    1. No replay; administrative burden
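As an added example of the jump-box approach (not part of the presentation and not e-DMZ's product), the OpenSSH server policy below restricts a vendor group on a Linux jump host to the two systems it is contracted to support and records every interactive session with timing data for replay. The group name `vendors`, the hostnames `db01.example.internal` and `db02.example.internal`, the key and log directories, the `sshd_config.d` drop-in path and the use of util-linux `script(1)` are assumptions.

```sshd_config
# /etc/ssh/sshd_config.d/50-vendors.conf  (added example; paths, group and
# hostnames are assumptions, not taken from the presentation)
#
# Each vendor engineer gets an individual account in group "vendors" and an
# individual key, so a recorded session maps to one person even when the
# vendor's staff changes.  Revoking access is deleting that engineer's key file.
Match Group vendors
    PasswordAuthentication no
    PubkeyAuthentication yes
    AuthorizedKeysFile /etc/ssh/vendor_keys/%u
    # VERBOSE logs the fingerprint of the key that authenticated, which ties
    # the auth log entry to the engineer who holds that key ("who did access").
    LogLevel VERBOSE
    # The jump box must not become a pivot into the rest of the network.
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    GatewayPorts no
    # Port forwarding is allowed only towards the two systems this vendor
    # supports; any other -L destination is refused by sshd ("how can they access").
    AllowTcpForwarding local
    PermitOpen db01.example.internal:22 db02.example.internal:22
    # Whatever command the client requested is replaced by a recorder that
    # wraps the login shell, so the vendor cannot skip it.  sshd runs this via
    # the user's shell with -c, so $USER, $(...) and $$ are expanded.
    # util-linux script(1): -q quiet, -f flush each write, -e propagate the
    # shell's exit code, -t<file> timing data for scriptreplay(1).
    ForceCommand s=/var/log/vendor-sessions/$USER.$(date +%Y%m%dT%H%M%S).$$; exec /usr/bin/script -q -f -e -t"$s.timing" "$s.log"
    # Idle vendor sessions are dropped after 15 minutes (3 x 300 s).
    ClientAliveInterval 300
    ClientAliveCountMax 3
```

A recorded session is replayed with `scriptreplay -t <name>.timing <name>.log`. Two caveats match the cons listed above: the recording captures the terminal I/O of anything the vendor types on the jump box, including an onward `ssh db01.example.internal`, but traffic tunnelled with `-L` through `PermitOpen` is not recorded, which is the "only works for command-line activities" limitation; and the jump box is only a chokepoint if the supported hosts accept vendor logins solely from it (for example a `Match Address` block on the target or a firewall rule), otherwise it is circumvented. The log directory should not be writable by the vendor accounts beyond the append the recorder needs, or the recordings should be shipped off-host as they are written.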

eGuardPost™ Discussion
• eGuardPost provides the ability to answer the three questions:
• Who can access my systems?
  • Provides granular authorization for administrative connections.
  • Allows for strong authentication at entry to the protected environment.
  • Provides the basis for a segmentation strategy.
• How can they access my systems?
  • Secure connections provide privacy of information.
  • Proxied connections prevent direct system-level connections that could introduce malware or worms.
  • Dual control is available to provide pre-implementation control.
• Who accessed my systems, and what did they do?
  • Concise connection logging.
  • Full session replay for review and reconstruction.


RVA Scenario



