Phone Number +1-202-802-9399 (US)
The Lockdown

Thycotic’s Cyber Security Blog

Limit access for third-party vendors without restricting their ability to get work done


Written by Chris Smith

October 22nd, 2019

Companies often work with outside experts, consultants and other third-party vendors who need privileged access to corporate resources. These third-party entities can’t do what they were hired to do if their access is too restrictive. You can’t maintain a strong security posture if access and oversight are too lax.

How do you, a security professional, walk the line to provide just enough access and oversight so the vendor can do their job and you can secure critical assets?

Imagine a few scenarios:

  • The marketing department brings on a third party—perhaps a market research contractor—to work on a specific project for a defined amount of time. The contractor will be working offsite and needs remote access to internal data repositories, communication tools (such as internal discussion boards), and shared drives. The contractor uses her own laptop.
  • The Support team hires a Customer Service representative to a long-term consulting contract, and he works alongside full-time employees. The contractor works onsite at the corporate headquarters, entirely within the corporate infrastructure, using a shared, company-issued computer.
  • All software development is outsourced to a remote third-party development team. The team is working on a critical project and requires access to internal tools, systems and privileged accounts. While the number of people on the development team remains constant, there is frequent turnover with some members leaving and others joining. The team works offsite, using their own sandboxed equipment, with secure remote access to critical corporate systems.

Without an airtight off-boarding procedure, it’s remarkably easy to lose track of a vendor account

In each scenario, the nature of the work is different: different duration, different privileges, different ownership of privileged accounts, different responsibilities. But there are many constants for a vendor security policy:

  • Each individual requires access to key corporate infrastructure and services.
  • Their employment agreement with the organization means they may have flexibility in how and where they perform their work, and in the control that the organization can have over the technology they use.
  • Because they are reporting to a specific group, that group may be responsible for on-boarding and off-boarding the contractor and may not have sufficient checks in place to ensure that these processes are fully followed.

Vendor security is important while the third party is actively employed with your organization, and once the engagement is over. The latter case poses some common challenges:

  • When the engagement ends, the vendor’s privileged access may not be revoked, either due to lack of oversight, or because of an expectation that they may have a future engagement with the company.
  • In the case where more than one person works for a vendor, those vendors may share privileged account credentials with their co-workers rather than have each individual apply for, and be granted, their own unique credentials.

Without an airtight off-boarding procedure for third-party vendors, it’s remarkably easy to lose track of a vendor account. Every abandoned or unknown privileged account is an opportunity for unauthorized access, ranging from an ex-contractor continuing to access the account with benign intent, to a third-party vendor using the account to perform unauthorized tasks, to a hacker discovering an abandoned account and using it to gain access to sensitive information.


IT Admins: Our collection of free IT tools makes your life easy and your organization safer!

Fortunately, smartly applied privileged access management solutions can help contain the risk, manage privileged access, and provide an audit trail to hold everyone accountable.

  • Workflow tools: Imagine the lifecycle of a vendor’s access: Authorize, Provision, Retain / Reclassify, Decommission… and at the end of the cycle, the account could be renewed, re-approved, disabled or expired. With PAM, you can create a standard, automated workflow to be used whenever a third party needs access to specific resources. By automating the workflow, you ensure that all contractors and vendors provide any requisite information, confirm that they are aware of acceptable use policies (and have signed off on them), and also receive management approval to grant them privileged access.
  • Policy-based roles and least privilege access: The first step when granting access is to ensure the vendor is given an appropriate level of access, and no more. You can use role-based access control (RBAC) to configure baseline and default access. This defines which systems the vendor can access, and their rights within each system. You can place a time limit on each account, automatically revoking access unless it is reviewed and extended.
  • Monitoring: With advanced PAM, you can track each vendor’s privileged account activity, including which systems they access, and actions taken within those systems. Depending on their level of privileged access, the sensitivity of their work, and the overall risk profile of the engagement, consider using tools for session monitoring, session recording, and keystroke logging.
  • Anomalous behavior detection: In conjunction with session monitoring, you can enable anomalous behavior detection. Is the vendor accessing systems to which they should not have access? Is there a sudden increase in account access by certain users or systems? Is there atypical access of certain privileged accounts? Are accounts accessed at odd times of day or from unexpected locations? Automated monitoring coupled with deep reporting tools helps identify risks to privileged accounts so you can take appropriate action.
  • Discovery: You can use privileged account discovery tools to periodically check for unused or unknown accounts. Only current third-party vendors in good standing should retain access.

Consider the policy and process aspects related to privileged access for third-party providers

In addition to technology-focused approaches, it’s important to consider the policy and process aspects related to granting and revoking privileged access to third-party providers.

Make sure you document and share a comprehensive PAM policy that incorporates vendor use cases:

  • Is there a clearly articulated policy for how vendors are granted access to internal resources?
  • Is the access policy based on standards set by external governing bodies, such as NIST, ISO, PCI-DSS, HIPAA, or GDPR?
  • Does the access policy include enough detail so it can be uniformly implemented?
  • Is the policy flexible enough to accommodate different usage scenarios?
  • Does the policy assess and segment vendors by their risk profile, based on the nature of the engagement, the systems to which they will need access, and the vendor itself?
  • How are exceptions handled?
  • Is there a version of the policy which is available to third parties and vendors, so they are aware of their rights and responsibilities, plus any consequences should they be out of compliance at any time?
  • Finally, is the vendor access policy documented and easily accessible to anyone within the organization who should have access to it?

Structure processes to mirror your access policies:

  • Is there an established process for how third-party vendors are granted privileged access?
  • Does the process require that the individual granting privileged access have sufficient rights and authority to do so? Is senior-level, or executive-level authorization required for access to highly sensitive infrastructure?
  • Is the process automated, so any actions taken are auditable and trackable?
  • How do you ensure that vendors are only granted the minimum level of access needed to get their jobs done?
  • Does the process include regular audits to ensure privileged vendor accounts are still in use, and that they remain configured with a least privilege posture relative to the vendor’s actual needs?
  • How is vendor off-boarding handled?

Vendor access management needn’t be overwhelming

With a structured approach to managing vendor security, you can reduce the risk associated with granting privileged access to critical systems, while effectively monitoring and auditing what the vendor is actually doing with that access.


Like this post?

Get our top blog posts delivered to your inbox once a month.