Privileged Access Management

PAM and Third Party App Maintenance

Organizations are increasingly outsourcing the maintenance of applications to third parties. Providers of this type of service range from global giants like IBM and HPE to smaller, specialized firms as well as cloud service providers. There is much to like about the idea of having someone else maintain your applications. It is often less expensive than having in-house staff handle the workload. Plus, you don’t have to be concerned with retaining (or losing) application skillsets in your IT department.

Outsourcing does expose you to a number of security and compliance risks, however. This article looks at how third party application maintenance works, how it affects security, and how Privileged Access Management (PAM) can be an effective countermeasure to mitigate third party application maintenance risks.

Understanding Third-Party Application Maintenance

Applications don’t like to be alone. Like an infant, a software application needs people around – often round-the-clock – to make sure they are working properly. For many organizations, the idea of hiring an outside firm to maintain an application is growing in appeal. As Figure 1 shows, companies worldwide spent $106 billion on third-party application maintenance in 2016, up from $97 billion in 2013.

Figure 1 – Growth of third party application maintenance as part of the broader IT outsourcing trend. Source (Statista)

Outsourcing application maintenance can help redirect IT personnel to work that is more business-facing and less administrative. The outsource firm usually has specialists on staff with deep expertise on the application. They can handle patches, upgrades, and troubleshooting so your people don’t have to.

Business models vary, but most third party application maintenance is delivered in one of the following ways:

Through an offsite third party firm – In this scenario, the provider (e.g. a firm like IBM or HPE) maintains the application from a remote location by accessing back-end administrative interfaces over networks. The third party vendor’s employees may be in a different country, such as India.

Through a third party on-site (i.e. “insourcing”) – Here, employees of the third party actually work on your premises. In some cases, they even have corporate email addresses and ID badges that make them appear to be employees of your organization.
Through the staff of an application service provider (e.g. SaaS or PaaS) – For organizations that outsource applications like email, customer resource management (CRM) and so forth, employees of the application service provider may be involved in maintaining the application for you.

Security and Compliance Issues with Third Party App Maintenance

Application outsourcing creates risk exposure along several different dimensions. For a start, it’s risky just to make administrative interfaces externally accessible. Then, there’s the risk inherent in granting privileged access to employees of third party firms. Privileged users are administrators who can access the back end of an application. They can set up, modify or delete user accounts. They can reconfigure the application, access the data stored by the app and so forth. In some cases, they may be able to override security settings and erase any evidence that they even had access at all.

Granting privileged (administrative) access to external non-employee users exposes you to the threat of unauthorized or improper access. Specifically:

A third party employee may accidentally or maliciously cause an outage or a data breach.
A malicious actor could gain access to the third party firm’s network and pose as an employee in order to improperly access your application.
A former employee of a third party firm may retain access rights to your application through a deficiency in the third party firm’s controls.

The impacts of these threat scenarios can be serious. A major security incident, outage or data breach is possible, with the added challenge of not being sure who was involved in the attack. A seemingly routine log in from a third party can be the first step in a serious incident. From a compliance perspective, not knowing who is accessing confidential data or modifying financial controls is highly problematic.

The Role of PAM in Third Party Application Maintenance

PAM consists of the processes and tools to ensure that only administrators with proper access rights can log into back-end systems. An effective PAM solution provides a secure and streamlined way to authorize, monitor, and control the activities of all privileged users. This should include third party administrators.

A PAM solution centrally and efficiently manages access over a disparate set of heterogeneous systems, enforcing policies that restrict privileged third party users from bypassing security systems. It grants privileges to users only for systems on which they are authorized. Access is only granted when it’s needed. Access is revoked when the need expires.

PAM reduces the risk of privileged access by former third party employees or by people who no longer require access. For example, if a third party employee was assigned to your account, he or she might need privileged access to one of your applications. However, if the outsourcing vendor switches that employee to a different account, he or she will not need (and should not have) privileged access to your systems.

PAM Tools to Address Third Party Application Maintenance Risks

The WALLIX Bastion provides a comprehensive PAM solution that addresses the risks posed by third party application maintenance personnel. It achieves this goal by enabling pervasive, sustainable deployment across cloud and on-premises infrastructure. Bastion sets up a single gateway with single sign-on for access by system admins, regardless of their location or corporate affiliation.

With WALLIX, you can define and enforce access policies for all in-house and outsourced admins as well as for the employees who need system access. It works for systems in the public cloud, private cloud, hybrid cloud and on-premises environments. The Bastion also supports security controls over third parties by precluding privileged users from having or needing local/direct system passwords. This reduces the risk of manual system overrides, which can be an issue if the third party has access to the physical hardware running the applications.

WALLIX offers several components that each play a role in mitigating third party access risks and adapt according to business needs.

With the Bastion PRO offer featuring WALLIX Bastion’s key component, the Session Manager, companies can monitor privileged users’ session activity in real time in order to manage access and provide a comprehensive audit trail. The tool can be configured to intervene automatically when user access policies are breached. By assigning each access to an actual identity, the Session Manager ensures that all users are accountable for their actions. Then, by creating an unalterable audit trail for any privileged operation, WALLIX speeds up the process of interpreting what might have gone wrong in an incident.
The Bastion Enterprise offer allows larger companies to monitor all access and sessions operating on various systems from one single centralized view thanks to the Access Manager component. In addition to letting users connect to resources with a single click and from any device without the need to install remote access tools, this “One-Click” portal simplifies granting system access to contractors and third-party vendors. It also features a a secure and certified Password Vault storing, encrypting, and periodically rotating all passwords.

The WALLIX solution features an agent-less architecture allowing users to connect through native RDP and SSH clients. This approach eliminates the risk that changes in protected systems will require extensive revamping of the PAM solution. In contrast, many other PAM solutions require a dedicated software agent on each administered device or workstation. Dedicated agents can delay PAM implementation and create difficulties when applications get upgraded.

Want to know more? Ask for a free trial or contact us for more information.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
__hstc	1 year 24 days	This cookie is set by Hubspot and is used for tracking visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
hubspotutk	1 year 24 days	This cookie is used by HubSpot to keep track of the visitors to the website. This cookie is passed to Hubspot on form submission and used when deduplicating contacts.
trackalyzer	1 year	This cookie is used by Leadlander. The cookie is used to analyse the website visitors and monitor traffic patterns.

Cookie	Duration	Description
__hssc	30 minutes	This cookie is set by HubSpot. The purpose of the cookie is to keep track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp.
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
messagesUtk	1 year 24 days	This cookie is set by hubspot. This cookie is used to recognize the user who have chatted using the messages tool. This cookies is stored if the user leaves before they are added as a contact. If the returning user visits again with this cookie on the browser, the chat history with the user will be loaded.

Cookie	Duration	Description
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.
__hssrc	session	This cookie is set by Hubspot. According to their documentation, whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_gat_UA-12183334-1	1 minute	No description
AnalyticsSyncHistory	1 month	No description
CONSENT	16 years 9 months 23 days 12 hours 13 minutes	No description
UserMatchHistory	1 month	Linkedin - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.
wp-wpml_current_language	1 day	No description

PAM and Third Party App Maintenance

Understanding Third-Party Application Maintenance

Security and Compliance Issues with Third Party App Maintenance

The Role of PAM in Third Party Application Maintenance

PAM Tools to Address Third Party Application Maintenance Risks

Changes in NYDFS Cybersecurity Regulations 23 NYCRR 500

How can we combat threats linked to privileged users?

Related Blogs

Related Resources

Products

Solutions

Resources

About