PAM and Third Party App Maintenance
Organizations are increasingly outsourcing the maintenance of applications to third parties. Providers range from global firms such as IBM and HPE to smaller specialized firms and cloud service providers. There is much to like about having someone else maintain your applications: it is often less expensive than handling the workload with in-house staff, and you no longer have to worry about retaining (or losing) application skillsets in your IT department.
Outsourcing does expose you to a number of security and compliance risks, however. This article looks at how third party application maintenance works, how it affects security, and how Privileged Access Management (PAM) can be an effective countermeasure to mitigate third party application maintenance risks.
Understanding Third-Party Application Maintenance
Applications don’t like to be alone. Like an infant, a software application needs people around – often round-the-clock – to make sure it is working properly. For many organizations, hiring an outside firm to maintain an application is growing in appeal. As Figure 1 shows, companies worldwide spent $106 billion on third-party application maintenance in 2016, up from $97 billion in 2013.
Figure 1 – Growth of third party application maintenance as part of the broader IT outsourcing trend. Source (Statista)
Outsourcing application maintenance can help redirect IT personnel to work that is more business-facing and less administrative. The outsource firm usually has specialists on staff with deep expertise on the application. They can handle patches, upgrades, and troubleshooting so your people don’t have to.
Business models vary, but most third party application maintenance is delivered in one of the following ways:
- Through an offsite third party firm – In this scenario, the provider (e.g. a firm like IBM or HPE) maintains the application from a remote location by accessing back-end administrative interfaces over networks. The third party vendor’s employees may be in a different country, such as India.
- Through a third party on-site (i.e. “insourcing”) – Here, employees of the third party actually work on your premises. In some cases, they even have corporate email addresses and ID badges that make them appear to be employees of your organization.
- Through the staff of an application service provider (e.g. SaaS or PaaS) – For organizations that outsource applications such as email or customer relationship management (CRM), employees of the application service provider may be involved in maintaining the application for you.
Security and Compliance Issues with Third Party App Maintenance
Application outsourcing creates risk exposure along several dimensions. For a start, simply making administrative interfaces reachable from external networks enlarges the attack surface. Then there is the risk inherent in granting privileged access to employees of third party firms. Privileged users are administrators who can access the back end of an application: they can create, modify or delete user accounts, reconfigure the application, and read the data it stores. In some cases they can override security settings and erase the evidence that they ever had access at all.
Granting privileged (administrative) access to external non-employee users exposes you to the threat of unauthorized or improper access. Specifically:
- A third party employee may accidentally or maliciously cause an outage or a data breach.
- A malicious actor could gain access to the third party firm’s network and pose as an employee in order to improperly access your application.
- A former employee of a third party firm may retain access rights to your application through a deficiency in the third party firm’s controls.
The impacts of these threat scenarios can be serious. A major security incident, outage or data breach is possible, with the added challenge of not being sure who was involved. A seemingly routine login by a third party can be the first step in a serious incident. From a compliance perspective, not knowing who is accessing confidential data or modifying financial controls is highly problematic.
The Role of PAM in Third Party Application Maintenance
PAM consists of the processes and tools to ensure that only administrators with proper access rights can log into back-end systems. An effective PAM solution provides a secure and streamlined way to authorize, monitor, and control the activities of all privileged users. This should include third party administrators.
A PAM solution centrally manages access across heterogeneous systems, enforcing policies that prevent privileged third party users from bypassing security controls. It grants privileges to users only on the systems for which they are authorized. Access is granted only when it is needed, and revoked when the need expires.
PAM reduces the risk of privileged access by former third party employees or by people who no longer require access. For example, if a third party employee was assigned to your account, he or she might need privileged access to one of your applications. However, if the outsourcing vendor switches that employee to a different account, he or she will not need (and should not have) privileged access to your systems.
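The policy logic described in this section (grants scoped to one named person and one system, time-boxed so they lapse on their own, revoked at once when the vendor reassigns the engineer, and every decision written to an identity-attributed, tamper-evident audit trail) is shown below as an added illustration. It is not WALLIX code or any product's implementation; the users, systems and timestamps are constructed, and the hash-chained log is one generic way to make a trail tamper-evident, not any product's format.

```python
"""Added illustration, not WALLIX code: a minimal model of PAM policy logic.
Grants are per-person and per-system, expire on their own, are revoked when
the engineer is reassigned, and every decision is hash-chained in an audit
trail.  All users, systems and times are constructed for the example."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    user: str        # an individual identity, never a shared vendor account
    system: str      # the single target system this grant covers
    role: str        # privilege level on that system, e.g. "app-admin"
    starts: datetime
    expires: datetime
    revoked: bool = False


class PamPolicy:
    """Authorization, revocation and audit for privileged (incl. third-party) access."""

    def __init__(self) -> None:
        self.grants: list[Grant] = []
        self.audit: list[dict] = []

    def grant(self, user: str, system: str, role: str,
              starts: datetime, duration: timedelta) -> Grant:
        """Time-boxed, system-scoped grant: access only while it is needed."""
        g = Grant(user, system, role, starts, starts + duration)
        self.grants.append(g)
        self._record("grant", user, system, role=role, expires=g.expires.isoformat())
        return g

    def revoke_user(self, user: str, reason: str) -> int:
        """Pull every grant for one person, e.g. when the vendor moves them elsewhere."""
        hit = 0
        for g in self.grants:
            if g.user == user and not g.revoked:
                g.revoked = True
                hit += 1
        self._record("revoke", user, "*", reason=reason, grants_revoked=hit)
        return hit

    def authorize(self, user: str, system: str, at: datetime) -> str | None:
        """Return the granted role if access is permitted at time `at`, else None."""
        for g in self.grants:
            if (g.user, g.system) == (user, system) and not g.revoked \
                    and g.starts <= at < g.expires:
                self._record("allow", user, system, role=g.role, at=at.isoformat())
                return g.role
        self._record("deny", user, system, at=at.isoformat())
        return None

    def _record(self, event: str, user: str, system: str, **details) -> None:
        """Append an entry whose hash also covers the previous entry's hash."""
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"event": event, "user": user, "system": system, "prev": prev, **details}
        entry["hash"] = self._digest(entry)
        self.audit.append(entry)

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify_audit(self) -> bool:
        """Recompute the chain; False if any entry was edited, removed or reordered."""
        prev = "0" * 64
        for entry in self.audit:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo() -> dict:
    """Walk a vendor engineer through grant, expiry, reassignment and audit checks."""
    policy = PamPolicy()
    eng = "a.engineer@vendor.example"          # constructed identity
    t0 = datetime(2024, 1, 8, 9, 0, tzinfo=timezone.utc)
    policy.grant(eng, "erp-app-01", "app-admin", starts=t0, duration=timedelta(hours=4))
    result = {
        "during_window": policy.authorize(eng, "erp-app-01", t0 + timedelta(hours=1)),
        "other_system": policy.authorize(eng, "hr-db-02", t0 + timedelta(hours=1)),
        "after_expiry": policy.authorize(eng, "erp-app-01", t0 + timedelta(hours=5)),
    }
    t1 = t0 + timedelta(days=1)               # fresh grant next day, then reassignment
    policy.grant(eng, "erp-app-01", "app-admin", starts=t1, duration=timedelta(hours=4))
    result["grants_revoked"] = policy.revoke_user(eng, "reassigned to another customer")
    result["after_revoke"] = policy.authorize(eng, "erp-app-01", t1 + timedelta(hours=1))
    result["audit_intact"] = policy.verify_audit()
    policy.audit[1]["user"] = "someone.else"  # simulate tampering with the trail
    result["audit_after_tamper"] = policy.verify_audit()
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to a real deployment: a deny is recorded just like an allow, because a failed attempt by a reassigned engineer is exactly the signal the compliance question in this article asks for, and every entry names an individual rather than the vendor's shared account, so the trail answers "who" and not just "which firm".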
PAM Tools to Address Third Party Application Maintenance Risks
The WALLIX Bastion provides a comprehensive PAM solution that addresses the risks posed by third party application maintenance personnel. It achieves this goal by enabling pervasive, sustainable deployment across cloud and on-premises infrastructure. Bastion sets up a single gateway with single sign-on for access by system admins, regardless of their location or corporate affiliation.
With WALLIX, you can define and enforce access policies for all in-house and outsourced admins as well as for the employees who need system access. It works for systems in the public cloud, private cloud, hybrid cloud and on-premises environments. The Bastion also supports security controls over third parties by precluding privileged users from having or needing local/direct system passwords. This reduces the risk of manual system overrides, which can be an issue if the third party has access to the physical hardware running the applications. Note that withholding local passwords governs logical access only; console and physical access to the hardware still need their own controls.
WALLIX offers several components that each play a role in mitigating third party access risks and adapt according to business needs.
- With the Bastion PRO offer featuring WALLIX Bastion’s key component, the Session Manager, companies can monitor privileged users’ session activity in real time in order to manage access and provide a comprehensive audit trail. The tool can be configured to intervene automatically when user access policies are breached. By assigning each access to an actual identity, the Session Manager ensures that all users are accountable for their actions. Then, by creating an unalterable audit trail for any privileged operation, WALLIX speeds up the process of interpreting what might have gone wrong in an incident.
- The Bastion Enterprise offer allows larger companies to monitor all access and sessions on various systems from a single centralized view thanks to the Access Manager component. In addition to letting users connect to resources with a single click and from any device without the need to install remote access tools, this “One-Click” portal simplifies granting system access to contractors and third-party vendors. It also features a secure and certified Password Vault storing, encrypting, and periodically rotating all passwords.
The WALLIX solution features an agent-less architecture allowing users to connect through native RDP and SSH clients. This approach reduces the risk that changes to protected systems will require extensive rework of the PAM deployment. In contrast, many other PAM solutions require a dedicated software agent on each administered device or workstation. Dedicated agents can delay PAM implementation and create difficulties when applications get upgraded.