Don’t Leave Your Keys Exposed: Focusing on Access Control

Featured article by Matthew McKenna, chief commercial officer, SSH Communications Security

Access is the fundamental pillar that determines whether critical enterprise assets are safe or exposed. Being able to properly control access means the difference between a breach and brand reputation.

These days, access is about more than just network passwords. It extends well beyond the borders of the enterprise. Global supply chains are increasingly complex. The global supply chain is intertwined intimately, and it doesn’t seem it will unravel itself anytime soon.

It’s a challenge to manage access to clouds and their various flavors, along with their network infrastructure, applications and data. And in doing so, third parties become more and more critical to help deploy, control and maintain this transforming and fluid IT landscape.

In addition to the need for employees and contractors to gain access to machines to undertake their daily operational activities, access also includes machines talking to other machines in an automated fashion and the underlying content of those interactions.

However, despite the prevalence of machine-to-machine communication throughout network environments today, organizations often treat managing third-party access as an afterthought in terms of overall security strategies and postures. However, the data would suggest that this topic warrants more attention:

– Only 44 percent of organizationsthis year, compared to 54 percent last year, vet the security of third-party providers and others in their IT supply chain

– 70 percent of enterprises enter into contracts with vendors without having conducted any security checks

– 92 percent of enterprises don’t have any supply chain risk management capabilities in place

– 60 percent of organizations allow third-party vendors remote access to internal networks

– 58 percent of organizations have no confidence that their vendors are securing and monitoring privileged access to their network

– 63 percent of data breaches are caused by security vulnerabilities introduced by third parties

What happens all too often is that each party expects the other to take the primary responsibility for ensuring the security of the access. This is a significant

challenge to decreasing third-party risk exposure In reality, like any healthy relationship, security results from the equal, continuous, committed effort of both parties.

Fortunately, the data show that it is less complicated to address this challenge than it may at first appear. Basic measures put in place around people, processes and technology can help organizations decrease their risk exposure significantly.

These measures include:

– Limit on-premise and cloud infrastructures access and perform inspection of encrypted traffic for both interactive and machine-to-machine connections in tandem with existing DLP, IPS and IDS toolsets. An identifiable bridge between privileged access and data loss prevention should be traceable.

– Build in gateway or chokepoint structures through which privileged access to critical infrastructure is channeled. VPN access followed by a jump server is not a sufficient control channel. Again: auditing, monitoring and control of privileged encrypted sessions and data transfers should be supported in tandem with two-factor authentication mechanisms.

– Make sure that key usage can be monitored, key-based authentication for third parties is controlled on a time basis and—for longer-term engagements—keys can be rotated on a periodic basis. Be able to identify through IP source restrictions whether a key is accessing infrastructure from a non-authorized location.

– Engage with service providers, suppliers and vendors to create contractual obligations that ensure the vendor can control, monitor and audit their third-party access and verify why the access is required. Taking this one step further, enterprises should be able to enforce the same upon their own third-party access to their own IT ecosystem.

In a world where 63 percent of data breaches are introduced by third-party access, organizations need to introduce dedicated mechanisms at a people, process and technology level to reduce risk. The continuing growth of third-party access and the security concerns over the global supply chain means that access will continue to be a major concern and one that is at the forefront rather than an afterthought of a comprehensive security strategy.

Chief Commercial Officer

Matthew McKenna brings over 10 years of high technology sales, marketing and management experience to SSH Communications Security and is responsible for all revenue-generating operations. His expertise in strategically delivering technology solutions that anticipate the marketplace has helped the company become a market leader.

Prior to joining the company, Matthew served as a member of the executive management team of ADP Dealer Services Nordic and Automaster Oy, where he was responsible for international channel operations and manufacturer relations. In addition, he was responsible for key accounts including Mercedes Benz, General Motors, and Scania CV. Before this, Matthew played professional soccer in Germany and Finland.

Matthew holds a Bachelor of Arts degree in German from the University of South Carolina and an MBA from the Helsinki School of Economics and Business Administration.