Keeping the Rogue Vendors Out
- By Jeffrey Kok, CyberArk
- November 10, 2019
To secure valuable company information and protect personal data, organizations have tried various types of authentication. In Southeast Asia, governments and the financial services industry have primarily led the charge in introducing methods of authentication for citizens and customers that are more difficult for hackers to infiltrate and compromise.
Additionally, following recent data breach cases, Singapore's Public Sector Data Security Review Committee will release a final report setting out a common framework that the entire public sector must follow to safeguard citizens' personal data. This framework will include ways to manage third-party vendors better.
Benefits of Using a Third-party Vendor
For local companies, there is a clear benefit in contracting with third-party vendors to manage critical operations and systems: it lets them focus on the core competencies that generate revenue and enhance their competitiveness in the economy.
However, similar to public-facing systems, extending access to vendors operating remotely comes with significant risk. Not only does it further break down the traditional IT perimeter, but it also introduces the new challenge of ensuring that these vendors have access to the exact systems they need only when they need it.
This is where biometric authentication, in the form of fingerprint readers, facial recognition systems, and retinal scanners, for example, can provide a more secure way for users to log into systems.
3 Ways of Authenticating Vendors
To understand the ways that biometric authentication can improve the security of remote access for vendors, let's first take a look at how companies are providing access today. At a high level, authentication typically takes three forms:
- Something you know, like a secret word or a username and password combination.
- Something you have, like a smartphone or name badge.
- Something you are, like a fingerprint or retina scan.
Organizations often track who is accessing which systems or assets within their environment using only the first of these steps.
Only when every remote vendor user is identified and authenticated can the process of granting (and removing) access begin. Relying on manual processes to provision and de-provision access for remote vendors is far from foolproof and introduces several potential issues.
Gaps in Processes for Authorizing Remote Vendors
Remote vendors are contracted for specific periods and are typically not part of the organization's Active Directory or other directory services. Vendors also usually need access to only a particular subset of systems, for a period determined by the length of the contract with the organization or the number of sessions it takes to complete their tasks.
Manual processes such as these often lead to problems such as over-extending access, which gives vendors access to systems they don't need; under-extending access, which makes it difficult for the vendor to do their job properly; and leaving unnecessary standing access in place for the vendor long after the relationship has ended.
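The three gaps above (over-extension, under-extension, and standing access after the contract ends) are easiest to see against a policy that is time-boxed and session-capped by construction. The following is an added example, not CyberArk code or the framework the article refers to: a small Python model of a vendor access policy in which each grant names one vendor, one system, an engagement window and a session budget, and expired grants are removed automatically. The vendor name `acme-support`, the systems `billing-db` and `hr-db`, and the dates are constructed for illustration.

```python
"""Time-boxed, session-capped access grants for remote vendors.

Added example (not CyberArk code). Vendor names, systems and dates
below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AccessGrant:
    vendor: str            # vendor account; not a member of the corporate directory
    system: str            # the single target system this grant covers
    not_before: datetime   # start of the engagement window
    not_after: datetime    # contract end: access must not outlive this
    max_sessions: int      # number of sessions the task is expected to take


@dataclass
class VendorAccessPolicy:
    """Evaluates vendor access requests and de-provisions expired grants."""
    grants: list[AccessGrant] = field(default_factory=list)
    sessions_used: dict[tuple[str, str], int] = field(default_factory=dict)

    def grant(self, vendor, system, start, days, max_sessions):
        """Provision access to one system for a bounded window and session count."""
        g = AccessGrant(vendor, system, start, start + timedelta(days=days), max_sessions)
        self.grants.append(g)
        return g

    def authorize(self, vendor, system, now):
        """Return (allowed, reason); every denial names the gap it closes."""
        matching = [g for g in self.grants if g.vendor == vendor and g.system == system]
        if not matching:
            # Either scope was never extended, or the vendor is reaching beyond it.
            return False, "no grant for this system"
        active = [g for g in matching if g.not_before <= now <= g.not_after]
        if not active:
            # Outside the engagement: this is where standing access would creep in.
            return False, "outside grant window"
        g = active[0]
        key = (vendor, system)
        used = self.sessions_used.get(key, 0)
        if used >= g.max_sessions:
            return False, "session budget exhausted"
        self.sessions_used[key] = used + 1
        return True, "ok"

    def standing_access(self, now):
        """Grants that have outlived their window but are still on the books."""
        return [g for g in self.grants if now > g.not_after]

    def prune(self, now):
        """Automatic de-provisioning: drop expired grants and report how many."""
        stale = self.standing_access(now)
        self.grants = [g for g in self.grants if g not in stale]
        return len(stale)


def walkthrough():
    """Constructed scenario: a seven-day, two-session engagement on one system."""
    start = datetime(2019, 11, 1, tzinfo=timezone.utc)

    def day(n):
        return start + timedelta(days=n)

    policy = VendorAccessPolicy()
    policy.grant("acme-support", "billing-db", start, days=7, max_sessions=2)
    decisions = [
        policy.authorize("acme-support", "billing-db", day(1)),  # first session
        policy.authorize("acme-support", "hr-db", day(1)),       # out of scope
        policy.authorize("acme-support", "billing-db", day(2)),  # second session
        policy.authorize("acme-support", "billing-db", day(3)),  # budget used up
        policy.authorize("acme-support", "billing-db", day(8)),  # contract over
    ]
    leftover = len(policy.standing_access(day(8)))  # flagged before removal
    removed = policy.prune(day(8))                   # automatic removal
    return decisions, leftover, removed, len(policy.grants)


if __name__ == "__main__":
    for item in walkthrough():
        print(item)
```

Running `walkthrough()` shows the first two sessions on `billing-db` allowed, the request for `hr-db` refused because no grant was ever extended, the third session refused once the budget is spent, and the day-eight request refused because the window has closed; `standing_access` then reports the one grant that would otherwise linger, and `prune` removes it. In a real deployment the grant window and session budget would come from the contract record and the decision would be logged with its reason, so that every over-extension attempt is visible rather than silently succeeding.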
Bring-your-own-device policies have also become the norm for remote access. However, IT teams need a way to ensure that these devices are secure even when accessing critical systems from afar. Zero Trust security frameworks focus security policies and access controls on the user and device identity, rather than on network location.
Access methods based on "something you know" and "something you have" come with inherent blind spots. Cyber attackers have a long history of cracking weak or loosely protected passwords. Additionally, portable devices such as phones and corporate laptops can be lost or stolen, and the one-time codes delivered to them can be intercepted, so possession alone is a weak guarantee.
A New Way of Authenticating Through Biometrics
As a result, organizations need new ways to secure their most sensitive internal systems. People lose their devices or re-use passwords more often than we care to admit. A fingerprint or a retina scan, by contrast, can close those avenues of attack and improve security while also making for a smoother process for the end-user.
Introducing biometric authentication allows organizations to provide vendors with a stronger, more convenient method of confirming their identities. However, managing it can be a lot of work, as most of the common methods require establishing back-end policies and strategies to ensure that users are only accessing the systems they need for their jobs. Until recently, there wasn't a good solution to this problem.
Biometric authentication is particularly suited to Zero Trust security frameworks for the same reason that it is ideal for authenticating remote vendors: a biometric cannot be forgotten, lent to a colleague, or guessed the way a password can. It is not a secret, though, and a compromised fingerprint template cannot be reissued the way a password can, so the match should be performed on the user's device or authenticator and the back end should store only the resulting credential, never raw biometric data. Combining biometric authentication with a robust back-end solution in this way empowers organizations to automatically provide and remove the appropriate access for remote vendors as needed.
Jeffrey Kok, vice president, Solution Engineer, Asia Pacific and Japan, CyberArk, wrote this article.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.