Today’s workforce is undergoing a transformation, expanding to include a growing number of contractors, partners and service providers. This is especially true in the IT space, where contractors can add much-needed skills to in-house staff without the cost of a permanent hire. This type of outsourcing continues to be on the rise despite high-profile security incidents. Although the 2013 Target and NSA breaches grabbed a lot of headlines and may be the examples the industry most remembers, organizations like the University of Maryland and the State of Georgia have had breaches that were the result of “temporary” contractor access that resulted in the loss of millions of Social Security numbers, among other personal information.
So why is the trend continuing despite the evident risk? The truth is that businesses don’t really have the luxury of asking, “can we afford the risk of a contractor?” Business operations that must respond to bursting demand and the financial realities of maintaining a flexible workforce dictate the importance of contract help. So, rather than reducing the number of outside hires, IT and security teams are asked to find a way to mitigate the risk.
Contractors represent a unique business challenge for IT and security teams. These individuals have contracts with a defined lifespan, so there is a need to ensure that they are as productive as possible as soon as possible, and that the contractors stay productive. A substantial roadblock to productivity is granting them access to necessary applications and resources, which in many cases house sensitive information. Even when contractor access is for pedestrian purposes, if that access is unintentionally too broad, it can be abused. And the most honest contractor can present a greater risk if they are less protective of privileges than employees. The fundamental business challenge is how to ensure that these temporary workers become productive quickly without increasing risk.
What causes contractor risk?
Truth is, contractors themselves aren’t the only source of risk. In fact, many organizations have unintentionally built risk into the process of provisioning identity and access across the organization.
Here are a few common drivers of incremental risk:
– Over-credentialing: It is often difficult or time consuming to grant granular access to specific systems, and much easier to give blanket access to all systems. That makes stolen or misused credentials even more dangerous because of the extent of what can be done with them.
– Human error: The person requesting the access (the business sponsor) often isn’t the one who creates the access credentials. When there is a handoff, it is possible that the party responsible for granting access could misunderstand what is required, over-provision an individual and inadvertently increase business risk. Further, many systems rely on manual processes that introduce the possibility of human error.
– Bypassing processes: It is easy for the proper process to get circumvented, especially if it is time consuming. When time becomes an issue—whether because of other responsibilities or a high volume of provisioning requests—people take shortcuts. If the system allows for it, standard process will be ignored whenever expediency dictates.
It’s important to note that the risk isn’t just from granting access—it is also from not revoking it. Credentials generally remain active until turned off, and many organizations don’t have a formal process to do so. As a result, not only might contractors have access to too many things; they may also have it for far longer than needed.
Another problem is that once the credentials have been applied, they can be used for any purpose. Usually this happens because the credentials aren’t tied to a specific function. Access may be granted to the system, but there’s nothing in place to indicate what the user should be doing with that access. So there’s no “proper” usage standard against which to check. Even with a SIEM system in place, logged events don’t stand out because they frequently lack context.
Risk isn’t exclusively tied to breaches either. Especially in regulated industries, organizations must demonstrate proper governance – access certification for anyone with access rights to sensitive information. But if processes can be bypassed, proving compliance becomes difficult or impossible.
Further complicating matters, identity and access rights may not be centralized. That means the process of granting access must be replicated across cloud, physical and virtual environments. The bottom line is that businesses are often (unintentionally) responsible for creating the very situations that can be exploited through contractor access because expediency trumps risk management.
Addressing contractor access while minimizing risk
There are a range of solutions in the market that can help you minimize contractor access risk. Choosing the right one for your organization may seem like a daunting task. Here are a few things that you should look for when evaluating solutions:
– Ease of use: If the system is easy for everyone to use, it is less likely to be circumvented:
o Business sponsors (those who understand specifically what level of access is required) should be able to request access in an interface designed specifically for them.
o Access requests should be easy to define and limit at a granular level.
o Provisioning should happen with as little human intervention as possible, and should happen immediately.
o Access privileges should be very easy to turn off and/or they should be time bound.
– Comprehensiveness: The tool should work for all of the environments and systems you use in your organization (cloud software platforms, network access, on-premises tools) and apply consistent rules to each of those disparate environments.
– Reporting capabilities: For visibility and governance purposes, make sure the solution includes robust tracking and certification of access privileges, including when the access was granted, and by whom.
– Identity-based activity tracking: Provide identity-tracking capabilities, so that it is easy to see what is being done with credentials that have been issued. These tracking capabilities should also link to some kind of real-time alarm or notification system in the event that risky behavior is detected.
For most organizations, contractors and service providers are essential to maintain business operations. As the number of non-standard employees accessing critical systems continues to rise, your organization must rise to the access and risk challenge they pose.
By Travis Greene, NetIQ Identity and Access Solutions Strategist
About NetIQ
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.