A side effect of digital integration is the growing use of external service providers. The process seems natural, because today’s IT tasks are so complex that organisations work more efficient by outsourcing certain tasks. Also, new solutions are quicker deployed and better managed, if external know-how can be provided. But there are dark clouds out there. 

How to manage IT contractors' risks

Last year’s attack against the German Bundestag demonstrates the challenges with the aftermath of a breach. The trace of the attackers got lost in between the many actors involved, including several external parties. The people behind remain still unknown, even their target was heavily guarded. Until today, no one knows what was the goal of the attack.

IT operations staff cannot manage service providers accesses all the time manually  

 
According to the recent Information Security Breaches Survey by PWC 82 per cent of businesses employ some form of external providers and outsource business tasks. Also, 90 per cent of all organisations admit they suffered some kind of incident last year. Surprising is the fact that 48 per cent of the breaches came due human error and 17 per cent have been caused by deliberate miss use of systems through humans. The biggest threats are not external malware attacks, but rather actions taken inside an organisation´s network.

Digital integration does not only affect the day-to-day routine at work or in private. It changes the importance of human resources in companies, too. The staff turnover is higher and service providers often have their people in other parts of the world – credibility and integrity is more difficult to prove. Same time, several people often share accounts to access resources.

IT administrators have to provide access right to users and still have to meet different compliance rules, usually very specific for each industry. The amount of admins and super users is growing as well. Separate admins for windows environments and virtual platforms, SAP super users or DBAs for the database systems are just a few examples that more and more lie in the hands of service providers.

Misbehaviour and mistakes with such privileged accounts can severely harm organisations, but IT departments do not have the personal resources to monitor all actors, especially if they are employed by a third party. Micro-management of every single user is time consuming and inefficient. With a growing amount of devices and a heterogenic group of users, administrators need solutions to manage access rights. On the other hand employees need access right in time, because without access to cooperate resources people simply cannot work. This is especially true for service providers, which are usually hired for a limited time or for special tasks only.

Underestimated Privileged Users Risk Management

Different analysts find the problem in Germany. KuppingerCole sees a lack of life-cycle management for privileged users and also the danger of password leaks, when people leave an organisation or contract periods end. If not concerned, this leads to guaranteed fail with compliance rules, because it cannot be seen, who is actually using the administration account and what actions she or he is performing through their session. Security architectures must clarify the accountability of sessions for each user.

 A survey among 400 IT administrators provides another argument for new ways of managing access right. 74 per cent of all administrators argued that they easily could circumvent security measures in their current workspace and access confidential and sensitive data. If you imagine admins working for a service provider with shared accounts, the number of people that could steal data is very high. People with access credentials could use them simply to transfer data to their new employer, if their access is not managed in time and they change their job. It is quite common that access rights remain active, even when people have left an organisation long ago.

Privileged Access Management controls third-parties access

To reduce the efforts of admins and security departments the best-practice solution should come out-of-the box with a minimum of intervention necessary. This means minimal efforts for implementation and integration into an existing security concept. It needs a solution for Privileged User and Access management (PAM) that is able to include application onboarding, maintenance and offboarding. To cover the full life-cycle it has to start with initial integration into the system, then include all changes during the life-time and end with the system-removal after decommissioning.

Service providers in IT are crucial for their customer organizations. The global impact of digitalisation will lead to further virtualisation of workspace and business tasks. This is an important base and a starting point for service providers, because here they can create added value for their customers and show their potential in terms of innovation. Hence, the amount of providers will grow, but there is also a need for new ways of protection.

Other IT security tools are made to harden systems and networks. PAM is not focused on protecting software and hardware, but rather on human actions. It provides the right mix between protection of privacy rights and threat prevention. Regular workflow is not monitored, but in case of unusual behaviour IT departments can react quickly and take actions like limiting or blocking access. In case of an incident the culprit is forced to leave traces and can be found. Trust into service providers is important, but companies need the ability to manage access rights. The inside threat is real and companies need to be aware of actions taken by there privileged users.