
Secure System Access

TL;DR

Reduce risks from third parties by limiting their access to only what they absolutely need, regularly reviewing those permissions, and monitoring for unusual activity. Use strong authentication methods.

1. Understand Third-Party Access

First, identify all third parties with any access to your systems. This includes vendors, contractors, cloud service providers, and anyone else who isn’t a direct employee.

  • Create an Inventory: List each third party, what systems they access, and the reason for access.
  • Access Types: Note how they access your systems (e.g., VPN, remote desktop, API keys, dedicated accounts).

2. Principle of Least Privilege

Give each third party the minimum level of access required to perform their job – and nothing more. This is crucial.

  1. Review Existing Permissions: For each third party, carefully examine what they can currently do.
  2. Reduce Access: Remove any unnecessary permissions. If they only need read-only access to a specific database table, don’t give them write access or admin rights.
  3. Dedicated Accounts: Use separate accounts for each third party instead of sharing credentials.

3. Strong Authentication

Protect access with robust authentication methods.

  • Multi-Factor Authentication (MFA): Implement MFA wherever possible. This adds an extra layer of security beyond just a password.
  • Strong Passwords: Enforce strong, unique passwords for all third-party accounts. Consider using a password manager.
  • Regular Password Changes: While debated, periodic password resets can be helpful in some situations (e.g., after a security incident).

4. Access Control and Monitoring

Control who has access and keep an eye on what they’re doing.

  1. Role-Based Access Control (RBAC): Group permissions into roles, then assign third parties to those roles. This simplifies management.
  2. Logging & Auditing: Enable detailed logging of all third-party access activity. Regularly review these logs for suspicious behaviour. For example, in Linux:
    sudo auditctl -w /path/to/sensitive/file -p rwa -k third_party_access
  3. Alerting: Set up alerts to notify you of unusual activity (e.g., access outside normal business hours, large data downloads).
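As an added example (not part of the original post), the log review and alerting in items 2 and 3 above can be automated. The script below assumes a hypothetical third-party inventory (accounts, expected source addresses and business hours) and runs over constructed sshd-style authentication log lines, flagging logins outside a third party's business hours or from an address not recorded for them.

```python
import re

# Constructed sample lines in sshd / auth.log style (not taken from any real system).
SAMPLE_LOG = """\
Mar 12 09:15:02 host sshd[1201]: Accepted publickey for vendor-acme from 203.0.113.5 port 51234 ssh2
Mar 12 14:40:11 host sshd[1322]: Accepted password for contractor-bob from 198.51.100.7 port 40122 ssh2
Mar 12 23:05:44 host sshd[1410]: Accepted publickey for vendor-acme from 203.0.113.5 port 52010 ssh2
Mar 13 03:12:09 host sshd[1502]: Accepted publickey for vendor-acme from 192.0.2.99 port 43321 ssh2
Mar 13 10:02:30 host sshd[1603]: Accepted publickey for alice from 10.0.0.12 port 60001 ssh2
"""

# Hypothetical inventory from section 1: dedicated account -> expected sources and hours (24h, end exclusive).
THIRD_PARTIES = {
    "vendor-acme": {"sources": {"203.0.113.5"}, "hours": (8, 18)},
    "contractor-bob": {"sources": {"198.51.100.7"}, "hours": (9, 17)},
}

# Matches successful sshd logins: captures date, hour, minute, account and source address.
LOGIN_RE = re.compile(
    r"^(\w{3}\s+\d+) (\d{2}):(\d{2}):\d{2} \S+ sshd\[\d+\]: "
    r"Accepted \w+ for (\S+) from (\S+) port"
)


def review_third_party_logins(log_text, inventory=THIRD_PARTIES):
    """Return a list of (account, timestamp, source, reason) findings for third-party logins."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # not a successful login line
        day, hour, minute, account, source = m.groups()
        policy = inventory.get(account)
        if policy is None:
            continue  # employee or other account; out of scope for this review
        stamp = f"{day} {hour}:{minute}"
        start, end = policy["hours"]
        if not (start <= int(hour) < end):
            findings.append((account, stamp, source, "login outside business hours"))
        if source not in policy["sources"]:
            findings.append((account, stamp, source, "login from unexpected source address"))
    return findings


if __name__ == "__main__":
    for account, stamp, source, reason in review_third_party_logins(SAMPLE_LOG):
        print(f"ALERT {stamp} {account} from {source}: {reason}")
```

In practice the inventory would be loaded from the register built in section 1 and the findings pushed to whatever alerting channel the team already uses.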

5. Regular Reviews

Access needs change over time. Don’t set it and forget it.

  • Periodic Access Recertification: At least every six months (or more frequently for high-risk systems), review each third party’s access to ensure it’s still necessary.
  • Offboarding Process: When a third-party relationship ends, immediately revoke all their access. Don’t just disable the account; delete it if possible.

6. Contractual Requirements

Your contracts with third parties should include security requirements.

  • Security Standards: Specify the security standards they must meet (e.g., ISO 27001, SOC 2).
  • Incident Reporting: Require them to report any security incidents promptly.
  • Audit Rights: Include clauses allowing you to audit their security practices.

7. Cyber Security Awareness Training

Ensure third parties understand your cyber security policies.

  • Training Materials: Provide training on topics like phishing, malware, and data protection.
  • Policy Acknowledgement: Require them to acknowledge that they have read and understood your security policies.