Securing third-party and contractor remote access requires focusing on the browser
Menlo Security Inc.
Menlo Security makes every browser an enterprise browser.
Digital transformation is making the business world more open, more distributed, and more interconnected than ever before. Critical processes from product delivery to customer support are now outsourced to vendors, contractors, service providers, and suppliers. These third parties must access critical systems safely to keep processes moving and deliver seamless customer experiences.
While this distributed business model has created a lot of efficiencies and innovation, it has also introduced more risk to organizations. Malicious actors now have yet another threat vector to target as a way of breaching enterprise networks, and going through a partner that is perhaps less savvy than the ultimate target presents an opportunity to bypass traditional cybersecurity solutions.
Blocking third parties from accessing applications and data is obviously not feasible. Organizations need to find a way to provide secure application access to both partners and contractors – even if these third parties themselves are not secure.
Targeting enterprises through partners and contractors
Some attacks, including those known as “supply chain” attacks, attempt to breach the intended target’s infrastructure through third-party partners or contractors. While that term is typically used to describe incidents involving larger firms, such as the SolarWinds Orion attack, it is also possible that an individual contractor could cause the same sort of damage, or that the contractor was actually employed by a partner firm.
For example, imagine an attacker gaining access to a consumer brand through one of its many distributors, or finding a way into a big box store through a contractor hired by a delivery service. Business partners may be a softer target than the enterprise that spends tens of millions of dollars on cybersecurity, and individual contractors certainly are. Once a system of any size is breached, whether it belongs to a large partner firm or a contractor, attackers can lie in wait, probing and investigating the various connections they can exploit to infiltrate the larger, more valuable target.
Unfortunately, traditional security tools such as firewalls, virtual private networks (VPNs), and antimalware solutions provide neither the visibility nor the control that organizations need to secure themselves against possible issues in partner networks. These network security solutions are designed to block unauthorized access, but when access is granted to an authorized entity, it can give users, attackers, or malware free rein to spread laterally – even from a partner’s IT environment or endpoint to your network.
A security strategy that focuses on the browser
Forward-thinking organizations have started to evolve their cybersecurity strategies to focus more on browser security. Work today is mostly conducted on applications and Software as a Service (SaaS) platforms accessed through the browser: half of all knowledge workers are able to perform their entire job using a web browser, while 80% can do 80% of their work through a browser. Threat actors know this, of course, and are increasingly targeting browser vulnerabilities as a way to gain initial access to enterprise IT environments.
Moving from broad-based network-level access control to browser-based access controls can reduce exposure and limit access to specific applications only. A true solution must take into account that it is impossible to ensure the security of partner/contractor endpoints and that it is likewise impossible to control all of a partner or contractor’s actions, some of which might make that third party vulnerable without their knowledge.
Secure Application Access, powered by the Menlo Secure Cloud Browser, enables the needed policy controls by rendering the content and applying policies in the cloud. This creates a separation between the user’s device and the Internet. That means that even if a third-party user clicks on a dangerous link, downloads a malicious file, or tries to access a sketchy application from an unmanaged device, the harmful entity or code never has a chance to interact directly with your sensitive apps or data.
To provide further protection for the valuable data these applications hold, Menlo Secure Application Access has additional layers of data security controls. These controls, which can be used to help with compliance, data leakage prevention, and more, include:
In addition to these policy and security controls, Menlo provides complete visibility of the user’s session as the traffic passes through the Secure Cloud Browser with the addition of Menlo Browsing Forensics. The combination delivers the needed separation between endpoint and application and provides essential visibility into the user actions that have been almost impossible for security teams to gather in the past.
Application security, not network security
Today’s organizations cannot operate in a silo. Digital transformation requires extensive interconnectedness between an organization and a variety of contractors, vendors, suppliers, service providers, and partners, all of whom need some level of access to the organization’s critical business systems and applications. Existing network security solutions often provide third-party access to the whole network instead of individual applications, creating a major security risk for organizations.
Moving away from network security solutions to a cybersecurity strategy focused on browser security can give partners and contractors secure access to only the applications they need without increased risk, with Menlo Secure Application Access. Browsing Forensics then completes the picture, with a detailed view of third-party actions, finally making it possible to ensure that access policies are working as they should while delivering evidence of intent and not more guesswork. Enterprises can now maximize the benefits of new business models that create operational efficiencies and drive innovation while retaining visibility and control.