Secure Third Party Access Best Practices – It’s Time for Zero Trust

By Jacob Lee, Global Leader for SASE

In our hyper-connected world, it’s imperative to collaborate with B2B business partners securely and seamlessly to stay competitive. In today’s reality, most enterprises work with third parties to deliver new services, outsource various business functions, develop new technologies via R&D and support global growth initiatives in new markets.

Third Party Access Considerations

Third party users can be a diverse population, including contractors, suppliers, resellers and technology partners, that need access to internally hosted resources housing sensitive PII or IP. These internal resources can reside anywhere from your data center to public cloud services such as AWS, Azure or GCP. To add to the complexity, third party users can be located across the globe in multiple time zones, using a variety of unmanaged devices.

As we’ve seen in the news, third party related breaches are on the rise. According to recent studies, ~60% of data breaches are linked to third parties. The complexities and risks of exposing internal systems to B2B partners that are lightly vetted (or not vetted at all) create an attractive entry point for malicious actors targeting your enterprise.

It’s time to rethink our approach to secure remote access for third parties. The perimeter-based legacy security approach built on the “trusted networks” model is not suitable for B2B partners when you know little about the user or device accessing your internal resources.

Third Party Access Best Practices

As we progress to a new era of Zero Trust and SASE, it’s time to rethink our approach to secure remote access for our B2B third party partners. Join the webinar on 10th February to learn how to secure third party access while keeping your private apps private.

Below are best practices for Zero Trust third party access:

  • Adopt the principles of Zero Trust: “never trust, always verify”. Assume your third party users are already compromised and reduce the attack surface as much as possible.
  • Take an identity-centric approach. Ensure your remote access solution leverages identity at the core for authenticating third parties, together with MFA, rather than IP addresses and location. For privileged users such as administrators, use built-in or dedicated privileged access management (PAM), and where possible, leverage granular role-based access control to authorize what users can do in a given application, e.g. read, write or edit at the app, page, directory or command level.
  • Segment network access to only the authorized resources a user is approved for, rather than allowing full network access. Providing layer-7 application access prevents network-layer risks such as lateral movement in the event that credentials are stolen, a device is compromised or network security controls are inadequate (e.g. poor firewall or IPS configuration).

SASE zero trust architecture


  • Log and record all user actions for full auditability. You need full visibility of every user action on your network. Integrate logs with leading SIEM tools for real-time analysis and alerts. Consider session recording for sensitive roles or applications.
  • Automate the lifecycle of users. Ensure third parties are not left lingering on your network longer than required. Utilize time-bound controls or integration with identity providers (IdPs) to de-provision users from your internal resources.
  • Deploy a cloud-based solution that is agile and clientless. Decrease time to value with a SaaS-based solution that requires no clients to deploy and manage on your B2B partners’ endpoints. Since third parties are not company employees, evaluate solutions that provide clientless security, requiring no VPN agent to be installed.
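As an added illustration of the identity-centric, app-level and time-bound controls listed above (example code written for this page, not Check Point’s or any product’s own logic): a deny-by-default policy check for a single third-party request, with every decision written to an audit record. Grant, AccessRequest, evaluate and the sample contractor data are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List

# All names below are constructed for this example (not a Check Point API).
# A grant is the unit of third-party entitlement: one identity, one app,
# an explicit action set (app-level RBAC) and a hard expiry (time-bound access).
@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    actions: FrozenSet[str]
    expires_at: datetime

@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool   # asserted by the IdP, never inferred from source IP or location
    app: str
    action: str
    at: datetime

AUDIT_LOG: List[dict] = []   # every decision, allow or deny, is recorded for the SIEM

def evaluate(req, grants):
    """Deny by default; allow only when identity, app, action and time all check out."""
    if not req.mfa_verified:
        decision = (False, "mfa-required")
    else:
        grant = next((g for g in grants if g.user == req.user and g.app == req.app), None)
        if grant is None:
            decision = (False, "no-grant-for-app")      # app is not reachable at all
        elif req.at >= grant.expires_at:
            decision = (False, "grant-expired")         # lingering partner access is cut off
        elif req.action not in grant.actions:
            decision = (False, "action-not-permitted")  # read-only partner cannot write
        else:
            decision = (True, "allowed")
    AUDIT_LOG.append({"user": req.user, "app": req.app, "action": req.action,
                      "time": req.at.isoformat(), "allowed": decision[0], "reason": decision[1]})
    return decision

# Constructed sample data: a contractor with read-only access to "billing" for 30 days.
NOW = datetime(2024, 2, 10, 9, 0, tzinfo=timezone.utc)
GRANTS = [Grant("contractor@partner.example", "billing", frozenset({"read"}), NOW + timedelta(days=30))]

if __name__ == "__main__":
    for action, mfa in (("read", True), ("write", True), ("read", False)):
        print(evaluate(AccessRequest("contractor@partner.example", mfa, "billing", action, NOW), GRANTS))
```

The audit record is appended on denials as well as allows, which is what makes a SIEM alert on repeated out-of-scope attempts possible.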

Get Started with Zero Trust Third Party Access

Check Point Corporate Access redefines zero trust network access with a simple, clientless cloud-based service that deploys in minutes. Based on a Software-Defined Perimeter (SDP) approach, Check Point Corporate Access provides modern secure remote access for third party users while making the user experience a breeze.

To learn more about clientless third party access, check out these resources:

SASE user app portal