Aspects to look out for in vendors remote access

I'm drafting a guide on governing / reviewing external vendors connections to our corporate for support/development purposes:
so far we have 2 types of connections that are of concern (leaving out those ad hoc ones like Webex) :
a) permanent point-to-point VPN (using leased lines or permanent tunnel via Internet)
b) vendor are given RSA tokens to connect to us

Anyone has any such guide/doc to share & what are the fine points to look out for?  Eg:
1. periodically expiring the connection so that outsource owner (or the vendor's contact in our company) is forced to review it if it's still needed
2. review the staff list of the vendors (as user recertification of the vendor)
3. change in the hours of access?
4. permitting access to specific PCs at vendors' end?
5. logging / reviewing of the vendors' access?  (local regulator requires that vendors access must be 'monitored' so thinking of how to fulfill this)
6. ... ?
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Britt ThompsonSr. Systems EngineerCommented:
Windows domain environment? If so, you can enable audit logging in the domain and ensure your vendor access is only with domain based accounts. Within AD you can set an expiration for those accounts - in case their contract is up and their accounts are still enabled it will automatically disable their access on a set date. Hours of access can also be handled within AD and you can block remote access based on a specific set of IP addresses to prevent vendor remote access from wherever they please.

If not a domain environment your options are a bit more limited unless you have some sort of directory in place that allows the disabling of accounts from a centralized location. You can apply the logon time and remote access rules at the firewall level as needed.

2-factor authentication is a good way to prevent the vendor accounts from getting compromised but also practice least access for every vendor account.

Keep a good change management log of all the accounts associated with your vendors - sometimes you have to give them a second account for SQL, Linux, network appliance... ensure those accounts are removed or passwords are reset after the vendor contract is up or give them limited access on an as needed basis if this is a long standing relationship.

Vendors should never have an all powerful directory access account, like a domain admin. Controlling each vendor using a centralized account is key to ensuring you're protected at the end of a relationship.
btanExec ConsultantCommented:
Pointer to maintain oversight of vendor at workplace
  1. Security clearance required prior to start work. Security briefing to be conducted. Sub contractor to be briefed by Main Contractor
  2. Escort any new vendor or in waiting for clearance for those permanently sited at your workplace
  3. Remote Admin access to enforce 2FA as well as any remote access by user to employ 2FA. Local admin is to have 2FA too.
  4. Establish access matrix and role based access assignment. Least privileged access to be uphold.
  5. Separate patch/log mgmt admin from sys admin and db admin. The two latter role has higher permission. Restrict ops and log access.
  6. Employ jump host for each web/apps/db tier that will have a central privileged identity mgmt system that oversee all administration
  7. Restrict access for all administration within a CCTV surveillance Ops room and segregate out a contractor segment for such access
  8. Issue dedicated hardened notebook for administration as default. Any exception using vendor machine needs approval/checks
  9. Conduct random audit on the notebook issued or the approved vendor machine. Vendor to declare all unhardened setting.
  10. Restrict use of external portable device by using only authorised issued one. Wipe out after each usage at the end of the day
  11. Disallow any form of sensitive data to be brought out from the workplace premise unless it is approved.
  12. Monitor contractor machine using user activity monitoring agent to employ activity recording to augment PIMS session recording
  13. Access log to be review by authorised authority. Employ SIEM to correlate and alert on anomalous event or security breach
  14. Exercise incident response handling which should be regular reviewed for case of data breach, unauthorised access etc
  15. Ensure there is contractual obligation mandated for vendor handling of sensitive data entrusted to them. Include personal data.
  16. Ensure at proper dekitting of vendor at end of engagement - return all issued company document, secure wipe issued machine/peripherals, retain HDD of loaned device, removal of all accounts and related access to the system and debrief the handling of project information which is make known to them.
  17. Update management team on the contractor handling and propose policy/directive to make sure common practice across teams.

Hope it helps

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Remote Access

From novice to tech pro — start learning today.