How to provide multiple server and workstation access to a vendor
How to provide multiple server and workstation access to a vendor that is doing vulnerability scans and patching or running updates on our network.
Due to a lack of manpower we have outsourced the security aspects of our network to a SOC. Need assistance on the best way to provide secure access - maybe I am phrasing this wrong.
+1 for the VPN.
That said, outsourcing security is a very debatable choice in itself and not necessarily safer than doing nothing at all. Whatever company you delegate this to is supposed to set up said access themselves and take responsibility for any issues that may arise.
Running scans and frenetically patching all outdated software does not achieve security. Whoever sells this is either a scammer or vastly incompetent. Scanning is not entirely useless though, as long as you master the environment and understand the results.
SOC companies typically do not care. They hire cheap folks with no security knowledge and teach them to press the scan button. The only possible result is losing your time in endless remediation of typically non-issues.
Provide access to some stepping stone server in a separate VLAN using a VPN, so there is a choke point that can be observed.
The real problem is when you provide access from the stepping stone -> object(s) to be managed.
Can they move laterally to another system, what can be done there, what can be accessed from there, etc.? <-- This is the hard part.
Handing out control over your security will mean you will know LESS about your environment in the future...
IMHO it is better to invest in capacity to handle this in house.
Agreed.
And having a single host or location that has privileges to scan the whole network is a security hole. Better not to open it in the first place.
If I take the Tenable tool as an example, the remote scan will probably use Nessus Agents and Tenable.io.
- Nessus Pro are standalone scanners.
- Nessus Manager is used for Nessus Agents.
- Nessus Pro scanners can be linked (managed) to either Tenable.sc or Tenable.io.
- Nessus Agents are installed on each device and only scan the device the Agent is installed on; that data is then sent back to Nessus Manager or Tenable.io.
Agree with the experts on the concern about the "opening" and the effectiveness of remote scans.
In my own experience, there are many concerns from the CISO, hence a local machine to scan instead.
Concerns about too many "openings" and "processes" needed: an untrusted remote machine coming in from an untrusted locality, a firewall whitelist allowing the remote machine IP for a huge port list, a scan period during off-peak hours (so as not to impact business) but the SOC has to watch over it, and verifying that all the steps are reversed to secure by default.
And the machine that performs the scan should be offline most of the time, definitely not have full network access except when performing scans, preferably not run Windows and definitely not be a domain member... assuming scans are indeed deemed useful. I prefer to rely on local agents or, better, to use hardened systems that only run what is actually needed.
Remember that security basics are not about scanning and patching. The very first steps are rather achieving decent network segmentation and NOT running anything that is unneeded.
My fellow experts above have raised some very good points and I concur with much of the above.
I'd encourage two primary discussions:
- Outsourcing security aspects
- Providing access for the above
Outsourcing security aspects
As noted by fellow experts, outsourcing this is a big decision and can pose as many risks as it solves.
Consider very carefully if this is the only solution and push to keep ownership of security in house (at least at a top level) if possible.
If outsourcing is the right option, spend time and money on the contractual agreements between you and the security company, as this is where the biggest risk lies. If the agreement is solid then outsourcing may be relatively low-risk. If not, you expose your company to a lack of accountability when something goes wrong.
e.g.
- Exactly what is their scope?
- How do they keep your data/VPN link secure?
- What scope of change are they allowed to make?
- What are their liabilities and penalties if something goes wrong?
- What audit compliance can they commit to on their processes, staff and actions taken on your systems?
- What are their SLAs and response times/hours for investigating AND resolving issues?
- How many 'get out clauses' are they including to deny accountability? (e.g. they make an impossible recommendation to you and use it as a way to get out of taking responsibility for future issues).
Providing access for the above
Where outsourcing is the right option for you, consider what scope they have; if just monitoring but not fixing, you can limit to read only accounts, or management/monitoring servers only, with no access to change your systems.
If they need to investigate also, make all your logging go to a specific place/platform and give them access to that but not the source systems.
If you have no choice but to allow them higher access to your systems, do so with dedicated user accounts, segregated as much as is viable and with a predefined scope.
e.g.
If they have teams, ensure each team has only the access they can justify. Do not allow any one person/team to have access everywhere.
Separate Active Directory OU, with dedicated group policies, short-lived account expiration, etc.
I'm not a big fan of VPNs as a single solution for the above, as a VPN is a direct link between your companies and is often allowed too much freedom on your network. If they or one of their staff are compromised, it can put your network at risk. What if one of the other companies they have a VPN to is compromised? Are you safe?
I recommend a VPN to a segregated section of your network (e.g. DMZ segregated subnet) that allows them to only access jump boxes or the systems looking after logging. If it were compromised, you can limit the scope of exposure at your side.
Meaning they are expected to access your network using their own machine through a layer 3 tunnel.
If you want to give such power to them, you should at least provide a jump host you manage and monitor. They have control over your assets, but you have control over what they do.
Additionally, if they access the network over Zscaler (one other expensive product), neither they nor you have control, and remote testing tools will not be able to do part of the job you might expect.
You can have the answers you expect by reading through and interacting. And possibly mentioning your company will only consider paid solutions and your existing env.
The obvious way to provide access to your network is via a VPN.
Make sure that the vendor does not use a generic account; make them use individual named accounts, for auditing purposes.
Make sure their accounts can easily be identified as theirs, either by attaching something like "VEN" to their user name or by an AD tag that says what type of user they are.
Make sure that their permissions are sufficient to do the job in hand and no more, but not so tight as to restrict what they can and cannot do.
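The replies above converge on one design: the vendor comes in over a VPN, lands only on a jump host in a segregated subnet, and from there reaches the managed systems under a predefined scope, using individually named (e.g. "VEN"-prefixed), short-lived accounts. The script below is an added example, not code from any poster or product in this thread; it shows how that design becomes something the choke point can actually check. All addresses, ports, the maintenance window and the log format are constructed assumptions, not values from the question. It evaluates constructed flow-log lines against the two-stage policy (VPN → jump host only; jump host → in-scope targets, allowed ports, off-peak window) and flags vendor accounts whose expiry is missing or too far out.

```python
"""Added example (not from the thread): checking vendor access events against
the VPN -> jump host -> managed systems design recommended above.

Assumptions (constructed for this example, not taken from the question):
  - the vendor VPN pool is 10.99.0.0/24 and may only reach the jump host;
  - the jump host 10.99.1.10 sits in a segregated DMZ subnet;
  - managed servers and workstations live in 10.20.0.0/16;
  - patching/scanning uses a small port set, only during 22:00-04:00;
  - vendor accounts carry a "VEN-" prefix and expire within 30 days.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

VENDOR_VPN_NET = ip_network("10.99.0.0/24")   # assumed VPN address pool
JUMP_HOST = ip_address("10.99.1.10")          # assumed jump box in the DMZ
MANAGED_NET = ip_network("10.20.0.0/16")      # assumed in-scope systems
ALLOWED_TARGET_PORTS = {22, 135, 445, 5985}   # assumed admin/scan ports
WINDOW_START, WINDOW_END = 22, 4              # off-peak window, wraps midnight
VENDOR_PREFIX = "VEN-"
MAX_ACCOUNT_LIFETIME = timedelta(days=30)


def in_window(ts):
    """True when ts falls inside the off-peak maintenance window."""
    return ts.hour >= WINDOW_START or ts.hour < WINDOW_END


def parse_line(line):
    """Parse one constructed flow-log line of the form
    '<iso-timestamp> user=<name> src=<ip> dst=<ip> dport=<port>'."""
    ts_str, *pairs = line.split()
    f = dict(p.split("=", 1) for p in pairs)
    return {
        "ts": datetime.fromisoformat(ts_str),
        "user": f["user"],
        "src": ip_address(f["src"]),
        "dst": ip_address(f["dst"]),
        "dport": int(f["dport"]),
    }


def evaluate(ev):
    """Return the policy violations for one event (empty list = compliant)."""
    findings = []
    if not ev["user"].startswith(VENDOR_PREFIX):
        findings.append("generic-or-unnamed-account")
    # Stage 1: from the VPN pool, the only permitted destination is the jump host.
    if ev["src"] in VENDOR_VPN_NET and ev["dst"] != JUMP_HOST:
        findings.append("vpn-bypassed-jump-host")
    # Stage 2: from the jump host, only in-scope targets, ports and hours.
    if ev["src"] == JUMP_HOST:
        if ev["dst"] not in MANAGED_NET:
            findings.append("target-out-of-scope")
        if ev["dport"] not in ALLOWED_TARGET_PORTS:
            findings.append("port-not-allowed")
        if not in_window(ev["ts"]):
            findings.append("outside-maintenance-window")
    return findings


def audit_log(lines):
    """Return [(line, findings)] for every line that violates the policy."""
    out = []
    for line in lines:
        findings = evaluate(parse_line(line))
        if findings:
            out.append((line, findings))
    return out


def overlong_accounts(accounts, now_iso):
    """Names of vendor accounts with no expiry, or an expiry beyond the
    allowed lifetime. accounts: iterable of (name, expiry_iso_or_None)."""
    now = datetime.fromisoformat(now_iso)
    flagged = []
    for name, expiry in accounts:
        if expiry is None or datetime.fromisoformat(expiry) - now > MAX_ACCOUNT_LIFETIME:
            flagged.append(name)
    return flagged


# Constructed sample data (not real traffic or accounts).
SAMPLE_LOG = [
    "2024-03-01T23:15:02 user=VEN-alice src=10.99.0.5 dst=10.99.1.10 dport=22",   # VPN -> jump host: ok
    "2024-03-01T23:16:10 user=VEN-alice src=10.99.1.10 dst=10.20.4.7 dport=445",  # jump -> in scope, in window: ok
    "2024-03-01T23:17:30 user=VEN-alice src=10.99.0.5 dst=10.20.4.7 dport=445",   # VPN straight to a server
    "2024-03-02T10:02:00 user=VEN-bob src=10.99.1.10 dst=10.20.9.1 dport=22",     # business hours
    "2024-03-02T01:30:00 user=scanner src=10.99.1.10 dst=10.50.0.2 dport=3389",   # shared account, off scope, bad port
]
SAMPLE_ACCOUNTS = [
    ("VEN-alice", "2024-03-15T00:00:00"),
    ("VEN-bob", None),
    ("VEN-carol", "2024-06-01T00:00:00"),
]

if __name__ == "__main__":
    for line, findings in audit_log(SAMPLE_LOG):
        print(findings, "<-", line)
    print("accounts to fix:", overlong_accounts(SAMPLE_ACCOUNTS, "2024-03-01T00:00:00"))
```

The same two-stage allowlist is what the firewall between the VPN subnet, the DMZ and the managed networks should enforce; running it over the flow logs as well gives the SOC-side watcher mentioned earlier an independent check that the rules are still in place, and the account-expiry check is what "short-lived account expiration" looks like when it is audited rather than assumed.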