Productivity expert David Allen once stated that his approach, “Getting Things Done,” was based on the simple premise that you can’t do everything. In IT, we face this problem every day. Whether it is due to a lack of domain-specific expertise or simply not enough resources to handle all of our IT services, there are many reasons why we might look to third parties to help support our requirements.
Third-party access can come in various guises – from full IT support and service operations, to specialist knowledge that is required on an irregular basis. The majority of this support is delivered remotely over the internet, making third-party outsourcers an even more cost-effective solution.
A research report by Ovum last year highlighted how many third parties have access to company IT networks. While 12% of organisations ran everything themselves, the majority of companies (56.3%) surveyed across Western Europe had granted access to between one and four suppliers, while 28.3% had between five and 29 suppliers. One company admitted that it had more than one hundred organisations with permission to access their networks.
Why does this matter?
One word: Security.
Third-party access is only going to grow, as more devices become internet-enabled and more specialist knowledge is required to keep them running. However, third-party access is also one of the areas where control and management are often overlooked. There are plenty of options out there for remote access to networks, but the security and management of those tools are not as mature. Too often, access is binary and broad. The third party either has access to the entire network, or it doesn’t.
This is a significant security risk, as witnessed by the attack on U.S. retailer Target last year, one of the largest thefts of credit card data in recent history. Poor third-party access management opened the door for hackers to access the entire Target network via the vendor responsible for managing the firm’s air conditioning services. Once in, the attackers were able to use a variety of tricks to navigate from that section of the network to the credit card database servers.
The current press attention around remote access security should drive better industry practices, but there are further proactive steps that service desks can take now to protect themselves.
Steps to take
For companies running their own service desks, security around third-party access should be part of the overall request management process. When internal customers ask for new services or need help that a third party will provide, consider the management of the session as part of the request process.
This includes being able to control access. Why should a third party have access to everything on the network, when they are being asked to fix a specific problem? Locking down access – either to a specific section of the network, or only allowing the third party to access certain devices or applications – is one option that service desks can look at in more detail. Service desks should also capture a full audit trail of every action a third-party technician takes while on their network, and set up alerts for any suspicious activity, such as a vendor logging in during the middle of the night.
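As an added illustration (not part of the original article), the sketch below reviews a vendor session log against a per-vendor policy: which hosts each third party may reach, the approved support window, and whether the session is tied to a service desk request. The vendor names, hostnames, log format and policy structure are all constructed assumptions.

```python
from datetime import datetime, time

# Constructed policy: hosts each vendor may reach and its approved support window.
POLICY = {
    "hvac-vendor": {"hosts": {"hvac-ctl-01", "hvac-ctl-02"},
                    "window": (time(8, 0), time(18, 0))},
    "db-consultant": {"hosts": {"db-test-01"},
                      "window": (time(22, 0), time(2, 0))},  # overnight window
}

# Constructed session log: timestamp, vendor, technician, target host, request id.
SAMPLE_LOG = """\
2024-03-04T09:15:00 hvac-vendor tech17 hvac-ctl-01 REQ-1001
2024-03-04T02:40:00 hvac-vendor tech17 hvac-ctl-02 REQ-1001
2024-03-04T10:05:00 hvac-vendor tech17 pos-db-01 REQ-1001
2024-03-04T23:30:00 db-consultant tech02 db-test-01 REQ-1002
2024-03-05T11:00:00 unknown-co tech99 hvac-ctl-01 -
2024-03-05T14:00:00 hvac-vendor tech17 hvac-ctl-01 -
"""

def in_window(t, start, end):
    """True if time t falls in [start, end), including windows that wrap midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def review_sessions(log_text, policy=POLICY):
    """Return (line number, finding, detail) tuples for sessions that break policy."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        try:
            ts, vendor, tech, host, request = parts
            when = datetime.fromisoformat(ts).time()
        except ValueError:  # wrong field count or unparseable timestamp
            findings.append((lineno, "malformed", line))
            continue
        rule = policy.get(vendor)
        if rule is None:  # no agreed access at all for this organisation
            findings.append((lineno, "unknown-vendor", vendor))
            continue
        if host not in rule["hosts"]:
            findings.append((lineno, "out-of-scope-host", host))
        if not in_window(when, *rule["window"]):
            findings.append((lineno, "outside-window", ts))
        if request == "-":  # session not linked to a service desk request
            findings.append((lineno, "no-ticket", tech))
    return findings
```

Running `review_sessions(SAMPLE_LOG)` flags the 02:40 login, the session that reaches a host outside the vendor's scope, the unlisted organisation, and the session with no request attached.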
For third-party service providers, keeping their customers’ networks secure should be top of mind. Just as the doctor’s Hippocratic Oath states, “Do No Harm”, so too should third-party providers reduce security risks to their customers around remote access. Implementing secure remote access tools and best practices will help service providers set themselves apart from competitors and improve customer loyalty.
Ultimately, third-party access has to be secure, auditable and controlled. At the same time, the requirement for more flexibility in how services are delivered will make remote access by third parties even more common than it is today. Within the overall service delivery strategy, keeping this third-party access under control is a key management task to consider.