In this series, Computerworld Australia examines some of the information security threats facing small businesses and larger enterprises today. We’ve looked at hacktivism , social engineering and internal negligence and continue the series by speaking to security experts about the problem of third party access.
Whether it's suppliers, customers, business partners or any other third parties, giving access to your company data can be fraught with security risks. Add in the Cloud, where data can quickly move anywhere around the world and potentially into many hands, controlling who has access to data rises up the priority list pretty quickly.
In addition to security concerns, law enforcement agencies in Australia, such as the Australian Federal Police (AFP), have the power to request company data under the Australian Anti Terrorism Act of 2005.
The Anti Terrorism Act states that the AFP can request information from any source about any named person including information about the person's travel, residence, telephone calls and financial transactions.
The threat of third party access
According to Trustwave SpiderLabs Asia Pacific managing consultant, Marc Bown, third party access is often configured by the party itself, rather than by the organisation whose infrastructure is being accessed. “These third-parties are usually incentivised to make sure that they can get access at any time and fix a potential issue quickly,” he says. “They are rarely, in our experience, incentivised to do so securely.” As a result, Bown says this access is often poorly configured. For example, the remote access might be configured with a password that is easy to remember and that is shared with all staff within the third party support organisation. “There are no controls in place to change this password when a staff member leaves the support organisation, nor any controls in place to detect brute force attacks and lock login accounts,” he says.
IDC Australia senior market analyst, Vern Hue, warns that when enterprises provide third party access, they are placing faith in the partner or customer to have the right security levels in place.
“This, in essence, makes the third party the potential chink in the company’s information security armour because any attacks on the other party’s infrastructure may lead to the compromise of the enterprise as the malicious actors may find an access to this network via a backdoor,” he says.
Symantec Asia Pacific director of specialist solutions, Sean Kopelke, says that as more organisations leverage the Cloud and virtualization, they are potentially housing their data in an environment that plays host to a competitor’s. “It’s therefore important you do your due diligence and understand whether your provider has the right systems in place to ensure the integrity of your most sensitive information,” he says.
Extent of the threat
The threats from third party access can come from the loss of confidence of a breach if the partner, or third party, gets compromised, says IDC’s Hue. “The company’s reputation is also under scrutiny and this would certainly cost a lot of embarrassment, at the very least,” he says. “If the malicious actor finds a way into the network and breaches it, there may be financial losses incurred and the loss of trust that can ultimately lead to the abandonment by customers as no one would want to deal with an organisation which, in their view, takes security lightly.”
Trustwave’s Brown adds that many third party organisations require a very high level of access to the customer’s systems. “As a result, these support organisations have the ability to gain access to most systems and data within the customer’s environment," he says.
"A thief leveraging this same access will also have the ability to access, and change most systems and data, making the potential impact of improperly secured third-party access channels very serious.”
Addressing third party access
IDC’s Hue says that the most important way of addressing the need for third party access is to conduct a risk assessment exercise. “The objective here is to ensure that the third party’s security integrity, controls and standards meet your own organisation's standards,” he says. “This includes visiting your partners' facilities and data centre in order to ensure that they have adequate network and physical controls.”
Another way of addressing third party access is to ensure that the party has restrictive access to the company’s system.
“This means using least privilege access methods, where the third party has access to the very essentials of their tasks, and nothing more,” he says. “This ensures that it will not have access to information which it is not privy to. The third party should also be given access to a separate segment which is independent and removed from the internal network, by using firewall controls.”
According to Symantec’s Kopelke, trusting a third party with company data is part of doing business today. “Data loss prevention is the key because the alternative remedy is far more costly,” he says.
“Figures from the Australian 2011 Cost of a Data Breach survey found that costs relating to the detection of data breaches increased by only five per cent since 2010.”
According to Kopelke, this percentage was “unsurprising” given that Australia still lacks regulations requiring companies to notify their customers of a data breach. “It is important that Australia fast tracks the adoption of mandatory data breach notification laws which encourage business to minimise the likelihood of a breach rather than focusing on the aftermath,” he says.
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU