Transcript Document

DCM 7.2
The Gap in Your Access Policy: Creating and Enforcing
Rules for Vendors
Justin Strackany
Vice President
SecureLink, Inc.
DCM 7.2: The Gap in Your Access Policy: Creating and Enforcing Rules for Vendors

Business associates cause 42% of HIPAA and HITECH breaches, and tracking hundreds of third-party employees that share privileged accounts is no easy task. Now that HIPAA violations extend to out-of-house associates, securing vendor access is more critical than ever. This session will highlight the key pieces and challenges of managing remote vendor access, and offer best practices for enforcing your policies to maximize compliance.
Agenda
• Introduction
• Challenges
• Impact
• What To Do
• Next Steps
Introduction
• IT organizations
• Technology Vendors
• My role at SecureLink
• My goal for this talk
About Us
• Platform for remote access
• Technology vendors
• Security-conscious IT organizations
• Services
• Technology
Challenges
• Shared Accounts
• Broad, privileged access
• Limited visibility
• Lack of policy and dedicated resources
• Increasingly stringent regulatory requirements
Impact: Shared Accounts
• Unable to tie actions to individuals
• Common attack vector
  • Target
  • 2012: 42% of all breaches
• Terminated employees retain access
• Limited accountability
Impact: Access Control
• Increases exposure of sensitive data
• Difficult to enforce access policies
• Increases magnitude of potential breach
• Increases potential impact of mistakes
Impact: Audit
• Higher compliance standards
• Enables deeper forensics
• Holds vendors accountable
• Enforces policies
What to do?
• Create a policy outline
• Catalog and tier your vendors
• Document your current process
• Optimize the workflow
• Map policies to vendors
• Automate with technology
Policy Outline
• Series of goals and requirements for vendor access
• Designed to be aspirational
• Named users
• Access segregation
• Audit
• Password & authentication policies
• Vendor requirements
• Efficiency Goals
Catalog
• Gather a list of vendor companies
• Determine what systems they need to support
• Determine when they need access
• Define contacts (technical & business)
• Define their current method of connectivity
  • VPN
  • WebEx
  • Site-to-site
Your vendors may be hard to find
• VPNs
• Finance / Contracts
• Active Directory
• Department Tribal Knowledge
• Firewall Log
• CRM System
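Locating vendor accounts in practice means cross-checking the sources above against each other. The following is an added example (not code from the talk or from SecureLink) that reconciles a vendor catalog with a VPN authentication log and an Active Directory export: accounts that log in from outside the organization's address space, or that AD labels as vendor accounts, but that are missing from the catalog get flagged; an account seen from several distinct external addresses is flagged as probably shared, which is the "Impact: Shared Accounts" point earlier in the deck. The log line format, the AD export layout, the address ranges and every account and company name are constructed for illustration.

```python
"""Reconcile a vendor catalog against VPN auth logs and an AD export.

Added example, not from the original deck. The log format, the AD
export layout, the address ranges and all names are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: the organization's own address space. Successful VPN
# logins from anywhere else are treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed: the vendor catalog as it stands today (company -> named users).
CATALOG = {
    "Acme Imaging": {"acme.jsmith"},
    "MedBill Corp": {"medbill.rlee"},
}

# Constructed VPN log lines in a hypothetical syslog-style format.
VPN_LOG = """\
2014-03-03T08:02:11 vpn1 AUTH-OK user=acme.jsmith src=203.0.113.10
2014-03-03T08:15:40 vpn1 AUTH-OK user=medbill.rlee src=198.51.100.7
2014-03-03T09:01:02 vpn1 AUTH-OK user=labvendor src=203.0.113.55
2014-03-03T09:03:19 vpn1 AUTH-OK user=labvendor src=198.51.100.200
2014-03-03T09:20:00 vpn1 AUTH-OK user=labvendor src=192.0.2.14
2014-03-03T10:11:45 vpn1 AUTH-OK user=hr.mjones src=10.20.3.4
2014-03-03T10:30:01 vpn1 AUTH-FAIL user=acme.jsmith src=203.0.113.10
"""

# Constructed AD export: (sAMAccountName, OU, description).
AD_EXPORT = [
    ("acme.jsmith", "OU=Vendors", "Acme Imaging - PACS support"),
    ("medbill.rlee", "OU=Vendors", "MedBill Corp - billing"),
    ("labvendor", "OU=Vendors", "Lab analyzer vendor (shared)"),
    ("hr.mjones", "OU=Staff", "HR"),
    ("pharmsvc", "OU=Service Accounts", "Pharmacy system vendor"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ AUTH-OK user=(?P<user>\S+) src=(?P<src>\S+)$")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_vpn_log(text: str) -> dict:
    """Return {user: set of external source IPs} for successful logins."""
    sources = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # failed logins and unrelated lines are ignored
        if not is_internal(m["src"]):
            sources[m["user"]].add(m["src"])
    return sources


def cataloged_users(catalog: dict) -> set:
    return set().union(*catalog.values())


def find_uncataloged(catalog: dict, vpn_sources: dict, ad_export: list) -> list:
    """Accounts that log in from outside or are labeled as vendor accounts
    in AD, but do not appear in the catalog."""
    candidates = set(vpn_sources)  # every account with an external login
    for sam, ou, desc in ad_export:
        if "Vendors" in ou or "vendor" in desc.lower():
            candidates.add(sam)
    return sorted(candidates - cataloged_users(catalog))


def find_shared_accounts(vpn_sources: dict, threshold: int = 2) -> list:
    """Accounts used from more than `threshold` distinct external addresses
    in the log window: a strong sign the credential is shared."""
    return sorted(u for u, ips in vpn_sources.items() if len(ips) > threshold)


if __name__ == "__main__":
    sources = parse_vpn_log(VPN_LOG)
    print("not in catalog:", find_uncataloged(CATALOG, sources, AD_EXPORT))
    print("probably shared:", find_shared_accounts(sources))
```

The two result lists are the starting point for the catalog work: each uncataloged account needs a vendor company, a business contact and a list of systems, and each shared account needs to be split into named users before it can be tied to a tier. Run against real exports, the address ranges and the AD naming conventions are the two things that will need tuning.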
Tier
• Criticality
  • How critical are the systems to our business?
  • What would be the impact of a compromise?
• Trust
  • Has this vendor ever made unauthorized changes?
  • Has this vendor lied about access?
  • Does this vendor follow sound security practices?
Tiers continued
A 2x2 matrix with Trust on the vertical axis and Criticality on the horizontal axis:
  Highest Tier | Middle Tier
  Middle Tier  | Lowest Tier
Document Your Current Process
• Define roles
• Gather siloed information
• Expose gaps
• Discover frustrations and challenges
Gather List of Departments
• IT / Network Operations
• Security
• Compliance
• Help Desk
• Application Owners
• Executive Stakeholders
Conduct Interviews
• Role
• Inputs
• Outputs
• Challenges
• Process
• Systems
Process Categories
• Approval
• Setup
• Access
• Change Control
• Termination
Workflow Categories
• Action
• Role
• Input
• Output
• System
• Dependencies
Workflow Process: Step By Step
1. Gather list of departments
2. Interview them about their role in the following vendor categories:
   1. Approval
   2. Setup
   3. Access
   4. Change control
   5. Termination
3. Find out what systems & documents they use
4. Identify gaps & redundancies
5. Compile action plan
Your Action Plan
• Break into each process category
• Highlight duplication of effort
• Highlight any gaps
• Make recommendations
  • Improve efficiency
  • Increase security
  • Improve visibility
Document Your New Workflow
• Refer to your action plan
• Highlight each category
• Break out step by step:
  • Role
  • System
  • Input
  • Output
  • Dependencies
• Set action items to create new documents
Example Documents
• Vendor Access Questionnaire
• Vendor Assessment
• Vendor Setup Checklist
• Vendor Termination Checklist
• Vendor Change Request Form
• Vendor Access Policy
Vendor Approval
• Gathering of information
  • Named Users
  • Access requirements – when and to what systems
  • Policies
• Formal approval & handoff processes
  • Tier – based on criticality & trust
  • System levels of access
• Hand off to setup role
Setup
• External Access
  • VPN
  • Firewall
  • Vendor Management Platform
• Application Access
  • Active Directory
  • Operating Systems
• Enforce Tier
Access
• Document steps to follow to request access
• Communicate new process to vendors
• May vary based on tier
• Document steps to disable access
• Ideally automated
Change Control
• Identify process to request changes
  • New Users
  • New Systems
  • Change in tier
  • Change in internal application owner
• Create approval process
Termination
• Create a formal policy for when the relationship with a vendor ends
• Should cover terminated vendor named users as well
• Identify systems
• Run a fire drill
Map policies to vendors
• Per Tier
  • Identity Management
    • Shared Accounts
    • Source Network Control
    • Dual-factor authentication
  • Access Control
    • Network Segmentation
    • 24x7 access
    • Unattended access
    • Steps to request access
  • Audit
• Document workflow for each tier
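To turn the per-tier policy map above into something enforceable, the controls for each tier have to be expressed as checks that an access request either passes or fails, plus the session-time controls (recording, network confinement) the access platform has to apply. The block below is an added example, not code from the talk or from SecureLink's platform. It assumes one reading of the 2x2 tier matrix: the most critical systems supported by the least trusted vendors fall in the highest (most restrictive) tier, low-criticality systems supported by trusted vendors fall in the lowest, and the other two corners are the middle tier. The control settings per tier, the request fields, the business-hours window and all vendor, user and system names are assumptions chosen for illustration.

```python
"""Evaluate a vendor access request against tier-based controls.

Added example, not from the original deck. The tier matrix reading, the
per-tier control settings, the request fields and all names are
assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List, NamedTuple, Set


def tier_for(criticality: str, trust: str) -> str:
    """Combine criticality and trust ('high' or 'low') into a tier.

    Assumed reading of the deck's 2x2 matrix: high criticality with low
    trust is the highest (most restrictive) tier, low criticality with
    high trust is the lowest, and the two remaining corners are middle.
    """
    if criticality == "high" and trust == "low":
        return "highest"
    if criticality == "low" and trust == "high":
        return "lowest"
    return "middle"


# Assumed per-tier settings, grouped as in the deck: identity management
# (source network control, dual-factor), access control (segmentation,
# 24x7 access, unattended access) and audit (session recording). Named
# users are required in every tier, so that check is not tier-dependent.
POLICY = {
    "highest": dict(source_network_control=True, mfa=True, segmented=True,
                    access_24x7=False, unattended=False, record_session=True),
    "middle": dict(source_network_control=True, mfa=True, segmented=True,
                   access_24x7=True, unattended=False, record_session=True),
    "lowest": dict(source_network_control=False, mfa=False, segmented=False,
                   access_24x7=True, unattended=True, record_session=False),
}


@dataclass
class Vendor:
    name: str
    tier: str
    named_users: Set[str]        # shared accounts are never named users
    allowed_sources: List[str]   # CIDRs the vendor declared at approval time
    allowed_systems: Set[str]


@dataclass
class AccessRequest:
    vendor: str
    user: str
    src_ip: str
    target: str
    mfa_passed: bool
    attended: bool               # an internal owner is present for the session
    when: datetime


class Decision(NamedTuple):
    allowed: bool
    reasons: List[str]           # empty when allowed
    record_session: bool         # audit control the platform must apply
    confine_to_segment: bool     # network control the platform must apply


def business_hours(ts: datetime) -> bool:
    """Assumed window: Monday to Friday, 08:00 to 18:00 local time."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def evaluate(req: AccessRequest, vendor: Vendor) -> Decision:
    p = POLICY[vendor.tier]
    reasons = []
    if req.user not in vendor.named_users:
        reasons.append("not a named user for this vendor")
    if req.target not in vendor.allowed_systems:
        reasons.append("target system not approved for this vendor")
    if p["source_network_control"]:
        ip = ipaddress.ip_address(req.src_ip)
        if not any(ip in ipaddress.ip_network(c) for c in vendor.allowed_sources):
            reasons.append("source address not in vendor's declared networks")
    if p["mfa"] and not req.mfa_passed:
        reasons.append("dual-factor authentication required for this tier")
    if not p["access_24x7"] and not business_hours(req.when):
        reasons.append("access outside business hours not allowed for this tier")
    if not p["unattended"] and not req.attended:
        reasons.append("unattended access not allowed for this tier")
    return Decision(not reasons, reasons, p["record_session"], p["segmented"])


# Constructed sample data: a PACS vendor with a poor track record on a
# critical system, and a lab-analyzer vendor on a non-critical one.
ACME = Vendor("Acme Imaging", tier_for("high", "low"), {"acme.jsmith"},
              ["203.0.113.0/24"], {"PACS"})
LABCO = Vendor("LabCo", tier_for("low", "high"), {"labco.kpatel"},
               [], {"LabAnalyzer"})

REQ_OK = AccessRequest("Acme Imaging", "acme.jsmith", "203.0.113.10", "PACS",
                       True, True, datetime(2014, 3, 3, 10, 0))
REQ_BAD = AccessRequest("Acme Imaging", "acme.shared", "203.0.113.10", "PACS",
                        False, True, datetime(2014, 3, 3, 22, 0))
REQ_LAB = AccessRequest("LabCo", "labco.kpatel", "198.51.100.7", "LabAnalyzer",
                        False, False, datetime(2014, 3, 3, 22, 0))

if __name__ == "__main__":
    for r, v in ((REQ_OK, ACME), (REQ_BAD, ACME), (REQ_LAB, LABCO)):
        print(v.name, v.tier, evaluate(r, v))
```

Every denial carries all of its reasons rather than the first one found, so the help desk can tell a vendor exactly what the request is missing, and the two session-time controls come back with the decision because they are enforced by the access platform after the request is approved, not by the request check itself. Changing a vendor's tier (the change-control case above) changes its controls without touching any request-handling logic.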
Automate with technology
• Vendors want easy, efficient support
• Customers want security
• These two are inversely proportional
• Technology can automate processes to keep access easy while increasing security
Technology Goals
• Authenticate Named Users
• Secure authentication
• Network segmentation
• Encryption
• Audit
• Reporting