The security of third-party vendor relationships is coming under increased scrutiny now that the source of the Target breach has been identified as an HVAC service provider that had remote access into the Target network. While details are still scarce, it's clear that a connection used to allow access for billing can be enough for an attacker to turn an innocuous entry point into a data breach that, as it did for Target, can cost untold millions.
As businesses grow, they are forced to rely on third parties for services, which requires trusting each provider to protect the business's networks and data at the same or greater level than the business itself does. Unfortunately, this is rarely the case. Security firm Trustwave analyzed 450 data breaches in 2013 and found that nearly two-thirds were related to third-party IT providers.
With the increasing reliance on business-to-business connections, companies must protect themselves from the threats posed by allowing "trusted" third parties access to areas of their networks. While you can trust a vendor to provide the services it has committed to, it's a blind leap of faith to assume it will take the same precautions you would in protecting the information and network access it is entrusted with.
Businesses need to treat the vendors accessing their networks as untrusted entities, put controls in place to protect themselves, and monitor all activity sourced from those vendors.
The following are tips that have come from my experience as a security consultant, as well as countless conversations with companies that must allow access to third-party vendors and the vendors themselves.