Working with outside contractors, vendors, freelancers and external stakeholders presents multiple challenges for securing data, applications and infrastructure, and for ensuring productivity and a consistent experience, according to Leostream Corporation.

Corporations today commonly grant outside parties access to their IT infrastructure for maintenance tasks, collaboration or outsourced assignments.

The remote desktop access platform provider says the risks and vulnerabilities introduced by third-party user access can be mitigated by intelligent, common-sense management.

The company’s five most important considerations for third-party access are that it should be identity-based, secure, device-agnostic, VPN-free and verified.

Identity-based
Access to resources should be managed based on the third-party user’s identity and function so they are granted as much or as little access as is required by their role.

Use tools to limit their access by date and time and automatically revoke their access when no longer required.

Secure
Use a zero-trust approach that employs strict authentication and authorization policies.

Third parties can use a dedicated username and password for the access management system, but don’t need to know the username and password for the corporate machine they are logging into.

Device-agnostic
External users will need to connect from nearly any hardware, device, and OS, including Windows, Linux, macOS, ChromeOS, Android and iOS.

No agent software should need to be installed on corporate resources or the third-party user’s devices.

VPN-free
Don’t give external parties access through a virtual private network.

VPNs are frustrating for end users, constrain performance and create openings into the network through which cyber attacks can enter.

Use a streamlined gateway that programmatically opens and closes access to the specific organizational resources that users are empowered to see and use.

Verified
Administrators should maintain comprehensive logs of remote access, including session recording.

Look for high-level reporting that tracks third-party login and resource usage, monitors for anomalous activity and ensures policies are enforced.

“It’s almost unavoidable that an enterprise has to provide some measure of access to non-employees, such as when IT services are performed by an outside provider, but that access cannot introduce security flaws or put corporate resources and data at risk,” said Karen Gondoly, Leostream CEO. “These guidelines will help develop the right policies and practices for granting third parties access to what they need to fulfill their tasks, while mitigating the threats that this can introduce.”

Leostream offers a Privileged Remote Access service that controls and secures third-party access to sensitive corporate resources.