
Tech Alert: Using Vendor Privileged Access Management Tools within NIST and CIS Security Frameworks

Leostream offers tips on maintaining data privacy, strict access control, continuous monitoring

BOSTON--(BUSINESS WIRE)--Software and tools to enable Vendor Privileged Access Management (VPAM) give third parties network access to perform critical services such as application management or contract-based work, but it’s important to use these solutions within established security frameworks, according to experts at Leostream Corporation, creator of the world-leading Leostream® Remote Desktop Access Platform.

Effective VPAM tools allow organizations to limit and protect access to data, isolate data and resources from third parties, and track what is accessed and by whom. Leostream offered the following tips for using VPAM while adhering to guidelines and standards such as those advocated by the Center for Internet Security (CIS) and the National Institute of Standards and Technology (NIST):

Limit and Protect Access to Data

Access control is a key framework in most common standards, including NIST 800-53, CIS Controls v8 (control 6), and ISO 27001. The access control measures most organizations implement for their own employees or users aren’t always appropriate for third parties. An example of this would be giving vendors Active Directory accounts that must be deprovisioned later under CIS Control standard 15.7.

VPAM solutions should provide only “need to know” access to third parties while isolating other data that may be more sensitive, such as customer financial records or patient health information. When VPAM software is based on least-privileged and zero-trust principles, organizations can grant access to only the resources the vendor actually needs and even restrict access to set days and times. Access should be based on a request/approval system.

The method of granting access privileges through a VPN introduces vulnerabilities that compromise data privacy. “Too many organizations still hand out VPN connections for vendors, which opens up the entire network, plus these connections often remain active after the vendor’s contract ends, which is a breach of security standards,” said Karen Gondoly, Leostream CEO.

Strict Identity Controls

CIS Control standards 5-6 and NIST 800-53 IA-2 all address account and identity management, including multifactor authentication to establish the vendor’s identity before they are granted access to the organization’s resources. While some corporate identity providers include options for third parties, not all do. Organizations that can’t, or may not want to, extend that to non-employees should choose VPAM solutions that impose MFA on external users to meet these security standards.

By providing that first level of authentication, VPAM tools can also satisfy NIST Control IA-2 (5), which addresses pre-authorizing shared accounts with individual accounts. When VPAM offers effective logging capabilities, administrators can map the VPAM login to the shared login in the system for accountability. With VPAM there is no need to share credentials such as administrator or root accounts, even with those performing IT services remotely, because IT teams can create and manage unique credentials for each individual who may require access.

“VPAM tools not only protect corporate data and other resources, they protect credentials used to access that data and resources,” said Gondoly. “In that sense, VPAM works both ways based on the asset or resource, and on the third-party end user’s identity.”

Continuous Monitoring

With VPAM software, organizations get comprehensive monitoring and logging to maintain an audit trail of who accesses a resource, and session recording to show what actions have been taken during those remote sessions. Session logs should be easy to monitor and review by internal IT staff.

VPAM tools that log and record give organizations traceability and accountability so that administrators can make sure the vendor hasn’t removed data, engaged in malicious activities, or accessed personally identifiable information. Administrators can also review recordings to investigate and potentially uncover the root cause of an incident.

“When third parties know the session is being recorded they follow the rules,” said Gondoly. “Giving third parties remote access to corporate data and applications is inherently risky, so VPAM software like Leostream’s Privileged Remote Access Service used within established cybersecurity frameworks eliminates or prevents a host of threats.”

For more information on Securing Third-Party IT Vendor Access click here.

Leostream makes VPAM simple to deploy and configure, even for organizations with small or no internal IT teams. To learn more about Leostream's Privileged Remote Access service please visit or contact info@leostream.com.

About Leostream

Leostream solutions embody over 20 years of Leostream research and development in supporting customers with hosted desktop environments, including VDI, hybrid cloud, and high-performance display protocols. The Leostream Remote Desktop Access Platform provides the world’s most robust desktop connection management and remote access feature set, allowing today’s enterprises to choose the best-of-breed components to satisfy their complex security, cost, and flexibility needs while working with them as they evolve into tomorrow. The Leostream Privileged Remote Access service simplifies, secures, and monitors temporary access to corporate resources for vendors, service providers, and external contractors.

Follow Leostream on LinkedIn and X.

Leostream is a registered trademark of Leostream Corporation in the United States. All other trademarks are the property of their respective owners.

Contacts

Global Media Relations Contact:
JPR Communications
Judy Smith
+1 818 522 9673
judys@jprcom.com
