It's crucial to ensure that any third parties accessing your organization's valuable assets are doing so securely. You need well-defined processes and technical controls to maintain the security posture of third-party endpoints. Without proper security around third-party access, you're exposing your crown jewels to unnecessary risk.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix here. The CCM provides a comprehensive set of security controls specifically designed for cloud computing environments. It's considered an industry-standard framework for securing the cloud.

For more background, check out the AWS Security Best Practices whitepaper which covers managing third-party access.

Who should care?

This is relevant for:

• Security architects designing controls around third-party access
• Vendor management teams responsible for security clauses in contracts
• IT managers granting access to partners and contractors
• Compliance officers ensuring third parties meet regulatory requirements
• Executives ultimately accountable for security incidents involving vendors

What is the risk?

The main risk is unauthorized disclosure, modification, or destruction of sensitive data by third parties. If their endpoints aren't properly secured, it provides an easy entry point for attackers to compromise your organization. Even partners with good intentions may have poor security hygiene.

There's also the risk of non-compliance with regulations like HIPAA, PCI-DSS, GDPR etc. that hold you accountable for the sins of your third parties. You can outsource the function but not the responsibility.

What's the care factor?

You should care a lot. According to Ponemon, 59% of companies have experienced a data breach caused by one of their third parties. The average cost of such an incident is $7.5 million.

For a real-world example, look no further than the massive Target data breach in 2013. Attackers gained access to Target's network using credentials stolen from their HVAC vendor. The result? 110 million customer records compromised.

When is it relevant?

Implementing third-party endpoint security is a must whenever you have external entities accessing your systems and data. This could be SaaS providers, contractors, business partners etc. The more sensitive the data, the more critical the control.

It may be overkill for one-off, low-risk engagements. For example, hiring a design agency to make your marketing website probably doesn't warrant the same level of scrutiny as onboarding a payment processor.

What are the trade-offs?

Locking down third-party endpoints comes at a cost:

• Time and effort to assess each vendor's security posture
• Potentially limiting your pool of partners to those meeting your standards
• Pushing up prices as vendors have to invest more in security
• Administrative overhead of managing endpoints outside your environment
• Frustrated users dealing with tighter controls and limited functionality

You have to weigh these downsides against the security upside on a case-by-case basis. Don't let perfect be the enemy of good.

How to make it happen?

Here's a step-by-step guide:

1. Inventory all third parties with access to your data/systems
2. Classify them based on risk level (e.g. critical, high, medium, low)
3. Define security requirements for each tier (e.g. endpoint encryption, MFA, patching cadence)
4. Update contracts with security clauses matching those requirements
5. Assess current vendors against the new standards
6. Remediate gaps through technical controls and/or vendor pressure
7. For new vendors, make security assessment part of the procurement process
8. Use a tool like Axonius to continuously discover and validate third-party endpoints
9. Setup automated alerts for any deviations from your security baseline
10. Require vendors to notify you of any relevant personnel changes

What are some gotchas?

• Make sure you have a complete asset inventory. You can't secure what you don't know about.
• Beware of "fourth parties", i.e. your vendor's vendors. You're still ultimately responsible.
• Pay attention to insider threats, not just external attackers. Vet partner personnel.
• Technical controls won't help if the underlying endpoint OS is vulnerable. Stay on top of patching.
• You'll need admin rights on third-party endpoints to enforce policies. Make sure contracts allow this.
• Certain tools like DLP may not work for BYOD users. Have fallback controls.

What are the alternatives?

If directly managing third-party endpoints is infeasible, you have other options:

• Provide vetted company-owned devices for them to use
• Don't give them direct access at all, use an SSO portal
• Restrict access to non-sensitive data and systems
• Implement Just-In-Time access rather than standing privileges
• Place them in an isolated AWS account with limited blast radius

The key is to follow the principle of least privilege while still enabling the business.

Explore further

• CIS Controls v8 3.3, 3.4, 3.5 cover securely managing third-party access
• NIST 800-53 Rev 5 controls like PS-7, SA-9, SR-1, SR-2 provide relevant guidance
• The CSA STAR registry can help with assessing vendor security
• Sharedassessments.org has useful third-party risk management resources

I hope this practical walkthrough helps you tackle third-party endpoint security with more confidence. Stay safe out there!

‍