Security Best Practices: Third-Party Onboarding

May 27, 2021 | By IANS Faculty

The key to successful third-party onboarding is to balance the need for security with the need for third parties to be functional in their roles. Different jobs have different urgency, and there may not always be time to adjust the entire environment to allow a third party to onboard in the ideal fashion. While setting up virtual desktop infrastructure (VDI) for third-party use is a good start, other techniques and technologies may be needed, depending on the role. This piece explains the issues with onboarding third parties (especially in a remote environment) and offers tips for ensuring the process is both flexible and secure.

Shifts in Business Onboarding

The difficulty of filling key positions is forcing more organizations to turn to third parties, ranging from independent consultants to comprehensive agencies. As the business world increasingly shifts to this type of working, the nature of onboarding these workers has changed.

While all the regular challenges of onboarding still exist, the new model has ramifications across the board, from changing the basic onboarding process, to new security controls and specific niche issues.

Remote Onboarding Complexities

The onboarding process is made more complex when third parties are onboarded remotely because not only must their work be done offsite, but all the minor exceptions that arise during the process take longer to address when resources aren’t sitting in the same building as human resources (HR).

Issues with Remote Verification

Traditionally, a worker (in the U.S.) provides a driver's license and social security card or similar document to prove identity. In a remote onboarding scenario, transferring that data can bring additional risks, especially if the organization does not have a secured area in which HR can keep these documents. This issue is usually addressed by having the third-party company verify the identity of the resource they are supplying.

That works well unless you are dealing with an independent consultant. In that case, it might be wise to consider setting up a remote video meeting in which verification of critical information can occur in real time. (A video meeting is preferred to voice-only to limit the potential of the individual looking up information during the vetting process.)

Ideally, the vetting process involves verifying information from a background check and credit check. However, the effectiveness of such an approach varies state to state, because laws may prevent different types of checks and/or authorize the delivery of the reports to the recipient. Generally, a video-based verification process is sufficient for most circumstances.

For highly security-critical roles, it may also be necessary to have the individual vetted by an independent third party using a process like that used for drug checks.

Issues with Credential Delivery

Once vetted, the challenge of delivering credentials arises. If the organization has a self-service credentialing system, the difficulty isn't great. However, if such a system doesn’t exist, the organization must find a way to deliver the initial username and password securely.

Issues with Ramp-Up Time

Another concern with onboarding is that of ramp-up time. Organizations with strict onboarding requirements could experience delays as the new resources go through the online training process and acknowledge all the required compliance items. Issues to watch for might include, but are not limited to:

  • Access: For third parties, it is critical that access to these training/compliance systems be tested.
  • Expectations: The third party must be notified how long training will take and the criticality of completion. Many third parties are being brought into an organization to address time-sensitive issues, and the ramp-up element of onboarding can greatly delay the start of their work process – in some cases, catastrophically so.
  • Clear, concise communications: If a third-party worker is being onboarded for a two-week project but will not have access to critical files until the completion of a three-day ramp-up period, the worker may not be able to meet the deadline unless the ramp-up time is included in their project plan. Onboarding third parties tasked with specific time requirements requires much more up-front communication than onboarding employees, who typically have more leeway in the initial weeks of a new job.

Third-Party Security Controls

The standard solution for third-party workers today is some form of VDI, ideally with session recording. This approach serves to streamline the setup and monitoring of security controls, while obviating the need to remotely manage non-company-owned devices or maintain a fleet of remote laptops.

However, VDI is not a perfect solution for all use cases. Not only is it expensive and more complex for the organization to manage, but it can be very limiting for certain types of third-party workers. Some individuals have a niche skillset that involves tools that are not commonly part of a VDI environment and that, in special cases, cannot be installed in the VDI environment at all. Many information security assessment tools fit this pattern. So even if VDI is in place, it may be necessary to provide third-party workers with their own company-owned laptop or even to allow their resources to connect to yours in a bring-your-own-device (BYOD) scenario.

The key to success for these cases is to limit access to the minimum necessary and attempt to manage compensating controls where necessary. This can result in some complexity, but it can be more easily managed through reasonable classification of the third-party resource based on which technology best fits their needs.

By identifying the worker type ahead of time, it is possible to identify specific controls that apply to that use case. Combined with a reasonable exception policy run by security-trained individuals, this method can be highly effective.

Managing Time Slicing and Conflicts of Interest

Some third-party contractors may be "time slicers," meaning they work for multiple organizations at the same time. Depending on the circumstances, VDI may not be suitable, which puts you in the situation of weighing the value of the work against the risk of having your data potentially stored along with other data on the same device.

Where this is a concern, providing a dedicated machine is usually the best option, even if it is going to be a dedicated one-off machine that doesn't meet all corporate standards due to the worker's need to run specialized tools. In general, where this situation exists, the best control is to:

  • Verify the worker's professionalism and setup. Ask questions about how data is handled. Many information security consultants, for example, require Linux as a baseline system, simply due to tool availability and efficiency. While it is not possible to run traditional EDR tools on such systems, it is possible to get proof that the organization’s data is partitioned in encrypted vaults and that the device itself uses appropriate encryption methods throughout.
  • Ensure conflicts of interest are avoided. For example, even if a third party specializes in financial services companies, they should not set market strategies for two insurance firms competing against each other in the same market. This is usually ensured via contract with the contracting firm (not the individual).
  • Establish trust. As with all security issues, there is a limit beyond which it is not practical to attempt to enforce control and, instead, you must simply trust the individuals you are working with. This trust, however, needs to be backed up with contractual clauses and verification that the controls they use are properly in place.

International Concerns

If you are onboarding a third party based in a different country, the most significant change is usually regarding the laws of that country and how they differ from yours. Most such concerns focus on background checks – which can vary drastically from country to country – and the ability to pursue legal action should the worker act improperly. For both, the use of VDI is often the best approach, because you then get full control of their work environment and stand a better chance of preventing improper data access and copying.

Where that is not feasible, incentives must be aligned to encourage proper action by the worker. For many such situations, the best incentive can involve sponsorship for immigration, although other incentives such as funding education or supporting family needs can also work well in these situations.

Third-Party Onboarding Tips

Fundamentally, most workers (third party or not) just want to do a good job and make a good living. While security teams certainly need to consider the possibility of malicious actors, it is critical that the onboarding process does not create a draconian environment that prevents workers from doing a good job and costs so much it prevents your ability to provide them with a good living.

In the end, the reason such workers are being onboarded is to help the organization succeed. If the security controls themselves work counter to that goal, the environment is not improved (even though it may be more secure). When onboarding third-party workers:

  • Focus on worker success. The most critical element of all is that they be empowered to be successful in their new role, whatever that role may be.
  • Encourage good behavior. Controls should be aligned first to encourage good behavior (e.g., making approved data transfers seamless and automated, so workers don’t try to work around the process) and secondarily to detect and, where possible, block the bad.
  • Set appropriate access limits. No environment or control set can be perfect, so if it is believed a third-party worker poses a greater risk than others, that worker should be limited in capability and data access, fully leveraging least privilege and need to know.

The balance point between security restrictions and worker efficiency is going to be different in each organization and for each worker. In most cases, it is best to create a reasonably locked-down environment for the majority of such workers and to develop a flexible approach to meet the needs of others where that environment is either too restricted or too permissive for each unique situation.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

