We were recently joined by Martin Knight, international sales manager for privileged access management at Imprivata, to take us through some of the findings from HTN’s survey on healthcare network management, which asked respondents a series of questions about their organisation’s current practices around managing third-party access, covering onboarding, deprovisioning, audit trails, and more.
Here, Martin shares his views on the results from the survey and shares his key learnings and takeaways to support health and care organisations.
Allowing third-party access and managing internal privileged accounts
Respondents hailing from organisations across the NHS and beyond first shared how their organisation currently allows third-party access to their network, with 47 percent currently using enterprise directory services like Microsoft Active Directory and a VPN; 29 percent using access management solutions; 12 percent using desktop sharing tools; and 12 percent using vendor-supplied solutions.
Looking at the use of legacy technology to allow access to internal networks, Martin noted the costs associated with the approach of having a VPN and an Active Directory (AD) account, adding, “there are risks around that, as well, because if you give someone AD credentials, you don’t know whether they’re still working for their organisation, whether they’re sharing credentials, and it’s hard preventing lateral movement.”
Our survey also sought to understand how organisations are managing internal privileged accounts, with 39 percent of respondents reporting using a second elevated Active Directory account; 3 percent using shared credentials; 31 percent using their own personal Active Directory account; and 27 percent using a privileged access management (PAM) solution.
“The risk of having a second elevated AD account,” Martin said, “is that users need to have two passwords to be able to access, which they might be jotting down on a notepad somewhere; and also it’s looking at what happens as people move through the business and their roles change – are we still controlling what access they have?”
The approach Martin’s team takes, he said, involves asking vendors and users to create their own accounts through their own domain email address, “putting the time needed to create an account onto the vendor, not the internal team managing the process, as well as removing the need to create multiple AD accounts, because if you have a vendor coming in with 500 users, that’s a lot of accounts to create”.
That also has the effect of removing that risk associated with vendors needing to know domain credentials, and with the risk of them jumping across to a different application in the server, “because they don’t have the rights to do it”. This offers more control, and means organisations can “keep the keys to their kingdom” internally, without vendors ever knowing what they are, he said.
Password rotation and dedicated individual accounts
When it comes to handling the rotation of passwords for privileged accounts, 10 percent of respondents said that they were using a credential vault; whilst 53 percent reported that it was automated through a PAM solution; 20 percent said that this was done manually; and 17 percent reported that passwords are not rotated.
Having a PAM solution does take away the “heavy manual process”, Martin said, “and you’ve also got an audit log of who’s changed a password, when they’ve done it, and all of that sort of thing as well”. There are risks with not having some kind of password rotation in place, particularly for elevated accounts that can offer ongoing access to different systems, and there’s always the possibility of someone coming across that password, he added.
“With the PAM solution we can integrate with our internal PAM solution, or another vendor’s PAM solution,” Martin told us, “to make use of their own password vaults and the rotations of passwords directly within that, which takes away some of that manual work or risks when they aren’t rotated.”
The survey asked respondents whether every vendor user for their organisation has a dedicated individual account. 77 percent reported that their organisation does create an individual account per user; whilst 6 percent said that vendors shared accounts; and 17 percent reported a mix of shared and individual accounts.
Even though most report having individual accounts, there’s still no guarantee about who is actually using those accounts or whether those accounts are being shared, according to Martin, “because what quite often happens is a generic company email address is used, and then that’s being used by multiple people”. And when individual accounts are used, there’s “still a lot of manual work involved with that”, Martin told us, “as you need to make sure those users are still active at that organisation”.
Audit trails and deprovisioning access
Respondents were asked whether or not their organisation has an audit trail or video recording of vendors’ sessions. 21 percent said that their organisation had both in place; 50 percent did have something in place but reported that it was a lengthy and manual process to obtain audit logs; and 29 percent didn’t have anything in place.
“It can be a lengthy process going into an AD account and trying to pinpoint when you think an issue happened,” said Martin, “so not having a simple solution in place to simplify that can put a lot of pressure on internal teams”. That is particularly true when it comes to audit or governance reports, he noted, which can place timelines and additional stressors on teams.
With the PAM solution, Martin told us that a full HD video recording is available of each vendor session, and customers are given the option to have the full video recording, or an abridged version which simply shows key movements and streamlines the process.
When it comes to deprovisioning access in a timely manner when a vendor no longer needs access, 51 percent of respondents said that access is automatically deprovisioned after a set time; 39 percent said that access is manually revoked, but not always in a timely manner; and 10 percent reported that they don’t always know when a vendor no longer needs access, or that vendors can often have access longer than is needed.
Automatic deprovisioning is relatively simple to set up when you have a company coming in for a set amount of time, according to Martin, “but when it comes to manually deprovisioning, it’s whether the organisation has that team and capacity to go through a vendor’s account and look at metadata relating to last login, etc.”. The risks with this are largely the same as those with other manual account management, he added, “as if someone’s left the business, they may no longer have access to their organisation’s account, but they could still have access to their AD account”.
The “best case” scenario for deprovisioning, Martin considered, would be a PAM tool with automation added, whereby it can recognise where there hasn’t been a login for a set period of time, and control a time window during which vendors are permitted to log on. “It offers a bit more security,” he said, “in that you know someone isn’t going to be coming in on a Saturday afternoon when they shouldn’t be”.
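The two automated controls Martin describes, an inactivity cut-off and a permitted logon window, can be expressed as a small policy check. The following is an added example written for this page, not code from the article or from Imprivata’s product; the 30-day inactivity limit, the 08:00 to 18:00 weekday window and the three account records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Optional, Set, Tuple

# Assumed policy value for this example: disable after 30 days without a login.
INACTIVITY_LIMIT = timedelta(days=30)


@dataclass
class VendorAccount:
    user: str                        # vendor's own domain email address
    vendor: str
    created: datetime
    last_login: Optional[datetime]   # None = never logged in since creation
    allowed_days: Set[int]           # 0 = Monday ... 6 = Sunday
    window_start: time               # start of the permitted logon window
    window_end: time                 # end of the window (exclusive)
    active: bool = True


def last_activity(acct: VendorAccount) -> datetime:
    """An account that has never logged in is measured from its creation date."""
    return acct.last_login or acct.created


def stale_accounts(accounts: List[VendorAccount], now: datetime) -> List[VendorAccount]:
    """Active accounts whose last activity is older than INACTIVITY_LIMIT."""
    return [a for a in accounts if a.active and now - last_activity(a) > INACTIVITY_LIMIT]


def deprovision_stale(accounts: List[VendorAccount], now: datetime) -> List[Tuple[str, str]]:
    """Disable stale accounts; return (user, reason) pairs for the audit trail."""
    audit = []
    for acct in stale_accounts(accounts, now):
        acct.active = False
        audit.append((acct.user, f"disabled: no login since {last_activity(acct).isoformat()}"))
    return audit


def login_permitted(acct: VendorAccount, when: datetime) -> Tuple[bool, str]:
    """Allow a logon only for an active account inside its agreed day/time window."""
    if not acct.active:
        return False, "account disabled"
    if when.weekday() not in acct.allowed_days:
        return False, "outside permitted days"
    if not (acct.window_start <= when.time() < acct.window_end):
        return False, "outside permitted hours"
    return True, "ok"


WEEKDAYS = {0, 1, 2, 3, 4}


def sample_accounts() -> List[VendorAccount]:
    """Constructed sample data, not real vendors or dates."""
    return [
        VendorAccount("a.smith@vendor-one.example", "vendor-one",
                      datetime(2024, 1, 15), datetime(2024, 6, 7, 14, 0),
                      WEEKDAYS, time(8, 0), time(18, 0)),
        VendorAccount("b.jones@vendor-two.example", "vendor-two",
                      datetime(2024, 1, 15), datetime(2024, 3, 1, 10, 0),
                      WEEKDAYS, time(8, 0), time(18, 0)),
        VendorAccount("c.lee@vendor-three.example", "vendor-three",
                      datetime(2024, 6, 1), None,
                      WEEKDAYS, time(8, 0), time(18, 0)),
    ]


NOW = datetime(2024, 6, 10, 9, 0)   # a Monday morning (constructed "current time")


if __name__ == "__main__":
    accounts = sample_accounts()
    for entry in deprovision_stale(accounts, NOW):
        print(entry)
    for acct in accounts:
        print(acct.user, login_permitted(acct, NOW))
        print(acct.user, login_permitted(acct, datetime(2024, 6, 15, 14, 0)))  # a Saturday
```

Run as a scheduled job, `deprovision_stale` is the inactivity check and its return value is the audit record of what was disabled and why; `login_permitted` is the check a portal would apply at logon time, so a Saturday-afternoon attempt is refused even for an account that is otherwise valid.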
Onboarding and preventing lateral movement
Respondents were also asked about the onboarding process for new vendor access at their organisation, with 33 percent reporting there was a manual process to create an account and provide VPN access; 21 percent stating that their organisation has a dedicated team who handles vendor onboarding; 15 percent provisioning an account to a remote access or virtual desktop solution; and 31 percent sharing that they had ad-hoc processes in place depending on the vendor and access needed.
With ad-hoc processes in particular, Martin said his team tend to find “some vendors have a tool in place” like TeamViewer or their own VPN connectivity, “which is great, but creates challenges for companies, because if they have 20 vendors coming into their network, that’ll mean managing 20 different ways they’re going to gain access”. From an internal point of view, manually creating accounts offers control over that, but there are still risks, which can potentially be mitigated through the use of a PAM solution, he continued, where a dedicated team can manage the onboarding process “to take away that time needed to bring a new technology to a vendor each time a vendor comes on board”.
The final question from the survey asked respondents whether their organisation had the capability to prevent lateral movement once a vendor is inside their network. 50 percent said that they did have this in place; a further 37 percent said that this was somewhat in place with more complex firewall configurations; and 13 percent reported that this was not in place at their organisation.
Martin focused on the benefits of having a PAM solution in place to “remove the need to configure firewalls for specific use cases”, allowing users to define access to specific applications or servers, meaning “if they try and hop onto another server they won’t know the credentials, because we’ll inject those directly into the session when the vendor joins”.
Keeping that password away from users and vendors offers an additional layer of security, “so all they know is the password they’ve created themselves to gain access to the portal, and they don’t know the credentials to move anywhere else”.
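The brokered-session pattern described here, where the vendor knows only the portal password they chose, the broker supplies the target credential from a vault, the session is recorded and the credential is rotated and logged afterwards (which also covers the rotation and audit-log points made earlier), as an added example. It is a toy simulation written for this page, not Imprivata’s code; the hosts, the vendor user and every password are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Set, Tuple


class Host:
    """Simulated target server; logs in only with the password it currently holds."""
    def __init__(self, name: str):
        self.name = name
        self._password = ""

    def login(self, password: str) -> bool:
        return bool(self._password) and hmac.compare_digest(password, self._password)

    def set_password(self, new_password: str) -> None:
        self._password = new_password


class Vault:
    """Holds target credentials; rotates them on the host and in the vault together."""
    def __init__(self, hosts: Iterable[Host]):
        self._hosts: Dict[str, Host] = {h.name: h for h in hosts}
        self._secrets: Dict[str, str] = {}
        self.audit: List[Tuple[str, str]] = []   # (actor, event)
        for name in self._hosts:
            self.rotate(name, "broker-setup")

    def host(self, target: str) -> Host:
        return self._hosts[target]

    def get(self, target: str) -> str:
        return self._secrets[target]

    def rotate(self, target: str, actor: str) -> None:
        new = secrets.token_urlsafe(24)
        self._hosts[target].set_password(new)
        self._secrets[target] = new
        self.audit.append((actor, f"rotated credential for {target}"))


class Session:
    """Handle given to the vendor: names the target and records activity; holds no credential."""
    def __init__(self, session_id: str, user: str, target: str):
        self.id, self.user, self.target = session_id, user, target
        self.recording: List[str] = []   # stands in for the session video/keystroke log

    def run(self, command: str) -> str:
        self.recording.append(command)
        return f"{self.target}$ {command}"


class Broker:
    """Portal plus credential injection: vendors authenticate here, never to the hosts."""
    def __init__(self, vault: Vault):
        self.vault = vault
        self._portal: Dict[str, Tuple[bytes, bytes]] = {}   # email -> (salt, pbkdf2 hash)
        self._grants: Dict[str, Set[str]] = {}              # email -> permitted targets

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enrol(self, email: str, password: str, targets: Iterable[str]) -> None:
        salt = secrets.token_bytes(16)
        self._portal[email] = (salt, self._hash(password, salt))
        self._grants[email] = set(targets)

    def portal_login(self, email: str, password: str) -> bool:
        rec = self._portal.get(email)
        return rec is not None and hmac.compare_digest(self._hash(password, rec[0]), rec[1])

    def open_session(self, email: str, password: str, target: str) -> Session:
        if not self.portal_login(email, password):
            raise PermissionError("portal login failed")
        if target not in self._grants.get(email, set()):
            raise PermissionError(f"{email} has no grant for {target}")
        # Injection: the broker reads the vault secret and logs in on the vendor's behalf.
        if not self.vault.host(target).login(self.vault.get(target)):
            raise RuntimeError(f"broker could not log in to {target}")
        sess = Session(secrets.token_hex(8), email, target)
        self.vault.audit.append((email, f"opened session {sess.id} to {target}"))
        return sess

    def close_session(self, sess: Session) -> None:
        self.vault.audit.append((sess.user, f"closed session {sess.id}, {len(sess.recording)} commands recorded"))
        self.vault.rotate(sess.target, "broker")   # single-use from the vendor's point of view


def demo() -> dict:
    """One brokered session plus two hop attempts; returns the facts worth checking."""
    vault = Vault([Host("app-server-01"), Host("db-server-01")])   # constructed hosts
    broker = Broker(vault)
    vendor, portal_pw = "a.smith@vendor-one.example", "vendor-chosen-pw"   # constructed
    broker.enrol(vendor, portal_pw, ["app-server-01"])
    sess = broker.open_session(vendor, portal_pw, "app-server-01")
    sess.run("systemctl status app")
    injected = vault.get("app-server-01")
    broker.close_session(sess)
    try:
        broker.open_session(vendor, portal_pw, "db-server-01")   # not in the vendor's grants
        hop_via_broker = True
    except PermissionError:
        hop_via_broker = False
    return {
        "secret_exposed_to_vendor": injected in vars(sess).values(),
        "rotated_after_session": vault.get("app-server-01") != injected,
        "hop_with_portal_pw": vault.host("db-server-01").login(portal_pw),
        "hop_via_broker": hop_via_broker,
        "commands_recorded": list(sess.recording),
        "audit_events": len(vault.audit),
    }
```

The point of the simulation is in `demo()`: the only password the vendor holds is useless against any host, the broker refuses targets outside the vendor's grant, the credential it did inject is rotated as soon as the session closes, and the vault's audit list already answers "who opened what, and when was the password changed" without anyone reading raw directory logs.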
Key takeaways
Looking at key takeaways from the survey’s findings, Martin highlighted the security risks around not having complete control over individual accounts and who is using them, as well as with VPN and AD account access, whereby “a vendor could come in over the weekend and make changes to a network or system which could cause issues come Monday morning”. That’s why having a PAM solution in place is so important, he stressed, “so you can define what times vendors can come in, and there’s a workflow in place to have that just-in-time access requirement”.
Whilst there are businesses out there looking at how they can create zero-trust network access, Martin considers that “there’s still a lot of work to be done”, pointing to the tendency for people to use the “simple and cheaper route of VPNs”, which “opens up a whole can of worms on risk and creates issues with audit reports, as well”.
It’s always difficult to justify an expenditure such as this technology, Martin said, “but you have to look at how much time is being used by internal teams on creating and managing these accounts for vendors – we’ve seen a lot of customers where the solution has paid for itself within the first 12 months by removing some of those manual tasks”. It can also offer benefits when it comes to meeting regulations such as NIS2, he went on, “and being able to tick a box there is a big part of it, as well”.
Having a solution which is “fairly self-managed” can help organisations to work around the expense of having internal teams managing access and vendor accounts, Martin said, “taking away that internal pain, whilst adding that security and ease with compliance”.
When it comes to the future of PAM, Martin sees analytics as playing a larger role, highlighting the potential for the “huge amounts of information collected” to be used to train internal resources, save downtime, and in harnessing the power of AI.
Describing Imprivata’s PAM solution, Martin said that it’s “enterprise grade, simple, secure remote access” for vendors to gain access to an internal network, simplifying the process by putting some of the work onto the vendor. “We try and simplify the licensing,” he told us, “so rather than catering for every single person who wants to use a solution, we do it per vendor, so it covers the email domain, and companies can have as many users as needed”.
It’s about making things like checking vendor access and sessions easier, he said, “so that things which may have traditionally taken days can be done in just a few clicks, which not only saves time, but also makes ensuring network security that much easier”.
Imprivata’s PAM solution also offers multi-factor authentication (MFA) which ties into vendors’ own MFA solutions, meaning users need to provide “that second layer of authentication to get into the system”, by receiving an email to their domain email address, “because if a user leaves a business their email is often one of the first things to be removed”.