Newcomer I

3rd Party Vendor Access - VPN with limited access vs WebEx with manual start

I wanted to get opinions regarding 3rd party remote vendor access. There is more overhead when using VPN (2FA) for my 3rd party vendors (long term). Does anyone know of the risks/concerns with the WebEx approach? I to configure the manual start and appropriate notifications etc.? I can see a possible issue with accountability here.

1 Solution

Accepted Solutions
Viewer

Re: 3rd Party Vendor Access - VPN with limited access vs WebEx with manual start

It would depend on your risk appetite, but common issues that I call out with things like WebEx:

- 'always on' connection where the 3rd party may be in control, do you have the ability to kill the connection?

- traffic is often tunneled so if you are breaking and inspecting network connections with your IDS / IDP tools, WebEx is likely to breach this so potential malware introduction from the 3rd party

- I can't remember the exact issue but there was a vulnerability previously with WebEx, if I remember correctly, relating to eavesdropping and remote code execution

- Data loss risk - DLP tools are unlikely to be covering the connection so the third party has the potential to exfiltrate data without it being noticed

In summary, there are quite a few 'risks' that you can call out with WebEx but it comes down to what's realistic. Do you have robust contracts in place? And can you keep as much control as possible? The key part is to be able to kill the connection and ensure they no longer have access, whilst protecting the asset from compromise due to poor 3rd party controls and identify any data loss.

 

Hope that helps?

4 Replies

Newcomer III

Re: 3rd Party Vendor Access - VPN with limited access vs WebEx with manual start

WebEx can be a convenience issue. You set aside an employee to use their laptop for the WebEx. Then the employee suddenly needs to do work or falls asleep and the WebEx window closes. Basically you take an employee and an end node offline or you interrupt the workflow of a vendor and hinder the project.

 

It's a tough choice.

Newcomer III

Re: 3rd Party Vendor Access - VPN with limited access vs WebEx with manual start

I work for one of those 3rd party vendors, and we even make our own employees use a VPN when accessing a production environment from a company office, let alone from home.

I'm a big fan of VPN with MFA in place.
Community Champion

Re: 3rd Party Vendor Access - VPN with limited access vs WebEx with manual start

 

If you're dealing with a 3rd party vendor, the level of access you'd want to give them will depend on what they have to accomplish, the duration required for this, and --- as @ordos mentioned --- your organisation's risk appetite in conjunction with WebEx issues & the vendor contract.

 

If it's just a short session for, say, troubleshooting a system, you might opt for a WebEx session to save on the time needed to configure a VPN gateway just for this. To be on the safe side, you can have a preset window for the session & have it on a hardened system in your network, from which you can then take SSH sessions to specific systems to be worked on.

 

On the other hand, if it's required for an implementation or an ongoing project, a remote access or site-to-site VPN would be preferable, since you can achieve accountability, control the connection's duration and scope, and do away with the resources --- people and systems --- needed to cater to a WebEx session.

 

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
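
An added example, not part of any post in this thread: one way to check the controls discussed above (a preset session window, SSH only to specific systems, and the ability to kill a lingering connection) against session records from the hardened jump host. The record layout, user name, host names and times are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed change ticket: approved window and in-scope systems (hypothetical names).
WINDOW_START = datetime(2024, 4, 10, 14, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 4, 10, 16, 0, tzinfo=timezone.utc)
ALLOWED_TARGETS = {"app-db-01", "app-web-02"}

# Constructed SSH session records from the jump host:
# (user, target, start, end), with end = None while the session is still open.
SESSIONS = [
    ("vendor-acme", "app-db-01", "2024-04-10T14:05:00+00:00", "2024-04-10T14:40:00+00:00"),
    ("vendor-acme", "hr-fileserver", "2024-04-10T14:45:00+00:00", "2024-04-10T14:50:00+00:00"),
    ("vendor-acme", "app-web-02", "2024-04-10T15:30:00+00:00", "2024-04-10T16:20:00+00:00"),
    ("vendor-acme", "app-db-01", "2024-04-10T15:55:00+00:00", None),
    ("vendor-acme", "app-web-02", "2024-04-10T13:10:00+00:00", "2024-04-10T13:20:00+00:00"),
]


def review_sessions(sessions, now):
    """Return (index, user, target, reasons) for every session that breaks the ticket."""
    findings = []
    for idx, (user, target, start_s, end_s) in enumerate(sessions):
        start = datetime.fromisoformat(start_s)
        end = datetime.fromisoformat(end_s) if end_s else None
        reasons = []
        if target not in ALLOWED_TARGETS:
            reasons.append("target-out-of-scope")      # scope control failed
        if start < WINDOW_START or start >= WINDOW_END:
            reasons.append("started-outside-window")   # access outside the preset window
        if end is not None and end > WINDOW_END:
            reasons.append("ran-past-window")          # session was not cut off at window end
        if end is None and now > WINDOW_END:
            reasons.append("still-open-kill-now")      # connection that must be terminated
        if reasons:
            findings.append((idx, user, target, reasons))
    return findings


if __name__ == "__main__":
    now = datetime(2024, 4, 10, 17, 0, tzinfo=timezone.utc)
    for finding in review_sessions(SESSIONS, now):
        print(finding)
```

Each finding names the vendor account and target, which is the accountability trail that a shared, employee-hosted WebEx session does not give on its own.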