Four Ways to Secure Interactions With External Customers and Partners

As reported by ZDNet, authorities and security professionals are discovering that hackers have widely deployed command and control infrastructure at their disposal. The implications of this are apparent when the organization’s own employees are part of the attack vector.  Organizations that provide services to customers and partners however, need to broaden their security strategy to consider how this threat may impact the employees of those customers and partners who interact with their network.

If you are an organization that provides services to customers or partners, hackers can bring their command and control infrastructure against you through them by using their vulnerabilities to hack your infrastructure. This means that you must equip your customers and/or partners with the right level of authentication, encryption and security so that they can safely access your services. As we noted in our review of the fundamental steps necessary to protect your organization, users outside your organizations (e.g., customers and/or partners) need to be secured with an appropriate level of determination and control similar to your employees. 

What Do We Mean by Securing External Users? 

To establish an authentication and access strategy, assume that you will need to provision your customers’ and partners’ users with access credentials or, at a minimum, conduct the requisite due diligence on your customers’ and/or partners’ users – your customer and/or partner are not trusted and do not have sufficient network security in place, which requires your organization to manage them accordingly. Per the Digital Identity Guidelines published by NIST, this means implementing access to your digital service by external users will require the organization to assess the user’s Identity Assurance Level, Authentication Assurance Level and if there are federated systems, their Federation Assurance Level.

As part of designing a security strategy for external users, organizations must define and implement authentication, encryption and access privilege management. The good news is that many of the techniques you use for internal employees are applicable to your external users as well. Some of these applicable components and techniques are:

• Advanced Multi-Factor Authentication – Organizations can use Advanced MFA to provision to external users (like customers and partners) so that only necessary users gain access to critical services, applications and data. This can be accomplished while maintaining the highest level of convenience — such as allowing the usage of mobile devices that users may already have in their possession, and that provide the convenience and security of mobile push authentication.
• PKI and Digital Certificates – With the use of PKI and Digital Certificates, organizations can cater to the authentication and encryption of all external users in a manner that has the needed security strength and appropriate scope and adaptability for future needs while maintaining a practical balance between manageability, scalability, ease of implementation and ease of use. 
• Identity Vetting – Organizations can implement independent identity verifications of external users as part of their registration process. This aids in establishing secure identities that are required in regulated, and increasingly, in near-regulated industries.
• Scalable Identity Lifecycle Management – Establishing a structured identity and credential lifecycle management for managing external users will help organizations scale to high volumes of users.

Implement a Strategy for Securing External Interactions

With today’s hackers employing wider and wider attack infrastructure, they are just as likely to target your customers and partners as they target your employees. As such, organizations need to have a comprehensive strategy for securing interactions of their online services and network with their external customers and partners. This will require organizations to abandon today’s practice of implicitly trusting external users using traditional shared secret techniques.  They will need to incorporate advanced authentication techniques, PKI, digital certificates and\or scalable identity management along with contextual-based risk management within their security strategy. 

To learn more about our scalable, cloud-based solutions and how it helps enterprises support authentication of external users, take a look at our identity and access management solutions or talk to one of our experts.

Mrugesh Chandarana is Product Management Director for Identity and Access Management Solutions at HID Global, where he focuses on IoT and PKI solutions. He has more than ten years of cybersecurity industry experience in areas such as risk management, threat and vulnerability management, application security and PKI. He has held product management positions at RiskSense, WhiteHat Security (acquired by NTT Security), and RiskVision (acquired by Resolver, Inc.).