The challenge of providing access while maintaining control
A fast-growing provider of software solutions for marketing, web analytics and customer relationship management has a large pool of third-party contractors whose services are shared between different groups within the company. The IT team is responsible for ensuring the safety and integrity of key corporate applications, a task made harder because most of the third-party contractors and freelancers use personal devices to do their work.
The company’s contractor workforce is distributed worldwide, helping support round-the-clock operations and serving global customers. While most vendors are carefully vetted, the risk assessment process is imperfect because of the volume and variety of engagements. “Sometimes we engage contractors from a large agency, while other times we hire individual freelancers, depending on the job,” says the company’s security manager. “The vetting process is not consistent across all vendors, and we can never be certain that specific contractors have the right security controls in place to help safeguard our internal applications.”
And even fully vetted providers present a security risk: the company’s IT team found that a growing number of remote contract workers use their own devices, unsecured and unmanaged laptops and desktops that are often shared by family members and used for personal browsing, email and other tasks.
The company’s IT team tried enforcing the secure access policy by physically shipping IT-managed laptops to each contractor, but that quickly proved too complicated. Not only was it logistically difficult to supply, maintain and distribute laptops to hundreds of contractors around the globe, but some countries’ import regulations and certification requirements created obstacles that could not be easily resolved. The company needed a solution that would allow it to grant remote contract workers access to critical applications while maintaining control over its data and managing privileges on a granular, role-based level.
"We can never be certain that specific contractors have the right security controls in place to help safeguard our internal applications."
- Security manager
Silo for Safe Access mitigates risk while allowing contractors to work from anywhere
Prior to acquiring Silo for Safe Access licenses, the IT group attempted to set up virtual desktop infrastructure (VDI), which proved cumbersome for these particular users and not easily scalable. The team ultimately selected Silo, used together with the Okta identity and access management platform, to create access controls for most of the applications contractors need to perform their tasks.
Important applications are locked down so they can only be accessed through Silo, not through a local browser. Okta controls the point of entry for each application, verifying that the request originates from a Silo egress IP address before granting access. IT has set up role-based permissions, giving the team visibility, control and assurance that sensitive information is not accessed through unsecured networks and unmanaged, shared devices. Each contractor is assigned to a group depending on their function and job requirements and is granted access only to the applications that are vital for their work. The role-based provisioning also applies to data policy controls, with each group given specific privileges regarding data copying/pasting, uploading and downloading, as well as the printing of documents.
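The access model described above, as an added illustration that is not Okta’s, Authentic8’s or the company’s code: an identity-provider-side policy first checks that the connection’s source address falls inside the isolated browser’s egress ranges (Okta implements this kind of check with a Network Zone referenced from an application sign-on policy), then applies group-based application entitlements and a default-deny data-handling policy with small, monitored exception groups. The egress ranges, group names and application names are all constructed for the example. The point a practitioner should take from it is in `from_silo`: the address tested must be the TCP peer the identity provider actually sees, never a client-supplied header, because a browser on an unmanaged device can set any header it likes.

```python
"""Illustration of IP-gated, role-based access with per-group data policies.
Added example; all addresses, groups and application names are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for the isolated browser's egress ranges (RFC 5737 /
# RFC 3849 documentation prefixes). In Okta this list would live in a Network Zone.
SILO_EGRESS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:7::/48")]


@dataclass(frozen=True)
class DataPolicy:
    """What a group may do with data inside the isolated browser. Default-deny."""
    copy_paste: bool = False
    upload: bool = False
    download: bool = False
    printing: bool = False


# Constructed role-based groups: (applications the group may open, data policy).
GROUPS = {
    "marketing-contractors": ({"campaign-console", "analytics"}, DataPolicy()),
    "crm-freelancers":       ({"crm"}, DataPolicy()),
    # Exception group, kept small and monitored; adds download only.
    "crm-export-exception":  ({"crm"}, DataPolicy(download=True)),
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    policy: DataPolicy = field(default_factory=DataPolicy)


def from_silo(source_ip: str) -> bool:
    """True if the connection's source address is inside a Silo egress range.

    source_ip must be the peer address of the TCP connection as observed by the
    identity provider, not a value taken from X-Forwarded-For or any other
    header the client controls. Anything unparseable is treated as not-Silo.
    """
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in SILO_EGRESS)


def evaluate(user_groups, app: str, source_ip: str) -> Decision:
    """Decide whether a user may open `app` from `source_ip`, and with what data policy."""
    if not from_silo(source_ip):
        return Decision(False, "source address is not a Silo egress address")

    granting = [GROUPS[g] for g in user_groups if g in GROUPS and app in GROUPS[g][0]]
    if not granting:
        return Decision(False, f"no group of this user grants access to {app!r}")

    # Exception groups exist to add a specific privilege, so the effective policy is
    # the union over the groups that grant this app. A user in no exception group
    # stays at the default-deny policy.
    policy = DataPolicy(
        copy_paste=any(p.copy_paste for _, p in granting),
        upload=any(p.upload for _, p in granting),
        download=any(p.download for _, p in granting),
        printing=any(p.printing for _, p in granting),
    )
    return Decision(True, "granted via Silo with group data policy", policy)


if __name__ == "__main__":
    # Constructed requests: a direct connection from a personal device, a Silo
    # connection to an unauthorised app, a normal Silo connection, and one from a
    # user who also sits in the monitored exception group.
    for groups, app, ip in [
        (["crm-freelancers"], "crm", "198.51.100.5"),
        (["crm-freelancers"], "analytics", "203.0.113.10"),
        (["crm-freelancers"], "crm", "203.0.113.10"),
        (["crm-freelancers", "crm-export-exception"], "crm", "2001:db8:7::1"),
    ]:
        d = evaluate(groups, app, ip)
        print(f"{ip:>16} {app:<10} allowed={d.allowed!s:<5} download={d.policy.download!s:<5} {d.reason}")
```

Two design choices worth noting: unparseable or missing source addresses fail closed rather than falling through to the group check, and a user who is in no exception group gets the default-deny policy even if they hold several ordinary groups, which matches the "restrict everything, then create specific monitored exception groups" approach described by the IT engineer below.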
“Our security personnel performed extensive testing on Silo’s data transfer policies by emulating a remote machine, and they found the policies to be sound,” explains an IT engineer. “Our default approach is to restrict all copying and pasting of data from any internal application and no uploads or downloads from external devices. For exceptions, we have created specific groups within Silo, which we can closely monitor to prevent data leakage or loss.”
Using an isolated browser also helps protect the company’s infrastructure from malware and other web-borne threats. “Since we can’t control each contractor’s device or install software on their machines, we use Silo to air gap unmanaged machines to obfuscate potentially exploitable web code from reaching our applications,” explains the IT engineer. “So, even if a contractor clicks on a phishing link and their personal machine is compromised, our systems are protected and we are not vulnerable to data loss.”
The IT team processes all new onboarding requests and, even with limited resources, can reduce risk and manage access for a growing pool of contractors. The Silo rollout was a success, and the company is now considering a future project to extend Silo to employees, specifically for situations when their IT-managed laptops are out for repair or they otherwise must access company applications from personal devices.