Why Managing Vendor Access is Critical to IT Security
What can we learn in the wake of CDK Global’s Cyberattack?
An insider’s perspective on CDK Global
NetraVine CEO Kenny Sallee worked for CDK Global between 2001 and 2012, when it was called Automatic Data Processing (ADP) Dealer Services. He was both an individual contributor and the research and development (R&D) engineering manager of 5 highly certified CCIEs and several other CCIE-level engineers. During his tenure there, Kenny and his IT team developed products and services en masse and consulted with the Top 10 largest automotive groups in the USA. Kenny designed some of the connectivity solutions, formerly known as the Service Delivery Network (SDN), now known as CDK Cloud Connect, which is a Software-Defined Wide Area Network (SD-WAN) solution. He also worked on the data center designs that CDK still uses today and is intimately familiar with the overall infrastructure of the CDK dealer management system. Kenny still works with and remains friends with CDK engineers.
CDK Global provides SaaS application(s) and IT solutions for over 15,000 car dealerships in the USA and more worldwide. In June of 2024, CDK Global had an IT security event that brought the automotive industry in the USA to a standstill for several weeks. Most dealerships and groups had to turn to paper-based, manual, labor-intensive methods to sell services and vehicles leading up to the big 4th of July holiday, and the event disrupted the US economy for a couple of weeks.
Anderson Economic Group estimated that the attack cost car dealerships more than $1 billion collectively.
How to protect your dealership from your vendors?
CDK Global's DMS, network, and security infrastructures were designed to be more operationally efficient than secure. The company conditioned automotive dealerships to believe CDK is a trusted source in terms of infrastructure security. Dealerships connected to them in most cases without a firewall or Access Control Lists (ACLs) in place to protect themselves from network traffic that originates on CDK's network. Having this inherent trust is flawed thinking and can be detrimental to a dealership, and to CDK.
CDK Global, in this case, is just one vendor. Most car dealerships have at least 20-30 vendors that solve many different business problems. All of them are attack vectors that need to be managed as hostile from an IT security perspective. So how do you protect your dealerships and your business?
Implement a Secure Access Service Edge (SASE) security and connectivity model
SASE is a modern approach to IT security designed to protect businesses in today’s virtual and digital world, regardless of where the business or individuals work from. Think of SASE as a combination of security services and operational and network management delivered through the cloud, which makes delivering services to your employees simpler and safer for both the end users and the business.
Further, SASE delivers converged network and security as a service capabilities, including SD-WAN, Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Next Generation Firewall (NGFW) and Zero Trust Network Access (ZTNA). SASE supports branch office, remote worker and on-premises secure access use cases. SASE is primarily delivered as a service and enables zero trust access based on the identity of the device or entity, combined with real-time context and security and compliance policies. (Gartner)
11 best practices for vendor security and connectivity management
Protecting your company from vendors who connect to your network requires a comprehensive approach that focuses on securing third-party access, limiting risks, and ensuring compliance with your security policies. Here are some best practices to consider:
Implement a Vendor Management Program
- Establish a formal program that evaluates vendor security practices before granting access.
- Regularly review vendors’ security controls, compliance standards, and access requirements.
Use Network Segmentation
- Segment your network to isolate vendor access to only the specific resources they need.
- Use separate DMZs, VLANs or virtual networks to contain vendor activity and prevent unauthorized access to sensitive areas of your infrastructure.
Enforce Least Privilege Access
- Limit vendor access strictly to what is needed for their job (least privilege principle).
- Implement role-based access controls (RBAC) to ensure vendors can only access specific resources.
Multi-Factor Authentication (MFA)
- Require MFA for all vendor access to your network, where applicable. Specifically, anywhere a vendor requires a login, they should use MFA, as should your organization.
- Use strong authentication methods like hardware tokens or biometric authentication for added security.
Secure Remote Access Solutions
- Use VPNs, secure tunneling, or Zero Trust Network Access (ZTNA) solutions to provide controlled and encrypted remote access.
- Avoid direct network connections from vendors by using secure gateways.
Continuous Monitoring and Logging
- Monitor vendor activities in real-time using intrusion detection systems (IDS), network monitoring tools, and security information and event management (SIEM) systems and vendors.
- Maintain logs of all vendor actions on your network for auditing and forensics.
Vendor Access Review and Termination
- Regularly review and update vendor access permissions.
- Immediately revoke access once a vendor no longer requires it or when the contract ends.
Use Endpoint Protection
- Require vendors to have endpoint security measures (e.g., antivirus, anti-malware, data encryption) on their devices before accessing your network.
- Consider providing a managed device or virtual desktop infrastructure (VDI) for vendors to use while connecting.
Security Awareness Training
- Ensure vendors are aware of your company’s security policies and best practices.
- Include requirements for regular training and certification for vendors who handle sensitive data.
Conduct Regular Risk Assessments
- Periodically evaluate the risks associated with each vendor and update your controls accordingly.
- Perform penetration tests or vulnerability assessments focused on third-party access points.
Use Contractual Security Clauses
- Include security requirements in vendor contracts (e.g., incident reporting, compliance with standards like ISO 27001 or SOC 2). In the automotive vertical, also include the FTC Safeguards Rule as well as PCI standards and compliance.
- Establish penalties for security breaches or failure to comply with agreed security measures.
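The following Python example is added here and is not from the original article or from any NetraVine or CDK tooling. It audits vendor-originated flow records against a per-vendor, default-deny allowlist, combining the segmentation, least-privilege, monitoring and access-termination practices above. The vendor names, networks, ports, dates and the flow-record layout are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class VendorPolicy:
    source_net: str      # segment the vendor's traffic arrives from
    allowed: frozenset   # (destination network, TCP port) pairs the vendor needs
    access_ends: date    # contract end date; access is revoked afterwards

# Constructed sample policy: vendor names, networks, ports and dates are hypothetical.
POLICIES = {
    "dms-vendor": VendorPolicy("10.250.1.0/24", frozenset(
        {("10.10.20.0/28", 443), ("10.10.20.0/28", 1433)}), date(2025, 12, 31)),
    "crm-vendor": VendorPolicy("10.250.2.0/24", frozenset(
        {("10.10.30.5/32", 443)}), date(2024, 6, 30)),
}
# Constructed flow records (day, source, destination, destination port).
FLOWS = [
    ("2024-07-01", "10.250.1.14", "10.10.20.4", 443),  # inside the allowlist
    ("2024-07-01", "10.250.1.14", "10.10.40.9", 445),  # reaches another segment
    ("2024-07-01", "10.250.2.8", "10.10.30.5", 443),   # contract already ended
    ("2024-07-01", "192.0.2.77", "10.10.20.4", 443),   # source owned by no vendor
]

def vendor_for(src, policies):
    """Return the vendor whose source segment contains src, or None."""
    return next((name for name, pol in policies.items()
                 if ip_address(src) in ip_network(pol.source_net)), None)

def audit(flows, policies=POLICIES):
    """Label each flow; anything not explicitly allowed is a finding."""
    results = []
    for day, src, dst, port in flows:
        name = vendor_for(src, policies)
        if name is None:
            verdict = "deny: unknown source"
        elif date.fromisoformat(day) > policies[name].access_ends:
            verdict = f"deny: {name} access expired"
        elif any(ip_address(dst) in ip_network(net) and port == p
                 for net, p in policies[name].allowed):
            verdict = "allow"
        else:
            verdict = f"deny: {name} outside allowlist"
        results.append(((day, src, dst, port), verdict))
    return results
if __name__ == "__main__":
    for flow, verdict in audit(FLOWS):
        print(f"{verdict:38} {flow}")
```

The same allowlist can drive the firewall or ACL rules on the vendor segment, so the enforcement point and the audit share one source of truth.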
NetraVine, with specific knowledge of the automotive industry and IT landscape, can help you assess and secure your organization.