How to Manage Vendor Access After Contracts End?

Asked By PixelPenguin42 On

I've been working at my new job for three months and have been cleaning up security issues. Recently, I discovered that a managed service provider we stopped using two years ago still has VPN access and admin rights to our backup system. It turns out five technicians from that MSP still have active VPN credentials, and their access includes domain admin abilities on some servers, full access to our Veeam backup environment, and read access to file shares with customer data. This situation is alarming because if they wanted, they could log in right now without us knowing, as their accounts look legit in our logs.

When I inquired about the process for offboarding vendors, I learned there isn't one. When contracts end, procurement simply closes the purchase order, but IT isn't informed to revoke access. Despite having a formal process for terminating employees, vendor relationships just end without a proper cleanup of their access rights. I've even found other former vendors with active accounts.

To better track vendor technical access, how do organizations ensure that offboarding vendors' access is managed when procurement and IT don't communicate effectively?

5 Answers

Answered By TechSavant42 On

For tracking vendor access effectively, assign a sponsor for every external account along with a set expiration date. Some companies also automate reminder emails as accounts near expiry, but many just rely on someone remembering to renew them, which often leads to oversights.

JavaJunkie99 -

That's also the norm at my workplace. We make sure vendor accounts have a six-month expiration cycle, with a two-week advance notice sent to the appropriate staff.

Answered By RealTalkRick On

It's frustrating how common this is! I suggest disabling any vendor accounts that haven't logged in for over a year. This action alone could significantly reduce your security risks. Always ensure that the vendor access lifecycle is tracked closely with proper processes in place.

SystemStalker -

True. An immediate solution would be to disable all inactive vendor accounts right now. Then, review your logs to see if any were ever actually used.

Answered By InfoSecWizard On

What you described isn't unusual at all; it’s a common oversight. A solid fix would be to implement a joiner/mover/leaver process for vendors. Right from the start, create a system where every account has an internal sponsor, business purpose, hard expiration date, and scoped access to prevent permanent admin rights. A quarterly review would also ensure that access is valid—keeping it simple is key; even just using a spreadsheet can be better than not having anything at all.
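The review rules from this answer and from RealTalkRick's (sponsor and hard expiry on every account, expiry shortly after the contract ends, disable anything unused for over a year) as a small script over a vendor-account inventory. This is an added example, not code from any poster; the inventory rows and the 14-day grace period are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

@dataclass
class VendorAccount:
    name: str
    sponsor: Optional[str]        # internal owner; None means nobody is accountable
    created: date
    contract_end: Optional[date]  # None = contract still running
    expires: Optional[date]       # hard expiration set on the account, if any
    last_logon: Optional[date]    # None = never logged in since creation
    enabled: bool = True

def review(accounts, today, grace_days=14, stale_days=365):
    """Return {account name: [actions]} for enabled accounts needing attention.
    grace_days: how long after contract end an account may survive (assumed 14).
    stale_days: disable anything without a logon for longer than this (thread: a year)."""
    findings = {}
    for a in accounts:
        if not a.enabled:
            continue
        actions = []
        if a.sponsor is None:
            actions.append("flag: no internal sponsor")
        if a.expires is None:
            actions.append("flag: no hard expiration date")
        if a.contract_end is not None and today > a.contract_end + timedelta(days=grace_days):
            actions.append("disable: contract ended %s" % a.contract_end)
        elif a.expires is not None and today > a.expires:
            actions.append("disable: account expired %s" % a.expires)
        last_activity = a.last_logon or a.created
        if (today - last_activity).days > stale_days:
            actions.append("disable: no logon in %d days" % stale_days)
        if actions:
            findings[a.name] = actions
    return findings

def disable_candidates(findings):
    """Names whose findings include at least one 'disable:' action."""
    return sorted(n for n, acts in findings.items() if any(x.startswith("disable:") for x in acts))

# Constructed sample inventory (the "spreadsheet" the answer mentions).
INVENTORY = [
    VendorAccount("msp-tech1", None, date(2019, 3, 1), date(2023, 6, 30), None, date(2023, 5, 2)),
    VendorAccount("auditor-jane", "cfo", date(2024, 1, 8), date(2025, 12, 31), date(2025, 12, 31), date(2025, 6, 20)),
    VendorAccount("backup-vendor-svc", "it-ops", date(2022, 9, 1), None, date(2025, 6, 1), date(2025, 6, 28)),
]

if __name__ == "__main__":
    for name, acts in review(INVENTORY, date(2025, 7, 1)).items():
        print(name, acts)
```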

Answered By CleverCactus88 On

A regular access review can solve this problem, along with implementing that offboarding process you mentioned. It's essential to establish protocols for vendor access management and have a routine schedule to check for any lingering accounts after a vendor contract ends.

QuickSilverJane -

Exactly! Setting up expirations for vendor accounts—like making sure they expire a few weeks after the contract ends—can help. The period before expiry can remind the relevant staff to review access, and if no one responds, the accounts can be disabled automatically.

AuditGuru23 -

We do a similar process at my company, but with external auditors checking annually. It requires a lot of effort, but it pays off by preventing issues like this.

Answered By UndercoverNerd On

Sometimes, the disconnect between procurement and IT is what's most damaging here. You'd think IT, who usually manages these vendor relationships, would keep track of when the contracts end and act accordingly.
