How to Manage Access for Vendors and Contractors
Background
Employees aren’t the only group of people who need remote access to a business’ private network resources. Businesses frequently work with independent contractors, vendors, and other service providers who need access to those resources too.
Unique issues raised by vendor remote access
Managing access for vendors raises a few issues that are different to managing access for employees:
- Vendor relationships tend to be more transient. A contractor may be brought on for a 3-month engagement, and then they move on after it’s done. A vendor may staff a small team on a project, and the composition of that team might change over time as the vendor swaps individuals in and out as needed. As a result, vendors onboard/offboard more frequently than employees, which means additional work to ensure accounts are provisioned and deprovisioned in a timely manner.
- Vendors may need more targeted access to resources rather than the broader access an employee may have. This may be the case when a vendor is brought on to help with a specific task or project.
- Vendors may access systems using their own devices and from remote locations such as their own offices, the security posture of which is unknown. For example, employees are typically issued laptops by their company, but it is common for vendors to work using their own laptops.
How Twingate is used to facilitate vendor remote access
Twingate helps businesses to manage the access control challenges raised by these factors in a variety of ways.
- Easy onboarding/offboarding. Twingate overlays access controls over any private network resource, without requiring any changes to that resource. Twingate also integrates with SSO and identity providers like Okta and Google Workspace and delegates authentication to them. This means that disabling a contractor’s SSO account will disable access to all resources secured by Twingate - even if a resource doesn’t natively support SSO and requires a separate account for logging in. See our guide on Identity Providers for more information.
- Granular access controls. Twingate can grant and restrict access to specific resources in seconds. Control over access at the application level means that access can be provisioned on a “least privilege” basis, so contractors don’t see more than they need to. Contractors can be assigned to groups, and permissions can be assigned to groups, making management even easier. (Traditional VPN solutions rely on complicated network segmentation projects to cordon off access to specific resources. This approach is not nimble and, as a result, it’s not uncommon for companies to grant contractors more access than they need for expediency.) See our guide on Resources for more information.
- Visibility over contractor devices. Twingate can log network access activity across the entire enterprise, giving visibility over who is accessing what. This allows businesses to monitor things such as what devices are in use, where they are located, and what their security posture is - including for contractor-owned devices. See our guide on Network Traffic for more information.
- Time-based ephemeral access. Resources in Twingate can be configured to allow access for a specific time period, after which access is automatically revoked. This is useful for contractors who only need access for a limited time. See our guide on Ephemeral Access for more information.
- Usage-based auto lockout. Twingate can be configured to automatically lock users out of a Resource if they haven’t accessed it after a certain period of time. This is useful for organizations that have issues with over-provisioning access to contractors. See our guide on Auto-lock for more information.
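To make the interaction of the SSO, ephemeral access, and auto-lock controls concrete, the following added example (not Twingate's API or implementation) models them as an access-review check over exported grant records. The `Grant` fields, the `evaluate` and `review` functions, and the sample data are all hypothetical and constructed for illustration; it assumes a never-used grant counts as idle from the moment it was issued.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Grant:  # hypothetical record shape, not a Twingate object
    user: str
    resource: str
    granted_at: datetime
    expires_at: Optional[datetime] = None        # time-based ephemeral access
    autolock_after: Optional[timedelta] = None   # usage-based auto lockout
    last_access: Optional[datetime] = None       # None = never used
    idp_active: bool = True                      # state of the SSO account

def evaluate(grant: Grant, now: datetime):
    """Return (state, reason). Rules are checked most decisive first."""
    if not grant.idp_active:
        return "revoked", "SSO account disabled"
    if grant.expires_at is not None and now >= grant.expires_at:
        return "revoked", "access window ended"
    if grant.autolock_after is not None:
        # Assumption: a never-used grant is measured from its issue time.
        last_used = grant.last_access or grant.granted_at
        idle = now - last_used
        if idle >= grant.autolock_after:
            return "locked", f"unused for {idle.days} days"
    return "active", "within policy"

def review(grants, now):
    """Map (user, resource) -> (state, reason) for an access review."""
    return {(g.user, g.resource): evaluate(g, now) for g in grants}

# Constructed sample data: five contractor grants seen on a fixed review date.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
ago = lambda days: NOW - timedelta(days=days)
MONTH = timedelta(days=30)
SAMPLE = [
    Grant("alice@vendor.example", "staging-db", ago(100), expires_at=ago(10), last_access=ago(11)),
    Grant("bob@vendor.example", "build-server", ago(60), autolock_after=MONTH, last_access=ago(45)),
    Grant("carol@vendor.example", "wiki", ago(40), autolock_after=MONTH),
    Grant("dave@vendor.example", "wiki", ago(5), expires_at=NOW + timedelta(days=85),
          autolock_after=MONTH, last_access=ago(1)),
    Grant("erin@vendor.example", "staging-db", ago(20), idp_active=False, last_access=ago(2)),
]

if __name__ == "__main__":
    for (user, resource), (state, reason) in review(SAMPLE, NOW).items():
        print(f"{user:22} {resource:13} {state:8} {reason}")
```

The carol row shows the over-provisioning case the auto-lock control targets: a grant that was issued but never used.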
Last updated 3 months ago