Vendor remote access via jump host + MFA
Description
What this control does
This control requires that all vendor or third-party remote access to internal systems be routed exclusively through a dedicated jump host (bastion host), with multi-factor authentication enforced on that host at the point of entry. The jump host is a hardened, monitored gateway: it separates vendor sessions from the internal network, records every vendor session, and applies least-privilege access policies. This architecture prevents vendors from establishing direct VPN or remote desktop connections to production environments and gives the organization centralized oversight of third-party activity.
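The phrase "technically prohibited" is only meaningful if the firewall actually denies every vendor-to-internal path except the one into the jump host, and rule ordering is where this usually goes wrong. The following Python script is an added example, not part of the original control text: it parses an `iptables -S` style FORWARD ruleset, simulates first-match evaluation for a vendor source address against a set of internal hosts and ports, and reports every accepted path that does not end at the jump host's SSH port. The vendor VPN pool 10.200.0.0/24, the jump host 10.10.5.10, the internal hosts and both rulesets are constructed assumptions; the weak ruleset shows a broad intra-site allow placed ahead of the vendor restriction, the hardened one shows the same rules in the correct order.

```python
import ipaddress
import shlex

ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_ruleset(text):
    """Parse `iptables -S`-style output into chain policies and ordered rules.

    Only the matchers this check needs are interpreted (-s, -d, --dport, -j);
    other tokens such as "-p tcp" or "-m conntrack --ctstate NEW" are skipped.
    """
    policies, rules = {}, []
    for line in text.strip().splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] == "-P":                    # default policy, e.g. "-P FORWARD DROP"
            policies[tok[1]] = tok[2]
            continue
        if tok[0] != "-A":
            continue
        rule = {"chain": tok[1], "src": ANY, "dst": ANY, "dport": None, "target": None}
        i = 2
        while i < len(tok):
            flag = tok[i]
            if flag in ("-s", "-d"):
                rule["src" if flag == "-s" else "dst"] = ipaddress.ip_network(tok[i + 1], strict=False)
                i += 2
            elif flag == "--dport":
                rule["dport"] = int(tok[i + 1])
                i += 2
            elif flag == "-j":
                rule["target"] = tok[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return policies, rules


def verdict(policies, rules, chain, src, dst, dport):
    """First matching rule wins; if none matches, the chain's default policy applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["chain"] != chain or src not in r["src"] or dst not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["target"]
    return policies.get(chain, "ACCEPT")      # iptables chains default to ACCEPT when no -P is set


def audit_vendor_paths(ruleset_text, vendor_ips, internal_hosts, jump_host, jump_port=22):
    """Report every vendor-reachable (src, dst, port) that bypasses the jump host.

    `internal_hosts` maps each internal address to the ports the auditor probes.
    """
    policies, rules = parse_ruleset(ruleset_text)
    bypasses, jump_reachable = [], False
    for src in vendor_ips:
        for dst, ports in internal_hosts.items():
            for port in ports:
                allowed = verdict(policies, rules, "FORWARD", src, dst, port) == "ACCEPT"
                if allowed and dst == jump_host and port == jump_port:
                    jump_reachable = True
                elif allowed:
                    bypasses.append((src, dst, port))
    return {"jump_reachable": jump_reachable, "bypasses": bypasses}


# Constructed sample data (assumptions, not from the page): vendor VPN pool 10.200.0.0/24,
# jump host 10.10.5.10, application and database servers elsewhere in 10.10.0.0/16.
VENDOR_IPS = ["10.200.0.5"]
JUMP_HOST = "10.10.5.10"
INTERNAL_HOSTS = {"10.10.5.10": [22, 3389], "10.10.20.7": [22, 443, 3389], "10.10.30.4": [1433]}

# Weak: the site-wide allow comes first, so the vendor pool (inside 10.0.0.0/8) matches it.
WEAK_RULESET = """
-P FORWARD DROP
-A FORWARD -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
-A FORWARD -s 10.200.0.0/24 -d 10.10.5.10/32 -p tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.200.0.0/24 -j DROP
"""

# Hardened: vendor traffic is decided before any broader rule can match it.
HARDENED_RULESET = """
-P FORWARD DROP
-A FORWARD -s 10.200.0.0/24 -d 10.10.5.10/32 -p tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.200.0.0/24 -j DROP
-A FORWARD -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
"""

if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, audit_vendor_paths(ruleset, VENDOR_IPS, INTERNAL_HOSTS, JUMP_HOST))
```

The simulation works on concrete (source, destination, port) triples rather than on network overlap, because first-match semantics make overlap reasoning error-prone: a later DROP does nothing for addresses an earlier ACCEPT already swallowed. Run it against the exported ruleset of every firewall that sits between the vendor VPN endpoint and the internal segments, not only the perimeter device.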
Control objective
What auditing this proves
Demonstrate that all vendor remote access is mediated through a designated jump host with mandatory MFA enforcement and that direct vendor connectivity to internal networks is technically prohibited.
Associated risks
Risks this control addresses
- Unauthorized vendor access to production systems via stolen or weak credentials without MFA verification
- Lateral movement by compromised vendor accounts across internal network segments due to lack of access segmentation
- Undetected malicious activity by vendor personnel operating outside centralized logging and monitoring infrastructure
- Credential-stuffing or brute-force attacks succeeding against vendor accounts lacking multi-factor authentication
- Vendor devices infected with malware establishing persistent backdoors into internal environments through unmediated connections
- Insider threat scenarios where vendor personnel exploit direct network access to exfiltrate sensitive data or intellectual property
Testing procedure
How an auditor verifies this control
- Obtain the complete inventory of vendors with remote access privileges, including vendor names, access purposes, and authorized personnel lists.
- Review network architecture diagrams and firewall rule sets to identify all designated jump host systems and confirm they are the sole ingress points for vendor remote access.
- Examine jump host configuration files and authentication settings to verify that MFA is technically enforced for all inbound vendor sessions and cannot be bypassed, including through per-user or per-group exceptions or through alternative login services on the host.
- Select a sample of 10-15 vendor access sessions from the past 90 days and trace authentication logs to confirm MFA challenges were issued and successfully completed before session establishment.
- Inspect firewall and network access control lists to verify that vendor source IP ranges or VPN endpoints have no direct routes to internal systems, forcing all traffic through jump hosts.
- Interview IT operations staff to understand the provisioning process for vendor accounts and confirm jump host access is the standard implementation without exceptions.
- Attempt to simulate a vendor connection using test credentials without completing MFA and verify the session is rejected at the jump host authentication layer.
- Review session logs from the jump host for the sampled vendor sessions to confirm all commands, file transfers, and activities were captured and retained per the organization's logging policy.
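Steps 4, 7 and 8 of the procedure reduce to one question per session: did the jump host accept the second factor before it opened the session, and did the session come from where vendors are supposed to come from? The following Python script is an added example, not from the original page: it traces constructed OpenSSH log lines from a jump host, groups them by sshd process id, and applies those checks to the accounts in the vendor inventory. It assumes the jump host runs OpenSSH with `AuthenticationMethods publickey,keyboard-interactive:pam` so that the second factor is delivered by a PAM module and appears in the log as `keyboard-interactive/pam`; under that setting sshd logs the first successful method as `Partial` and the final one as `Accepted`, while a session accepted on `publickey` alone never saw a second factor. The hostname `jump01`, the vendor accounts, the VPN pool 10.200.0.0/24, the addresses and every log line are constructed.

```python
import ipaddress
import re

# Constructed jump-host auth log (assumption: OpenSSH, second factor via keyboard-interactive/pam).
SAMPLE_LOG = """\
Mar  3 09:14:02 jump01 sshd[4121]: Partial publickey for vendor-acme from 10.200.0.5 port 51234 ssh2: ED25519 SHA256:stubfp1
Mar  3 09:14:05 jump01 sshd[4121]: Accepted keyboard-interactive/pam for vendor-acme from 10.200.0.5 port 51234 ssh2
Mar  3 09:14:05 jump01 sshd[4121]: pam_unix(sshd:session): session opened for user vendor-acme(uid=1501) by (uid=0)
Mar  3 10:02:41 jump01 sshd[4188]: Accepted publickey for vendor-globex from 10.200.0.9 port 40022 ssh2: RSA SHA256:stubfp2
Mar  3 10:02:41 jump01 sshd[4188]: pam_unix(sshd:session): session opened for user vendor-globex(uid=1502) by (uid=0)
Mar  3 11:30:12 jump01 sshd[4205]: Partial publickey for vendor-acme from 10.200.0.5 port 51240 ssh2: ED25519 SHA256:stubfp1
Mar  3 11:30:31 jump01 sshd[4205]: Failed keyboard-interactive/pam for vendor-acme from 10.200.0.5 port 51240 ssh2
Mar  3 11:30:31 jump01 sshd[4205]: Connection closed by authenticating user vendor-acme 10.200.0.5 port 51240 [preauth]
Mar  3 12:05:07 jump01 sshd[4210]: Accepted publickey for ops-jane from 10.10.1.20 port 50100 ssh2: ED25519 SHA256:stubfp3
Mar  3 12:05:07 jump01 sshd[4210]: pam_unix(sshd:session): session opened for user ops-jane(uid=1001) by (uid=0)
Mar  3 14:47:55 jump01 sshd[4260]: Partial publickey for vendor-initech from 192.0.2.44 port 61001 ssh2: RSA SHA256:stubfp4
Mar  3 14:47:58 jump01 sshd[4260]: Accepted keyboard-interactive/pam for vendor-initech from 192.0.2.44 port 61001 ssh2
Mar  3 14:47:58 jump01 sshd[4260]: pam_unix(sshd:session): session opened for user vendor-initech(uid=1503) by (uid=0)
"""

VENDOR_ACCOUNTS = {"vendor-acme", "vendor-globex", "vendor-initech"}  # from the step-1 inventory (constructed)
VENDOR_POOL = "10.200.0.0/24"                                       # vendor VPN address pool (constructed)
MFA_METHOD = "keyboard-interactive/pam"                             # how the second factor shows up in sshd logs

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
AUTH = re.compile(r"^(?P<result>Accepted|Partial|Failed) (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")
OPENED = re.compile(r"session opened for user (?P<user>[\w.-]+)")


def trace_sessions(lines):
    """Group sshd log lines by (host, pid) and record how each session authenticated."""
    sessions, order = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        key = (m["host"], m["pid"])
        if key not in sessions:
            sessions[key] = {"host": m["host"], "pid": m["pid"], "user": None, "ip": None,
                             "methods": [], "mfa": False, "opened": False}
            order.append(key)
        s = sessions[key]
        a = AUTH.match(m["msg"])
        if a:
            s["user"], s["ip"] = a["user"], a["ip"]
            s["methods"].append(f'{a["result"]} {a["method"]}')
            # "Partial" means this method succeeded but another is still required, so either
            # outcome proves the second factor was passed; "Failed" proves nothing.
            if a["result"] in ("Accepted", "Partial") and a["method"] == MFA_METHOD:
                s["mfa"] = True
        elif OPENED.search(m["msg"]):
            s["opened"] = True
    return [sessions[k] for k in order]


def audit_vendor_sessions(lines, vendor_accounts, vendor_pool):
    """Apply the auditor's checks to every vendor session found in the log."""
    pool = ipaddress.ip_network(vendor_pool)
    result = {"compliant": [], "rejected": [], "findings": []}
    for s in trace_sessions(lines):
        if s["user"] not in vendor_accounts:
            continue                                   # staff sessions are outside this control's scope
        if not s["opened"]:
            result["rejected"].append(s["pid"])        # second factor failed, no session was established
            continue
        problems = []
        if s["ip"] is None:
            problems.append("session opened with no authentication record in the log")
        elif ipaddress.ip_address(s["ip"]) not in pool:
            problems.append(f"source {s['ip']} is outside the vendor VPN pool {vendor_pool}")
        if not s["mfa"]:
            problems.append("session opened without the MFA factor (" + ", ".join(s["methods"]) + ")")
        if problems:
            result["findings"].append({"pid": s["pid"], "user": s["user"], "ip": s["ip"], "problems": problems})
        else:
            result["compliant"].append(s["pid"])
    return result


if __name__ == "__main__":
    for key, value in audit_vendor_sessions(SAMPLE_LOG.splitlines(), VENDOR_ACCOUNTS, VENDOR_POOL).items():
        print(key, value)
```

In the constructed log, pid 4121 is a clean vendor session, 4205 is the step-7 case (second factor failed, no session opened, correctly counted as rejected rather than as a finding), 4188 opened on a public key alone and so is the exception step 3 warns about, and 4260 passed MFA but arrived from outside the vendor pool, which points back at the firewall check in step 5. If MFA is performed by a VPN concentrator in front of the jump host rather than on the jump host itself, the sshd log cannot prove the challenge happened and the trace has to be taken from that upstream system instead.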
Where this control is tested