June 8, 2026

Securing Third-Party Access: How to Safely Connect External Vendors to Your Infrastructure

External vendors and service providers need regular access to critical systems — but uncontrolled third-party access is one of the biggest cybersecurity risks. Here's how to secure it with PAM and just-in-time access.

Jan Zeppernick, CEO, Amitego

Introduction

Every organization relies on external vendors: maintenance technicians, IT service providers, software suppliers. The challenge isn't that they need access — it's that in most cases, that access is uncontrolled, undocumented, and far broader than necessary.

According to Ponemon Institute, external third parties are involved in more than 51% of all data breaches. At the same time, NIS-2 now explicitly requires organizations to actively manage and document the cybersecurity of their entire supply chain — including the access rights of external service providers.

This article explains why traditional solutions like VPNs fall short, what NIS-2 specifically requires, and what a secure model for third-party access looks like in practice.

Key Takeaways

  • External third parties are involved in over 51% of all data breaches (Ponemon Institute 2025)
  • NIS-2 § 30 BSIG makes securing third-party access a legal requirement
  • VPNs grant too much network access with too little control — they are not a PAM solution
  • Just-in-time access and session recording are the gold standard for external access
  • VISULOX enables agentless PAM implementation for external access in under two days
  • Complete audit trails are the foundation for NIS-2 compliance and incident response

Why Third-Party Access Is So Dangerous

External service providers need access — that's a reality for every organization. Maintenance technicians need access to production systems, IT service providers need server access, software vendors need test environments. The risk doesn't come from the access itself. It comes from how that access is granted.

In practice, the picture is often troubling: a vendor receives permanent VPN credentials that are rarely rotated, never revoked — not even after a project ends. The internal IT team has no real-time visibility into who is connected to what system at any given moment.

According to the Ponemon Institute Third-Party Risk Report 2025, external third parties are involved in more than 51% of all data breaches. The SolarWinds attack — where adversaries compromised a software vendor to gain access to dozens of critical organizations — is the most prominent example of a whole category of breaches where privileged third-party access was the entry point.

"The most dangerous access is the access you've forgotten about. Permanent credentials for external vendors are silent risks that grow the longer they exist." — CISA Supply Chain Risk Management Guidance

The VPN Misconception: Why Classic Solutions Fall Short

The default response most organizations reach for is a VPN. The logic seems sound: if the external vendor can only connect through an encrypted tunnel, the connection is secure — right?

The issue isn't the encryption of the tunnel. The problem is what happens after authentication. A VPN typically gives an external user access to an entire network segment, not to a specific system or a specific task. Granular control — who can access which system, for which duration, for which purpose — is not something a traditional VPN provides.

Three structural weaknesses make VPNs unsuitable for this use case:

  • No visibility: VPNs log connection establishment and termination, but not what the user does during the session. Session recording doesn't exist.
  • Shared credentials: VPN credentials for external vendors are frequently shared between different employees at the same vendor. Individual accountability becomes impossible.
  • No revocation on demand: Access is rarely deactivated after project completion. The result is a growing set of permanent accesses, and nobody knows which of them are still needed.

NIS-2 and the Obligation for Supply Chain Security

Since December 2025, Germany's NIS-2 implementation act (NIS2UmsuCG) has been law. § 30 BSIG mandates ten minimum security measures — including explicitly supply chain security (measure 4) and access control (measure 9).

What this means concretely for third-party access:

  • Organizations must actively review the cybersecurity practices of their direct suppliers and service providers, incorporating them into their risk analysis.
  • Privileged access by external third parties must be controlled, documented, and limited to the necessary minimum.
  • In the event of a security incident, organizations must demonstrate which external actor accessed which system and when — with early warning within 24 hours (§ 32 BSIG).

Organizations that don't document external access cannot meet these proof obligations. For a full overview of NIS-2 requirements: NIS-2: What the New EU Directive Means for Your Organization

The Secure Model: Centralized Access with Full Control

The opposite of an uncontrolled VPN connection is a centralized access point through which all external privileged accesses flow — with full control over every dimension of that access.

A secure model for third-party access has four core characteristics:

  • Individual identities: Every external user has their own identity in the system. Shared credentials are eliminated. Who accessed what and when is answerable at any time.
  • Granular permissions: Access is granted at the system level, not the network level — specific system, specific function, specific time window.
  • Session recording: Every session is fully recorded. Video-like capture of all actions enables forensic traceability in case of an incident.
  • Granular auditing: All access is documented in a tamper-proof audit log — machine-readable and exportable for compliance evidence.

Just-in-Time Access: Minimal Exposure, Maximum Control

Just-in-Time (JIT) Access is the gold standard for privileged external access. The principle: an external service provider receives access not permanently, but only for the specific time window in which it is actually needed — and automatically loses that access afterward.

A typical JIT workflow looks like this:

  1. External service provider submits an access request for maintenance work on System X.
  2. Responsible internal team member approves the request with a defined time window and scope.
  3. External vendor receives temporary, system-specific access.
  4. After the time window expires, access is automatically revoked.
  5. The complete session is recorded and documented in the audit log.
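The workflow above, together with the individual identities and tamper-proof audit log from the previous section, as an added illustration in Python (not VISULOX code): a minimal JIT broker grants access per user and per system for a fixed window, denies everything outside that window without any manual revocation step, and writes every request, approval and access decision to a hash-chained log so that later edits are detectable. Identifiers such as `plc-01` and `anna@vendor.example` in the test are constructed, and timestamps are plain unix seconds.

```python
import hashlib
import json
GENESIS = "0" * 64  # hash "before" the first entry

def _digest(prev, event):
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

class AuditLog:
    """Append-only log: each entry commits to the previous hash, so any later edit or
    deletion makes verify() fail (the tamper-proof, machine-readable audit trail)."""
    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "event": event, "hash": _digest(prev, event)})

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != _digest(prev, e["event"]):
                return False
            prev = e["hash"]
        return True

class JitBroker:
    """Grants are per individual user, per target system and time-boxed (times are unix
    seconds); expiry is part of the check itself, so no manual revocation is needed."""
    def __init__(self, log):
        self.log, self.grants, self.next_id = log, {}, 1

    def request(self, user, system, reason, now):          # step 1: vendor files a request
        gid, self.next_id = self.next_id, self.next_id + 1
        self.grants[gid] = {"user": user, "system": system, "state": "pending"}
        self.log.append({"t": now, "type": "request", "grant": gid, "user": user,
                         "system": system, "reason": reason})
        return gid

    def approve(self, gid, approver, window_s, now):        # step 2: internal approval + window
        self.grants[gid].update(state="approved", start=now, end=now + window_s)
        self.log.append({"t": now, "type": "approve", "grant": gid,
                         "approver": approver, "window_s": window_s})

    def is_allowed(self, gid, user, system, now):           # steps 3-5: gate every connection
        g = self.grants.get(gid)
        ok = bool(g) and g["state"] == "approved" and g["user"] == user \
            and g["system"] == system and g["start"] <= now < g["end"]
        self.log.append({"t": now, "type": "access", "grant": gid, "user": user,
                         "system": system, "allowed": ok})
        return ok
```

A real gateway would also tie the session recording to the grant id logged here, so that every recorded session can be traced back to a named approver and time window.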

The result: no permanent credentials, no dormant accesses, complete traceability. More on least privilege: The Principle of Least Privilege: Foundation of Modern Security

VISULOX in Practice: External Access in Under Two Days

VISULOX is built as a decentralized remote PAM platform for exactly this use case: the secure, controlled connection of external service providers and internal administrators to critical IT infrastructure — agentless, without disrupting ongoing operations.

  • Agentless: No software installation on target systems required.
  • Implementation in under two days: Production-ready within two business days — unlike traditional PAM solutions requiring months-long rollout projects.
  • Full session recording: Every external session is recorded in video-like fashion and stored in a tamper-proof manner.
  • JIT access: Temporary credentials with automatic expiry — no manual revocation required.
  • MFA for all external users: Multi-factor authentication enforced for all external accesses, regardless of the vendor's device.

The result: organizations fulfill NIS-2 requirements for access control and auditability — while simultaneously closing one of the most common entry points for cyberattacks.

Checklist: Secure Third-Party Access in 5 Steps

  1. Inventory: Get a complete picture of all existing external accesses. Which vendors have access? To which systems? Since when?
  2. Eliminate shared credentials: Identify all shared credentials and replace them with individual identities per external user.
  3. Deactivate permanent access: Review all existing accesses and deactivate those no longer actively used. Establish a regular review process.
  4. Introduce a central access point: Route all external access through a central PAM gateway. No direct system access without logging and session recording.
  5. Establish a JIT workflow: Replace permanent credentials with JIT workflows that include an approval process and automatic expiry.
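Steps 1 to 4 of the checklist as an added example in Python (not VISULOX's export format or tooling): a constructed CSV inventory of external accesses is parsed, and each record is flagged for shared credentials, missing expiry, staleness and direct access that bypasses the central gateway. The column names, the vendor and system names, and the 90-day staleness threshold are all assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (step 1). An empty "expires" means permanent access;
# "via_gateway" records whether the connection goes through the central PAM gateway.
SAMPLE_INVENTORY = """\
vendor,user,system,credential,created,last_used,expires,via_gateway
Acme Maintenance,acme-vpn,plc-01,shared,2023-02-01,2024-11-20,,no
Acme Maintenance,acme-vpn,hmi-02,shared,2023-02-01,2026-05-30,,no
Beta IT Services,m.mueller@beta.example,db-02,individual,2025-09-15,2026-06-01,2026-06-30,yes
Gamma Software,gamma-test,test-env-01,individual,2022-07-10,2024-01-12,,yes
"""

def parse_inventory(text):
    """Read the CSV and convert the date columns; empty dates become None."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        for col in ("created", "last_used", "expires"):
            r[col] = date.fromisoformat(r[col]) if r[col] else None
    return rows

def review_inventory(rows, today, stale_days=90):
    """Map each access record to checklist findings; `today` is an ISO date string.
    Returns only the records that need action, in inventory order."""
    today = date.fromisoformat(today)
    report = []
    for r in rows:
        findings = []
        if r["credential"] == "shared":
            findings.append("shared_credential")   # step 2: no individual accountability
        if r["expires"] is None:
            findings.append("permanent_access")    # step 3: no expiry, needs regular review
        if r["last_used"] is None or (today - r["last_used"]).days > stale_days:
            findings.append("stale_access")        # step 3: candidate for deactivation
        if r["via_gateway"] != "yes":
            findings.append("bypasses_gateway")    # step 4: no logging or session recording
        if findings:
            report.append({"vendor": r["vendor"], "user": r["user"],
                           "system": r["system"], "findings": findings})
    return report
```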

For a comprehensive introduction to PAM: Privileged Access Management: The Complete Enterprise Guide


Conclusion

Third-party access is one of the most consistently underestimated attack surfaces in IT security. VPNs don't solve the problem — they obscure it. The combination of NIS-2 requirements, growing supply chain risks, and the professionalization of cyberattacks makes a structured approach essential.

With a centralized PAM approach, just-in-time access, and complete session recording, organizations don't just close a compliance gap — they actively reduce their attack surface. VISULOX makes this level of control production-ready in under two days, agentless and without operational disruption.
