External Partner Access

When external partners access your resources, you extend your trust zone beyond your own tenant and your own controls. This requires strict technical controls and a clear separation of responsibilities between you and each partner.

Your Strategy

Invite partners as guest accounts (Entra ID B2B collaboration) instead of creating local accounts or sharing credentials: the partner's home tenant authenticates the user, and you can revoke access centrally. Enforce MFA for externals as well, and decide explicitly in cross-tenant access settings whether you trust a partner tenant's MFA claims or require guests to register MFA in your own tenant. Limit access to the absolute minimum (least privilege), scoped to the specific sites, groups or apps the engagement needs.
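
"MFA for externals" is only real if an enabled Conditional Access policy actually reaches every guest and external user type. The following added example (not AYSOLI's or Microsoft's code) audits a tenant's policies as returned by the Microsoft Graph endpoint /identity/conditionalAccess/policies and reports, per guest type, the strongest grant control any enabled all-apps policy imposes. It also flags the common trap of an "MFA or compliant device" policy, where a device can stand in for MFA. The authentication strength ID for phishing-resistant MFA is Microsoft's documented built-in value; the three sample policies are constructed. Custom strengths are rated only "mfa", because their contents cannot be judged from the ID.

```python
"""Audit exported Conditional Access policies for guest MFA coverage.

Added example for this checklist (not AYSOLI's code). It reads the JSON that
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
returns (Policy.Read.All); the three policies below are constructed.
"""

# Built-in authentication strength ID documented by Microsoft.
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"

# Every guest/external user type a policy can target (Graph enum values).
ALL_GUEST_TYPES = {
    "internalGuest", "b2bCollaborationGuest", "b2bCollaborationMember",
    "b2bDirectConnectUser", "otherExternalUser", "serviceProvider",
}
RANK = {"none": 0, "optional": 1, "mfa": 2, "phishing_resistant": 3}


def _types(field):
    """Graph stores the guest types as one comma-separated string."""
    return {t.strip() for t in (field or "").split(",") if t.strip()}


def guest_coverage(policy):
    """Guest types an enabled, all-apps policy applies to (empty if none)."""
    if policy.get("state") != "enabled":          # report-only does not enforce
        return set()
    cond = policy.get("conditions") or {}
    apps = (cond.get("applications") or {}).get("includeApplications") or []
    if "All" not in apps:                          # per-app policies leave gaps
        return set()
    users = cond.get("users") or {}
    if "All" in (users.get("includeUsers") or []):
        types = set(ALL_GUEST_TYPES)
    else:
        inc = users.get("includeGuestsOrExternalUsers") or {}
        # A policy scoped to a list of partner tenants is not a blanket control.
        if (inc.get("externalTenants") or {}).get("membershipKind") != "all":
            return set()
        types = _types(inc.get("guestOrExternalUserTypes"))
    exc = users.get("excludeGuestsOrExternalUsers") or {}
    return types - _types(exc.get("guestOrExternalUserTypes"))


def grant_strength(policy):
    """'phishing_resistant', 'mfa', 'optional' (MFA is one of several
    alternatives) or 'none'."""
    grant = policy.get("grantControls") or {}
    strength = (grant.get("authenticationStrength") or {}).get("id")
    controls = grant.get("builtInControls") or []
    alternatives = len(controls) + (1 if strength else 0)
    if grant.get("operator") == "OR" and alternatives > 1:
        return "optional"   # e.g. "MFA or compliant device": a device replaces MFA
    if strength == PHISHING_RESISTANT_MFA:
        return "phishing_resistant"
    if strength or "mfa" in controls:
        return "mfa"        # classic MFA, or a custom strength we cannot inspect
    return "none"


def audit(policies):
    """Strongest enforced grant level per guest type across all policies."""
    best = {t: "none" for t in ALL_GUEST_TYPES}
    for policy in policies:
        level = grant_strength(policy)
        for t in guest_coverage(policy):
            if RANK[level] > RANK[best[t]]:
                best[t] = level
    return best


def gaps(policies):
    """Guest types not forced to phishing-resistant MFA, sorted."""
    return sorted(t for t, lvl in audit(policies).items() if lvl != "phishing_resistant")


SAMPLE_POLICIES = [  # constructed policies, not from a real tenant
    {"displayName": "Guests: phishing-resistant MFA", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeGuestsOrExternalUsers": {
                        "guestOrExternalUserTypes": "b2bCollaborationGuest,b2bCollaborationMember",
                        "externalTenants": {"membershipKind": "all"}}}},
     "grantControls": {"operator": "OR", "builtInControls": [],
                       "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}}},
    {"displayName": "Guests: MFA (report-only)", "state": "enabledForReportingButNotEnforced",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeGuestsOrExternalUsers": {
                        "guestOrExternalUserTypes": ",".join(sorted(ALL_GUEST_TYPES)),
                        "externalTenants": {"membershipKind": "all"}}}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "All users: MFA or compliant device", "state": "enabled",
     "conditions": {"applications": {"includeApplications": ["All"]},
                    "users": {"includeUsers": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
]

if __name__ == "__main__":
    for guest_type, level in sorted(audit(SAMPLE_POLICIES).items()):
        print(f"{guest_type:24} {level}")
    print("gaps:", gaps(SAMPLE_POLICIES))
```

On the constructed input only b2bCollaborationGuest and b2bCollaborationMember end up at phishing-resistant MFA; direct-connect users, internal guests, other external users and service providers fall back to the "MFA or compliant device" policy and are reported as gaps. Run it against your real export after every policy change.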

Best Practices

  • Identity: Enforce phishing-resistant MFA (FIDO2) and use Conditional Access. Check that the policy targets guest and external user types across all apps; an "all users" policy that excludes guests leaves the door open.
  • Data Flow: Limit exfiltration with Tenant Restrictions (which keep your users and devices from signing in to unsanctioned tenants) and with DLP policies and sensitivity labels on the content guests can reach.
  • Governance: Review monthly which partners still require active access (Entra ID access reviews can automate this for guests), remove unredeemed invitations and stale guests, and forward guest sign-in and audit logs to your SIEM.
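
A script for the monthly review, as an added example (not AYSOLI's code): it pulls every guest from Microsoft Graph and buckets them into invitations that were never redeemed, guests with no sign-in in the last 90 days, and guests to keep. It assumes a Graph access token with User.Read.All and AuditLog.Read.All (the signInActivity property needs Entra ID P1 or P2); the sample guests are constructed so the classification runs offline. Deprovisioning is deliberately left out: review the lists, then remove accounts via DELETE /users/{id} or let an access review do it.

```python
"""Monthly guest-access review over Microsoft Graph user objects.

Added example for this checklist (not AYSOLI's code). Assumes a Graph
access token with User.Read.All and AuditLog.Read.All; the signInActivity
property needs Entra ID P1/P2. The guest objects below are constructed.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
SELECT = ("id,userPrincipalName,displayName,createdDateTime,"
          "externalUserState,signInActivity")


def _ts(value):
    """Parse a Graph ISO-8601 timestamp such as 2025-05-28T07:12:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def last_activity(user):
    """Most recent interactive or non-interactive sign-in, or None."""
    activity = user.get("signInActivity") or {}
    stamps = [_ts(activity.get("lastSignInDateTime")),
              _ts(activity.get("lastNonInteractiveSignInDateTime"))]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def classify_guests(users, now, stale_days=90, pending_days=30):
    """Bucket guests: 'pending' (invite never redeemed and older than
    pending_days), 'stale' (no sign-in within stale_days; a guest who never
    signed in is measured from creation) or 'keep'."""
    stale_cutoff = now - timedelta(days=stale_days)
    pending_cutoff = now - timedelta(days=pending_days)
    buckets = {"pending": [], "stale": [], "keep": []}
    for user in users:
        upn = user["userPrincipalName"]
        created = _ts(user.get("createdDateTime"))
        if user.get("externalUserState") == "PendingAcceptance":
            old = created is not None and created < pending_cutoff
            buckets["pending" if old else "keep"].append(upn)
            continue
        reference = last_activity(user) or created
        stale = reference is None or reference < stale_cutoff
        buckets["stale" if stale else "keep"].append(upn)
    return buckets


def fetch_guests(token):
    """Page through every guest in the tenant (live call, needs network)."""
    query = urllib.parse.urlencode({"$filter": "userType eq 'Guest'", "$select": SELECT})
    url = f"{GRAPH_USERS}?{query}"
    users = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        users.extend(page.get("value", []))
        url = page.get("@odata.nextLink")   # absent on the last page
    return users


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_GUESTS = [  # constructed objects in the Graph user schema
    {"userPrincipalName": "anna_partner-a.example#EXT#@contoso.onmicrosoft.com",
     "createdDateTime": "2024-01-10T09:00:00Z", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2025-05-28T07:12:00Z"}},
    {"userPrincipalName": "bob_old-vendor.example#EXT#@contoso.onmicrosoft.com",
     "createdDateTime": "2023-03-02T10:00:00Z", "externalUserState": "Accepted",
     "signInActivity": {"lastSignInDateTime": "2024-11-30T16:40:00Z",
                        "lastNonInteractiveSignInDateTime": "2025-01-05T03:00:00Z"}},
    {"userPrincipalName": "carol_never.example#EXT#@contoso.onmicrosoft.com",
     "createdDateTime": "2025-01-15T08:00:00Z", "externalUserState": "Accepted",
     "signInActivity": None},
    {"userPrincipalName": "dave_invite.example#EXT#@contoso.onmicrosoft.com",
     "createdDateTime": "2025-03-01T12:00:00Z", "externalUserState": "PendingAcceptance"},
    {"userPrincipalName": "erin_invite.example#EXT#@contoso.onmicrosoft.com",
     "createdDateTime": "2025-05-20T12:00:00Z", "externalUserState": "PendingAcceptance"},
]

if __name__ == "__main__":
    print(json.dumps(classify_guests(SAMPLE_GUESTS, NOW), indent=2))
```

Replace SAMPLE_GUESTS with fetch_guests(token) for a live run. Non-interactive sign-ins count as activity on purpose: a partner's service account that only refreshes tokens still depends on the guest, and removing it is an outage, not a cleanup.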

STRIDE-LM Design Risks

S-01 Spoofing: Identity Spoofing
Attacker impersonates a legitimate user or partner.

T-01 Tampering: Data Tampering
Unauthorized modification of shared data or configurations.

R-01 Repudiation: Audit Log Manipulation
Deleting or altering traces of an action.

I-01 Information Disclosure: Sensitive Data Exposure
Unintentional disclosure of internal information to externals.

D-01 Denial of Service: Resource Exhaustion
Overloading systems through massive requests or resource hogging.

E-PART-01 Elevation of Privilege: Guest-to-Member Escape
Guest user gains privileges of an internal employee.

L-01 Lateral Movement: Lateral Movement
Accessing further internal systems after initial login.

M-PART-01 Monitoring Gaps: Guest Activity Blind Spot
Partner activities are not centrally monitored.
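
The blind spot above only closes if guest sign-ins are evaluated, not merely stored. The added example below (not AYSOLI's code) runs four rules over Entra ID sign-in records in the Microsoft Graph signIn schema, the shape a SIEM connector receives: guests from a tenant you never onboarded, guest sessions without MFA, sign-ins that no Conditional Access policy touched, and guests reaching admin-facing apps. Tenant IDs, users, IP addresses and the records themselves are constructed.

```python
"""Detection logic for guest (B2B) sign-ins, run over Entra ID sign-in log
records in the Microsoft Graph 'signIn' schema, as they arrive in a SIEM.

Added example for this checklist (not AYSOLI's code). Field names follow
the Graph signIn resource; tenant IDs, users, apps and IPs are constructed.
"""
from collections import Counter


def evaluate(record, approved_tenants, sensitive_apps):
    """Rule names a single successful guest sign-in triggers (empty if none)."""
    if record.get("userType") != "guest":
        return []                                   # members are out of scope here
    if (record.get("status") or {}).get("errorCode", 0) != 0:
        return []                                   # sign-in did not complete
    rules = []
    if record.get("homeTenantId") not in approved_tenants:
        rules.append("unapproved_home_tenant")      # guest from a tenant nobody onboarded
    if record.get("authenticationRequirement") != "multiFactorAuthentication":
        rules.append("guest_without_mfa")           # single-factor session for an external
    if record.get("conditionalAccessStatus") == "notApplied":
        rules.append("no_conditional_access")       # no policy matched at all
    if record.get("appDisplayName") in sensitive_apps:
        rules.append("sensitive_app")               # admin surface touched by a guest
    return rules


def detect(records, approved_tenants, sensitive_apps):
    """Findings for every record that triggers at least one rule."""
    findings = []
    for rec in records:
        rules = evaluate(rec, approved_tenants, sensitive_apps)
        if rules:
            findings.append({"time": rec.get("createdDateTime"),
                             "user": rec.get("userPrincipalName"),
                             "ip": rec.get("ipAddress"), "rules": rules})
    return findings


def summarize(findings):
    """Hit count per rule, for a dashboard tile or a weekly report."""
    return dict(Counter(r for f in findings for r in f["rules"]))


# Constructed: the one partner tenant that went through onboarding.
APPROVED_TENANTS = {"11111111-1111-4111-8111-111111111111"}
# Admin-facing apps a guest has no business in without a ticket.
SENSITIVE_APPS = {"Azure Portal", "Microsoft Graph Command Line Tools"}

SAMPLE_SIGNINS = [  # constructed records
    {"createdDateTime": "2025-06-01T08:01:00Z", "userType": "guest",
     "userPrincipalName": "anna_partner-a.example#EXT#@contoso.onmicrosoft.com",
     "homeTenantId": "11111111-1111-4111-8111-111111111111", "ipAddress": "203.0.113.10",
     "appDisplayName": "SharePoint Online", "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-06-01T08:14:00Z", "userType": "guest",
     "userPrincipalName": "bob_unknown.example#EXT#@contoso.onmicrosoft.com",
     "homeTenantId": "22222222-2222-4222-8222-222222222222", "ipAddress": "198.51.100.7",
     "appDisplayName": "SharePoint Online", "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-06-01T09:30:00Z", "userType": "guest",
     "userPrincipalName": "carol_partner-a.example#EXT#@contoso.onmicrosoft.com",
     "homeTenantId": "11111111-1111-4111-8111-111111111111", "ipAddress": "198.51.100.42",
     "appDisplayName": "Azure Portal", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-06-01T09:45:00Z", "userType": "member",
     "userPrincipalName": "dave@contoso.onmicrosoft.com",
     "homeTenantId": "33333333-3333-4333-8333-333333333333", "ipAddress": "203.0.113.99",
     "appDisplayName": "Azure Portal", "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-06-01T10:02:00Z", "userType": "guest",
     "userPrincipalName": "carol_partner-a.example#EXT#@contoso.onmicrosoft.com",
     "homeTenantId": "11111111-1111-4111-8111-111111111111", "ipAddress": "198.51.100.42",
     "appDisplayName": "Azure Portal", "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "failure", "status": {"errorCode": 53003}},
]

if __name__ == "__main__":
    hits = detect(SAMPLE_SIGNINS, APPROVED_TENANTS, SENSITIVE_APPS)
    for hit in hits:
        print(hit["time"], hit["user"], hit["ip"], ", ".join(hit["rules"]))
    print(summarize(hits))
```

On the sample, Bob's sign-in from an unknown tenant and Carol's single-factor, policy-free visit to the Azure Portal produce findings; the blocked attempt (errorCode 53003, Conditional Access block) and the internal member are skipped. The same conditions translate directly into a KQL analytics rule over the SigninLogs table. Validate the guest_without_mfa rule against a known-good partner sign-in after enabling inbound MFA trust in cross-tenant access settings, so that trusted home-tenant MFA is not flagged.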

MITRE ATT&CK® Techniques

Reconnaissance

T1592 Gather Victim Digital Network Information
Collecting information about the target infrastructure.
Mitigated by:
  • Data Loss Prevention (DLP) [Baseline Protection, Medium]: CIS 13.3; NIST PR.DS-1
  • Terms of Use (B2B) [Baseline Protection, Low]: CIS 6.2; NIST PR.IP-3
  • Partner Security Assessment (Supply Chain) [Extended Protection, High]: CIS 15.1, 15.2; NIST GV.SC-7, ID.AM-7
  • Output Content Filtering [Baseline Protection, Low]: NIST AI-1.2; OWASP LLM02
Initial Access

T1566 Phishing
Delivering malicious content via electronic communication.
Mitigated by:
  • FIDO2 Enforcement [Baseline Protection, Medium]: CIS 6.5; NIST PR.AC-7; OWASP A07:2021
  • Conditional Access Policies [Baseline Protection, Medium]: CIS 6.1; NIST PR.AC-7; OWASP API2
  • Terms of Use (B2B) [Baseline Protection, Low]: CIS 6.2; NIST PR.IP-3
  • Partner Security Assessment (Supply Chain) [Extended Protection, High]: CIS 15.1, 15.2; NIST GV.SC-7, ID.AM-7
  • Incident Response Playbook (Partner Compromise) [Baseline Protection, Low]: CIS 17.3, 17.4; NIST RS.MA-1, RS.AN-1
  • Output Content Filtering [Baseline Protection, Low]: NIST AI-1.2; OWASP LLM02

T1078 Valid Accounts
Exploiting existing credentials for access.
Mitigated by:
  • FIDO2 Enforcement [Baseline Protection, Medium]: CIS 6.5; NIST PR.AC-7; OWASP A07:2021
  • Regular Access Reviews [Baseline Protection, Low]: CIS 6.6; NIST PR.AC-1; OWASP A01:2021
  • Least Privilege Principle [Baseline Protection, Medium]: CIS 6.2; NIST PR.AC-6; OWASP A01:2021
  • Conditional Access Policies [Baseline Protection, Medium]: CIS 6.1; NIST PR.AC-7; OWASP API2
  • Guest Invitation Governance [Baseline Protection, Low]: CIS 6.2; NIST PR.AC-1
  • Partner Account Deprovisioning [Baseline Protection, Medium]: CIS 5.3; NIST PR.AC-1, ID.AM-7
  • Partner Security Assessment (Supply Chain) [Extended Protection, High]: CIS 15.1, 15.2; NIST GV.SC-7, ID.AM-7

T1133 External Remote Services
Access via VPNs or cloud management interfaces.
Mitigated by:
  • Conditional Access Policies [Baseline Protection, Medium]: CIS 6.1; NIST PR.AC-7; OWASP API2
  • Partner Security Assessment (Supply Chain) [Extended Protection, High]: CIS 15.1, 15.2; NIST GV.SC-7, ID.AM-7
Persistence

T1098 Account Manipulation
Adding permissions, credentials or new accounts (for example by inviting further guests) to keep access.
Mitigated by:
  • Regular Access Reviews [Baseline Protection, Low]: CIS 6.6; NIST PR.AC-1; OWASP A01:2021
  • Guest Invitation Governance [Baseline Protection, Low]: CIS 6.2; NIST PR.AC-1
  • Partner Account Deprovisioning [Baseline Protection, Medium]: CIS 5.3; NIST PR.AC-1, ID.AM-7
  • Incident Response Playbook (Partner Compromise) [Baseline Protection, Low]: CIS 17.3, 17.4; NIST RS.MA-1, RS.AN-1

T1484 Domain Policy Modification
Modifying domain- or tenant-wide policy, such as group policy or federation trust settings, to gain privileges or evade controls.
Mitigated by:
  • Least Privilege Principle [Baseline Protection, Medium]: CIS 6.2; NIST PR.AC-6; OWASP A01:2021
  • Guest Invitation Governance [Baseline Protection, Low]: CIS 6.2; NIST PR.AC-1
  • SIEM Integration [Extended Protection, High]: CIS 8.5; NIST DE.AE-3, DE.CM-1; OWASP A09:2021
Credential Access

T1539 Steal Web Session Cookie
Capturing active session tokens to bypass authentication. Phishing-resistant MFA prevents credential capture at sign-in, but a session cookie stolen afterwards remains valid until it expires, so pair it with sign-in frequency and session controls in Conditional Access.
Mitigated by:
  • FIDO2 Enforcement [Baseline Protection, Medium]: CIS 6.5; NIST PR.AC-7; OWASP A07:2021
  • Conditional Access Policies [Baseline Protection, Medium]: CIS 6.1; NIST PR.AC-7; OWASP API2

T1110 Brute Force
Attempts to gain access to accounts or API keys through systematic guessing of passwords or keys, including password spraying.
Mitigated by:
  • FIDO2 Enforcement [Baseline Protection, Medium]: CIS 6.5; NIST PR.AC-7; OWASP A07:2021

T1555 Credentials from Password Stores
Extracting saved passwords from web browsers or password managers.
Mitigated by:
  • Output Content Filtering [Baseline Protection, Low]: NIST AI-1.2; OWASP LLM02
Discovery

T1087 Account Discovery
Enumeration of internal accounts and group structures after initial access.
Mitigated by:
  • Regular Access Reviews [Baseline Protection, Low]: CIS 6.6; NIST PR.AC-1; OWASP A01:2021
  • Least Privilege Principle [Baseline Protection, Medium]: CIS 6.2; NIST PR.AC-6; OWASP A01:2021
  • SIEM Integration [Extended Protection, High]: CIS 8.5; NIST DE.AE-3, DE.CM-1; OWASP A09:2021
  • Partner Account Deprovisioning [Baseline Protection, Medium]: CIS 5.3; NIST PR.AC-1, ID.AM-7
Lateral Movement

T1021 Remote Services
Use of legitimate remote services for lateral movement within the network.
Mitigated by:
  • Regular Access Reviews [Baseline Protection, Low]: CIS 6.6; NIST PR.AC-1; OWASP A01:2021
  • Partner Account Deprovisioning [Baseline Protection, Medium]: CIS 5.3; NIST PR.AC-1, ID.AM-7
Collection

T1213 Data from Information Repositories
Accessing data from knowledge bases (SharePoint, Confluence).
Mitigated by:
  • Least Privilege Principle [Baseline Protection, Medium]: CIS 6.2; NIST PR.AC-6; OWASP A01:2021
  • Tenant Restrictions [Extended Protection, Medium]: CIS 6.1; NIST PR.AC-3
  • Data Loss Prevention (DLP) [Baseline Protection, Medium]: CIS 13.3; NIST PR.DS-1
  • Terms of Use (B2B) [Baseline Protection, Low]: CIS 6.2; NIST PR.IP-3

T1530 Data from Cloud Storage Object
Accessing data from cloud storage (S3, Blobs).
Mitigated by:
  • Least Privilege Principle [Baseline Protection, Medium]: CIS 6.2; NIST PR.AC-6; OWASP A01:2021
  • Tenant Restrictions [Extended Protection, Medium]: CIS 6.1; NIST PR.AC-3
  • Data Loss Prevention (DLP) [Baseline Protection, Medium]: CIS 13.3; NIST PR.DS-1
Exfiltration

T1567 Exfiltration Over Web Service
Data leakage via legitimate web interfaces.
Mitigated by:
  • Tenant Restrictions [Extended Protection, Medium]: CIS 6.1; NIST PR.AC-3
  • Data Loss Prevention (DLP) [Baseline Protection, Medium]: CIS 13.3; NIST PR.DS-1
  • SIEM Integration [Extended Protection, High]: CIS 8.5; NIST DE.AE-3, DE.CM-1; OWASP A09:2021
  • Incident Response Playbook (Partner Compromise) [Baseline Protection, Low]: CIS 17.3, 17.4; NIST RS.MA-1, RS.AN-1
Impact

T1531 Account Access Removal
Locking legitimate users out, for example by deleting accounts, changing passwords or revoking roles.
Mitigated by:
  • Regular Access Reviews [Baseline Protection, Low]: CIS 6.6; NIST PR.AC-1; OWASP A01:2021
  • SIEM Integration [Extended Protection, High]: CIS 8.5; NIST DE.AE-3, DE.CM-1; OWASP A09:2021
  • DDoS Protection & Rate Limiting [Extended Protection, Medium]: CIS 16.10; NIST PR.PT-4, DE.AE-1
  • Incident Response Playbook (Partner Compromise) [Baseline Protection, Low]: CIS 17.3, 17.4; NIST RS.MA-1, RS.AN-1

T1485 Data Destruction
Irretrievable deletion of company data.
Mitigated by:
  • SIEM Integration [Extended Protection, High]: CIS 8.5; NIST DE.AE-3, DE.CM-1; OWASP A09:2021
  • DDoS Protection & Rate Limiting [Extended Protection, Medium]: CIS 16.10; NIST PR.PT-4, DE.AE-1

External Partner Access | IT Security Checklist for SMEs · AYSOLI Security Hub