When a Contractor Asks for Access, Which Tool Do You Reach For?
Third-party access has become the most common breach vector for the small and mid-market businesses MSPs serve. Nearly half of organizations report a security incident traced to a contractor, vendor, auditor, or consultant in the past twelve months, and Verizon's 2025 DBIR shows third-party involvement in breaches doubled in a single year. The pattern repeats: the user is provisioned in a hurry, granted more access than the engagement requires, kept active long after the work ends, and audited through logs that were never built to track non-employees.

The tools MSPs reach for to handle these requests were designed for permanent staff on managed devices. A remote-access VPN exposes the full subnet the moment a user authenticates. Shared admin accounts erase per-user identity at the exact point forensic proof is needed. VDI shifts the cost to the client without solving offboarding. A one-off file share lives in the recipient's mailbox long after the engagement closes. Each workaround creates its own failure mode, and a single MSP runs all of them at once across thirty or more tenants.
Sources: Verizon DBIR 2025, Imprivata Ponemon Third Party Risk Report 2025, IBM Cost of a Data Breach Report 2025, Zscaler ThreatLabz 2025 VPN Risk Report.
THE TOOLBOX MSPs ACTUALLY USE FOR THIRD-PARTY ACCESS
| Tool | Used For | What Breaks |
|---|---|---|
| Remote-access VPN | Network access for outside users | Full subnet exposure once authenticated, not one host. A VPN agent on an unmanaged laptop you do not own. |
| VDI or DaaS | Isolate the contractor inside a desktop | License cost per user, multiplied by tenant count. Latency. Offboarding still manual. |
| Shared admin or jump host | One account, many vendors | No per-user identity. No session recording. The auditor cannot tell who did what. |
| Email or cloud file share | Quick one-off file handover | Zero policy, zero audit, zero revocation. The file lives in the recipient's account forever. |
| Password sharing | Skip provisioning altogether | The credential outlives the engagement by months. MFA may exist, but the shared secret has already left your control. |
WHY DEFENSX GRANULAR BROWSER ZTNA IS BUILT FOR THIS
- DefensX Browser Extension – The agent is the browser your contractor already uses: Chrome, Edge, Brave. Installs in seconds on any device, managed or not, and works on personal laptops without endpoint enrollment.
- DefensX Secure Access Connector – Outbound-only connector inside the client environment, so no inbound firewall ports are opened. RDP, AD, and SMB are tunneled per user identity, not per network rule.
- DefensX Time-Bound Policy – Every grant carries an expiry. When the engagement ends, the policy ends and the access ends with it. No spreadsheet, no forgotten ticket.
- DefensX Multi-Tenant Console – One screen, every client. Templates roll forward across tenants. Isolation is the architecture, not a configuration habit.
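To make the time-bound, identity-scoped grant above concrete, here is an added illustration in Python. It is not DefensX code and uses no DefensX API; the Grant and AccessBroker classes, the auditor identity and the hostnames are all hypothetical and constructed for this example. It walks the three-week auditor scenario: one named principal, one target, view-only actions, a hard expiry the day after the engagement closes, and an audit entry per request so the record names who did what.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Grant:
    """One engagement-scoped grant. Hypothetical model, not a DefensX object."""
    principal: str          # named external identity, never a shared account
    target: str             # exactly one resource, e.g. "docrepo.corp.example:443"
    actions: frozenset      # least privilege: only what the engagement needs
    not_before: datetime    # engagement start
    not_after: datetime     # hard expiry; the grant dies with the engagement


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AccessBroker:
    """Evaluates every request against the grants and keeps a per-request audit trail."""

    def __init__(self, grants):
        self._grants = list(grants)
        self.audit = []  # who, what, when, outcome: the record a shared account cannot produce

    def evaluate(self, principal, target, action, now):
        decision = self._decide(principal, target, action, now)
        self.audit.append({
            "ts": now.isoformat(), "principal": principal, "target": target,
            "action": action, "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision

    def _decide(self, principal, target, action, now):
        mine = [g for g in self._grants if g.principal == principal]
        if not mine:
            return Decision(False, "unknown principal")
        for g in mine:
            if g.target != target:
                continue
            if now < g.not_before:
                return Decision(False, "grant not yet active")
            if now >= g.not_after:
                # Expiry is checked at request time, so nobody has to remember to revoke.
                return Decision(False, "grant expired")
            if action not in g.actions:
                return Decision(False, f"action {action!r} not in grant")
            return Decision(True, "ok")
        return Decision(False, "target not in scope for principal")


def auditor_engagement_demo():
    """Constructed three-week auditor engagement; identities and hosts are made up."""
    start = datetime(2025, 3, 3, tzinfo=timezone.utc)
    end = start + timedelta(weeks=3)
    grant = Grant(
        principal="auditor.lee@example-audit.test",
        target="docrepo.corp.example:443",
        actions=frozenset({"view"}),        # view only: no download, no print
        not_before=start,
        not_after=end + timedelta(days=1),  # expires the day after the engagement closes
    )
    broker = AccessBroker([grant])
    mid = start + timedelta(days=5)
    results = {
        "view_during": broker.evaluate(grant.principal, grant.target, "view", mid).allowed,
        "download_during": broker.evaluate(grant.principal, grant.target, "download", mid).allowed,
        "other_host": broker.evaluate(grant.principal, "dc01.corp.example:3389", "view", mid).allowed,
        "shared_admin": broker.evaluate("admin", grant.target, "view", mid).allowed,
        "after_expiry": broker.evaluate(grant.principal, grant.target, "view",
                                        end + timedelta(days=2)).allowed,
    }
    return results, broker.audit


if __name__ == "__main__":
    outcome, trail = auditor_engagement_demo()
    for name, allowed in outcome.items():
        print(f"{name:>16}: {'ALLOW' if allowed else 'DENY'}")
    print("audit entries:", len(trail))
```

Run it directly to print the five decisions. The point worth noticing is that expiry is enforced at request time, so there is no offboarding ticket to forget, and every audit entry carries a named principal, which a shared admin or jump-host login cannot produce.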
External Auditor, Three-Week Engagement
Today (VPN / VDI / Shared)
A VPN account with full subnet access, or a Citrix seat at a premium per-user cost. IT cuts a ticket: AD account, group mapping, policy clone. Five days later the audit team starts. The account is rarely retired afterward.
With DefensX ZTNA
Invite link from the DefensX multi-tenant console. The auditor installs the DefensX browser extension. Read-only access enforced by WebDLP, with an on-screen watermark. The time-bound policy expires the day after the engagement closes. Per-session log inside the DefensX console.
Vendor Support Engineer, Emergency RDP
Today (VPN / VDI / Shared)
Inbound firewall change. VPN account or shared jump-host login. The vendor signs in as a generic admin: no session recording, no scoped target. The domain controller sees one big anonymous user.
With DefensX ZTNA
The DefensX Secure Access Connector is already running outbound-only on the client side. The vendor launches RDP through a DefensX browser session. Identity is bound to the named engineer; the session is recorded and scoped to one server.
M&A Diligence, Sixty-Day Window
Today (VPN / VDI / Shared)
Acquiring counsel needs document repository access. IT either stretches an existing tenant (drift) or builds a brand-new tenant for two months (overhead). Offboarding lives in a spreadsheet nobody updates.
With DefensX ZTNA
The diligence group lives inside the existing DefensX tenant. Policy is bound to the engagement window. Documents are view-only: no download, no print. On day sixty-one, access disappears on its own.