
How to handle access for auditors, outside counsel, and other important guests

What to do when consultants and auditors arrive and need lots of data for short periods of time.

A login window behind a velvet rope. Credit: Illustration: Brittany Holloway-Brown, Photo: Adobe Stock



Andy Richter, network pro and technical director at IT services provider Presidio, calls it “the auditor problem.”

Someone needs network access at the office, but they’re too familiar to be considered a guest, yet too unfamiliar to be a true employee. A financial auditor, a corporate-event organizer, medical-device tech support at a hospital, or even a trusty Presidio consultant might need to get on the wi-fi and look through important documents.

That kind of short-term, high-access situation calls for careful technical considerations from the in-house network admin, who likely has the same two questions that any host might have of a mystery guest: What do you need, and how long are you going to be here?

Network pros shared their recommendations with IT Brew.

“We have to make sure what a contractor plugs in—if they happen to have a virus—that we’re segmenting the network so they can’t just run around and break everything,” Richter told us.

The first questions. In addition to learning start and end dates of the access, there’s also the question of what data repositories will need to be accessed.

A financial auditor, for example, might need file-sharing access to Excel, an accounting ledger, and an ERP or CRM system.

Stephen Montgomery, senior solutions architect for mobility at Presidio, has one more question for a guest—one familiar to hosts of any house party: What are you doing here? IT pros should document the business case for why a visitor requires employee-level access, he said.

The first options. From there, a network admin has a range of options to provide the limited access.

  • An admin can use a virtual private network (VPN), which provides encrypted, tunnel-like access to specific internal resources. A finance server, for example, has its own internal IP address. Once the VPN assigns a guest an internal IP address, an in-house admin can apply firewall rules or VPN access policies to allow entry to certain IP destinations. Logging and monitoring are also possible.
  • A network access control (NAC) tool offers admins the ability to set specific access rules, based on characteristics like the guest’s known MAC address—a unique identifier for a network device.

Why not both? One organization might already have work-from-home employees—and an IT staff very comfortable with VPN users. Other industries—maybe healthcare and manufacturing, Richter suggested—might have more familiarity with the isolated, segmented network zones that a NAC tool allows admins to configure.

Admins who successfully handle guest access don’t rely on a uniform approach, Richter said. “They lean into the organization’s cultural strengths as an IT department,” he said.

NAC rulz. Bruce Johnson, senior product marketing manager for enterprise wireless solutions at enterprise networking and telecoms company Ericsson, works with hospital contractors who need to monitor and remotely access internet-connected hospital equipment. Hospital IT staff can use “zero trust” network access tools that provide entry on a per-session basis, according to Johnson, as well as “deny all by default” capabilities. Role-based access policies, via “ZTNA”, can also offer access to specific resources for specific days, and enforce rules like automatic timeouts, he said.

Richter recommends placing the provisioning specs in a ticket: permit access to those specific systems and deny access to all else. Additional important information includes the arrival and departure dates of the guest. “You close the ticket when the auditors are done and they leave,” Richter said.
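An added illustration, not code from Presidio, Ericsson, or any product named in this article: the ticket's permit list and arrival and departure dates expressed as a default-deny check over a VPN guest's connection attempts. The ticket ID, IP addresses, ports, dates, and log format are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class GuestGrant:
    """One access ticket: who, which systems, and for how long (all values constructed)."""
    ticket: str
    guest_ip: str      # internal address the VPN assigned to the guest
    allowed: tuple     # (destination CIDR, TCP port) pairs the ticket permits
    start: datetime    # arrival date
    end: datetime      # departure date; access stops here

def decide(grant, src, dst, port, when):
    """Return (allowed, reason) for one connection attempt; anything not permitted is denied."""
    if ip_address(src) != ip_address(grant.guest_ip):
        return False, "source is not the ticketed guest"
    if not (grant.start <= when < grant.end):
        return False, "outside the ticket's access window"
    for cidr, allowed_port in grant.allowed:
        if ip_address(dst) in ip_network(cidr) and port == allowed_port:
            return True, f"permitted by {grant.ticket}"
    return False, "destination not listed on the ticket (default deny)"

def review(grant, log_lines):
    """Parse 'ISO-timestamp src dst port' lines and return the denied attempts."""
    denied = []
    for line in log_lines:
        ts, src, dst, port = line.split()
        ok, reason = decide(grant, src, dst, int(port), datetime.fromisoformat(ts))
        if not ok:
            denied.append((line, reason))
    return denied

# Constructed ticket: an auditor may reach a finance file share and an ERP web front end.
AUDIT = GuestGrant(
    ticket="TICKET-EXAMPLE-1", guest_ip="10.8.0.23",
    allowed=(("10.20.5.10/32", 445), ("10.20.6.0/28", 443)),
    start=datetime(2025, 3, 3, 8, 0),
    end=datetime(2025, 3, 14, 18, 0),
)

# Constructed connection log in a made-up format, not output from any real VPN product.
SAMPLE_LOG = [
    "2025-03-04T09:15:00 10.8.0.23 10.20.5.10 445",  # finance share, in window
    "2025-03-04T09:20:00 10.8.0.23 10.20.6.4 443",   # ERP, in window
    "2025-03-04T09:31:00 10.8.0.23 10.20.9.7 22",    # not on the ticket
    "2025-03-15T10:00:00 10.8.0.23 10.20.5.10 445",  # after the departure date
]
```

Calling `review(AUDIT, SAMPLE_LOG)` returns the two denied attempts with their reasons, which is the evidence an admin would attach before closing the ticket.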

Don’t mean to intrude… According to Verizon’s Data Breach Investigations Report, “system intrusion” increased from 27% of breaches in 2024 to 53% of breaches this year.

Ericsson has a “clientless” approach to counter unexpected system interactions and ensure that potential malware on contractor machines cannot infect company resources; a new guest can receive a URL that provides access to an isolated portal with the approved applications.

“Instead of giving broad access once they’ve logged in, you give them only specific access, and you verify it before you ever give them access into the network,” Johnson said.

Without access plans like this, companies could face a whole new kind of auditor problem.
