That supplier wants to have a shell on our box

You are the security manager, and a project manager comes to you and says: that supplier wants to have a shell on our box.

What is your advice: let him have it or not, and under which conditions?


As a cybersecurity manager, my default position is “no direct shell access” — and if there is a strong business need, it must be exception-based, tightly controlled, and risk-accepted by management.

Quick answer

Do not give a supplier a shell on our system by default. Only allow it if there is a documented business necessity, and only under strict security, legal, and technical controls.

The verdict

  • default response: no shell access
  • exception: yes, but only with:
    • a clear business need
    • no safer alternative
    • strong technical controls in place
    • legal coverage
    • continuous monitoring
    • time-limited approval