Foundation for Secure Remote Access, Especially Third-Parties
Posted August 25, 2020 by Greg Toler
The need for secure remote access continues to grow as we still battle the impact of Covid-19 on business operations. Without a real end in sight, we can no longer rely on our rapidly deployed solutions as long-term options without re-evaluating our security posture.
When this unprecedented pandemic occurred, businesses had to adapt quickly to sustain operations. Many businesses already supported some work from home (WFH), albeit on a smaller scale, but had never fully established a corresponding strategy that supported a completely remote workforce. Organizations struggled during the abrupt shift to securely provide access to both authorized and third-party resources. Unfortunately, many are still struggling to implement such solutions, or are simply unaware that enterprise-grade technologies exist to securely allow employees, third parties, and other authorized resources onto approved systems, regardless of whether the device is corporately provided or unmanaged.
According to Morphisec’s 2020 WFH Employee Cybersecurity Threat Index, 56 percent of employees required to work from home are meeting the demand by using their personal computers to resume business activities. Additionally, the index states 23 percent of individuals using their own devices for work are unsure of what security protocols are currently on the device. Given these numbers and lack of control for non-corporate and unmanaged systems, you can understand how the corporate threat landscape has significantly increased. Unmanaged endpoints are a perfect gateway for attackers seeking to penetrate corporate networks allowing them access to sensitive data. Companies have graciously risen to the WFH challenge, but now it’s time to respond with an enterprise-grade solution and strategy that provides secure access from managed and unmanaged systems.
Traditionally, IT teams have allowed remote and application access through client virtual private networks (VPN). However, VPN connections often also provide access to the underlying connected networks, not just to the specific application intended. This approach creates risk by exposing other systems that are not in scope, any of which can also serve as a jump point to further systems. Also, VPN access most often requires an agent installation and other configuration, which can and will conflict with existing settings on other corporate or personal devices. To secure VPN connections, an organization can and should simply enforce multi-factor authentication (MFA). While sufficient for employees, however, MFA is difficult for third parties, vendors, contractors, and other resources who are likely not in the same corporate identity directory. These third parties also don't follow the organization's identity workflow and onboarding/offboarding processes. In most cases, third-party access removal follows a manual, out-of-band management process, which can create additional security concerns around expired credentials, access authorization, and auditors' visibility.
To understand a modern approach to supporting application access for employees and third parties on both managed and unmanaged devices, an organization should consider the following guidelines in their identity strategy:
Establish Identity as the new perimeter with Zero Trust Privilege.
- Perimeter-based security (systems, firewalls, networks, etc.) provides limited protection against identity and credential-based threats.
- The meaning of Zero Trust Privilege is to “Never Trust, Always Verify, Enforce Least Privilege” and is not associated with a specific technology, but rather a holistic approach to network security & access.
- Employing this strategy successfully requires that no account be trusted by default, regardless of whether it is inside or outside the network. Users will also be forced to verify who they are by providing at least two factors of authentication. Lastly, this ensures users do not have "keys to the kingdom" and can only access the required application(s) in a particular system to complete a task.
Adopt a centralized identity management platform.
- The threat landscape is larger than ever with the adoption of cloud, big data, and DevOps in enterprise environments. Ensuring your identity solution has integration capabilities with these environments will facilitate an enterprise-wide push for a unified solution to manage privileged and non-elevated credentials.
- An all-encompassing solution managing all privileged and non-elevated credentials in an organization eliminates the need for several different manual, time-consuming processes in the identity lifecycle (e.g. provisioning, de-provisioning). Establishing automated workflows reduces the time wasted performing these types of tasks and enables IT to focus on higher priority objectives.
Identity verification steps.
- Multi-factor authentication is considered table stakes for all remote access solutions, whether using a soft token, hard token, phone factor, or another approach.
- MFA factor types should be carefully assessed, as many are no longer considered secure. SMS has been abused for quite some time, and some push notifications are being "authorized" by users out of habit rather than because they actually requested access.
- Adaptive MFA is a newer, cutting-edge alternative to traditional MFA that enables organizations to apply authentication requirements based on the information being accessed and the risk level of a user.
- In Adaptive MFA, authentication rules can be customized for endpoints depending on several factors such as IP addresses outside corporate networks, day of the week, geographic location (geofencing), internet browser, device operating systems, and more.
Implement the least privilege, minimize the risk of lateral movement, assume you are already breached.
- Minimize or eliminate administrative privileges on corporate devices, within applications, and over the data being accessed.
- End users should have access to ONLY the applications, data, and systems required to perform their job.
- Users and their respective devices should only have access to certain resources during specific times from specified locations to perform certain tasks, and context for each user should always be considered. Every user and device should be interrogated to minimize and eliminate lateral movement and vertical compromise or breach.
- Take on the mentality that assumes you are already breached. What is your response?
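The adaptive MFA rules described above (IP address outside the corporate network, day of the week, geofencing, browser, device) and the time- and location-bound least-privilege access from the previous list can both be expressed as one context-aware policy decision. The following is an added example, not code from the post or from any product it mentions; the network ranges, allowed countries, working hours and resource names are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy inputs (hypothetical values for the example).
CORPORATE_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
ALLOWED_COUNTRIES = {"US", "CA"}          # geofence
WORK_HOURS = range(7, 20)                 # 07:00-19:59 local, Mon-Fri
TRUSTED_BROWSERS = {"chrome", "firefox", "edge", "safari"}
PRIVILEGED = {"bastion", "prod-db"}       # resources that get the strictest rules

@dataclass
class AccessContext:
    user: str
    source_ip: str
    country: str
    browser: str
    managed_device: bool
    when: datetime
    resource: str

def risk_signals(ctx: AccessContext) -> list:
    """Collect the adaptive-MFA signals named in the post for one request."""
    signals = []
    if not any(ip_address(ctx.source_ip) in net for net in CORPORATE_NETS):
        signals.append("off_network")
    if ctx.country not in ALLOWED_COUNTRIES:
        signals.append("geo_out_of_policy")
    if ctx.when.weekday() >= 5 or ctx.when.hour not in WORK_HOURS:
        signals.append("outside_work_hours")
    if not ctx.managed_device:
        signals.append("unmanaged_device")
    if ctx.browser.lower() not in TRUSTED_BROWSERS:
        signals.append("unrecognised_browser")
    return signals

def decide(ctx: AccessContext) -> tuple:
    """Return (decision, signals); MFA is always required, risk escalates it or denies."""
    signals = risk_signals(ctx)
    if "geo_out_of_policy" in signals:
        return "DENY", signals
    # Least privilege with time/location context: privileged resources are
    # only reachable from managed devices during working hours.
    if ctx.resource in PRIVILEGED and (
        "unmanaged_device" in signals or "outside_work_hours" in signals):
        return "DENY", signals
    if signals:
        return "STRONG_MFA", signals   # e.g. hardware token, not SMS or push
    return "MFA", signals
```

The baseline decision is always at least "MFA" because the post treats a second factor as table stakes; only the strength of that factor and the allow/deny outcome change with context.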
Secure the admin environment.
- Prevent direct access from user workstations to privileged systems. User workstations typically have access to the internet and email and are highly susceptible to infections.
- Only grant access to privileged resources through hardened admin consoles, such as jump boxes or bastion hosts.
- Modern cloud jump boxes can be utilized to grant access to systems outside the network, such as cloud resources or DMZ, and act as distributed gateways to resources that otherwise would require internal network access.
- Traditional VPNs expand your security perimeter to the endpoint; a modern remote access solution like a distributed gateway can be agnostic to the security posture of your endpoints and extend to additional platforms and form factors without the additional risk an unmanaged device typically exposes.
Incorporate session recording and auditing.
- When third parties, even employees, are accessing critical resources it is important to understand and audit their activity. Consider full user session recording with the ability to search for keystrokes and issued commands.
- If you have compliance requirements, such as FERPA, HIPAA, and/or SOX, this may be required. Regardless, it should still be considered, especially when accidental disruption occurs. Session recording could provide the information necessary to revert to previous settings and configurations.
Numerous deployment options for every environment.
- On-premises and cloud deployment options should be considered and evaluated to determine which best meets the needs of the organization.
- Cloud is rapidly becoming the deployment method of choice.
- Competitive PAM software companies have hybrid offerings to facilitate the management of all identities whether on-premises or in the cloud.
If an enterprise relies solely on legacy solutions to "secure the perimeter" from external connections, unsecured endpoints, and malicious actors, it is operating with an antiquated security strategy that should be addressed immediately. In today's world, hackers simply do not hack; they exploit human naivety to compromise and breach an organization's sensitive infrastructure. Without a Zero Trust Privilege approach, these "hackers" are free to roam corporate networks, easily disguised with compromised identities. Modern PAM solutions decrease the likelihood of exploited privilege by including environments such as cloud, big data, and DevOps in a Zero Trust Privilege strategy.
Sayers offers an extensive list of Identity and Access Management (IAM) Services that support your corporate cybersecurity initiatives, including a variety of IAM assessments to help you better understand the gaps in your security.