The “Great Remote Work Experiment, compelled by the pandemic, has matured a great deal over the 18+ month, and many lessons have been learned. The need to adapt to new working conditions also supercharged the growth of digital transformation. All of this has reshaped the trajectory of work and enterprise security well into the future.
In the hasty push to go remote and enable productivity in the early months of the pandemic, security best practices were relaxed, or simply ignored. Workers were issued privileged access rights that exceeded the level required for work, bloating the attack surface. Remote access technologies, like VPN and RDP, were frequently stretched far beyond their safe use cases, and often misconfigured. Many of these security deficiencies remain today and attackers are actively targeting them.
This blog will discuss how various access control models and technologies can help ensure adequate security around remote access to support a work-from-anywhere business model.
Access Controls: An Abridged Overview
Solutions for the management of access rights, IAM (identity & access management), are a foundational security piece. The correct configuration and implementation of access controls is also critical for enabling a secure remote work environment.
Absent high automation levels for access control systems, enterprises are unable to adequately scale security and dial in user access rights in even modestly complex environments that may encompass cloud or hybrid computing, and a mix of employee, vendor, and machine identities and accounts.
Let’s review some fundamental access control technologies and approaches and how they can play a role in remote access security.
The predefined role-based access control (RBAC) structure is often used in identity management solutions. RBAC helps to manage access control based on the principle of least privilege (PoLP). This structure is also very useful for providing remote access to data stored on corporate servers. User roles prescribed in specific information systems determine what an employee can work with remotely and prohibit access to information unrelated to their job function.
For example, the role of Tom, who is an employee of the IT department, suggests the ability to make changes to certain libraries and files of system A. But this role cannot be used by employees with a lower level of access, for example, from the accounting department.
On the contrary, the accountant, Kate, may receive rights in system A that allow her to conduct certain financial transactions. However, these operations are unavailable to office manager Susan, since she is at a lower functional level, and her role in system A allows only viewing data.
The RBAC approach helps reduce the risk of malware infection and compromise when employees use remote endpoints or unsecured networks to connect to corporate servers. This access model also reduces the likelihood of errors when assigning permissions to users and makes access more transparent to control.
However, role-based access control by itself is not sufficient. Moreover, especially when operating in an emergency mode, it may not be possible to foresee and immediately build everything to acceptable security standards relying on RBAC.
Yes, the role model reduces risks, but, again, it does not completely eliminate them. So, additional steps must be taken. It is here that we should talk about identification. In the context of remote connection, identification can be divided into two aspects:
- Device identification
- User identification
Here you create a database that includes both device data and information about users. This will allow defining permitted and prohibited combinations, thus, introducing an additional level of control. This gives us an attribute-based access control (ABAC) model. Now, users with predefined roles are granted access to specific sections of the internal corporate network in accordance with the specific combination: User ID - Device ID.
For example, marketing manager, John, will receive access permissions based on the marketing department role, if he connects to system A from his corporate laptop. His device identification number will be recognized by the system. On the other hand, an employee of the legal department, Adam, will be denied access, as he is trying to set up a connection to system A from his personal home computer, the identifier of which is not listed among approved devices.
The access control attribute model is quite reliable in helping solve for some additional information security problems associated with the growing volume of remote access. Yet, further controls are still needed.
Multi-factor authentication (MFA) is increasingly a must-have layer of defense, particularly when it comes to remote access and scenarios involving elevated privileges beyond that of a standard user.
Consider that, even with the above measures in place, there is still a risk that passwords will be brute-forced or otherwise compromised. This can potentially occur even if the passwords are very complex and stored in an encrypted database. When an attacker captures this database, then the issue of obtaining a password is limited only by the amount of time and the power of the hardware. Keep in mind, widely available hacker tools can crack 14-character alphanumeric passwords in about two minutes.
Multifactor authentication combines two or more methods to strongly authenticate a user: something you know (like a password), something you have (like a token), or something that confirms who you are (biometric data). Each additional factor increases confidence that the person who wants to access the system is who they claim to be. Organizations may want to increase the number of factors used to protect the most sensitive assets and areas of privileged access.
Typical MFA scenarios include:
- Reading a smart card and entering a PIN
- Logging in to the system and requesting to enter an additional one-time password (OTP), which can be sent to the phone or email address
- Downloading the VPN client with a valid digital certificate and logging in to the VPN before granting network access
- Reading a card, scanning a fingerprint, and answering a security question
- Using a hardware token via USB that generates a one-time password and using a one-time password to log into the VPN
Many considerations, based on a particular business or the operating environment, can drive the decisions around which authentication factors to implement. For example, biometric authentication using a fingerprint can be a convenient and reliable second factor for everyday office work. But if an employee works remotely and must connect to company resources from different geographic locations, then it may not be convenient to always carry a reader for biometric authentication with them. In this case, software tools that generate one-time login PINs, SMS messages, or OTP applications for smartphones can be used.
The goal of the MFA is to create multi-layered defenses and make it too expansive for an attacker to gain access to the system. Even if one factor is compromised, there will be at least another factor, which must be overcome in to penetrate the network.
Privileged Access Management
Privileged Access Management (PAM) systems are a robust means of protecting remote connections to corporate assets, and any other types of access, whether it involves human or non-human identities, employees or vendors.
Many security incidents are associated with the compromise of credentials and overprivileged accounts, which can provide unrestricted access to critical resources. PAM reduces these risks by managing privileged credentials, enforcing least privilege, and brokering secure remote sessions.
By actively managing credentials, such as rotating them or expiring them after each use, systems and accounts can be protected against password re-use attacks, since passwords are quickly expired. In addition, the PAM system checks the user's access rights—whether they are allowed to access the target resource under the account used, and asks for an additional factor of reliable authentication. By enabling just-in-time and adaptive access controls, PAM products minimize the time during which privileges can be compromised and also revoking access if context or risk changes.
The most advanced of PAM solutions also provide secure remote access capabilities, which can proxy access to resources—without the use of a VPN—ensuring privileged remote access is locked down, least privilege is always enforced, and every session is audited. Session monitoring and management can include performing keystroke logging and video recording, with the ability to pause or terminate suspicious sessions
PAM is also a keystone security technology necessary for enabling zero trust security models and architectures, which we will cover next.
Zero trust model
The zero trust security model has been gaining momentum for years. However, zero trust has recently been cemented as a must-implement ideology, in response to the surge in remote working and cloud computing, and the high-profile cyberattacks taking advantage of the increased attack surface.
In fact, an IDSA study earlier this year reported that 93% of IT security pros claim zero trust is strategic to securing their organization, with 97% also affirming that identity is a foundational component of a zero trust security model.
Implementing zero trust requires authentication and authorization for every user and device on the network, for every application they access. Even if applications and devices are united into one corporate network, authentication and authorization under a zero trust model operate under the assumption that no user is trustworthy.
The traditional approach to network security is based on the assertion that it is very difficult to access the network from the outside. You must go through several cordons of network protection. A big risk here is that, when the user (including a malicious one) is already inside the network, they are automatically perceived as trusted.
Historically, companies have placed too much trust in individual users. Zero trust maintains that it is unsafe to focus primarily on protecting the corporate network perimeter. Under zero trust, no user, either inside or outside the network, is considered trusted. The zero trust model is a more reliable tool for protecting critical assets in a world where environments are increasingly distributed, endpoints and users can connect from anywhere, and the network perimeter security is less effective.
The technical approaches to implementing such a model may vary, but the basic principles to be followed are the same:
- No user is trusted by default, and even when access is given, it should be finite
- Users should receive the minimum sufficient level of rights to perform their duties (known as the principle of least privilege).
- Network perimeters should be broken down into small components (micro-segmentation), where each segment has individual access requirements.
Leaning into Artificial Intelligence
Finally, peering a little into the future, let us consider the promise of artificial intelligence (AI) in helping address challenges around access control.
Huge amounts of data may run back and forth during massive remote connections, in particular, during the authentication and authorization processes. Here, the use of AI can help significantly, such as by analyzing and identifying anomalous user behavior and potential security breaches. Artificial intelligence technologies can be applied to require users to re-authenticate in the middle of a session, if suspicious activity is detected.
Next Steps for Dialing in Secure Access Control
The world of technology and work has experienced a mini-revolution in response to the global pandemic. While the initial scramble is well past, it is crucial to review and ensure the right access controls are in place for the appropriate use cases to close security gaps and support the successful implementation of digital transformation initiatives.
The Cyberattacker’s Path of Least Resistance is Shifting: Here’s How You Must Adapt (Blog)
Malware Threat Report 2021 (Research Report)
Alex Vakulov, Guest Blogger
Alex Vakulov is a cybersecurity researcher with over 20 years of experience in virus analysis. Alex has strong malware removal skills. He writes for numerous security-related publications, sharing his security experience.