Remote Access Control Strategies for the Work-from-Anywhere (WFA) Era

September 16, 2021


The “Great Remote Work Experiment,” compelled by the pandemic, has matured a great deal over the past 18+ months, and many lessons have been learned. The need to adapt to new working conditions also supercharged digital transformation. All of this has reshaped the trajectory of work and enterprise security well into the future.

In the hasty push to go remote and enable productivity in the early months of the pandemic, security best practices were relaxed, or simply ignored. Workers were issued privileged access rights that exceeded the level required for work, bloating the attack surface. Remote access technologies, like VPN and RDP, were frequently stretched far beyond their safe use cases, and often misconfigured. Many of these security deficiencies remain today and attackers are actively targeting them.

This blog will discuss how various access control models and technologies can help ensure adequate security around remote access to support a work-from-anywhere business model.

Access Controls: An Abridged Overview

Identity and access management (IAM), the set of solutions that govern who may access what, is a foundational piece of security. Correctly configuring and implementing access controls is also critical to enabling a secure remote work environment.

Without a high degree of automation in access control systems, enterprises cannot scale security or dial in user access rights in even modestly complex environments, which may span cloud or hybrid computing and a mix of employee, vendor, and machine identities and accounts.

Let’s review some fundamental access control technologies and approaches and how they can play a role in remote access security.


Role model

Role-based access control (RBAC), in which access is determined by predefined roles, is widely used in identity management solutions. RBAC helps enforce the principle of least privilege (PoLP). It is also very useful for governing remote access to data stored on corporate servers: the roles a user holds in a given information system determine what an employee can work with remotely and block access to information unrelated to their job function.

For example, Tom, an employee of the IT department, holds a role that allows him to make changes to certain libraries and files in system A. That role is not available to employees at a lower level of access, such as those in the accounting department.

By contrast, the accountant, Kate, may hold rights in system A that allow her to carry out certain financial transactions. Those operations are unavailable to office manager Susan, who sits at a lower functional level and whose role in system A permits only viewing data.

The RBAC approach limits the damage from malware infection or account compromise when employees use remote endpoints or untrusted networks to connect to corporate servers: a compromised account can only do what its role allows. The model also reduces the likelihood of errors when assigning permissions to users and makes access easier to review and audit.

However, role-based access control by itself is not sufficient. In particular, when operating in emergency mode it may not be possible to foresee every need and immediately build everything to an acceptable security standard using RBAC alone.


Attribute model

The role model reduces risk, but it does not eliminate it, so additional steps must be taken. This is where identification comes in. In the context of a remote connection, identification can be divided into two aspects:

  • Device identification
  • User identification

Here you maintain an inventory that holds both device data and information about users. This allows permitted and prohibited combinations to be defined, introducing an additional level of control, and gives us an attribute-based access control (ABAC) model. Users with predefined roles are now granted access to specific sections of the internal corporate network only for an approved combination of user ID and device ID. Note that a device identifier on its own can be copied or spoofed, so in practice the device attribute should be backed by a machine certificate or a management-agent attestation rather than a self-reported ID.

For example, marketing manager John receives access permissions based on the marketing department role when he connects to system A from his corporate laptop, whose device identifier is recognized by the system. By contrast, Adam from the legal department is denied access when he tries to connect to system A from his personal home computer, whose identifier is not among the approved devices.

The attribute model is quite reliable in helping solve some of the additional information security problems that come with the growing volume of remote access. Yet further controls are still needed.
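The following is an added example, not code from the original post or from BeyondTrust, that implements both the role model (Tom, Kate and Susan in system A) and the attribute model layered on top of it (John on his corporate laptop, Adam on his home PC). The roles, permissions, users and device identifiers are all constructed for the illustration; every decision is deny-by-default, and the device check runs before the role check so an unapproved device never reaches the permission lookup.

```python
"""Role-based and attribute-based access decisions for remote access.

Added example, not code from the original post or from BeyondTrust. The roles,
permissions, users and device identifiers are constructed to match the Tom,
Kate, Susan, John and Adam scenarios in the text.
"""
from dataclasses import dataclass
from typing import Dict, Set

# RBAC: each role grants a set of actions per system. Anything not listed
# is denied, so these tables are the whole policy.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "it_admin":       {"system_a": {"view", "modify_files"}},
    "accountant":     {"system_a": {"view", "post_transaction"}},
    "office_manager": {"system_a": {"view"}},
    "marketing":      {"system_a": {"view"}, "cms": {"view", "publish"}},
    "legal":          {"system_a": {"view"}, "contracts": {"view", "sign"}},
}

USER_ROLES: Dict[str, str] = {
    "tom": "it_admin",
    "kate": "accountant",
    "susan": "office_manager",
    "john": "marketing",
    "adam": "legal",
}


def rbac_allows(user: str, system: str, action: str) -> bool:
    """Deny by default: allowed only if the user's role lists the action."""
    role = USER_ROLES.get(user)
    if role is None:
        return False
    return action in ROLE_PERMISSIONS.get(role, {}).get(system, set())


# ABAC: add a device attribute. This constructed inventory stands in for the
# asset database the text describes; in practice the identifier would be
# backed by a machine certificate or MDM attestation, not a self-reported ID.
APPROVED_DEVICES: Dict[str, Set[str]] = {
    "tom":   {"LT-IT-0042"},
    "kate":  {"LT-FIN-0107"},
    "susan": {"LT-OPS-0011"},
    "john":  {"LT-MKT-0219"},
    "adam":  {"LT-LEG-0033"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    system: str
    action: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def abac_decide(req: AccessRequest) -> Decision:
    """ABAC layered on RBAC: the (user, device) pair must be an approved
    combination before the role-derived permission is consulted."""
    if req.device_id not in APPROVED_DEVICES.get(req.user, set()):
        return Decision(False, f"device {req.device_id} is not approved for {req.user}")
    if not rbac_allows(req.user, req.system, req.action):
        role = USER_ROLES.get(req.user, "<none>")
        return Decision(False, f"role {role} does not grant {req.action} on {req.system}")
    return Decision(True, "approved user-device pair and role grants the action")


if __name__ == "__main__":
    for r in (AccessRequest("john", "LT-MKT-0219", "system_a", "view"),
              AccessRequest("adam", "HOME-PC-ADAM", "system_a", "view"),
              AccessRequest("susan", "LT-OPS-0011", "system_a", "post_transaction")):
        d = abac_decide(r)
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{r.user}@{r.device_id} {r.action} on {r.system}: {verdict} ({d.reason})")
```

Running the block prints an allow for John, a deny for Adam's unlisted home PC, and a deny for Susan's attempt to post a transaction even though her device is approved, which is the point of keeping the two checks separate.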


Multi-factor authentication

Multi-factor authentication (MFA) is increasingly a must-have layer of defense, particularly when it comes to remote access and scenarios involving elevated privileges beyond that of a standard user.

Consider that, even with the above measures in place, there is still a risk that passwords will be brute-forced or otherwise compromised. This can happen even if the passwords are complex and stored only as salted hashes: once an attacker captures the password database, recovering passwords is limited only by time and hardware, and the speed depends heavily on the hash format. Against fast or legacy unsalted hashes, widely available cracking tools running on commodity GPUs recover even long passwords in minutes, so length and complexity alone are not a defense.

Multi-factor authentication combines two or more distinct factors to strongly authenticate a user: something you know (such as a password), something you have (such as a token), or something you are (biometric data). Each additional factor raises confidence that the person requesting access is who they claim to be. Organizations may want to require more factors, or stronger ones, for the most sensitive assets and areas of privileged access.

Typical MFA scenarios include:

  • Inserting a smart card and entering a PIN
  • Logging in with a password and then entering an additional one-time password (OTP) delivered to a phone or email address
  • Installing a VPN client with a valid digital certificate and logging in to the VPN before network access is granted
  • Presenting a card, scanning a fingerprint, and answering a security question
  • Using a USB hardware token that generates a one-time password, then entering that OTP to log in to the VPN

Many considerations, driven by the particular business or operating environment, determine which authentication factors to implement. For example, fingerprint biometrics can be a convenient and reliable second factor for everyday office work. But if an employee works remotely and must connect to company resources from different locations, carrying a dedicated biometric reader may not be practical. In that case, software that generates one-time login PINs, SMS codes, or smartphone OTP applications can be used instead. Bear in mind that SMS and email codes are the weakest of these options, since they can be intercepted through SIM swapping or relayed by a phishing page; app-based or hardware tokens are the better choice for privileged accounts.

The goal of MFA is to create layered defenses and make it too expensive for an attacker to gain access to the system. Even if one factor is compromised, there is at least one more that must be overcome to penetrate the network.
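The "something you have" factor in the OTP scenarios above is usually a TOTP token (an authenticator app or hardware fob). As an added example, not code from the original post, the block below implements TOTP (RFC 6238) on top of HOTP (RFC 4226) with only the Python standard library, and shows the two details a server implementer most often gets wrong: the comparison must be constant-time, and the server must remember the last accepted counter so a code captured by a phishing page cannot be replayed inside the same time step. The seed is the reference-vector secret published in RFC 6238, so the outputs can be checked against the RFC's tables.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226) with the Python standard library.

Added example, not code from the original post. The seed is the reference
vector secret from RFC 6238 so the values can be checked against the RFC.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, Optional

RFC6238_SECRET = b"12345678901234567890"  # RFC 4226/6238 test-vector seed


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step). `at` lets a
    caller (or a test) pin the time instead of reading the clock."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step, digits)


def provisioning_seed(secret: bytes) -> str:
    """Authenticator apps take the seed base32-encoded (otpauth:// URIs)."""
    return base64.b32encode(secret).decode().rstrip("=")


class TotpVerifier:
    """Server side. Accepts the current step plus or minus `window` steps for
    clock skew, compares in constant time, and records the counter of each
    accepted code so the same code is never accepted twice."""

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step, self.digits, self.window = step, digits, window
        self._last_counter: Dict[str, int] = {}

    def verify(self, user: str, secret: bytes, code: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        base = now // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self._last_counter.get(user, -1):
                continue  # this or an earlier counter was already consumed
            if hmac.compare_digest(hotp(secret, counter, self.digits), code):
                self._last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    print("seed for the authenticator app:", provisioning_seed(RFC6238_SECRET))
    print("8-digit code at T=59 (RFC 6238 table says 94287082):",
          totp(RFC6238_SECRET, at=59, digits=8))
    v = TotpVerifier()
    print("first use accepted:", v.verify("kate", RFC6238_SECRET, "287082", at=59))
    print("replay rejected:   ", v.verify("kate", RFC6238_SECRET, "287082", at=70))
```

The replay guard is what turns a TOTP code into a true one-time password: without it, a code phished a few seconds earlier is still valid for the rest of the 30-second step (plus the skew window). Real deployments also rate-limit failed attempts per user, since six digits is only a million possibilities.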


Privileged Access Management

Privileged Access Management (PAM) systems are a robust means of protecting remote connections to corporate assets, and any other types of access, whether it involves human or non-human identities, employees or vendors.

Many security incidents are associated with the compromise of credentials and overprivileged accounts, which can provide unrestricted access to critical resources. PAM reduces these risks by managing privileged credentials, enforcing least privilege, and brokering secure remote sessions.

By actively managing credentials, rotating them on a schedule or expiring them after each use, the PAM system ensures that a captured password stops working quickly, which blunts credential-theft and re-use attacks. In addition, the PAM system checks the user's entitlements, that is, whether they are allowed to reach the target resource under the account requested, and requires an additional strong authentication factor. By enabling just-in-time and adaptive access controls, PAM products minimize the window during which privileges can be abused and revoke access if context or risk changes.

The most advanced PAM solutions also provide secure remote access capabilities that proxy access to resources without a VPN, ensuring that privileged remote access is locked down, least privilege is always enforced, and every session is audited. Session monitoring and management can include keystroke logging and video recording, with the ability to pause or terminate suspicious sessions.

PAM is also a keystone security technology necessary for enabling zero trust security models and architectures, which we will cover next.
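To make the credential-management side concrete, here is an added example (not BeyondTrust Password Safe code, and not from the original post) of a just-in-time checkout vault. It exercises the controls the section describes: an entitlement check, an MFA requirement, a time-boxed exclusive checkout, rotation on check-in or expiry so a captured password is dead afterwards, and an audit trail. The clock is injected so expiry can be driven deterministically; the account and entitlement names are constructed.

```python
"""Just-in-time checkout of a privileged credential with rotation and audit.

Added example, not BeyondTrust Password Safe code. Accounts, entitlements and
the injected clock are constructed for the illustration.
"""
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length: int = 32) -> str:
    """CSPRNG-backed password; no human needs to know or type it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass(frozen=True)
class Checkout:
    user: str
    account: str
    expires_at: int
    password: str


class PrivilegedAccountVault:
    def __init__(self, entitlements: Dict[str, Set[str]], now: Callable[[], int]):
        self._entitlements = entitlements        # user -> accounts they may check out
        self._passwords: Dict[str, str] = {}     # account -> current password
        self._active: Dict[str, Checkout] = {}   # account -> open checkout
        self._audit: List[str] = []
        self._now = now

    def onboard(self, account: str) -> None:
        """Bring an account under management: set a random password now."""
        self._rotate(account, "onboard")

    def checkout(self, user: str, account: str, mfa_verified: bool,
                 ttl_seconds: int = 900) -> Optional[Checkout]:
        now = self._now()
        if account not in self._passwords:
            self._audit.append(f"{now} DENY {user} -> {account}: not managed")
            return None
        if account not in self._entitlements.get(user, set()):
            self._audit.append(f"{now} DENY {user} -> {account}: no entitlement")
            return None
        if not mfa_verified:
            self._audit.append(f"{now} DENY {user} -> {account}: MFA not satisfied")
            return None
        held = self._active.get(account)
        if held is not None and held.expires_at > now:
            self._audit.append(f"{now} DENY {user} -> {account}: held by {held.user}")
            return None
        if held is not None:                     # lapsed but never checked in
            self._rotate(account, "expired-before-checkin")
        co = Checkout(user, account, now + ttl_seconds, self._passwords[account])
        self._active[account] = co
        self._audit.append(f"{now} CHECKOUT {user} -> {account} until {co.expires_at}")
        return co

    def checkin(self, account: str) -> None:
        """Release the account and rotate immediately."""
        co = self._active.pop(account, None)
        if co is not None:
            self._audit.append(f"{self._now()} CHECKIN {co.user} -> {account}")
        self._rotate(account, "checkin")

    def is_valid(self, co: Checkout) -> bool:
        """True only while the checkout is open, unexpired and the password
        still matches; after rotation the captured value is dead."""
        current = self._active.get(co.account)
        return (current is co and co.expires_at > self._now()
                and self._passwords[co.account] == co.password)

    def expire_stale(self) -> List[str]:
        """Housekeeping: rotate every checkout whose time box has lapsed."""
        now = self._now()
        lapsed = [a for a, c in self._active.items() if c.expires_at <= now]
        for account in lapsed:
            del self._active[account]
            self._rotate(account, "expired")
        return lapsed

    def audit_log(self) -> List[str]:
        return list(self._audit)

    def _rotate(self, account: str, why: str) -> None:
        self._passwords[account] = generate_password()
        self._audit.append(f"{self._now()} ROTATE {account} ({why})")


if __name__ == "__main__":
    clock = [1000]
    vault = PrivilegedAccountVault({"tom": {"svc-backup"}}, lambda: clock[0])
    vault.onboard("svc-backup")
    co = vault.checkout("tom", "svc-backup", mfa_verified=True, ttl_seconds=60)
    clock[0] += 120
    print("valid after expiry:", vault.is_valid(co), "| rotated:", vault.expire_stale())
    print("\n".join(vault.audit_log()))
```

A real vault would change the password on the target system as part of `_rotate` and hand the session to a proxy rather than reveal the password at all; the control flow, in particular rotating on every check-in and on expiry, is the same.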


Zero trust model

The zero trust security model has been gaining momentum for years. However, zero trust has recently been cemented as a must-implement ideology, in response to the surge in remote working and cloud computing, and the high-profile cyberattacks taking advantage of the increased attack surface.

In fact, an IDSA study earlier this year reported that 93% of IT security pros claim zero trust is strategic to securing their organization, with 97% also affirming that identity is a foundational component of a zero trust security model.

Implementing zero trust requires authentication and authorization of every user and device on the network, for every application they access. Even when applications and devices sit on one corporate network, authentication and authorization under a zero trust model operate on the assumption that no user or device is trusted by default.

The traditional approach to network security rests on the assumption that reaching the network from outside is hard: an attacker must pass through several cordons of network protection. The big risk is that once a user (including a malicious one) is inside the network, they are automatically treated as trusted.

Historically, companies have placed too much trust in individual users. Zero trust maintains that it is unsafe to focus primarily on protecting the corporate network perimeter. Under zero trust, no user, either inside or outside the network, is considered trusted. The zero trust model is a more reliable tool for protecting critical assets in a world where environments are increasingly distributed, endpoints and users can connect from anywhere, and the network perimeter security is less effective.

The technical approaches to implementing such a model may vary, but the basic principles to be followed are the same:

  • No user is trusted by default, and even when access is granted, it should be finite (time-bound).
  • Users should receive the minimum sufficient level of rights to perform their duties (known as the principle of least privilege).
  • Network perimeters should be broken down into small components (micro-segmentation), where each segment has individual access requirements.

Leaning into Artificial Intelligence

Finally, peering a little into the future, let us consider the promise of artificial intelligence (AI) in helping address challenges around access control.

During large numbers of concurrent remote connections, huge volumes of authentication and authorization data flow back and forth. Machine learning can help here, for example by analyzing that data to identify anomalous user behavior and potential breaches, and by triggering re-authentication in the middle of a session when suspicious activity is detected.
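The zero trust principles above (no default trust, finite access, micro-segments with their own requirements) and the mid-session re-authentication just described come together in a per-request policy gateway. The block below is an added example, not code from the original post or from any vendor product: each request is evaluated against the target segment's own requirements, a session has a finite lifetime, and a change of device or network since the session was authenticated forces a step-up. The drift rules are simple, deterministic checks standing in for the behavioural analysis the text mentions, not an AI/ML system; segments, users and contexts are constructed.

```python
"""Per-request zero trust evaluation with step-up re-authentication.

Added example, not from the original post or any vendor product. Segments,
users and contexts are constructed; the drift rules are deterministic stand-ins
for behavioural analytics.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set


@dataclass(frozen=True)
class Context:
    """What the gateway knows about the caller at the moment of the request."""
    user: str
    roles: FrozenSet[str]
    device_id: str
    device_managed: bool
    disk_encrypted: bool
    src_network: str       # "corp", "home", "unknown", ...
    mfa_age_seconds: int   # seconds since the last successful MFA


@dataclass
class Segment:
    """A micro-segment with its own access requirements."""
    name: str
    allowed_roles: Set[str]
    require_managed_device: bool
    max_mfa_age: int        # step-up if the last MFA is older than this
    max_session_age: int    # access is finite: re-authenticate after this


SEGMENTS: Dict[str, Segment] = {
    "wiki":       Segment("wiki", {"hr", "it", "marketing"}, False, 86400, 28800),
    "hr-db":      Segment("hr-db", {"hr"}, True, 300, 3600),
    "prod-admin": Segment("prod-admin", {"it"}, True, 120, 900),
}


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow", "deny" or "step_up"
    reason: str

    @property
    def allowed(self) -> bool:
        return self.action == "allow"


@dataclass
class Session:
    baseline: Context   # context captured when the session was authenticated
    started_at: int


def evaluate(session: Session, ctx: Context, segment_name: str, now: int) -> Verdict:
    """Decide one request. Order matters: hard denials first, then the
    conditions that can be cured by re-authenticating."""
    seg = SEGMENTS.get(segment_name)
    if seg is None:
        return Verdict("deny", f"unknown segment {segment_name}")
    if not (ctx.roles & seg.allowed_roles):
        return Verdict("deny", f"no role of {ctx.user} is permitted in {seg.name}")
    if seg.require_managed_device and not (ctx.device_managed and ctx.disk_encrypted):
        return Verdict("deny", f"{seg.name} requires a managed, encrypted device")
    if now - session.started_at > seg.max_session_age:
        return Verdict("step_up", f"session older than {seg.max_session_age}s for {seg.name}")
    if ctx.device_id != session.baseline.device_id:
        return Verdict("step_up", "device changed since authentication")
    if ctx.src_network != session.baseline.src_network:
        return Verdict("step_up",
                       f"network changed {session.baseline.src_network} -> {ctx.src_network}")
    if ctx.mfa_age_seconds > seg.max_mfa_age:
        return Verdict("step_up", f"{seg.name} needs MFA within {seg.max_mfa_age}s")
    return Verdict("allow", f"{ctx.user} may reach {seg.name} from {ctx.device_id}")


if __name__ == "__main__":
    base = Context("tom", frozenset({"it"}), "LT-IT-0042", True, True, "home", 30)
    sess = Session(base, started_at=1000)
    print(evaluate(sess, base, "prod-admin", now=1060))
    drifted = Context("tom", frozenset({"it"}), "LT-IT-0042", True, True, "unknown", 30)
    print(evaluate(sess, drifted, "prod-admin", now=1060))
```

The distinction between `deny` and `step_up` is deliberate: a personal, unencrypted laptop can never reach the HR database no matter how the user authenticates, whereas a network change or stale MFA is a condition the user can cure by re-authenticating. Keeping the two apart is what lets the gateway be strict without generating an MFA prompt for every low-risk page.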

Next Steps for Dialing in Secure Access Control

The world of technology and work has experienced a mini-revolution in response to the global pandemic. While the initial scramble is well past, it is crucial to review and ensure the right access controls are in place for the appropriate use cases to close security gaps and support the successful implementation of digital transformation initiatives.

Related Reading

The Cyberattacker’s Path of Least Resistance is Shifting: Here’s How You Must Adapt (blog)

Malware Threat Report 2021 (research report)

A Zero Trust Approach to Secure Access (white paper)



Alex Vakulov, Guest Blogger

Alex Vakulov is a cybersecurity researcher with over 20 years of experience in virus analysis. Alex has strong malware removal skills. He writes for numerous security-related publications, sharing his security experience.
