It’s no revelation that almost every organization today uses some form of remote access for third parties, vendors, and remote workers. The problem with this is that some common modes for extending remote access open your organization up to manifold cybersecurity risks. In fact, if you examine the data, almost every major data breach over the past several years has involved some manner of unauthorized remote access. And generally, company leaders at least recognize that this threat exists. A recent study reported that 86% of business executives believe that data breaches are more likely to occur when employees are working remotely.
According to another study performed a couple years back, IT professionals report that, on average, nearly 181 third-party vendors access their internal network on a weekly basis. These third parties range from point of sale (POS) vendors, to software manufacturers, to IT outsourcers.
The Perils of VPNS
To establish remote connections, organizations often use some form of Virtual Private Network (VPN) to allow users to interact with their systems. But VPNs present problems for securing remote access. VPNs act as both a front door and backdoor to your critical data and applications. As such, VPNs attract considerable attention from hackers because they can be used to gain unauthorized access to your systems.
VPNs are also entry points into the administrative back-ends of systems, giving hackers an opportunity to reset configurations and wreak all kinds of havoc. For infosec teams, securing VPNs presents a constant challenge. Many of the most notorious data breaches can be traced directly to VPN exploitation.
Having some sort of remote access is non-negotiable for almost every organization’s IT processes. Remote workers, third parties, vendors, and others need to access your systems from outside the firewall. However, remote access, by its very nature, creates exposure to cybersecurity risks.
Organizations often lack visibility into what vendors are doing – or are too trusting – when vendors access their network.
Extending Privileged Access Security Controls to Remote Users
A privileged user is someone with elevated access rights, who you may allow to set up, modify, or delete system accounts and software, among other privileged activities. As an example, the person you give the rights to establish and delete email accounts on a Microsoft Exchange Server is a privileged user. This privilege should only be given to your most trusted employees, and only when it’s absolutely necessary. The people you choose should be responsible enough to be entrusted with “root” privileges like the ability to change system configurations, install software, change user accounts or access secure data.
However, one should never unconditionally trust anyone, so you want to have measures in place to monitor and control how they use these accounts. Given this much power over your environment, privileged users can disrupt your IT systems, which could lead to some serious risk exposure if not properly managed.
Privileged access management (PAM) is the solution for properly managing this access. PAM is a collection of technologies (privileged credential management, session monitoring, privilege elevation and delegation, etc.) and practices that will allow you to monitor and manage privileged or administrative access to your critical systems.
Replacing VPN access with a PAM solution will enable your organization to configure access granularly instead of an “all or nothing” VPN connection. Reduce the attack surface and remove the administrative burden of configuring and installing VPN clients; instead, they can get access via a web console or secure appliance.
If you examine three of the most notorious remote access breaches, Ashley Madison, Target, and Georgia-Pacific, you will see that PAM deficiencies exacerbated those breaches.
Apparently, Ashley Madison did not have a PAM solution at all, leaving an unattended and easily discovered remote access backdoor to their administrative capabilities. Target also seemed to have lacked a PAM solution with effective alerting and session tracking that could have notified security personnel about suspicious privileged account activity. Additionally, it is evident that Georgia-Pacific lacked a PAM system that could cut off privileged access for a terminated employee. Using an effective PAM solution will allow you to defend against remote access threats like these.
PAM will enable you to provision and de-provision administrative privileges to individuals using your system. For example, with PAM, you will be able to assign administrative rights to the VPN and then rapidly withdraw them when you have an employee leaving your organization. That way, even if someone gains unauthorized remote access to your organization's systems, their ability to cause harm will be minized.
At minimum, the PAM solution can monitor your back-end access logins and alert your administrators about privileged sessions that don’t comply with your access policies. For example, in the Target incident caused by an exploit of an HVAC company, you would have to wonder why an HVAC vendor would be logging into the Point of Sale (POS) system, and this would cause you to examine this situation further.
Why You Need A PAM Solution
There are many compelling reasons for you to use a PAM solution in your environment. Deploying PAM can keep your organization safe from accidental or deliberate misuse. This is very important if your organization is growing, because the larger and more complex your organization’s IT systems get, the more privileged accounts your various users will have access to. This includes many types of users, such as your employees, contractors, remote or even automated users. Many organizations have far too many privileged users, 2-3 times more than the number of actual employees!
Some of these privileged users have the power to override your existing security protocols. This leads to a significant vulnerability to your system. If your administrators are allowed to make unauthorized system changes, access forbidden data, and then hide their actions, you have a big problem. This leads to the chance for an outside attacker to gain access to your environment using these admin credentials. PAM helps stop this from occurring.
If you implement a PAM solution, you will have a more secure, streamlined method to authorize and monitor all your privileged users for your essential systems.
What to Look for in a PAM Solution
When you decide to mature your privileged access security controls, there are a few things you should keep in mind. Ensure your chosen solution offers the following components:
- Access Manager – This PAM module governs access to privileged accounts, providing a single point for defining and enforcing your policies. Using the access manager your privileged users can request access to your systems. The access manager knows which systems the user can access and at what level of privilege. This approach will reduce the risk that a former employee will retain access to a critical system.
- Password Safe – Your PAM system should keep privileged credentials in a secure password safe, and open access to a system for the privileged user only after being cleared by the Access Manager. This password safe should also rotate (change) credentials at intervals that reflect their sensitivity, while enforcing security best practices in generating new passwords.
- Privileged Session Manager – A session manager allows you to track actions taken during a privileged account session. This is essential for ensuring accountability.
The bottomline is that you can have the latest and greatest technology, but it will not operate at its most effective state without proper control, management, and implementation. Ultimately, the best way to defend your organization against a security compromise is to ensure that proper access controls are implemented in the first place.
Security and user experience are essential prerequisites for allowing remote access to your business. Your PAM solution will help you maintain that security and user experience. For deeper insights on this subject, check out my on-demand webinar: Mitigating Remote Access Risks with Privileged Access Management.
Derek A. Smith, Founder, National Cybersecurity Education Center
Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland, University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy, and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.