Secure remote access for administrators is possible — without VPNs
This is a guest post by Andy Smith, cybersecurity evangelist at Centrify.
The prolonged stint of home working poses significant challenges to businesses. Many have already written about the social and psychological issues that have arisen from home working, including isolation and stress, but one aspect is sometimes overlooked: maintaining cybersecurity and avoiding breaches and data loss.
Millions of administrators are now handling sensitive work data and accessing sensitive servers from outside their office, perhaps for the first time. It can be hard enough to keep data locked down within the four walls of a building, where IT perimeter controls monitor the network. Working from home presents a new set of challenges. These include administrators using both company-issued and personal devices on their home networks, and falling for increasingly sophisticated phishing scams and other attack attempts, without the protection of traditional network perimeter controls.
In an ever-changing work climate that can be quickly shifted by a crisis, companies have a lot of work to do when preparing for and handling changes. According to a survey performed by PwC, more than two-thirds of global CEOs believe that their businesses are experiencing more threats to business growth than three years prior.
National Cyber Security Awareness Month’s week 2 theme is “securing devices at home and work,” the perfect time to shine a light on some of the rising technological issues we’ve seen in our shift to WFH and how to proactively combat them.
Trouble with VPNs
One of the first issues that organizations faced when scaling up their remote workforce was the short time that they had to create secure remote access options for workers, administrators and third parties. Most organizations opted for virtual private networks (VPNs) to enable access to network systems remotely. However, many VPNs on the market grant access to the entire network, allowing too much lateral movement, and lack sufficient security to meet the current demand.
VPNs were originally developed to create a protected connection between two internal points within a network and keep intruders out of it. Although that application of VPNs remains a relevant way to mitigate such attacks, over time the use case has been stretched: VPNs now connect not only points within the same network but also an external endpoint to an entire internal network.
As the security landscape has developed, it has become apparent that VPNs are too vulnerable to facilitate connections like these, because they are not designed to provide significant, granular control over what a connected user can reach. This significantly increases the risk of falling victim to insider threat attacks, or of a hacker simply logging in to the VPN as an employee with a compromised credential. Just look at the recent vulnerability reports around some of the most popular VPNs on the market.
Secure remote access with privileged access management
When considering business continuity challenges related to a 100% remote workforce, it’s especially important to secure privileged access by administrators to systems and infrastructure. Organizations need to:
– Allow secure administrative access to the resources required but not the entire network
– Ensure that only the specific admin is taking actions on the resources
– Provide granular privilege – only allow access to the target resource, just in time, for just the amount of time needed to complete the task
– Manage resources anywhere without requiring knowledge of the network configuration to access the resources
– Allow an admin to access the resources they need to manage from a business point of view without the dependencies on a VPN. It’s critical not to alter the user experience for administrators in these cases, to allow them to stay productive
To accomplish these goals, organizations should avoid the VPN altogether and use the full capabilities that a modern privileged access management (PAM) solution can provide to enforce least privilege.
Providing IT administration teams, outsourced IT and third-party vendors with secure access to critical infrastructure resources regardless of location enables security professionals to control, monitor and manage access to critical systems by privileged users.
For organizations faced with scaling a VPN solution to support a huge uptick in remote users, this approach is also much more cost-effective. Arguably, the biggest benefit is enforcing a Zero Trust approach: trust no one, verify everyone, and grant no one full access to the network. In the process, it ensures a “clean source”, so IT does not need to worry about the health of third-party workstations or laptops, VPN infrastructure and software, and so on.
As we’ve seen, not all remote access is secure, and certainly not all remote access is equal. A VPN may be serviceable and better than nothing, but there are far better options available that provide more granular control, reduce risk, maintain the user experience and enable outsourced IT.
Many organizations thought they were ready, or adapted well to the new normal of a larger remote workforce. But relying on VPNs for administrative access creates more risk and greater exposure to breaches. By ditching the VPN and solidifying your secure remote access with a best-of-breed, Zero Trust-based PAM solution, you’ll be well on your way to enabling automated, intelligent, real-time decisions for granting privileged access.
About the author
Andy Smith is a cybersecurity evangelist at Centrify. Centrify is redefining the legacy approach to Privileged Access Management by delivering multi-cloud-architected Identity-Centric PAM to enable digital transformation at scale.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.