© Morey J. Haber 2020
M. J. Haber, Privileged Attack Vectors, https://doi.org/10.1007/978-1-4842-5914-6_18

18. Remote Access

Morey J. Haber, Heathrow, FL, USA

Driven in large part by the globalization of technology, focus on a healthier work-life balance, an increase in the number of millennials entering the workforce, and more recently, social distancing initiatives in response to the novel coronavirus, we are increasingly seeing companies across the globe offer their employees the option to work remotely. Not surprisingly, a recent survey from Bayt.com [1] found that 79% of professionals in the Middle East and North Africa (MENA) region would actually prefer to work for companies that offer a remote working option. Offering employees the opportunity to work remotely can actually work to the advantage of the organization. According to Gartner [2], “by 2020, organizations that support a ‘choose-your-own-work-style’ culture will boost employee retention rates by more than 10%.”

So, while there is no disputing the many benefits of remote working, it does add a layer of complexity that creates security challenges, especially for privileged access. As such, the onus is on an organization’s IT team to ensure that their remote workers and vendors are empowered with the tools they need to be productive, without exposing the organization to excessive cyber risk. Figure 18-1 illustrates a basic remote access architecture that can meet these objectives.
Figure 18-1. Remote Access Architecture

For this to succeed and be secure, please consider the following attack risk surfaces:

Remote Access Connectivity: In most cases, remote employees connect to corporate resources directly via a VPN or via hosted cloud remote access solutions. These employees are often behind their own home routers that employ technology like Network Address Translation (NAT) to isolate the network. However, this poses a network routing challenge for traditional IT management and security solutions like VPN. For one, corporate cybersecurity solutions cannot push updates directly to remote employees, nor directly query their systems in real time, because there is no downstream network route to them. As a consequence, the only way for these remote employees to get cybersecurity updates or submit data is to poll (initiate an outbound connection) into the corporate cybersecurity resources. This often requires a persistent outbound connection to determine state, regardless of whether a VPN or cloud resources are used, and it is susceptible to the trivial network anomalies commonly found in home wireless networks or cellular technology.

Additionally, as a result of name resolution and limitations in routing, processes such as discovery and pushing of policy updates all become batch-driven, as opposed to near real-time. Even remote support technologies require an agent with a persistent connection to facilitate screen sharing since a routable connection inbound to SSH, VNC, RDP, and the like is not normally possible for remote employees. Thus, the number one hurdle to securing remote access for employees is around managing devices that are no longer routable, reachable, or resolvable from a traditional corporate network for analysis and support. This is entirely independent of the privileges the remote user may invoke while connected to the network.

Bring Your Own Device (BYOD): The clients remote employees use to connect can come in two forms:
  • Corporate supplied IT resources

  • Bring your own device (BYOD)

While corporate-issued devices and resources can be strongly hardened and controlled, personal devices are frequently shared and may not undergo the same level of security attention. Organizations may mandate Mobile Device Management (MDM is discussed in Chapter 16) tools on personal devices to aid in management, but user resistance may stymie adoption. For obvious reasons, without MDM enforcement, corporate IT teams cannot harden employee-owned devices and govern their operation as tightly as they could corporate-owned devices. The methodology your organization chooses to support BYOD is ultimately a balance between cost, risk, user acceptance, and usability for remote access. With threats like SIM jacking, it is nearly a must to consider an MDM solution for any personal mobile device that accesses corporate resources.

Cybersecurity Hygiene: Finally, there is the challenge of deploying basic cybersecurity controls like patch management and antivirus to remote access users. This assumes remote access is available to users via their home computers and laptops, not just mobile devices. Traditionally, these cybersecurity basics are performed using network scanners, agents, and services to execute various functions and require connectivity to on-premise servers. The good news is that cloud technologies have simplified the management of these security basics using SaaS and PaaS solutions. With the inability for cellular and other mobile technologies to maintain a persistent and routable connection, organizations must embrace the cloud for managing basic cybersecurity disciplines when remote access is a requirement. The cloud offers universal resources, outside of a traditional datacenter, to which remote devices can securely connect and take advantage of methodologies like geolocation and two-factor authentication. This ensures the source and health for any remote access can be managed and validated regardless of the device type. Also, the cloud can provide access without the flaws of VPN technology to ensure the health of a source device does not become a liability.

Remote Access Security: The best advice for IT teams that need to secure remote workforces (employees, vendors, managed service providers, and contractors) involves keeping an open mind and being accepting of new technologies, methodologies, and workflows to accomplish their goals. This includes new ways to perform secure remote access that does not require VPN, NAC, or traditional VDI bastion host technology. Team members need to think out of the box regarding connectivity and plan for the bandwidth revolution of 5G cellular technology. Large-scale data theft can transpire within minutes using the latest wireless technology and traditional remote access tools. It can happen via any remote session that has privileged access to sensitive corporate resources. With all the above taken into account, teams need to understand their business models, the roles remote users play, and the data and system risks they represent. Then, a defensive strategy can be built using modern remote access technology. Finally, with the proliferation of infrastructure components that have moved to web-based management interfaces in the cloud, information and security technology administrators are faced with new threats for managing credentials to administer these solutions remotely. It’s a challenge to control, audit, and enforce proper authentication for privileged access to browser-based cloud resources without negatively affecting business productivity. Administrators, and even power users, need a way to effectively control and audit resources managed via cloud-based web consoles and treat them like a console that should only be accessed via a secure remote access solution, instead of directly from the Internet. This is why remote access and privileged access management go together hand-in-hand.

Vendor Remote Access

At any given time, vendors, contractors, building maintenance, managed service providers, and other organizations may have access to your network to fulfill contractual obligations, provide services, or resource maintenance. Many of these vendors and workers connect to your systems remotely to go about their daily business in supporting your organization. The problem is that many of the systems they interact with are also connected to your corporate network. Numerous high-profile breaches have demonstrated that vendor networks can be leveraged to gain access to customer environments.

Threat actors can steal credentials to gain access to vendor-controlled systems and then exploit vulnerabilities or poorly managed privileges to move throughout the organization, sometimes machine by machine. You are only as secure as your weakest link and the security of your environment may rest on the security practices, and controls, of a third party.

The big issue with adhering to policy and maintaining security across two companies is that often the credentials used by the remote vendor are not under the direct control of the customer. Two different networks with two different user directories, and perhaps two different security policies, make the job of security compliance a challenge. Even if you had a way to ensure security best practices were being followed, you still have no visibility into what activity is being performed on equipment that is connected to your network. This creates a unique set of new challenges when remote access is not being performed by an employee, but rather by some form of vendor. The following are some key best practices for ensuring secure vendor access:

  • Vendor Credential Management: Vendors accessing an organization’s resources remotely should have all credentials:
    a. Rotated regularly after any and all access, and on completion of sessions. This can be done natively or via integration into a password management solution.
    b. Governed by an enforced workflow that confirms the access was appropriate.
    c. Protected by multi-factor authentication to ensure credentials have not been shared or compromised.
    d. Issued as ephemeral or just-in-time access.

  • Network Access: Vendors requiring network access to manage resources should have:
    a. Access to only the applicable resources.
    b. Capabilities in place for detection and prevention of their lateral movement.
    c. Support for connectivity without the need for a bastion host.
    d. Support for connectivity without the need for protocol tunneling.
    e. Routing of all sessions through a gateway or proxy to perform session monitoring.
    f. A requirement for appropriate attribute-based proof that network access is from the proper source.

  • Privilege Monitoring: Vendors requiring access should have all sessions monitored and audited, with capabilities to review activity similar to shoulder surfing.

  • Application Control: Vendors should be monitored for all application and command usage, including file access. In addition, vendors should only be granted specific least privilege access to the applications they require.

To alleviate all of these challenges for vendor remote access, privileged access management solutions should be fully integrated. Vendors typically need to access a third-party organization’s resources with privileges and only this type of integration can securely provide the appropriate access.
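As an added example that is not part of the book (and not any vendor's product), the following Python models a small privileged access broker that applies the controls listed above under Vendor Credential Management and Network Access: an approval workflow, a multi-factor check, just-in-time credentials that expire, scoping to only the applicable targets, a gateway through which every command passes and is recorded, and rotation of the managed credential after each session ends. The vendor name, target host, in-memory vault, and injectable clock are constructed stand-ins for a real password vault and proxy.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass
class AccessRequest:
    """A vendor's request to reach one target; the workflow fills in the rest."""
    vendor: str
    target: str
    approved_by: Optional[str] = None   # approver id once the workflow completes
    mfa_verified: bool = False          # True only after a second factor was checked


@dataclass
class Session:
    vendor: str
    target: str
    password: str                       # just-in-time credential given to the vendor
    expires_at: float
    closed: bool = False


class VendorAccessBroker:
    """Gateway every vendor session passes through, so it can scope, expire,
    record and rotate. The vault and clock are constructed stand-ins."""

    def __init__(self, allowed_targets: Dict[str, Set[str]], ttl_seconds: int,
                 now: Callable[[], float] = time.time):
        self.allowed_targets = allowed_targets   # vendor -> targets it may manage
        self.ttl = ttl_seconds                   # length of the just-in-time window
        self.now = now
        self.vault: Dict[str, str] = {}          # target -> current managed password
        self.audit: List[dict] = []              # session record for later review

    def _log(self, event: str, **details) -> None:
        self.audit.append({"t": self.now(), "event": event, **details})

    def _rotate(self, target: str) -> str:
        """Replace the target's password so any copy a vendor kept is useless."""
        self.vault[target] = secrets.token_urlsafe(24)
        self._log("credential_rotated", target=target)
        return self.vault[target]

    def open_session(self, req: AccessRequest) -> Optional[Session]:
        """Issue a just-in-time session, or log the denial and return None."""
        reason = None
        if req.approved_by is None:
            reason = "approval workflow not completed"
        elif not req.mfa_verified:
            reason = "multi-factor authentication required"
        elif req.target not in self.allowed_targets.get(req.vendor, set()):
            reason = "target outside the vendor's allowed scope"
        if reason:
            self._log("access_denied", vendor=req.vendor, target=req.target,
                      reason=reason)
            return None
        password = self._rotate(req.target)      # fresh credential for this session
        session = Session(req.vendor, req.target, password, self.now() + self.ttl)
        self._log("session_opened", vendor=req.vendor, target=req.target,
                  approved_by=req.approved_by)
        return session

    def record_command(self, session: Session, command: str) -> bool:
        """Every command goes through the broker; returns False if refused."""
        if self.now() >= session.expires_at and not session.closed:
            self.close_session(session)          # window elapsed: end it and rotate
        if session.closed:
            self._log("command_refused", vendor=session.vendor,
                      target=session.target, command=command)
            return False
        self._log("command", vendor=session.vendor, target=session.target,
                  command=command)
        return True

    def close_session(self, session: Session) -> None:
        if session.closed:
            return
        session.closed = True
        self._log("session_closed", vendor=session.vendor, target=session.target)
        self._rotate(session.target)             # rotate after every session

    def credential_valid(self, target: str, password: str) -> bool:
        """Constant-time check of a presented password against the vault."""
        return hmac.compare_digest(self.vault.get(target, ""), password)


if __name__ == "__main__":
    broker = VendorAccessBroker({"hvac-vendor": {"bms-01"}}, ttl_seconds=3600)
    req = AccessRequest("hvac-vendor", "bms-01", approved_by="ops-lead",
                        mfa_verified=True)
    session = broker.open_session(req)
    broker.record_command(session, "show config")
    broker.close_session(session)
    for entry in broker.audit:
        print(entry)
```

The design point is that the vendor never learns a long-lived password: the credential is minted when the approved, MFA-verified session opens, is useless once the session closes or its window elapses because the broker rotates it, and every denial and command lands in the same audit trail a reviewer would later inspect.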

Working from Home

The days of commuting to an office have evolved rapidly in the last 30 years to include telecommuting, remote employees, and flexible office hours. In early 2020, the changes have been life altering, and realistically we may never go back to the office environments established B.C. (Before Corona). In addition, some countries have mandated that companies allow a few workdays at home to accommodate the overload at facilities, high volume of traffic, employee burnout, and even pollution. And, sometimes, finding the best employee may not even be possible within your geography, warranting the consideration of a purely remote employee. Generally, they work from home.

Information technology professionals are tasked with providing remote access for these employees and have implemented a variety of solutions, architectures, policies, and diverse technology over the last three decades to accommodate remote work. Some of the decisions by IT and security professionals are innovative, secure, and even cutting-edge, while others are downright cringeworthy and laden with potential risk.

One of the more common trends is to allow the installation of the organization’s virtual private network (VPN) software on an employee’s home computer for remote access. While some security professionals may think of this as an acceptable practice, this policy presents an unjustifiably high security risk. For example, consider the following:

Lower Malware Defense: Home users are typically local administrators for their personal computers. They rarely create secondary standard user accounts for daily usage. This makes them more susceptible to malware. The vast majority of malware needs administrative rights to infect a system, and home users typically do not place any restrictions on their own access simply for convenience. The older the home computer operating system, the worse the operating system is at defending against malware that requires administrative rights for system exploitation.

Multiple Users: If a personal computer is shared among multiple family members, even with multiple user profiles, there are very few mitigations to prevent an infection or poor judgment of one individual from infecting others. Also, techniques like fast user switching compound the problem by keeping other profiles in memory, making them susceptible to a variety of attacks based on other active profiles. A compromise of one user not related at all to the organization can be leveraged against an active VPN session connected to the organization.

Lack of Authority: Organizations do not have the authority to manage an individual’s home computer. While network access control solutions can validate antivirus signature versions and other basic hardware characteristics, they cannot inventory a home computer to ensure it is hardened and maintained like a corporate asset. These gaps, even when connected to a bastion host, can allow data leakage from keystroke loggers and screen-capturing malware that can place data and the organization at risk.

Inability to Secure the Host: Corporate VPN solutions typically embed a certificate into a connection or user profile to validate the connection. This is independent of the authentication the user should provide via credentials and, hopefully, some form of two-factor authentication in order to make a connection. The security of the certificate and the credentials for authentication are only as secure as the security maintenance implemented for the asset. These are a prime target for a threat actor on a poorly maintained host to initiate their own connections or hijack sessions used by remote employees. If you cannot secure the host, how can you secure the connection software it is running?

Lack of Protective Resources: Lastly, home users typically only have antivirus on their computers. They usually do not have endpoint detection and response (EDR) or endpoint privilege management (EPM), nor do they have vulnerability or patch management solutions to ensure their assets are being properly secured and to escalate any threats for awareness. Home users typically operate as independent workstations with no monitoring from security professionals to respond when something goes awry.

Even with all of these elements, some organizations have accepted the risk of VPN software on resources not being maintained by the organization. They have developed highly secure virtual desktop infrastructure (VDI) environments and bastion hosts to proxy (or gateway) the connection to shield applications and sensitive data. They have created isolated networks and resources in the cloud to manage these connections and, in many cases, paid tens of thousands of dollars in licensing costs just to stand up resources in a defensive network strategy to mitigate these risks. In many cases, they are effective, but they are all geared to allowing the organization's VPN software on untrusted assets maintained by home users.

The initial decision to allow VPN software on home assets should be revisited, and businesses should consider other ways to allow remote access with lower risks. This is especially true when the remote employees require any form of privileged access:
  • Issue corporate-owned assets that are hardened and managed to provide connectivity.

  • License a third-party remote access solution that does not require a complex environment to provide connectivity and can perform the connection through a web browser without the need for VPN software, dedicated applications, virtual desktop environments, or protocol tunneling.

  • If employees who need remote access have traditional desktop computers, consider replacing them with corporate-owned and managed laptops with docking stations. In the office, a laptop would operate as a regular desktop, including having large monitors, but when required at home, it could travel as a managed asset, minimizing the risk.

  • And as a final thought (which may not be for every business, and will certainly not apply well in the era of the coronavirus), don’t allow employees to work remotely. Companies like Yahoo [3] required all employees to come into the office during its restructuring, and even certain governments require, by law, that employees cannot take work home after hours to prevent labor abuse. While controversial, this may result in less employee fatigue, a happier work-life balance, and overall better security by keeping the perimeter better defined. Ironically, this is the exact opposite of zero trust.

There are so many factors to review when considering whether to allow home users VPN access from their personal computers. It is puzzling that so many environments allow this practice when, in many cases, the cost of a tablet managed by the company can provide a more secure experience compared to the runtime costs of a bastion host and VDI environment. The choice is ultimately a business decision, but allowing VPN access from remote workers’ personal computers is a technology practice that should never be deployed in the first place.

Secure Remote Access

To address all of these remote access concerns—from vendors to remote employees—rely on a next-generation secure remote access solution with privileged access management capabilities that provides connectivity based on the following criteria:
  • Compatible with existing remote access protocols like RDP, VNC, SSH, and HTTP(S).

  • Supports agent-based technology for remote access without the need for open listening ports.

  • Supports a multitier architecture as management nodes to reach deep within an organization.

  • Supports a deployment architecture that is on-premise, in a private cloud, or as a SaaS solution.

  • Supports remote connectivity via a dedicated x86, x64, or macOS client, via mobile devices using dedicated apps, or via an HTML5 browser to avoid any protocol tunneling.

  • Provides full session monitoring capabilities in accordance with privileged access management best practices.

  • Provides strong authentication and workflow to determine whether or not the user requesting access is appropriate.

  • Provides advanced capabilities to determine the inventory of the host and enumerate key settings.

  • Protects against lateral movement and inappropriate application and command usage.

  • Integrates or provides native password management capabilities that can be delegated to users to control appropriate privileged access.

  • Provides remote access to any resource in any location from the cloud to on-premise and even supports remote employees. This solves the problem of having to secure cloud-based management consoles.

With these requirements in mind, connectivity, regardless of the source, can be secured for privileged remote access.
