Centrify CTO on securing privileged access for remote admins

While many organizations already have telecommute policies and solutions in place, they are most commonly for either fully-remote workers or for employees who typically work in the office but need flexibility for unusual situations. The current environment most companies now face may put their remote workplace capabilities to the test.

This is most pronounced when considering security controls, cyber-hygiene, and reducing risk exposure that a more remote workforce creates. Are organizations prepared for such a distributed workforce and the potential risks that come with it?

When it comes to IT administration teams, outsourced IT, and third-party vendors who might have privileged access to systems and infrastructure, they need secure, granular access to critical infrastructure resources regardless of location and without the hassles of a virtual private network (VPN). Ideally, the way privileged users access these systems should be the same whether they are in an on-premises data center or connecting remotely.

Ditch the VPN

Last year it was reported that Citrix was breached through a password spraying attack that also sought to leverage VPN access. Ars Technica also reported last year that energy companies have specifically become targets of attacks that use password spraying and VPN hacking.

Unlike a VPN, which generally gives users visibility into the entire network, organizations should grant access only on a per-resource basis. This gives privileged internal IT admins access to only as much infrastructure as necessary, while limiting an outsourced team to only the servers and network hardware their role requires.

Privileged users should authenticate against the authoritative identity store, whether that is Active Directory, LDAP, or something else, and business partners and third-party vendors should receive granular, federated privileged access to specific resources rather than broad network access.

Guard against cyber-attacks by combining risk level with role-based access controls, user context, and MFA to enable intelligent, automated, real-time decisions about granting privileged access to users who are remotely accessing servers, checking out passwords, or using a shared account to log into remote systems.
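The decision logic described above, as an added example that is not Centrify's code or a description of its product: per-resource grants replace a whole-network VPN entitlement, and a small set of context signals (device posture, source country, shared-account checkout) feeds a risk score that decides between allowing access, demanding MFA first, or refusing outright. The grant table, risk weights and thresholds are constructed for the demonstration and are assumptions, not defaults from any vendor.

```python
"""Illustrative per-resource, risk-aware access decision for privileged users.

Added example; not Centrify's code. The grant table, risk weights and
thresholds below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# Constructed grant table: each resource lists the roles allowed to reach it.
# There is deliberately no "whole network" entry; that is the per-resource
# model the article contrasts with broad VPN access.
RESOURCE_GRANTS = {
    "db-prod-01": frozenset({"dba", "internal-admin"}),
    "fw-core-01": frozenset({"network-admin", "internal-admin"}),
    "web-app-03": frozenset({"vendor-webops"}),  # outsourced team's scope
}

# Constructed risk weights and thresholds (assumptions, not vendor defaults).
RISK_UNMANAGED_DEVICE = 30
RISK_UNUSUAL_COUNTRY = 40
RISK_SHARED_ACCOUNT = 20
MFA_THRESHOLD = 20   # at or above this, MFA must already be satisfied
DENY_THRESHOLD = 70  # at or above this, refuse regardless of MFA


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: FrozenSet[str]
    resource: str
    source_country: str
    device_managed: bool
    mfa_satisfied: bool
    shared_account: bool = False  # checking out a shared/root password
    home_country: str = "US"


def risk_score(req: AccessRequest) -> int:
    """Sum the context signals; a higher score means a less trusted request."""
    score = 0
    if not req.device_managed:
        score += RISK_UNMANAGED_DEVICE
    if req.source_country != req.home_country:
        score += RISK_UNUSUAL_COUNTRY
    if req.shared_account:
        score += RISK_SHARED_ACCOUNT
    return score


def decide(req: AccessRequest) -> Tuple[str, str]:
    """Return (decision, reason) where decision is allow, deny or step_up_mfa."""
    allowed_roles = RESOURCE_GRANTS.get(req.resource)
    if allowed_roles is None:
        return "deny", f"unknown resource {req.resource}"
    # Role check first: no grant for this specific resource means no access,
    # however trusted the context looks.
    if not (req.roles & allowed_roles):
        return "deny", f"no role grants {req.resource}"
    score = risk_score(req)
    if score >= DENY_THRESHOLD:
        return "deny", f"risk score {score} at or above deny threshold"
    # Shared-account checkout always needs MFA; otherwise MFA is risk-driven.
    if (req.shared_account or score >= MFA_THRESHOLD) and not req.mfa_satisfied:
        return "step_up_mfa", f"risk score {score}; MFA required before access"
    return "allow", f"role grant matched, risk score {score}"


AUDIT_LOG: List[str] = []


def gate(req: AccessRequest) -> str:
    """Evaluate the request and record the outcome for later review."""
    decision, reason = decide(req)
    AUDIT_LOG.append(
        f"user={req.user} resource={req.resource} decision={decision} reason={reason!r}"
    )
    return decision


if __name__ == "__main__":
    # Constructed requests covering the main branches of the policy.
    samples = [
        AccessRequest("alice", frozenset({"internal-admin"}), "db-prod-01", "US", True, False),
        AccessRequest("vendor1", frozenset({"vendor-webops"}), "db-prod-01", "US", True, True),
        AccessRequest("vendor1", frozenset({"vendor-webops"}), "web-app-03", "US", False, False),
        AccessRequest("bob", frozenset({"dba"}), "db-prod-01", "DE", False, True),
        AccessRequest("carol", frozenset({"network-admin"}), "fw-core-01", "US", True, False, True),
    ]
    for s in samples:
        gate(s)
    print("\n".join(AUDIT_LOG))
```

The ordering matters: the role-to-resource check runs before any risk scoring, so a vendor account is refused on a production database even from a fully trusted device, and the audit entry records which rule fired so that a reviewer can tell a scope violation from a context-driven refusal.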

Secure Privileged Access for On-Site and Remote Administration

Here are six ways any organization can create consistency in its privileged access management (PAM) approach to secure remote access to data center and cloud-based infrastructures, whether delivered through a cloud-based service or an on-premises deployment.

  1. Grant IT administrators secure, context-aware access to a controlled set of servers, network devices and Infrastructure-as-a-Service (IaaS).
  2. Enable outsourced IT without the need of including administrators in Active Directory.
  3. Control access to specific data center and cloud-based resources without the increased risk of providing full VPN access.
  4. Secure all administrative access with risk-aware, multi-factor authentication (MFA).
  5. Provide a single secure access point for administrators to manage infrastructure using shared accounts or their own Active Directory account.
  6. Enable secure remote access to data center and cloud-based infrastructures for internal users, third-party vendors and outsourced IT through a cloud service or on-premises deployment.

Many organizations may think they are ready for a larger remote workforce, including privileged administrators. But relying on VPNs rather than maintaining consistent security processes, policies, and postures will create more exposure and risk. Step up your secure remote access game and enable intelligent, automated, real-time decisions for granting privileged access.