Hand on heart: can you say, right now, how many external users are connected to your company network? Asked ad hoc, most organisations have to answer no. You may be able to name the internal daily users, assign them to groups and track them. But for external users, such as IT service providers, suppliers or remote maintenance companies, this does not apply in most cases.
But aren't these precisely the users you should be keeping an eye on? Some of them walk around with the logical master key to your critical areas and move freely and unobserved through your infrastructure.
The security measures for external access to your systems by your suppliers or IT support must rest on more than blind trust and service level agreements. Not only do you need to know which technologies and tools the various vendors use to access your network, you should also monitor and know when and to what extent they access your systems and what activities they perform, both live and retrospectively.
Top risk: remote maintenance access
IT service providers, long-standing external partners, remote support, technicians, suppliers, external employees, data scientists: the list of third parties that require temporary or standing access to your corporate network within their own scopes is very long. In addition, centralised provision of access paths is becoming more challenging because of hybrid and cloud-based infrastructures. It is a fact that not a single day goes by without someone from outside accessing internal critical assets that require protection. Remote access is absolutely standard, whether in accounting, production or IT administration.
Third parties rely on common solutions such as VPN connections, jump servers or application sharing tools. These all have one thing in common: they connect the security zone of your company's network with the uncontrolled security zone of the external user.
This means that the security measures you have carefully built up internally to protect different network areas are severely undermined in this case. On top of that, employees coming from outside usually use anonymous user accounts such as "admin.company_XY". As a result, user activities cannot be assigned to any person in the event of a breach or during an investigation. Companies usually implement VPNs to give third-party providers uncomplicated access, but incorrectly assume that this in itself increases cyber security. VPNs enable access, but they are primarily one thing: a tunnel. From the outside you have no influence over what happens inside a VPN tunnel. It guarantees dedicated access, but allows no conclusions to be drawn about what third-party users did, when, where and how.
Uncontrolled access for third-party providers carries countless risks
Infiltration of malware
Inadequately protected access credentials that can be intercepted or reused compound the risk. VPN access lacks granular controls, so malware can still enter your systems through a provider's access. The lack of granular controls in the VPN also means that the provider account may have far more access to systems than necessary, which increases the risk of misuse, especially if the account is compromised by a threat actor.
People make mistakes
Some vendor threats are not malicious in nature. For example, mistakes made by an external IT administrator can bring production equipment to a standstill or cause the ERP system to fail, inadvertently open security gaps or lead to compliance issues. The risk posed by a user increases in proportion to the access rights granted and to uncontrolled privileges. In the worst case, a cyber incident is exacerbated by the fact that errors cannot be reproduced, session records are missing or activities cannot be cleanly attributed to individuals.
Non-compliance with legal and contractual requirements
Compliance with the regulations and guidelines issued to maintain information security is usually already a major challenge internally. But who controls the password and access policy at the third-party provider that has access to your IT infrastructure? Often the credentials used by the third-party provider are not under the direct control of the client. Two separate networks with two user directories and heterogeneous security requirements make security compliance almost impossible. Vendor audits and service level agreements improve organisational security, but even if you could ensure that security best practices are followed, you may still have no visibility into what third parties actually do, unobserved, in your internal IT infrastructure.
Basic measures for securing remote maintenance access
- Get rid of functional and bulk accounts
A clear assignment of user activities to real persons ensures clean traceability in an emergency and prevents the uncontrollable use of the same passwords by several users. The documentation of activities requires a link to the persons who carry them out, without exception.
- Multi-factor authentication (MFA)
Multi-factor authentication is a must for any sensitive access to servers, applications and data. To provide a higher level of identity security for remote access by providers and staff, an additional independent factor must be required for session authentication. It is important that the second factor is never received on the same device on which the primary login is performed; technically, this can be ruled out.
- Allocate least privileges
All access should be limited to the exact set of tools and permissions a user needs to perform their defined role. Coupled with fixed periods during which the user is allowed to access the IT infrastructure, this results in a just-in-time access model. No access should be open-ended or permanent; it should follow defined specifications, i.e. it is only granted if certain parameters are met and is withdrawn as soon as the activity is completed, the context changes or a certain time has elapsed.
- Monitoring and control of the network infrastructure
Authorised persons within your IT department should always have a live overview of all privileged users who are on the network. In addition, it must be possible to determine retrospectively who was active where and when. If necessary, it should be possible to identify all users on the network and remove them from the infrastructure in an emergency.
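As an added illustration (example code written for this article, not part of VISULOX or any product), the following Python sketch shows how the four measures fit together in a just-in-time access broker: a session opens only for a named personal account, inside its granted time window, with the second factor on a different device from the login, and the broker can list who is live now and who was on a given target during a past interval. The account naming rule, the refusal reasons, the integer timestamps and all sample values are assumptions made for the example.

```python
from dataclasses import dataclass
# Added example, not VISULOX code. Times are Unix seconds; the account naming
# rule and the refusal reasons are constructed for this example.
FUNCTIONAL_PREFIXES = ("admin.", "service.", "support.")  # shared-account patterns

@dataclass
class Grant:
    user: str        # named person, constructed form "first.last@vendor"
    target: str      # the single endpoint this grant covers
    not_before: int  # granted time window is [not_before, not_after)
    not_after: int
    mfa_device: str  # device that receives the second factor

def is_personal_account(user):
    # "admin.company_XY"-style accounts cannot be attributed to a real person.
    name, sep, _vendor = user.partition("@")
    parts = name.split(".")
    return sep == "@" and len(parts) == 2 and all(parts) and not user.startswith(FUNCTIONAL_PREFIXES)

def admission_check(grant, now, login_device):
    # None means the session may open; otherwise the reason for refusal.
    if not is_personal_account(grant.user):
        return "functional account"
    if not grant.not_before <= now < grant.not_after:
        return "outside granted window"
    return "second factor on login device" if login_device == grant.mfa_device else None

class Broker:
    def __init__(self):
        self.sessions = []   # (grant, started); a session ends at grant.not_after

    def open(self, grant, now, login_device):
        # Admit the session only if every parameter is met; return the refusal reason otherwise.
        reason = admission_check(grant, now, login_device)
        if reason is None:
            self.sessions.append((grant, now))
        return reason

    def live(self, now):
        # Live overview: external users on the network right now; withdrawn once the window elapses.
        return sorted(g.user for g, started in self.sessions if started <= now < g.not_after)

    def history(self, target, start, end):
        # Retrospective view: who was active on target at some point within [start, end].
        return sorted(g.user for g, started in self.sessions
                      if g.target == target and started <= end and g.not_after >= start)
```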
Offer your suppliers, service providers and external employees one central portal to access just the individually required resources for their daily work within your IT infrastructure.
Leading Privileged Access Management portfolio with Remote Support from Germany
VISULOX is a unique Privileged Access Management solution focusing on the control of remote access.
VISULOX enables your internal IT department to control, verify and automatically document the privileged remote access of external employees, service providers and suppliers.
Regardless of the industry, our customers rely on our Privileged Access Management solution and place great value on the advantages of our individual modules:
- The principle of least privilege: Provide a privileged user only with the applications, tools and authorisations he or she needs to carry out his or her work, and only during the periods in which they are needed, just in time. Define which endpoints a user may access and when, and which actions are permitted during a session. For example, deprive the user of copy and paste functionality or provide a single dedicated application without a desktop interface. If required, users can also be restricted based on their location, and authorised persons notified if specified security parameters are violated.
- Secure authentication and password management:
Increase login security ad hoc by enforcing multi-factor authentication (MFA), and identity security by integrating MFA into the management of passwords for providers and external staff. Single sign-on can be established so that, for selected sessions, users never see a password. The integrated password cache supports the IT organisation in enforcing password policies even for users outside its own IT infrastructure. Continuous rotation of privileged user passwords and SSH keys reinforces the robustness of the External Access Platform. The standard integrated MFA functionality supports numerous factors, such as OTP, email, SMS, voice and physical tokens. Being vendor-independent, it can seamlessly integrate existing MFA solutions.
- Reliable performance records at the push of a button:
On the one hand, all activities carried out by third parties within your IT infrastructure should be documented; ideally, this record serves as an operational performance record for the activities. On the other hand, a privileged user has the option to voluntarily record critical commands or challenging activities for traceability. A user cannot be secretly recorded under any circumstances. Even when several users cooperate through application sharing, it is possible to record their interactions individually and separately. The optional keystroke recording allows console inputs and commands to be recorded transparently. The recordings have a definable retention period according to legal or organisational requirements and are stored encrypted and audit-proof at a volume of approx. 5 Mb per hour of recording.
VISULOX is a leading privileged access management solution with integrated remote support platform for secure external access. We help answer the question of who did what, where and when in IT infrastructures.
VISULOX is used globally and, on the one hand, fulfils the tasks required by day-to-day operation. On the other hand, it provides the evidence required by laws or regulations. Transparency of third-party activities in particular is mandatory to keep control over what users actually do when accessing the IT infrastructure.
Today, the solution is used by a large number of companies from a wide range of industries in many countries, from installations with 5 users to enterprise installations with over 7,500 concurrent users, at SMEs and Dax30 companies, all implemented without any changes to clients or servers.
Our experience shows that we are good listeners. A short personal conversation can very often save a lot of effort. We would be pleased to meet you for a short appointment, with a live demo if desired.