
“Trust is good, but control is better” –  Thoughts concerning third-party privileged access in the cloud

By Rasa Siegberg on March 2, 2016

Internet sources cite Vladimir I. Lenin as the origin of the quote in the title. My knowledge of history is not deep enough to tell what the context of the utterance was, but I am rather certain that the father of the Russian Revolution was not thinking of allowing trusted third parties access to his ICT infrastructure.


All well on Cloud 9? 

Yet the quote fits well a situation that is becoming familiar to an ever-growing number of enterprises that host their production IT services in ubiquitous cloud hosting environments. Moving an e-commerce site, a CRM system, or just the corporate web pages to the cloud offers many attractive benefits with little headache. A successful cloud hosting customer enjoys freedom from hardware maintenance, sees CAPEX turn into OPEX, and gets peace of mind from predictable cost models and easy ROI calculation. The cloud hosting providers' marketing message is less vocal on the things that do not change with cloud adoption.

Outsourcing Effort – In-house Accountability

While many hosting tasks are almost too apt to be outsourced to best-of-breed experts and service providers, corporate accountability is nothing of the kind. Regardless of the model of hosting and service provision, compliance with the various regulatory requirements always remains the responsibility of the corporate players themselves. While the actual system administration (application configuration, database optimization, performance tuning, etc.) may be, and often is, performed by external consultants over secure and encrypted remote access, the responsibility for the outcome of those actions lies with the customer.

To express the situation in plain English – a number of people have invisible and unlimited access to resources that you are responsible for. A chilling thought, is it not?

Turn on the lights. And control.

The monitoring and auditing of remote access connections to corporate resources can be described by analogy with a surveillance camera. With monitoring and auditing, the hitherto unseen actions under the hood of the corporate IT can be detected, controlled, and recorded for later perusal (as evidence, if necessary).

And as with the security camera, the mere existence (and knowledge) of a watchful eye may itself improve security. Who would want their misdeeds recorded on digital media?

While there are businesses where such visibility and control may be a mere convenience, the most pressing motivation is regulatory responsibility. Any system that stores, handles, and processes sensitive data, such as credit card numbers, healthcare records, or personnel records, is under a clear mandate from its respective regulator to comply with certain minimum auditing criteria. These criteria are spelled out in industry-specific laws and standards, such as the Sarbanes-Oxley Act (SOX) for the financial industry, HIPAA for healthcare, and PCI-DSS for the card payments industry.

A sample scenario where such requirements come into play for third-party access could be an external database expert doing performance tuning on an e-commerce platform over a secure management connection. Since the database contains payment-related data, the requirements of the PCI-DSS standard must be complied with.

Audit the Encrypted Channels – for Control and Compliance 

To make the most of external or third-party experts' services, and to do so in a way that lets corporate management sleep at night, some level of third-party privileged access control is a hard requirement. Deploying a PSM (Privileged Session Management) solution strikes an optimal balance of security, control, and auditability.

Opening up an encrypted channel through the corporate firewall and into the heart of the corporate ICT infrastructure requires that incoming sessions can be recognized, their contents inspected and filtered, and the sessions recorded for later replay. Identifying an encrypted administrative session and inspecting its contents allows real-time control over thus far invisible privileged access. The same method can easily be extended to filter the sessions in order to detect and repel attempts to infiltrate malware or to exfiltrate sensitive data. The session recordings can be used for replays: for education, for service reviews, or, in the worst case, for forensics when criminal activity is suspected. All this can be realized with CryptoAuditor, a solution from SSH Communications Security, the original inventors of the SSH protocol itself.

CryptoAuditor is an effective and non-intrusive solution for managing the third-party privileged access. For more information, see our product pages at: http://www.ssh.com/products/cryptoauditor

If you have read this far, I suggest you try out our trial version of CryptoAuditor to see for yourself how easy it is to monitor third-party access.
