For obvious reasons, the vast majority of your system administrators, DevOps teams and software engineers are forced to adopt remote work habits right now. They are called privileged users for a reason: they have access to business-critical databases and maintain IT infrastructures. But are security controls under threat now that this shift has been so sudden?
Here are five ways companies can ensure their secure remote access is fast and convenient without adding operational obstacles or weakening their security posture.
1. Mitigate the risk of privilege abuse by removing credentials from all IT
The risk of password sharing increases in a decentralized model. There are reasons why passwords and secrets get shared, and the pressure to do so for the sake of convenience and expediency only mounts under exceptional circumstances.
This naturally raises concerns about data breaches, but attackers rarely need to break in by force: they would rather harvest compromised credentials, using tactics like AI-assisted spear phishing. According to the Verizon Data Breach Investigations Report, 81% of hacking-related breaches involved stolen or weak passwords.
You have probably heard of passwordless authentication in the business application context (like Office 365). How about the same ease of use and a reduced risk of privilege abuse for your subcontractors and DevOps teams? With our solution:
- they get single sign-on (SSO) access to target hosts without anyone handling any passwords or privileged credentials or seeing any secrets at any point
- access is granted just-in-time, based on unique, short-lived certificates that expire automatically once the authorized session window ends
- there are no leave-behind permanent credentials to steal, lose, misconfigure or harvest
- you get multi-factor authentication (MFA) or it can interface with existing passwordless authentication methods that Identity and Access Management (IAM) providers offer, like biometric authentication
Gartner also recommends that companies move away from standing privileges towards a zero standing privileges (ZSP) model with just-in-time (JIT) privilege elevation.
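The mechanism behind the "ephemeral certificates" and "no leave-behind credentials" points above is, in the SSH case, the OpenSSH certificate authority: a CA key signs a freshly generated per-session key with a principal and a validity window, and the target host trusts only the CA's public key. The script below is an added example of that mechanism using stock ssh-keygen and sshd_config options; it is not PrivX or SSH.COM code, and the directory layout, principal name and the /etc/ssh/user_ca.pub path are assumptions.

```shell
#!/bin/sh
# Added example, not PrivX code: just-in-time SSH access with OpenSSH
# certificates. A CA key signs a fresh per-session user key with a short
# validity window and a single principal; the target host only holds the
# CA public key, so there is no per-user credential to steal or harvest.
# Directory and principal names are assumptions for the demo.
set -eu

issue_ephemeral_cert() {
    # $1 working directory (the CA key lives here only for the demo; in
    #    practice it stays on the access broker, never on target hosts)
    # $2 principal: the account on the target host the user may log in as
    # $3 validity in ssh-keygen -V syntax, e.g. +10m = from now, ten minutes
    work="$1"; principal="$2"; validity="$3"
    mkdir -p "$work"

    # CA key: the only long-lived secret in the system
    [ -f "$work/ca" ] || ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$work/ca"

    # Fresh session key, generated per request rather than handed to the user
    # as a standing credential
    rm -f "$work/session" "$work/session.pub" "$work/session-cert.pub"
    ssh-keygen -q -t ed25519 -N '' -C "session-for-$principal" -f "$work/session"

    # Sign it: -I is the key id (logged by sshd, so it ties the session to the
    # audit trail), -n limits which accounts the cert is good for, -V bounds
    # its lifetime. Nothing has to be removed later; it simply stops working.
    ssh-keygen -q -s "$work/ca" \
        -I "jit-${principal}-$(date +%s)" \
        -n "$principal" \
        -V "$validity" \
        "$work/session.pub"

    # Print the certificate: Key ID, Valid window and Principals
    ssh-keygen -L -f "$work/session-cert.pub"
}

cert_principal() {
    # First principal embedded in the certificate issued for $1/$2/$3
    issue_ephemeral_cert "$1" "$2" "$3" | awk '/Principals:/{getline; print $1; exit}'
}

sshd_trust_ca_snippet() {
    # The only change needed on the target host: trust the CA public key
    # copied to $1 (path is an assumption). No authorized_keys per user.
    printf 'TrustedUserCAKeys %s\n' "$1"
    printf 'PubkeyAuthentication yes\n'
}

# Demo run: issue a ten-minute certificate for the "deploy" account
[ "${1:-}" = "demo" ] && issue_ephemeral_cert "${TMPDIR:-/tmp}/jit-demo" deploy +10m
```

Two caveats a practitioner will want: the validity window is enforced by the target host's clock, so hosts need working time synchronization, and a certificate that must be cut off before it expires has to be revoked explicitly through sshd's RevokedKeys (KRL) option, which is why short windows matter.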
2. Minimize training and configuration needs, maximize simplicity
We believe in an agentless model where you do not need to install or configure any software components on your target hosts. There is also no need to spend days training anyone on how to use the solution. So instead of signing in to their usual remote terminals, consultants and administrators simply:
- log in to a browser-based UI
- see only the servers, cloud hosts, web applications or network devices they are authorized to access
- are granted only the right level of privilege to get the job done
You can even define the duration of the session in advance with just a couple of clicks. One less reason for teams to adopt shadow IT practices, since security doesn’t get in the way of productive work. Also, this is nicely aligned with the Zero Trust framework: by default you should not trust anyone to access anything but instead verify and validate each time access is needed.
3. Automate onboarding, offboarding and auditing of outsourced IT
Our solution interfaces directly with your identity management system (IAM/Active Directory/LDAP) where identities and authorizations are located. Your admin then simply maps your IAM users and groups to corresponding roles within our solution, enabling role-based access controls (RBAC).
This is a one-time configuration, after which our product automatically keeps both your 3rd parties and admins up-to-date on any changes in authorizations. This makes onboarding, changing roles and offboarding hassle-free and your Joiners, Movers and Leavers process is mostly automated.
Admins no longer need to grant, modify and revoke access with the right entitlements manually per individual. They can simply verify that developers have just the right level of privilege for the task at hand.
All sessions are logged, giving you a solid audit trail, and sessions can be recorded if needed to support compliance with mandatory regulations like GDPR. Through industry-standard REST application programming interfaces (APIs), audit data can be forwarded to security information and event management (SIEM) or data loss prevention (DLP) systems for further processing.
4. Choose a scalable solution for the hybrid and multi-cloud
A sudden spike in remote workers affects operations and software needs in IT. We believe in a solution that is purpose-built for the hybrid and multi-cloud and is based on microservices architecture that matches the elasticity of the cloud where servers are spun up and down all the time. The solution can be deployed within days and it requires virtually no maintenance to ensure that your Return on Investment (ROI) and Total Cost of Ownership (TCO) are great.
Our solution auto-discovers all cloud hosts (Amazon Web Services, Azure, Google Cloud Platform) and keeps you up-to-date on their status automatically.
5. Think beyond VPNs, jump hosts or bastion hosts
If there is a sudden spike in remote traffic, VPNs come under tremendous pressure, and the VPN is the first security checkpoint for software engineers. If a DevOps engineer cannot reach the VPN, she cannot reach the next checkpoint either.
The next checkpoint is usually a jump host or bastion host. However, these need to be set up, re-configured and updated constantly. Combined with the access lifecycle management complexity already mentioned, this simply becomes a nightmare for your IT admin or security staff. And they are still operated with passwords.
Passwordless privileged access management (PAM) made easy
Take the leap towards making secure remote access a positive experience for your software engineers, admins and third parties. Our solution, PrivX, is a quick-to-implement and scalable privileged access management (PAM) solution for establishing secure remote access to hosts, network devices and web applications, and for managing third-party access.
With PrivX, you still get all the required security checkpoints, but they are baked into the process and mostly invisible to the user. Read more about the 5 must-haves of a modern PAM solution.
We make a pledge to you: in a new environment, where nothing has to be replaced, our solution is up and running in your production environment in less than a week. Contact us here.