Kamel Heus at ThycoticCentrify explains how it’s possible to meet the dual challenge of simplifying access and protecting against threats
Providing secure server access for authorised IT staff, whilst simultaneously protecting against malicious threats and hackers who want to steal your data, is the double-edged sword facing every organisation.
When it comes to secure server access, less really is more. The days of granting an IT administrator unfettered access are disappearing, and best practice now demands that access for all users goes through a single, controlled and trustworthy path. For optimum ongoing security, admins can record user activity or, at the very least, monitor users to detect any suspicious activity.
Security teams would be wise to move from unlimited access towards a least privilege approach based on identity and just enough, just-in-time access. Occasionally an administrator may require access via a local admin account, but this is rare. Access can be granted to admins using a unique account assigned to them with user-specific privileges.
The right privileged access tools
Choosing the right privileged access tools can yield a host of benefits. A privileged access management system designed around ‘least privilege’ and ‘ease of use’ ends up ticking multiple boxes. As well as protecting against data theft, it can help your organisation meet compliance requirements and limit the damage an attacker can do with a compromised privileged account.
Another spin-off benefit is that by reducing the complexity normally associated with managing privileged accounts, you can improve efficiencies and thus gain better productivity.
Making access for all IT staff easy, without bypassing security controls, is a question of selecting the right strategy and tools. The key points to consider are whether to choose a native or web browser client; provide login via an admin account or shared account; or choose a cloud SaaS service or an on-site server gateway for access.
The right decisions for your security needs
Choosing between a browser-based portal or a native remote access client is often a highly scrutinised decision. A browser-based portal is the most popular go-to option, and it tends to satisfy the most users. It offers everything required to serve a rising user base and increasing back-end business content and data.
It’s also often the easiest solution: it doesn’t require anything on the workstation, not even network connectivity to the target systems. This model works well for staff in a remote or hybrid working pattern, or for outsourced IT with temporary access.
There are scenarios where IT staff would prefer to use their native remote access client, but this poses a specific set of challenges: the networking required makes connectivity very difficult without granting the user a VPN connection, which conflicts with firewall settings. If their workstation’s native client cannot resolve the target’s hostname via DNS, it won’t even establish the connection.
One fix is a solution that can act as a jump host, or ‘jump server’: it accepts inbound connections from the user, then locates the internal target systems so that user logins can be enabled, tracked and session-recorded.
But what about when an administrator wants to use a native Remote Desktop Protocol (RDP) client instead of a browser?
In this scenario, the most robust solution will remove all obstacles to privileged access, making every option available according to administrator preference – enforcing the security required whilst also simplifying access to IT staff.
The two options that enable the most choice are:
- Using a native client to access a specific target without going via a central portal. Both the client and the target will usually have firewalls and there may be one or more hardware firewalls. IT can use a jump host to broker the connection for the user to the target. “Use-my-account” (UMA) support is useful here: once the user authenticates to a cloud service, they may wish to use their own account to log into a target machine.
- Organisations can also opt for a single pane of glass that covers both cloud-based PAM and traditional break-glass scenarios. For example, should an IT administrator break glass, or simply log on as normal and use privilege elevation? With the right permissions either is possible, and it can be done via a browser on a laptop, workstation, or even a tablet or mobile device, without requiring connectivity to any of the target systems.
Both these options are as simple as choosing a client, selecting network connectivity, and picking an identity.
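The least-privilege, just-in-time model above (identity-bound grants, a jump host brokering sessions, and a recorded break-glass path) as an added illustration that is not code from the article or from ThycoticCentrify; the `Broker` class, its method names, the hard 60-minute cap and the sample identities and ticket reference are all hypothetical, constructed for the example.

```python
"""Added example (not from the article): a minimal just-in-time, least-privilege
access broker. Grants are bound to a named identity (no shared admin account),
scoped to one target and one privilege, and expire on their own; the emergency
break-glass path still works but is always written to the audit trail."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class Grant:
    user: str          # the named identity, never a shared account
    target: str        # one specific server, not a network range
    privilege: str     # just enough: e.g. "ssh-sudo", not blanket "admin"
    expires: datetime  # just-in-time: the grant dies without anyone revoking it

@dataclass
class Broker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # stands in for session recording

    def request(self, user, target, privilege, minutes, now):
        ttl = min(minutes, 60)                   # hypothetical hard cap on JIT lifetime
        g = Grant(user, target, privilege, now + timedelta(minutes=ttl))
        self.grants.append(g)
        self.audit.append((now, user, target, privilege, "granted"))
        return g

    def connect(self, user, target, privilege, now, break_glass_reason=None):
        """Return True if the jump host should broker this session."""
        for g in self.grants:
            if (g.user, g.target, g.privilege) == (user, target, privilege) and now < g.expires:
                self.audit.append((now, user, target, privilege, "session"))
                return True
        if break_glass_reason:
            # Emergency path: allowed, but flagged for review rather than silent.
            self.audit.append((now, user, target, privilege, f"BREAK-GLASS: {break_glass_reason}"))
            return True
        self.audit.append((now, user, target, privilege, "denied"))
        return False

def demo():
    """Constructed scenario: one 30-minute grant, then four connection attempts."""
    now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    b = Broker()
    b.request("alice", "db01", "ssh-sudo", 30, now)
    ok_now = b.connect("alice", "db01", "ssh-sudo", now + timedelta(minutes=10))
    expired = b.connect("alice", "db01", "ssh-sudo", now + timedelta(minutes=45))
    wrong_target = b.connect("alice", "db02", "ssh-sudo", now + timedelta(minutes=10))
    emergency = b.connect("bob", "db02", "rdp-admin", now, break_glass_reason="INC-0000 (constructed)")
    return ok_now, expired, wrong_target, emergency, b.audit
```

Every decision, including the denial and the break-glass override, lands in `audit`, which is the record a reviewer would read in place of a session recording.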
Whether an organisation provides privileged access management tools tends to depend on whether it prioritises security or ease-of-access. If it doesn’t provide them, IT staff will inevitably develop creative ways to work around existing security best practices to suit their preferences. They want ease of use and access, just as business owners do, and will gravitate to their normal practice and processes, whether or not these align with security protocols.
Given the rapidly escalating security threats in our digital world, it’s a dance with disaster for IT staff to circumvent privileged access management. And the more automated and mature a privilege management implementation is, the more effective it will be at reducing the attack surface, mitigating attacks and streamlining work processes.
Kamel Heus is VP of EMEA at ThycoticCentrify