Given the recent explosion in remote working, you’d be forgiven for thinking it was a relatively new phenomenon. Much of the talk in the business arena has been focussed on adapting standard practices to fit the novel situation we find ourselves in. But the tools needed to make these changes were in fact already available for organisations to use, as even before our current situation, remote working was on the up. One study from Q1 2019 even found that almost three quarters (73 per cent) of UK employees considered ‘flexible working’ to be the new norm, a considerable figure.
Remote working studies often overlook third parties such as contractors and partners however, who require access to critical systems the same way an employee does. In order to provision access, organisations frequently lean on insecure and inefficient methods, typically relying on VPNs.
However, not all remote workers’ privileges are created equal. Some may require access to just email and a smattering of business applications, while others may need access to the full suite of critical business applications including payroll, HR, and sales and marketing data. External IT service providers performing outsourced help desk support, for example, require the same depth of access as internal IT providers.
We’ve identified the top five types of remote workers who require elevated privileges to systems and how best to secure them below.
1. Remote IT employees
Remote IT employees include users like domain admins and network admins who typically access critical internal systems from inside the office but may now have to do it remotely. When IT work is done from outside the office walls, it throws a wrench into the security administrators’ day-to-day.
Identifying the precise levels of access needed by remote IT and security employees and implementing least privilege rights to ensure that they’re only accessing what they need is critical. Traditional solutions like VPNs can’t provide the necessary level of granular, application-level access to do this effectively. Assigning this kind of detailed access is important as it helps to prevent situations where unwanted users have access to root accounts – the account with the most privileged access within a system.
In order to overcome this hurdle, security tools must be integrated with the directory service to provide automated, specific access needs set up ahead of time. This means that, in the event of an unplanned spike in remote work, there are no gaps in IT or security functions while secure conditions for working from home are established.
2. Third-party hardware and software vendors
Third party vendors for hardware and software, including IT service providers and contracted help desk support, often provide remote services requiring elevated privileges. These types of vendors would typically require admin-level access to perform tasks on any variety of servers or databases because of their role.
Third parties therefore are entitlement with very high, and in some cases, far reaching privileges – which represent a huge risk if their access is targeted by attackers. Identifying these users and accounting for their individual levels of remote vendor access is usually done on a case-by-case basis by administrators. The downside of this vital measure is that it can take a huge amount of time, so many businesses are beginning to introduce automated security policies which authenticate each user when they try to access certain information or systems.
3. Supply chain vendors
It’s common for businesses to bring in specialised supply-chain vendors to help support the delivery or production of goods. These remote users often have access to the network in order to monitor organisations’ inventories, forecasted output, quality control, and other critical systems that could be related to Industrial Control Systems or on-site supply chain processes.
These vendors may not be the first to come to mind because they’re not as qualified as administrators, but supply chain vendors have access that could be leveraged in a dangerous way by malicious attackers, or become a serious problem due to inadvertent internal misuse.
4. Service companies
Service companies that perform departmental tasks like legal, PR, and payroll may require access to specific business applications in order to be efficient. It’s important to identify such users and enforce the principle of least privilege so they don’t gain or retain access to anything they shouldn’t. It would not make much practical sense for a legal service company to have access to payroll information, for example. All it would do is increase potential risk.
Business-critical applications like Customer Relationship Management (CRM) or Enterprise Resource Planning (ERP) are important for business continuity and operations, but in the wrong hands the data that lives in these applications can be misused. Identifying who has access to said applications is important. Minimising the ability to move laterally from one business application to the next can be the difference between a major data breach and business as usual.
5. External consultants
Business and IT consultants will sometimes need privileged access in order to be productive on the projects that they’re contracted to do. These types of vendors are temporary by nature and will often only require access for days, weeks, or months at a time. However, within that time frame, external consultants will often receive sweeping access to certain areas of the business.
Identifying early on who these consultants are and what type of access they require helps reduce risk and safeguard the business. In addition, an external consultant’s access should be closely monitored and secured while active. Their access should be automatically deprovisioned with equal importance as soon as their contract concludes. If given negative feedback, a consultant may feel the need to take vengeful or disruptive action against the company, as experienced by Jet2 back in 2018. Deprovisioning access in a timely fashion reduces this risk.
Whilst it can seem like an overwhelming task to secure the broad range of users who have access to an internal network, there do exist some solutions that bear the weight of the burden. One of such solutions is Privileged Access Management, a cybersecurity measure that provides individual accounts with unique access controls. Third-party vendors, consultants, and service companies will, therefore, only ever have access to the areas of a network that are vital to their functions. Contemporary SaaS solutions provide the answer to those businesses that are looking for a one-stop-shop for remote security.
As more and more companies lean on remote users as part of their day-to-day business plan in the expected ‘new normal’, it’s important that the various types of users logging into their systems are closely monitored and secured. Without these measures put in place, businesses risk being thrown into a whole new crisis resulting from a cyberattack or data breach in the worst-case scenario.
David Higgins, EMEA Technical Director, CyberArk