The physical location of users matters less and less in how we conduct business in the new normal. Even before COVID-19 changed the way business is done, a 2019 study showed that 62% of people surveyed worked from home at least part of the time. In the same study, 82% of those who worked remotely at least part of the time reported that they planned to either maintain or increase their level of remote work. Further, more than half (51%) of those who did not do any remote work wanted to start. These numbers have surely only gone up since.
One additional thing to keep in mind is that these figures don’t even take into account the number of remote vendors who function like employees by performing essential tasks for the company. These users often need access to critical systems the same way an employee does. Of course, with greater flexibility for workers come greater security risks. To provision access, organizations often rely on insecure and inefficient methods, typically VPNs, to provide secure access.
However, not all remote workers’ privileges are created equal. Some may require access to just email and a smattering of business applications, while others may need access to critical business applications like payroll, HR and sales and marketing data. External IT service providers performing outsourced help desk support require the same broad access as internal IT providers.
Today, we’ll identify the top five types of remote workers who often require elevated privileges to systems and discuss how privileged access management (PAM) can help organizations provide secure and easy access to critical systems.
1. Remote IT or Security Company Employees
These users include people like domain admins, network admins and others who typically access critical internal systems from inside the office, but are now working from home as the default. When IT or security staff work from outside the office walls, it throws a wrench into security administrators’ day-to-day.
Identifying the precise levels of access needed by remote IT and security employees and implementing least privilege rights to ensure that they’re only accessing what they need is critical. Traditional solutions like VPNs can’t provide the necessary level of granular, application-level access to do this effectively. Assigning this kind of granular access is important as it helps prevent situations like a Windows admin having access to root accounts.
Integration between security tools and the directory service, to provide automated, specific access, needs to be set up ahead of time so that, in the event of an unplanned spike in remote work, there’s no gap in IT or security functions while secure conditions for working from home are established.
2. Third-Party Hardware and Software Vendors
Third-party vendors for hardware and software, including IT service providers and contracted help desk support, often provide remote services and maintenance that require elevated privileges. These types of vendors would typically require admin-level access to perform tasks on a variety of Windows or Linux servers or databases and are called on to perform patching, system updates and more.
They each essentially act as domain-level administrators and, thus, can wreak havoc on the environment if not properly monitored and provisioned. However, identifying these users and accounting for their individual levels of remote vendor access is usually done on a case-by-case basis by administrators, which can take a great deal of time. It’s important to make sure that all of these users are identified and have the correct access provisioned.
3. Supply Chain Vendors
When supporting the production or delivery of goods isn’t the bread and butter of an organization, it’s common to bring in specialized supply chain vendors to help. These remote users often have access to the network in order to monitor inventory in retail or manufacturing organizations. They may also have access to sensitive data related to forecasted output, quality control and other critical systems that could be related to Industrial Control Systems and Operational Technology (ICS/OT) or on-site supply chain processes.
These vendors may not be the first to come to mind because they don’t qualify as administrators, but supply chain vendors have access that could be leveraged in a dangerous way by malicious attackers or become a serious problem due to inadvertent internal misuse.
4. Services Companies
Service companies that perform departmental tasks like legal, PR and payroll may require access to specific business applications in order to be efficient. It’s important to identify these types of users and enforce the principle of least privilege to make sure they don’t gain access to anything outside of their purview or retain access longer than they need it. It wouldn’t make much practical sense for a legal service company to have access to payroll information; all it would do is increase potential risk.
Business-critical applications like Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), cloud consoles and more are important for business continuity and operations, but in the wrong hands the data that lives in these applications can be very dangerous. Identifying who has access to these applications is very important, and minimizing the ability to move laterally from one business application to the next can be the difference between a major data breach and business as usual.
5. External Consultants
Business and IT consultants will sometimes need privileged access in order to be productive on the projects that they’re contracted to do, but they should only have that access during the time period they’re contracted for. These types of vendors are temporary by nature and often will only require access for days, weeks or months at a time as they perform their duties. However, within that time frame, external consultants will often receive sweeping access to certain areas of the business.
Identifying early on who these consultants are and what type of access they require (and to what and for how long) helps reduce risk and safeguard the business. In addition, an external consultant’s access should be closely monitored and secured while active, and their access should be automatically deprovisioned as soon as their time working for the company concludes.
Imagine this. A consultant is brought on for a three-week project, gets poor feedback and feels slighted in how they are compensated. If they aren’t deprovisioned automatically, it’s possible they could maintain elevated levels of access past the end of their contract and use it to cause irreparable harm to the organization as payback. While this may seem like an unlikely scenario, it’s just one example of the harm elevated access can cause if not monitored and updated regularly.
As more and more companies rely on remote users as a necessity for day-to-day business plans, it’s important that they understand the various types of users that are logging into their systems outside of their offices and, more importantly, that they are managing, monitoring and securing that access.
While it can feel like an overwhelming task, CyberArk Alero is a SaaS offering that helps organizations provide and provision secure access to remote users accessing critical systems managed by CyberArk. It can be easily deployed across any number of remote users without the need for VPNs, agents or passwords.