Many organizations today rely on contracted remote vendors to manage critical systems, freeing themselves up to focus on their own core competencies. However, the fact that these vendors operate remotely further breaks down the traditional IT perimeter and introduces a new challenge — ensuring that remote vendors have proper access to the specific systems that they need while only providing access when they need it. Organizations often track who is accessing what systems or assets within their environment using the first step of authentication – where users or machines somehow prove that they are who (or what) they say they are. It’s only when every remote vendor user is identified and authenticated that the process of granting (and removing) access can begin.
Relying on manual processes to provision and de-provision access to remote vendors is far from foolproof and introduces lots of potential issues. Remote vendors are contracted for only specific periods of time and, typically, aren’t part of the Active Directory or other directory services. They also usually only need access to a specific subset of systems, bound by either the length of their contract with the host organization or the number of sessions it takes to complete their tasks. Manual processes often lead to any combination of: over-provisioning access so that remote vendors get access to systems they don’t need, under-provisioning access and making it difficult for the remote vendors to do their jobs or leaving unnecessary standing access for the vendor long after it’s moved on.
Bring-your-own-device policies have become the norm for remote access, making the job of the IT security team that much harder and further breaks down the “perimeter” as we know it. IT teams need a way to ensure that these devices are secure even when they’re accessing critical systems from afar. Zero Trust focuses security policies and access controls on user and device identity rather than the location of the user or the device. This affects what the ideal method of authentication is.
Proving identity through authentication, whether outside or inside the office, can take many shapes. Examples include classics like entering a username and password combination or more modern methods like biometric recognition systems or using a trusted and known device. At a high-level, authentication typically takes three forms:
- Something you know. Examples: A secret word or a username and password combination
- Something you have. Examples: Your smartphone or a name badge
- Something you are. Examples: A fingerprint or a retina scan
These are the three top-level forms of authentication, but there are countless technological advances that introduce ways for companies to regulate and track who’s accessing what. One thing that’s typically recommended, especially for critical assets, is instituting an additional layer of security with multi-factor authentication, which requires users to utilize more than one method of proving their identity. This can include something they know, like the answer to a security question or something they have, like a text message confirmation sent to a cell phone.
Up until recently, authentication for remote vendors has typically leveraged VPNs, which provide sweeping network access for remote users. While VPNs do have security measures in place to attempt to verify identity, they often allow remote vendors unfettered access to systems that they don’t need to access. Some organizations opt to ship corporate laptops to their remote vendors, only granting access through these remote computers. Agents installed on the laptops ensure that remote vendors only access the systems they’re supposed to. This falls back on the “something you have” form of authentication and leaves organizations susceptible to laptop theft or damage.
“Something you know” and “something you have” are both methods with inherent blind spots. “Something you know” can be figured out by someone else. Cyber attackers have a 30-year history of cracking loosely protected passwords. “Something you have” can be stolen or intercepted. Mobile devices, corporate laptops and the equivalent, being portable, are all very vulnerable to this. So, organizations look for new ways to secure their most sensitive internal systems. People lose their devices or re-use passwords more often than we care to admit. But, your fingerprint, for example, will always be unique patterns. Using a retina or fingerprint scan instead of a password or a company phone can remove avenues of attack and improve security while also making for a smoother process for the end-user.
By introducing a better form of biometric authentication, organizations can provide remote vendors with a stronger and more convenient method of confirming their identity. However, managing all of that can be a lot of work. Most of the common methods require establishing back-end policies and strategies to ensure that users are only accessing the systems that they need for their jobs, provisioning this access when it’s needed and de-provisioning access when the need is over. Until recently, there wasn’t a good solution to this problem.
Biometric authentication is particularly suited for Zero Trust for the same reason that it’s ideal for authenticating remote vendors – biometric authentication can’t be stolen, lost in transit, forgotten or figured out. For this reason, organizations using the Zero Trust security model often choose biometric authentication to verify their remote vendors. Combining biometric authentication with a strong backend solution enables organizations to provide only the right access to remote vendors and automatically provision and de-provision. That is exactly what CyberArk Alero does.
Learn more about CyberArk Alero, a new SaaS-based solution from CyberArk. Alero combines Zero Trust access, biometric authentication and just-in-time provisioning to secure remote vendors accessing critical systems managed by CyberArk. It doesn’t need VPNs, agents or passwords and creates a seamless and secure experience for IT administrators, operations teams and remote vendor users.