Three Best Practices to Get Privileged Remote Access Right for the New Normal Workforce

February 17, 2021 Andrew Silberman

Three best practices

While I haven’t seen many of my co-workers in person in almost a year, we’ve found new, collaborative ways to tackle projects – and along the way, we’ve managed to forge even closer connections. We’ve come up with exciting new ideas in virtual meetings, live-chatted through successful product sprints, and even streamed virtual cooking classes together. Thanks to digital technology, the “watercooler” may be gone, but the culture and camaraderie aren’t.

After settling into the new normal, many employees around the world seem to agree that there is some upside to an otherwise once unimaginable situation. They feel connected and productive at home and want to keep working there long-term. Yet, while many businesses want to enable their employees with flexible models, a major ongoing challenge is securing their distributed workforces, particularly for those requiring privileged access.

In 2020, VPN usage skyrocketed to 277 million downloads worldwide as IT teams worked to bring, and keep, remote workers online. But after months of working from home, 78% of employees said challenges in connecting to corporate systems was their No. 1 gripe with the new working norm. And considering the number of recent breaches linked to remote access systems, it’s clear that providing secure and simple access for remote employees is far from a perfect science.

Every remote worker, third-party vendor, or contractor requiring access to your sensitive company systems needs a way to get inside. The question is, how do you keep the bad guys from doing the same?

Here are best practices your organization can take today to not only bolster remote privileged access security controls but also minimize headaches for your remote employees and trusted third parties:

1. Start with strong authentication. This may seem obvious at this point, but it bears repeating that the ability to authenticate each individual identity – whether a remote worker or vendor – with high accuracy is table stakes for any cybersecurity program today. And for individuals requiring privileged access, it is mission-critical to enforce multi-factor authentication (MFA) any time they require access to sensitive internal resources. With no shortage of MFA options out there (keys, tokens, push notifications, texts, and biometrics, to name a few), what’s less obvious is finding a method that’s both secure and minimally bothersome for the end-user. Productivity and overall morale hinge on that decision – so choose wisely.

2. Re-visit your VPN use. VPNs, if not properly implemented and maintained, can be exploited by attackers to gain privileged access to sensitive systems and data. Attackers know they can skip time-consuming steps in their attack chain (like stealing non-privileged credentials and moving laterally and vertically to escalate privileges) by starting with targeting privileged users connecting from home via VPN. Insecure or misconfigured home routers also introduce risk in the VPN equation – and give attackers an easy “in” to corporate systems. What’s more, home routers often establish a permanent VPN connection, meaning anyone on the home network could access company resources. The 57% of remote workers who admit to allowing household members to use their corporate devices for schoolwork, gaming, and shopping are making attackers’ jobs even easier.

While I’m focusing here on corporate IT infrastructure, it’s also important to acknowledge attacks on operational technology (OT) are on the rise. Recent headlines show how dangerous it can be if attackers gain remote access to critical infrastructure and manipulate systems that power and supply the planet. VPNs are insufficient for these environments and should not be used to provide secure remote access to privileged users, such as operators and engineers. Instead, rigorous security controls must be implemented to secure identities throughout their lifecycle, access should only be brokered via secure gateways connecting directly to critical targets and every privileged session must be monitored and recorded to reduce risk.

3. Don’t mess with people’s workflows. To quote Salesforce CEO Marc Benioff, “Speed is the new currency of business.” And privileged users – from IT admins to cloud security architects – have a lot to do, and need to do it fast. They need to be able to log into their workstations and access systems and applications with minimal disruption. But in distributed work environments, these privileged users often require multiple RDP connections each day – and manually establishing connections over and over is a major pain and slows things down. Remote desktop connection managers can help centralize that process and make life easy on end-users, but they can also create blind spots for security teams. To maintain visibility and minimize risk, make sure that each time a remote connection manager is used to launch a session, the session is isolated, monitored, and recorded. This is really the best of both worlds: it removes end-user friction while giving security teams the information needed to maintain a full audit trail.

Also, consider ways to help your admins, so they can help everyone else. In the remote work world, working nine-to-five has stretched substantially, and admins are feeling the pressure to grant access quickly and smoothly to a disparate, “always-on” workforce. Solutions with push notifications and the ability for admins to get direct requests on their smartphones help fast-track end-user demands while giving admins more flexibility.

Finding the right balance between security and business agility takes time and adjustments along the way. Join our on-demand webinar to dig deeper into these recommendations and explore new features to help you take remote access enablement to the next level. You’ll see how CyberArk Remote Access (formerly Alero) can help your digital business prosper – from the office to the kitchen table, on the road, and everywhere in-between.

Previous Article
The Anatomy of the SolarWinds Attack Chain
The Anatomy of the SolarWinds Attack Chain

Imagine there’s an attacker lurking inside your network right now. Do you have the ability to find out and ...

Next Article
Beyond Buy-In: True Change Is Only Achieved Through Accountability
Beyond Buy-In: True Change Is Only Achieved Through Accountability

If there is one concept that has dominated the tech world over the past few years, it’s … disruption. It se...