How to secure remote access with Osirium PAM

More than ever, attention must be given to reviewing and securing remote access methods into an IT environment. With more people than ever working outside corporate offices, the question of how they can safely access the IT systems they need to do their work, while protecting those valuable systems from attack, must be a priority.

In this blog, we’ll discuss who we’ll be granting access to, what access they need, and how to enable them to access the systems and devices they need while improving their productivity and IT security.

What’s the problem with traditional remote access?

Remote access can be applied to anyone connecting to the environment from outside of the corporate network. The remote users could be external suppliers, contractors, or staff working from home, connecting across the internet.

Usually, the easiest and simplest method to enable remote access is to deploy a Virtual Private Network (VPN). But this isn’t without risk. For example, the VPN obscures the traffic on connections, so it’s hard to tell what happened while the connections were active. There may only be logs of the times a client was connected for auditing purposes, not what systems were accessed or what was done during those sessions.

The VPN doesn’t help ensure the security profile of the client system. For example, what software is installed, what accounts and their privilege levels are on the client, what password policies are enforced, and so on. Besides anything else, accessing the VPN usually requires the remote user to install an appropriate client and configuration – hard enough for remote staff, even harder for external suppliers or other third-parties. There is a risk that poorly managed clients could be compromised, say by malware, and infect corporate systems if the client connects to internal devices directly via the VPN.

Then there are the general best-practice principles of “least privilege” (sometimes known as “POLP”) – ensuring only the right people have the right level of access to the right systems for just the amount of time they need it. A VPN offers nothing to help in this regard.

Screensharing or remote access tools are also being deployed, but these can still hand a user an elevated session. Sessions may also need someone watching the work being carried out - every mouse click! There is little in the way of captured audit trails, and recordings are often clunky and require a lot of storage (if we remember to enable recording at the start!).

The PAM advantage for remote workers and third-parties

Osirium’s Privileged Access Management (PAM) solution addresses those challenges, simplifies and secures remote access, and provides the audit trails to achieve compliance and satisfy auditors.

How do we do this? It starts with separating remote access from managing the privileged access. With the PAM UI appliance, you can expose just a web portal to the internet for external users to connect to, without exposing the crown jewels. As a result, you can securely control and manage the user’s authentication before they even get access to the credentials they’ll be using. Once they’re past that step, a secure connection to the internal PAM server is established on behalf of the user, so they are always operating over a brokered, air-gap style connection rather than a direct network path.

PAM Remote Access Architecture

Here’s what it looks like as a high-level overview:

An overview of enabling remote access without exposing internal systems using Osirium PAM

With this configuration, there are a number of advantages:

  • Only the PAM UI server is deployed in the DMZ (or other internet-facing zone), which means there’s no access from outside the business to the PAM Server. The PAM Server is only accessible from within the corporate network.
  • The remote user doesn’t need to install any specific client software. They only need to access PAM via a supported web browser.
  • The remote user accesses the PAM UI where authentication, including multi-factor authentication (MFA) if desired, takes place – before the user can even reach the PAM Server. That authentication can use Active Directory (AD) based or Local User account authentication within PAM. With Local Users, time-based expiration can be applied, ensuring access is only granted during the allowed periods (ideal for situations such as a vendor only having access to do maintenance outside regular office hours).
  • Once successfully authenticated, the PAM UI opens a secure connection with the internal PAM Server to traverse the network zones. There’s no need to open RDP or SSH ports anywhere.
  • The PAM Server then connects the user to the target devices using privileged account credentials. Those credentials are never passed to the user’s workstation, so they can’t be compromised there.
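To make the access decision described above concrete, here is an added illustration (not Osirium’s code) of the checks a broker at the UI tier would apply before opening any connection on the user’s behalf: MFA must have passed, the local-user grant must not have expired, the user is mapped to a role rather than a raw account, and the request must fall inside the allowed maintenance window. The grant data, user names and times are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time


@dataclass(frozen=True)
class AccessGrant:
    """A time-bounded grant for a local (third-party) user. Constructed example."""
    user: str
    role: str               # the role the user acts through, not a privileged account
    targets: frozenset      # device names the role is allowed to reach
    window_start: time      # daily allowed window (UTC); may wrap past midnight
    window_end: time
    expires_at: datetime    # hard expiry of the grant itself


def in_window(now: time, start: time, end: time) -> bool:
    """True if `now` falls inside [start, end); handles windows such as 18:00-06:00."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def evaluate(grants, user: str, target: str, now: datetime, mfa_passed: bool):
    """Decide at the UI tier whether to broker a session. Returns (allowed, reason).
    The user never receives credentials; on success only the role name is returned."""
    if not mfa_passed:
        return False, "mfa required"
    for grant in grants:
        if grant.user != user:
            continue
        if now >= grant.expires_at:
            return False, "grant expired"
        if target not in grant.targets:
            return False, "target not permitted for role"
        if not in_window(now.time(), grant.window_start, grant.window_end):
            return False, "outside maintenance window"
        return True, f"broker session as role {grant.role}"
    return False, "no grant for user"


# Constructed sample: a vendor allowed on two devices, only 18:00-06:00 UTC, until 1 July.
VENDOR_GRANTS = [
    AccessGrant("vendor-ops", "db-maintenance", frozenset({"db01", "db02"}),
                time(18, 0), time(6, 0), datetime(2024, 7, 1))
]

if __name__ == "__main__":
    print(evaluate(VENDOR_GRANTS, "vendor-ops", "db01", datetime(2024, 6, 15, 2, 0), True))
```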

You can see how this all looks to the user in the video below. The experience is the same, whether it’s a remote or on-premise user.

Osirium PAM – The best solution for remote access

With the PAM UI, organizations can secure remote privileged access without exposing the keys to their kingdom. External users can access just the UI and only use the privileged accounts that they have been provisioned to use. Osirium PAM can provide the user with access to a Role, rather than an actual privileged account, to achieve least-privilege. The accounts the users interact with have their credentials and passwords managed automatically by Osirium PAM, ensuring they are changed regularly, have appropriate complexity, and access is easily removed when necessary.

Additionally, the privileged sessions are always recorded, so the full video and keystroke data is available should it need to be reviewed.

Finally, workflows such as request-for-approval and ticket system integration can provide additional context on why a user is connecting, and allow the request to be reviewed before access is granted or denied.

You can see the benefits of Osirium PAM for third-party and remote access in this video.

Ultimately, the organization benefits from secure remote access, a great user experience, and improved system security beyond what is possible with VPN-based remote access.

If you’d like to learn more, please get in touch.
