Achieving Zero Trust Remote Access with Privileged Access Management

Written by Matt Miller, BeyondTrust.

The radical shift to embrace largescale remote work—and even a work-from-anywhere mindset, the accelerated pace of digital transformation, the proliferation of ransomware, and massive breaches (i.e. SolarWinds Orion, Colonial Pipeline, etc.) together have kicked down the last vestiges of the perimeter-focused security mindset. In the wake, the concept of zero trust has finally sailed past the threshold of aspiration to one of enterprise necessity. According to an IDSA study, 93% of IT security professionals now say zero trust is strategic to securing their organization.

A zero trust security posture condenses the threat surface, helping to protect against everything from simple malware to advanced persistent threats to insider threats. It can not only help prevent attacks outright, but also stop lateral movement, or otherwise mitigate, an attack in progress. Privileged access management is not only fundamental to supporting zero trust, it also helps enable these desirable security outcomes.

With the massive expansion of remote working and utilization of cloud services, insecure remote access pathways have multiplied. These pathways are actively under attack by threat actors. By remediating these weak spots with privileged access security controls, organizations can reduce the likelihood of breaches, while also supporting a zero trust architecture (ZTA).

Common Remote Access Technologies Run Counter to Zero Trust

The urgency to “go remote” in response to the COVID-19 pandemic compelled organizations to lean into VPNs and remote access technologies, like remote desktop protocol (RDP), more heavily than ever. This seismic workplace shift magnified the considerable, pre-existing security faults inherent to many remote access technologies. Tools like VPN and RDP have their valid use cases, but the problem is they are routinely treated as the default ways for IT to provide access, including for use cases for which they are clearly a security mismatch.

For instance, here are a couple use cases where VPN should never be implemented:

• Providing access to a third-party vendor or privileged user
• Providing access to a user operating from a personal device (BYOD)

In addition, cyberattackers have exploited dozens of VPN vulnerabilities over recent years to breach businesses and government agencies. Threat actors grasp that, once a VPN is compromised, they can often skate by the stack of traditional, perimeter-based security controls (firewalls, etc.) to gain unencumbered access to a company’s network.

Likewise, RDP is a useful tool. While leveraging RDP on a private network for remotely accessing a computer is a valid use case, RDP should never be exposed to the Internet.

According to the Ransomware Uncovered 2020/2021 report, ransomware attackers relied exploiting publicly accessible RDP servers to gain an initial foothold in the majority (52%) of their attacks. In 2020, ransomware attacks surged 150%. Of course, 2021 has been littered with spectacular ransomware-related attacks, such as the shutdown of Colonial Pipeline—an attack that reportedly originated via a dormant VPN account accessed via a compromised credential.

VPN – Not a “Security” Tool

VPNs were developed to extend access and protect data in transit to outside the traditional company network. While various VPN technologies may differ in their security features, they are each more aptly understood as a business enablement technology, as opposed to a security tool.

Here are some VPN shortcomings that are important to understand:

• Incapable of enforcing the principle of least privilege (PoLP): VPNs provide all-or-nothing remote access to corporate networks. Open-ended access swells the attack surface, especially where IT staff and external contractors need privileged access. The risk is amplified—and utterly unjustifiable—when a user is provided VPN access via their personal device (BYOD). Some of the heightened risks associated with personal devices include having local admin rights, lack of security hardening and compliance, outdated/unpatched software, and devices shared among others those in the household.
• No session monitoring or management: VPNs cannot effectively exert oversight over sessions. This deficiency creates risky blind spots and compliance issues.
• Complicated to securely implement. Misconfigured VPNs are a common error that creates backdoor access for threat actors.
• Prone to vulnerabilities (which may be onerous to patch): Due to fears of disrupting access or performance, enterprises often neglect, or delay, VPN device and software patching.
• Poor scalability: VPN technology has high dependencies on the bandwidth of the external connection into the environment, internal network links connecting the VPN into the network, and network segmentation to isolate external connections from sensitive resources. VPNs can max out capacity, prohibiting users from initiating new sessions and leading to performance degradation for those users already connected.

How to Align Remote Access with Zero Trust

A zero trust architecture (ZTA) treats all access requests as potentially malicious—a stark departure from the all-or-nothing access allowed by VPNs. While there are multiple frameworks (NIST, Forrester, etc.), at its core, zero trust aims to eliminate default and persistent trust, enforce continuous authentication, apply least privilege everywhere, and implement segmentation and microsegmentation. This also entails the deployment of technology to monitor and manage data, users, applications, assets, and other resources between zones, and, more importantly, authentication within a zone(s).

Put simply, a mature zero trust architecture should have visibility and control over who is doing what, and why, across the network. But what are the practical pieces to improving security around remote access and align with zero trust?

Here are 7 tips for maturing your zero trust security controls for remote access:

1. Disable remote access protocols (RDP, SSH, VNC, etc.) as a default on computing devices
2. Implement a remote access solution that doesn’t require inbound Internet connections. These solutions typically direct outbound traffic via ports 80 and 443 and can replace VPN and reverse proxies.
3. Inject managed credentials to initiate the remote access session, always obfuscating the credentials from the end user.
4. Enforce least privilege across all remote access sessions—including to disconnected networks—with privilege elevation strictly controlled.
5. Apply just-in-time access policies. Only grant access for those finite moments appropriate contextual triggers are met. This means access should be ephemeral rather than persistent, and expire based on time, completion of a task, or a change in context around the access or vulnerability of the asset, application, resource, etc. being accessed.
6. Implement application-level microsegmentation that prevents users from discovering apps for which they lack authorization to access
7. Monitor, manage, and audit all privileged remote access sessions. This entails video screen recordings of all session activities, keystroke logging, and more. The typing of inappropriate commands or other suspicious activities should generate automated alerts and/or initiate workflows that enable the pausing or terminating of a session.

As a foundational component of enabling the zero trust approach, Privileged access management (PAM) solutions can help organizations achieve the above list of security measures. PAM solutions minimize cyber risk and ensure all access is appropriate, managed, and documented. This means replacing inappropriate use of VPNs, RDP, and other remote access tools and protocols. PAM can also be applied to improve the security of RDP and other remote access technologies for their valid use cases.

Insecure remote access pathways have become the attacker’s path of least resistance. Zero trust remote access, enabled by privileged access security controls, represents a constructive movement towards a more secure architecture.

About the Author

Matt Miller is Director, Content Marketing at BeyondTrust. Prior to BeyondTrust, he developed and executed marketing strategies on cyber security and cloud technologies in roles at Accelerite (a business unit of Persistent Systems), WatchGuard Technologies, and Microsoft. Earlier in his career Matt held various roles in IR, marketing, and corporate communications in the biotech / biopharmaceutical industry. His experience and interests traverse cyber security, cloud / virtualization, IoT, economics, information governance, and risk management. He is also an avid homebrewer (working toward his Black Belt in beer) and writer.