Secure Remote Privileged Access

PAM remote access

With a large portion of the workforce suddenly shifting to a remote model, secure remote access is in critical demand and is stretching resources thin. When I was an IT security team leader in a large corporation, my toughest challenge was getting vendors access to critical systems in a timely fashion. In most cases, it took more time to get a vendor provisioned than the vendor's actual work took.

Secure Remote Privileged Access is a welcome alternative to the conventional provisioning of vendors and consultants who need privileged access. It has the potential to provision access in minutes rather than weeks or months.

Traditional PAM Methods

Traditional remote-access methods cannot provide just-in-time access. Think of Secure Remote Privileged Access as an add-on to an existing Privileged Account Management (PAM) system, such as BeyondTrust, Centrify, or CyberArk. I am intentionally oversimplifying this concept. The add-on leverages the access control, auditing, session recording, and keystroke recording that the privileged session management component of the existing solution already provides.

The Secure Remote Privileged Access add-on consists of vendor provisioning and VPN-less access. Segregation of vendors happens in an external, federated provisioning process, so vendor identities never have to be created in the internal directory. Once provisioned and enrolled via a mobile app, the vendor connects to a web-facing access portal, typically cloud SaaS-based, which after authentication tunnels the vendor's browser to the PAM front end. Authentication is MFA in any of several configurations; the portal typically federates with the vendor-facing identity provider over SAML, so SAML carries the authenticated identity and MFA result rather than acting as a factor itself.

Biometric verification

The PAM system holds no local account for the vendor; instead it references the external federated directory (LDAP), which is fronted by a SAML IdP. Vendors use their phones to provide biometric verification (other methods are available as well). The PAM system then grants external users access to the specific systems or safes where the vendors are needed. Vendors connect transparently to the remote systems without ever having access to a password. Real-time monitoring, session recording, and threat protection are standard. Because the portal can be SaaS-based, spinning up additional instances provides ad-hoc scalability as well as high availability.
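The flow in the two paragraphs above, as an added example that is not from the original article or from any PAM product: a small Python simulation of the broker logic that turns a federated, MFA-backed SAML login into a short-lived grant on one safe and then opens the session without ever handing the vendor the credential. The trusted IdP entity ID, the SAML authentication-context class used as the MFA signal, the vendor-to-safe entitlement table, the vault contents, and every hostname and secret are assumptions constructed for the demo.

```python
"""Simulated just-in-time vendor access broker.

Added example (not code from the original article or any PAM product).
A vendor authenticates at the web portal through a federated SAML IdP with
MFA; the broker maps the federated identity to the one safe the vendor's
organization is entitled to, issues a time-bounded grant, and opens the
session on the vendor's behalf so the vendor never sees the credential.
All identifiers, URIs, hostnames and secrets below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import secrets

TRUSTED_IDP = "https://idp.vendor-federation.example/saml"  # assumed IdP entity ID

# SAML 2.0 authentication context class accepted as proof of MFA
# (assumption: the IdP reports phone-based biometric/push logins this way).
MFA_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"
STRONG_MFA_CONTEXTS = {MFA_CONTEXT}

# Segregation: each vendor organization maps only to its own safe(s) (constructed).
VENDOR_SAFE_ENTITLEMENTS = {
    "acme-db-consulting": {"db-prod-safe"},
    "widgets-network": {"net-core-safe"},
}

# Constructed vault contents: safe -> target host -> (account, secret).
# Only the broker ever reads these.
VAULT = {
    "db-prod-safe": {"db01.corp.example": ("oracle", "constructed-secret-1")},
    "net-core-safe": {"core-rtr1.corp.example": ("admin", "constructed-secret-2")},
}

NOW = datetime(2020, 6, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo


@dataclass(frozen=True)
class SamlAssertion:
    """Fields of the IdP assertion the broker uses (signature verified upstream)."""
    subject: str           # NameID
    issuer: str            # Issuer
    vendor_org: str        # attribute released by the federated directory
    authn_context: str     # AuthnContextClassRef
    not_on_or_after: datetime


@dataclass(frozen=True)
class Grant:
    grant_id: str
    subject: str
    safe: str
    expires_at: datetime


@dataclass(frozen=True)
class SessionRecord:
    """What the session recorder keeps. Deliberately carries no secret."""
    grant_id: str
    subject: str
    target: str
    account: str
    started_at: datetime


class AccessDenied(Exception):
    pass


def sample_assertion(now: datetime, vendor_org: str = "acme-db-consulting",
                     authn_context: str = MFA_CONTEXT) -> SamlAssertion:
    """Constructed assertion as the trusted IdP would issue it after a login."""
    return SamlAssertion("dba@acme-db-consulting.example", TRUSTED_IDP,
                         vendor_org, authn_context, now + timedelta(minutes=5))


def issue_grant(assertion: SamlAssertion, safe: str, now: datetime,
                ttl: timedelta = timedelta(hours=2)) -> Grant:
    """Turn a federated, MFA-backed login into a time-bounded grant on one safe."""
    if assertion.issuer != TRUSTED_IDP:
        raise AccessDenied("assertion not from the trusted IdP")
    if now >= assertion.not_on_or_after:
        raise AccessDenied("assertion expired")
    if assertion.authn_context not in STRONG_MFA_CONTEXTS:
        raise AccessDenied("MFA not satisfied")
    if safe not in VENDOR_SAFE_ENTITLEMENTS.get(assertion.vendor_org, set()):
        raise AccessDenied(f"{assertion.vendor_org} is not entitled to {safe}")
    return Grant(secrets.token_urlsafe(16), assertion.subject, safe, now + ttl)


def broker_session(grant: Grant, target: str, now: datetime,
                   audit_log: list) -> SessionRecord:
    """Open the privileged session for the vendor; the credential stays here."""
    if now >= grant.expires_at:
        raise AccessDenied("grant expired")
    safe_contents = VAULT[grant.safe]
    if target not in safe_contents:
        raise AccessDenied(f"{target} is not in safe {grant.safe}")
    account, secret = safe_contents[target]
    # A real broker would authenticate to `target` with `secret` here (SSH/RDP).
    # The simulation only confirms the secret was retrieved; it is never returned.
    assert secret, "vault returned an empty credential"
    record = SessionRecord(grant.grant_id, grant.subject, target, account, now)
    audit_log.append(record)
    return record


def demo() -> list:
    """One vendor login end to end; returns the audit log of brokered sessions."""
    audit_log: list = []
    grant = issue_grant(sample_assertion(NOW), "db-prod-safe", NOW)
    broker_session(grant, "db01.corp.example", NOW + timedelta(minutes=1), audit_log)
    return audit_log


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The checks worth noting: the grant is only ever issued for a safe the vendor's organization is entitled to, a password-only assertion is refused even from the trusted IdP, the session is refused once the grant's expiry passes, and the record that reaches the session recorder contains the account name but never the secret.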

I wish I had had Secure Remote Privileged Access available to me when I was a security team lead. Provisioning would have dropped from months to minutes, and I would have had a recording of everything accomplished to update internal procedures and runbooks.