Supratik Pathak

Industrial Grade Secure Remote Operations - Part-2

Continued from Part-1

WHY WE NEED TO THINK BEYOND VPN SOLUTIONS

VPN was initially designed to extend a trusted network to include a remote user and device. Thus, a laptop or desktop outside the company network is able to go across the internet and be part of that trusted business network.

No one stands in your way on a per-session basis; there is multi-factor authentication. Once the VPN is established, the remote device becomes a member of the trusted network. In certain deployments it is possible to have per-user firewall rules, so that once a user is connected there is a limit on what they can access, but this is not always the case. It is also possible to enforce minimum patch and security policy requirements, such as a posture assessment that checks that corporate devices have a minimum antivirus and that Windows Firewall is enabled, but that is all. The device is part of the whole network: once connected to the VPN, the user can reach any server, any workstation, any resource inside the company network. The connection and its termination are logged, but there is no supervision of the user's actions. The log captures that a user connected at this time and moved this much data. Nobody really knows what the user is doing across those sessions, and once connected you could tunnel to anything: Remote Desktop, web services, and other services.

Enterprise Secure Remote Access Feature Set

Going far beyond a typical IT VPN, an enterprise secure remote access solution should layer in security for IT networks and systems in support of a defence-in-depth strategy. Most security professionals recognize that delaying attackers, complicating their attack path, or imposing excessive costs on them are all barriers that help mitigate the risk of complete penetration by a malicious outsider and access to critical assets. Technology feature sets that should be part of an Industrial Grade Secure Remote Access solution are listed below:

  • A single, outbound-initiated remote connection between protected enterprise assets and the centralized communication server, to provide robust security similar to a “data diode,” but with all the additional benefits of bidirectional communication.
  • The ability for on-premise personnel to have the final say in granting remote access to any system. Remote access requests can be configured to require approval by an authorized person at headquarters/site, who is able to supervise and video record the remote activity.
  • Extensive granular controls, such as permissions for each user, preventing them from executing specific remote activities or granting them view-only permissions that prevent them from performing any other remote activity.
  • Advanced encryption, using Transport Layer Security (TLS) v1.2 and higher, with 2048-bit encryption. FIPS 140-2 validated cryptographic modules are also important. (Federal Information Processing Standards (FIPS) is a US-government computer security standard put in place by the National Institute of Standards and Technology.)
  • Use of certificates for authentication, following standard public key/private key cryptography protocols, including to negotiate and transfer a symmetric key for data encryption.
  • Support for two-factor authentication with customized access controls.
  • Password vaulting that allows the use of mapped accounts without disclosing internal shared credentials to less trusted third parties.
  • Full audit trail of authorizations, protocols, sessions, users, etc., with audit logs stored in two isolated locations
  • Authorization and expiration per session, per user, per protocol
  • A just-in-time, point-to-point channel established within the reverse tunnel after authorization
  • Remote user/computer is never part of the trusted network
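
The following is an added example, not code from the original article or from any product. It models four items from the list above as a default-deny check: on-premise approval, authorization with expiry per user and per protocol, view-only permissions, and an audit trail written to two locations. `Grant`, `Broker`, the action name `"view"` and the reason strings are hypothetical names chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Grant:
    user: str
    target: str
    protocol: str
    view_only: bool
    expires: datetime
    approved_by: str = ""  # filled in by the on-premise approver

class Broker:
    """Hypothetical access broker: default deny, no network-level trust."""
    def __init__(self):
        self.grants = []
        self.audit_sinks = ([], [])  # stand-ins for two isolated audit stores

    def _audit(self, now, event, **details):
        for sink in self.audit_sinks:
            sink.append({"time": now.isoformat(), "event": event, **details})

    def request(self, now, user, target, protocol, minutes, view_only=False):
        grant = Grant(user, target, protocol, view_only, now + timedelta(minutes=minutes))
        self.grants.append(grant)
        self._audit(now, "requested", user=user, target=target, protocol=protocol)
        return grant

    def approve(self, now, grant, approver):
        grant.approved_by = approver
        self._audit(now, "approved", user=grant.user, approver=approver)

    def authorize(self, now, user, target, protocol, action):
        """Return (allowed, reason) for one action; every decision is audited."""
        reason = "no grant"  # unlike a VPN, reachability is never implied
        for g in self.grants:
            if (g.user, g.target, g.protocol) != (user, target, protocol):
                continue
            if not g.approved_by:
                reason = "pending approval"
            elif now >= g.expires:
                reason = "expired"
            elif g.view_only and action != "view":
                reason = "view-only"
            else:
                reason = "ok"
                break
        self._audit(now, "decision", user=user, target=target,
                    protocol=protocol, action=action, reason=reason)
        return reason == "ok", reason
```

The caller passes `now` explicitly so that expiry can be checked deterministically; denied decisions are audited as well as allowed ones, which is the per-action record a VPN connection log does not provide.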

ACCOMMODATING FOR SCALE

Another consideration for laying this foundational technology is the ability to scale and grow capabilities as operations evolve.

CONCLUSION

Managing Dynamic Risk Conditions

In recent years, cybersecurity attacks have increased against enterprises, and the nature of risks remains dynamic. Implementing a centralized, secure remote access solution lays the foundation for agility as needed for business continuity in compliance with cybersecurity best practices.

In addition, more recent concerns such as health pandemics may have longer-reaching consequences that are difficult to predict. Implementing a robust architecture that allows for flexible staffing and ongoing operations despite personnel disruptions can represent a wise investment.

Supratik Pathak

SENIOR CYBER SECURITY PROFESSIONAL