Three Tips for Managing Privileged Access in Remote Work Environments
by Mahesh Babu, on May 01, 2020
Recent public health concerns aside, teams are becoming more and more distributed as a way to access a broader talent pool, drive down fixed costs and improve employee retention. Gartner predicted that by 2021, the increase in remote workers will allow organizations to support 40% more employees in the same amount of office space they currently use [1]. A recent Gallup study revealed that 37% of employees would change jobs for one that allows for remote work at least part of the time [2].
What this implies, especially in firms with a technology-heavy work force, is that you now have more privileged users (e.g., engineers, DevOps, help desk personnel) than ever before accessing sensitive resources and operating with elevated privileges over a remote connection.
There are three key best practices that firms can employ today to manage this without adding friction to employee experience:
- Implement Single Sign-On (SSO) and multi-factor authentication (MFA) for access to company resources for all employees: Implementing a robust SSO offering will ensure strong authentication, robust password management (including complex password requirements and change frequency), as well as authorization to the right resources. This will also allow remote employees to conduct their day-to-day work without the added friction of handling multiple accounts and complex passwords.
- Enforce an added MFA or VPN layer for access to sensitive resources: A developer accessing a company’s code repository remotely, or an admin logging into a critical production server, should be treated differently from ordinary access. Specifically, an added VPN layer will enable companies to segment their IP and critical infrastructure and control access to those resources separately. In addition, an added MFA layer for administrators may be applied to these resources to verify sensitive actions (e.g., code commits, production config changes).
- Offer remote access to production servers / critical infrastructure only on a Just-in-Time (JIT) basis: Having standing authorization to critical infrastructure or sensitive production environments could increase a company’s risk exposure. This is primarily because if an attacker hijacks the remote session, they would have immediate access to the critical infrastructure. If access is managed on a JIT basis, the attacker would not be able to access the critical resources, even if they hijacked the remote session.
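As an added example (not code from the original post or from any product), the following Python sketch shows how the second and third tips combine in one access decision: a session that passed SSO still needs a recent step-up MFA for sensitive resources, and production access additionally needs an active, time-boxed Just-in-Time grant approved by a second person. The resource names, user records, timestamps and the `walkthrough()` timeline are all constructed for illustration, and the class and function names are assumptions, not any vendor's API.

```python
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed resource classes for the example (not from the article).
SENSITIVE = {"code-repo", "prod-db"}   # require a recent step-up MFA
PRODUCTION = {"prod-db"}               # additionally require an active JIT grant


@dataclass
class Session:
    """State an SSO provider would carry for a remote user's session."""
    user: str
    sso_authenticated: bool
    mfa_verified_at: Optional[float] = None   # epoch seconds of the last step-up MFA


@dataclass
class JitGrant:
    """A time-boxed authorization to one production resource."""
    user: str
    resource: str
    expires_at: float


class AccessPolicy:
    def __init__(self, mfa_max_age: float = 600.0):
        self.mfa_max_age = mfa_max_age       # step-up MFA stays valid this long (seconds)
        self.grants: List[JitGrant] = []
        self.audit: List[str] = []           # every grant and decision is logged for the SOC

    def request_grant(self, user, resource, ttl, approver, now=None) -> JitGrant:
        """Issue a JIT grant; a second person must approve, so nobody self-grants."""
        now = time.time() if now is None else now
        if approver == user:
            raise PermissionError("JIT grants need a second person to approve")
        grant = JitGrant(user, resource, now + ttl)
        self.grants.append(grant)
        self.audit.append(f"grant user={user} resource={resource} ttl={ttl} approver={approver}")
        return grant

    def revoke(self, user, resource, now=None):
        """End a grant early, e.g. when the change window closes."""
        now = time.time() if now is None else now
        for g in self.grants:
            if g.user == user and g.resource == resource:
                g.expires_at = min(g.expires_at, now)

    def decide(self, session, resource, now=None) -> str:
        now = time.time() if now is None else now
        verdict = self._evaluate(session, resource, now)
        self.audit.append(f"{verdict} user={session.user} resource={resource}")
        return verdict

    def _evaluate(self, session, resource, now):
        if not session.sso_authenticated:
            return "deny:unauthenticated"
        if resource in SENSITIVE:
            stale = session.mfa_verified_at is None or now - session.mfa_verified_at > self.mfa_max_age
            if stale:
                return "deny:step-up-mfa-required"
        if resource in PRODUCTION:
            active = any(g.user == session.user and g.resource == resource and g.expires_at > now
                         for g in self.grants)
            if not active:
                return "deny:no-active-jit-grant"
        return "allow"


def walkthrough():
    """Constructed timeline: an admin does a change, then the session token is reused later."""
    policy = AccessPolicy(mfa_max_age=600)
    t0 = 1_000_000.0
    admin = Session("alice", sso_authenticated=True, mfa_verified_at=t0)
    results = {}
    results["wiki"] = policy.decide(admin, "wiki", now=t0)              # allow: not sensitive
    results["prod_no_grant"] = policy.decide(admin, "prod-db", now=t0)  # deny: no JIT grant yet
    policy.request_grant("alice", "prod-db", ttl=900, approver="bob", now=t0)
    results["prod_with_grant"] = policy.decide(admin, "prod-db", now=t0 + 60)
    # Same SSO session reused 20 minutes later: MFA is stale and the grant has lapsed.
    results["hijacked_later"] = policy.decide(admin, "prod-db", now=t0 + 1200)
    # Still inside the MFA window, but the grant was revoked when the change finished.
    policy.revoke("alice", "prod-db", now=t0 + 300)
    results["after_revoke"] = policy.decide(admin, "prod-db", now=t0 + 400)
    return results


if __name__ == "__main__":
    for step, verdict in walkthrough().items():
        print(f"{step:16} {verdict}")
```

The point of keeping `now` as an explicit parameter is that the policy is deterministic and easy to test; in a real deployment the same checks would sit in the identity provider or a bastion, and the `audit` list would be shipped to the SIEM so that a "deny:no-active-jit-grant" on a production resource from a long-lived session stands out as a signal worth investigating.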
The good news is that there are tools (commercial grade, enterprise grade and open source) that can be leveraged to quickly implement these best practices. With a few steps and a little elbow grease, happy, productive, cost-effective and secure remote teams can be a reality.
[1] https://www.gartner.com/account/signin?method=initialize&TARGET=http%253A%252F%252Fwww.gartner.com%252Fdocument%252F3887664
[2] https://subscription.packtpub.com/book/networking_and_servers/9781788623179/5/ch05lvl1sec79/using-mimikatz