Top reasons your security protocols are bypassed during third-party access

Top reasons your security protocols are bypassed during third-party access

BifrostConnect Blog

BifrostConnect's Blog

Top reasons your security protocols are bypassed during third-party access

In this follow-up post, we delve deeper into the key scenarios where Jan Mortensen, Senior Cloud Solution Architect at Microsoft, encounters security protocol bypasses during third-party access.
BifrostConnect doesn't sponsor Jan, and all opinions expressed are firmly rooted in his personal experiences and insights.

Recall in our previous piece, "Why Remote Access Becomes a CIO's Illusion of Control," we discussed the significant friction driving individuals to bypass official remote access procedures.

For Jan, these scenarios fall into two primary categories: access during the commissioning phase and access within active environments.

Access During Commissioning

 

Commissioning new equipment typically involves unboxing and integrating fresh hardware into a new setup. Without an installed operating system and a configured network, this stage inherently lacks internet access, rendering traditional remote access solutions ineffective, even with company networks or dedicated 4G modems connected.
 
During commissioning, compliance regulations tend to be less stringent since the equipment is not yet processing sensitive data or connected to corporate networks. So, what's the alternative when an on-site visit isn't feasible? The solution varies depending on the type of equipment:

 

Computers and Servers
Without direct remote access, Jan’s options include:

 

  • Guiding onsite staff over the phone, a challenging and inefficient method due to language barriers and varying technical skill levels.

 

  • Utilizing hardware-enabled remote access like iDRAC, iLO, vPro, if available. These systems, embedded with dedicated chips, enable native device access. They require activation and configuration via BIOS, a LAN-based network connection, and often a paid license. Many IT departments are wary of these services due to their potential as static attack surfaces, offering bad actors control once security is breached.
 
Network Equipment
Typically configured via terminal or local web interfaces. Here, onsite personnel might connect a laptop to the equipment, allowing Jan to remote control through remote desktop or Teams screen-sharing. However, this method can inadvertently grant Jan unauthorized admin access to sensitive networks and applications.

 

Access to Live Environments

 

In live settings, third-party access challenges escalate. Now, the equipment is fully operational, linked to other network devices, and handling active applications, heightening the risk.

End Customer Perspective
Protecting networks and applications is paramount. Using well-known Identity Access Management (IAM) tools to manage third-party access seems logical but isn't foolproof. Similar to VPN access through firewalls, once a bad actor gains access, they can move around virtually undetected. The procedure, which includes creating users, defining privileges, granting access within specified service windows, and deactivating users after completion, is labor-intensive, prone to errors, and vulnerable to credential compromise. For Jan, waiting weeks or even months to receive user credentials is not unusual, but this is just the start.

Third-party Perspective
Once user privileges are established, Jan needs to obtain the sanctioned remote access tools. However, Microsoft imposes restrictions on which applications can be accessed and installed on his computer, and external VPNs often clash with Microsoft's VPN. Utilizing a personal computer means forgoing the assurance from Microsoft that its security systems prevent malicious software or malware from infiltrating the end customer's endpoint or network. Additionally, Microsoft's network policies may restrict the types of connections Jan can set up when working on a corporate network. This is particularly challenging as some end customers restrict access to specific IP addresses.

Once again, workarounds such as the notorious screen-sharing method are employed as operational staff attempt to circumvent these challenges. They do this by allowing Jan to remotely control a laptop with network and application access through a straightforward Teams session. This process provides unauthorized access that often goes unnoticed by IT managers in charge. As for file transfers? Dropbox, WeTransfer, and similar services come into play. These platforms, not officially sanctioned or compliant with any party's policies, are commonly used to transfer updates, log files, or sensitive information, with no guarantee that the data remains secure and unaltered during transmission.

 

Bridging the Gap with Zero Trust Access

 

The intersection of critical infrastructure and third-party access is full of pitfalls. Excessive restrictions or management burdens can render tools ineffective or too slow for access requests. Deep integration into critical systems risks creating vulnerable attack surfaces.

The solution? A remote access approach that:

  • Enables hands-on capabilities during both commissioning and live environments.
  • Operates clientlessly without impacting the end customer's network.
  • Adopts a Zero Trust, least privilege, just-in-time methodology.
  • Eliminates the need for vulnerable user credentials.
  • Reduces management overhead for IT professionals.
  • Seamlessly integrates with AIM solutions and ensures comprehensive audit logging.
  • Most importantly, alleviates the friction for onsite personnel and third-party specialists, thus eradicating the need for workarounds.

Interested in learning more? Watch our webinar for an introduction to securing remote third-party access in critical infrastructure, or contact us for a demo.

Image link

Lasse Irmer

Product Manager at Bifrost

Discover How You Can Establish Zero Trust Access to Your Equipment

Get in touch with one of our experts today.

Explore related resources