Top reasons your security protocols are bypassed during third-party access
In this follow-up post, we delve deeper into the key scenarios where Jan Mortensen, Senior Cloud Solution Architect at Microsoft, encounters security protocol bypasses during third-party access.
BifrostConnect doesn't sponsor Jan, and all opinions expressed are firmly rooted in his personal experiences and insights.
Recall in our previous piece, "Why Remote Access Becomes a CIO's Illusion of Control," we discussed the significant friction driving individuals to bypass official remote access procedures.
For Jan, these scenarios fall into two primary categories: access during the commissioning phase and access within active environments.
Access During Commissioning
- Guiding onsite staff over the phone, a challenging and inefficient method due to language barriers and varying technical skill levels.
- Utilizing hardware-enabled remote access such as iDRAC, iLO, or Intel vPro, where available. These systems are built on dedicated management chips and provide native access to the device. They require activation and configuration via the BIOS, a wired LAN connection, and often a paid license. Many IT departments are wary of them because they form a persistent attack surface: once compromised, they hand a bad actor control of the device.
Access to Live Environments
In live settings, third-party access challenges escalate. Now, the equipment is fully operational, linked to other network devices, and handling active applications, heightening the risk.
End Customer Perspective
Protecting networks and applications is paramount. Using well-known Identity and Access Management (IAM) tools to manage third-party access seems logical but isn't foolproof. As with VPN access through a firewall, once a bad actor gains access, they can move around virtually undetected. The procedure, which includes creating users, defining privileges, granting access within specified service windows, and deactivating users after completion, is labor-intensive, prone to errors, and vulnerable to credential compromise. For Jan, waiting weeks or even months to receive user credentials is not unusual, and that is just the start.
Once user privileges are established, Jan needs to obtain the sanctioned remote access tools. However, Microsoft restricts which applications can be installed and run on his computer, and external VPN clients often clash with Microsoft's own VPN. Using a personal computer instead means forgoing Microsoft's assurance that its security controls keep malware off the end customer's endpoint and network. Additionally, Microsoft's network policies may restrict the types of connections Jan can set up from the corporate network. This is particularly challenging because some end customers only allow access from specific IP addresses.
Once again, workarounds such as the notorious screen-sharing method are employed as operational staff attempt to circumvent these challenges. They do this by allowing Jan to remotely control a laptop with network and application access through a straightforward Teams session. This process provides unauthorized access that often goes unnoticed by IT managers in charge. As for file transfers? Dropbox, WeTransfer, and similar services come into play. These platforms, not officially sanctioned or compliant with any party's policies, are commonly used to transfer updates, log files, or sensitive information, with no guarantee that the data remains secure and unaltered during transmission.
Bridging the Gap with Zero Trust Access
The intersection of critical infrastructure and third-party access is full of pitfalls. Excessive restrictions or management burdens can render tools ineffective or too slow for access requests. Deep integration into critical systems risks creating vulnerable attack surfaces.
The solution? A remote access approach that:
- Enables hands-on capabilities during both commissioning and live environments.
- Operates clientlessly without impacting the end customer's network.
- Adopts a Zero Trust, least privilege, just-in-time methodology.
- Eliminates the need for vulnerable user credentials.
- Reduces management overhead for IT professionals.
- Seamlessly integrates with IAM solutions and ensures comprehensive audit logging.
- Most importantly, alleviates the friction for onsite personnel and third-party specialists, thus eradicating the need for workarounds.
Product Manager at Bifrost