Why Remote Access becomes a CIO's illusion of control
At BifrostConnect, we live and breathe remote access – so much that some might say we're slightly biased. That's why we've brought in Jan Mortensen, Senior Cloud Solution Architect at Microsoft, to co-write a series of posts and share his take on the remote access hurdles he faces daily while setting up, assessing, and troubleshooting server and network installations for enterprises globally. Jan isn't sponsored by BifrostConnect, and all opinions expressed are firmly rooted in his personal experiences and insights.
For IT pros, it's no bombshell that Remote Access is a major bottleneck, often creating a lot of friction when external experts come to the aid of big corporations. But, if a CIO shadowed Jan for a day, they'd quickly see that this friction drives folks within the organization to bypass standard tools and security measures to get things done. This tends to fly under the radar of IT admins, giving IT management a false sense of security.
The Remote Access dilemma
VPN, RDP, SSH, Remote Access Software - the choices are many when designing a resilient way of providing remote access to a global workforce, partners, and vendors. Add to that the myriad applications and endpoints needing support, and it's clear why finding a one-size-fits-all remote access solution is a tall order for CIOs, CISOs, and Tech Leads. On the flip side, assembling a collection of tools requested by different teams isn't just a hefty investment; it's also a strain on internal IT to keep up and secure each static application – each a potential entry point for hackers.
As a server and network specialist, Jan helps Microsoft Partners during the commissioning, assessment, and troubleshooting of clients' mission-critical infrastructure.
Time and again, Jan runs into instances where the approved remote access tools don't cut it, leading to rogue workarounds that breach security protocols.
As a fiery cybersecurity advocate, Jan constantly cautions against these shortcuts. Still, when deadlines or business continuity clash with ticket times and bureaucratic delays, operational teams often take a leap of faith. More often than not, these quick fixes do the trick, but once the job's done, these rogue solutions are sometimes forgotten, leaving behind backdoors that Cyber Security Teams cannot see.
The Ideal Remote Access
Whenever Jan aids a partner, he's confronted with the classic trust dilemma – who's given access? Who holds the credentials? Are they being shared unknowingly?
In an ideal world, even if credentials fell into the wrong hands, they'd still be useless because sessions are authenticated and green-lighted just in time. Moreover, remote access should strictly adhere to a least privilege approach, restricting access to the bare minimum needed to accomplish the task. Therefore, keeping Remote Access separate from network access is often advisable to prevent unauthorized entry into other network applications.
When the Trusted Solution Falls Short
To meet this ideal, decision-makers often lean towards solutions they've known and trusted for ages. As a result, tools meant for IT access often end up being used for Operational Technology and backbone tech like servers and networks. However, these solutions are usually far from perfect as they frequently fail to provide the needed access.
For instance, Jan often gets VPN access to a safe zone, only to realize the endpoint he needs isn't even on that network. To reach the endpoint, Jan needs to jump 2 to 3 times via a jump host, ending up with a desktop in a desktop. This makes for a clunky and inefficient workflow, as even simple tasks such as running scripts, copy/paste, and file transfers are impossible. While the jump host solution is somewhat bearable, when it's not attainable or when time is pressing, that's when those notorious workarounds come into play.
Consider an edge-case solution
Above all, CIOs, CISOs, and Tech Leads need to acknowledge that solutions adequate for 90% of standard IT-based scenarios don't cut it for the remaining 10% – the edge cases often linked to third-party access, backbone infrastructure, and OT equipment, where the stakes are much higher.
Therefore, offering a secondary tool that provides zero trust access on demand, without tapping into the customer's network, allows operations to grant hassle-free third-party access during edge cases, cutting out the need for rogue workarounds.
Stay tuned for the next post in this series, where we'll explore real-life situations and unauthorized shortcuts, uncovering the top reasons your security protocols are bypassed during third-party access.
Product Manager at Bifrost