The importance of remote working has increased in the situation that we find ourselves in today and it is also likely that the number of remote workers will continue to risesignificantly. It has come to a stage where the physical location of users matters less and less in how we conduct business nowadays.
One thing to keep in mind is that the increasing number of remote workers do not necessarily take into account the number of remote vendors who function like employees by performing essential tasks for the company. These users often need access to critical systems the same way an employee does. Of course, with greater flexibility for workers comes greater security risks. In order to provide access, organizations often rely on insecure and inefficient methods, typically banking on VPNs to provide secure access.
However, not all remote workers’ privileges are created equal. Some may require access to just email and a smattering of business applications, while others may need access to critical business applications like payroll, HR and sales and marketing data. External IT service providers performing outsourced help desk support require the same broad access as internal IT providers.
Today, we’ll identify the top five types of remote workers who often require elevated privileges to systems.
1. Remote IT or Security Company Employees
These users include people like domain admins, network admins and others who typically access critical internal systems from inside the office but may now have to do it remotely. When IT or security work from outside the office walls, it throws a wrench into security administrators day-to-day.
Identifying the precise levels of access needed by remote IT and security employees and implementing least privilege rights to ensure that they’re only accessing what they need is critical. Traditional solutions like VPNs can’t provide the necessary level of granular, application-level access to do this effectively. Assigning this kind of granular access is important as it helps prevent situations like a Windows admin having access to root accounts.
Integrating security tools with the directory service to provide automated, specific access needs to be set up ahead of time so that, in the event of an unplanned spike in remote work, there’s no gap in IT or security functions while secure conditions for working from home are established.
2. Third-Party Hardware and Software Vendors
Third party vendors for hardware and software, including IT Service providers and contracted Help Desk support, often provide remote services and maintenance that require elevated privileges. These types of vendors would typically require admin-level access to perform tasks on any variety of Windows or Linux servers or databases and are called on to perform patching, system updates and more.
Each of them essentially act as domain level administrators and, thus, can wreak havoc on the environment if not properly monitored and provisioned properly. However, identifying these users and accounting their individual levels of remote vendor access is usually done on a case-by-case basis by administrators which can take a lot of time. It’s important to make sure that all of these users are identified and have the correct access provisioned.
3. Supply Chain Vendors
When supporting the production or delivery of goods isn’t the bread and butter of an organization, it’s common to bring in specialized supply chain vendors to help. These remote users often have access to the network in order to monitor inventory in retail or manufacturing organizations. They may also have access to sensitive data related to forecasted output, quality control and other critical systems that could be related to Industrial Control Systems and Operational Technology (ICS/OT) or on-site supply chain processes.
These vendors may not be the first to come to mind because they’re not qualified as administrators, but supply chain vendors have access that could be leveraged in a dangerous way by malicious attackers or become a serious problem due to inadvertent internal misuse.
4. Services Companies
Service companies that perform departmental tasks like legal, PR and payroll may require access to specific business applications in order to be efficient. It’s important to identify these types of users and enforce the principle of least privilege to make sure they don’t gain access to anything outside of their purview or retain access longer than they need it. It wouldn’t make much practical sense to have a legal service company have access to payroll information; all it would do is increase potential risk.
Business critical applications like Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), cloud consoles and more are important for business continuity and operations, but in the wrong hands the data that lives in these applications can be very dangerous. Identifying who has access to these applications is very important and minimizing the ability to move laterally from one business application to the next can be the difference between a major data breach and business as usual.
5. External Consultants
Business and IT consultants will sometimes need privileged access in order to be productive on the projects that they’re contracted to do, but they should only have that access during the time period they’re contracted for. These types of vendors are temporary by nature and often will only require access for days, weeks or months at a time as they perform their duties. However, within that time frame, external consultants will often receive sweeping access to certain areas of the business.
Identifying early on who these consultants are and what type of access they require (and to what and for how long) – helps reduce risk and safeguard the business. In addition, an external consultant’s access should be closely monitored and secured while active and their access should be automatically deprovisioned as soon as their time working for the company concludes.
As more and more companies lean on remote users as part of their day to day business plan, it’s important that they understand the various types of users that are logging into their systems outside of their offices. And more importantly are managing, monitoring and securing that access.