Many IT administrators know the uneasy feeling of having to let a developer or a designer from the other coast do work on your servers. No doubt they asked for administrator or root access. And most likely they will pass those credentials down the chain to whoever actually does the scripting on those computers. In itself this is not a bad thing: it quickly brings the best person from anywhere in the world to a specific problem. But what should you do? Email them a certificate? Point to corporate policy and say "no" for now? Promise to start the process of creating an AD account? Call your boss? After all, someone still has to do the job on those servers, and the sooner the better.
This article discusses several ways to handle this situation and how to be ready for the request. IT administration has become more specialized in the last decade. New parts of the administrator's job are not even about doing the administration but about letting other people from remote offices, vendors or contractors take over. The vast majority of them are trusted people, but the communication usually happens over the public Internet, with its constant background level of attacks.
There are several threats to consider when granting a third party access to your computers. How these risks rank depends on the situation.
Risk Associated with the Communication Channel
Nobody should trust the Internet as a communication channel, so posting a password on a web site in plaintext is clearly a bad idea. Moreover, once a password has crossed an untrusted, unencrypted channel even once there is a risk of compromise that may not be noticed right away. The risk might still be acceptable, but it leads to the revocation issue discussed later.
Risk Associated with Receiver
Most likely the end user is trusted (otherwise pick another contractor). Still, it is worth knowing when a contractor logs in and, ideally, exactly what they did, so that any negative consequences can be traced to the work done on the servers or proven unrelated to it.
Risk Associated with Access Revoke
Traditionally it is easier to grant access to a resource than to revoke it. So when granting access it makes sense to think about how to revoke it once it is no longer needed. Ideally, set the expiration at the moment the access is created.
Granting the Access
The simplest way to give somebody root access is to email or message the credentials. Perhaps even send the account name and the password (or certificate) over two unrelated channels: username by email, password by text message. Encrypted email would help, although the setup and key exchange must be done ahead of time. Making sure all recipients go through the same secure server (MS Exchange or Skype for Business) does not solve the problem either, because once disclosed the credentials can be forwarded anywhere.
The biggest issue with disclosing the password is revoking the access. The only way to make the credentials invalid is to change them at the source. First, that affects other (usually unknown) people who will not learn the new credentials. Second, admins must remember to reset these passwords on time. However, sometimes the group of server users is small and such events are rare, so the simplicity of this method is worth the risk and the follow-up work of revoking access.
Below is the table that summarizes the pros and cons of emailing (or messaging) the password to the destination.
|Pros||Cons|
|Simple and quick to use||Exposes credentials to the communication channel|
|No preparation needed||Hard to revoke access|
|-||Works only for resources reachable directly from the Internet (in front of the firewall)|
|-||Provides no monitoring or auditing capabilities|
Another typical way to let remote users work with corporate resources is to open VPN access to the network. There are numerous VPN implementations, from the one included with the operating system to complex infrastructures that require hardware to be shipped to the end user.
This method protects the communication channel, although it requires some preliminary work to set up the access. When client-side hardware or special software is required, it becomes harder for the end user. The notebook with the special VPN hardware is often in the wrong place at the wrong time (I left the laptop at the office but need to fix something now at 2:00 a.m.), which slows down the right person from doing the work. VPN handles revoking access to all resources at once well, but revoking access to some resources while keeping others open can be a challenge. In addition, once connected to the corporate network the user may reach additional resources, either by being placed in some common directory groups or simply by being inside the network.
The table below summarizes the benefits and risks of using a VPN to grant access to internal resources.
|Pros||Cons|
|Secure communication channel||Hard to set up and use, especially when a hardware device must be shipped|
|Revoking global network access is easy, although revoking individual accounts, resources or services is challenging||VPN allows flexible configuration on the network firewall but requires significant skill and effort to do so|
|Provides some monitoring capabilities||Provides too much access to unrelated resources|
|Enables access to resources behind the firewall||Hard to use for resources outside of the network|
Content Management System
A clever way to distribute privileged account credentials is to keep them as records in a content management system. The Content Management System (CMS) could be an on-premises one like Microsoft SharePoint or OpenText ECM Suite, or a cloud one such as Google Drive, Office 365 OneDrive for Business or Dropbox Enterprise. In either case a CMS can provide permission-controlled access for both internal and external users. A CMS reduces the communication-channel risk by providing an authenticated, encrypted path to the data, but the password itself still sits in plaintext in the document, readable by anyone with access to the record.
When the organization develops a culture of managing credentials in a CMS, revocation becomes a bit easier than with emailed credentials, because a password change or certificate revocation is reflected in the same place for everyone who has permission to see the record.
Below is an assessment of the benefits and drawbacks of using a CMS as a credential management solution.
|Pros||Cons|
|Secure communication channel||Requires third-party software|
|Easier to revoke access (compared to email or VPN)||Stores passwords in plaintext|
|Provides identity-level permissions||Lacks field-level permissions|
|-||Provides little monitoring or auditing capability|
Enterprise Password Manager
Enterprise password managers include an identity vault, a database for secrets. This component stores sensitive information such as passwords, certificates and keys and lets it be shared among system users. Good password managers allow external users to join the system and access identities in a secure, permission-controlled way.
Some identity vault implementations even include a process that resets the account password on the remote system some time after the identity has been disclosed to the external user. The vault then remembers the new password for everyone else to use when needed. This gives a very good revocation experience while keeping the network accounts as safe as possible. In addition, most enterprise password managers keep a detailed audit trail of system access and permission changes.
There are multiple enterprise password manager vendors on the market. Examples include Oracle Privileged Account Manager, Thycotic Secret Server, BeyondTrust PowerBroker and Xton Access Manager.
The table below compares the benefits and drawbacks of using identity managers to control access to company accounts.
|Pros||Cons|
|Easy to use after setup||The system discloses the password to the user, who can pass it on|
|Easy / automated access revocation||Requires special software|
|Maintains audit logs of identity access||No monitoring of what the user actually does on the system after the credentials are disclosed|
|Secure communication channel||-|
Session Manager
Session managers create and maintain a communication channel between the remote client and the server, usually in the form of an RDP, SSH or VNC session. Used in combination with a password manager, a session manager can log a user into a remote server based on the user's permissions in the password vault, without the user ever knowing the password or holding the access key. A session manager can monitor the session, record a video of it, restrict the commands a user can execute on the remote server and alert admins about certain activities.
A session manager used together with an identity vault provides the strongest access control over the accounts in the organization among the options discussed here. Because the user never learns the password, access is revoked simply by removing the user's permission in the identity vault, without even resetting the actual account. CyberArk and Balabit are two examples of vendors that make session manager products.
Session managers used to be complex and hard-to-maintain systems that required client-side and server-side agents as well as a heavy server installation. With technological advances, however, some vendors now offer simple, lightweight, agentless session and identity management solutions that can be (and probably should be) used by the majority of organizations, whether small, medium or large.
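The three mechanisms above (setting the expiration at the moment access is granted, resetting the password after an identity vault discloses it, and a brokered session that never reveals the credential and only passes allow-listed commands) are easy to see side by side in a small model. The following is an added illustration written for this article, not code from Xton Access Manager or any other product; the account name "root@db01", the user "contractor" and the command patterns are made-up inputs, and the actual SSH/RDP transport is simulated by an audit entry.

```python
"""Toy privileged-access broker: grants with built-in expiry, password
checkout followed by rotation, and a brokered session with a command
allow-list and an audit trail. Constructed example, not product code."""
import fnmatch
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    """Permission for one user to reach one account; expiry is set at creation."""
    user: str
    account: str            # e.g. "root@db01" (hypothetical host)
    expires_at: datetime
    allowed_cmds: tuple     # shell-style patterns a brokered session may run


@dataclass
class Vault:
    passwords: dict = field(default_factory=dict)   # account -> current password
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)       # (time, event, user, account, detail)

    def log(self, now, event, user, account, detail=""):
        self.audit.append((now.isoformat(), event, user, account, detail))


def grant_access(vault, user, account, ttl, now, allowed_cmds=("*",)):
    """Create the permission and its expiration in one step."""
    g = Grant(user, account, now + ttl, tuple(allowed_cmds))
    vault.grants.append(g)
    vault.log(now, "grant", user, account, "expires " + g.expires_at.isoformat())
    return g


def revoke_access(vault, user, account, now):
    """Drop the permission only; the account password is left untouched."""
    before = len(vault.grants)
    vault.grants = [g for g in vault.grants
                    if not (g.user == user and g.account == account)]
    vault.log(now, "revoke", user, account)
    return len(vault.grants) < before


def active_grant(vault, user, account, now):
    for g in vault.grants:
        if g.user == user and g.account == account and now < g.expires_at:
            return g
    return None


def checkout_password(vault, user, account, now):
    """Password-manager style: disclose the secret, then rotate it so the
    disclosed copy stops working while the vault keeps the new value."""
    if active_grant(vault, user, account, now) is None:
        vault.log(now, "checkout-denied", user, account)
        return None
    disclosed = vault.passwords[account]
    vault.log(now, "checkout", user, account, "password disclosed")
    vault.passwords[account] = secrets.token_urlsafe(24)
    vault.log(now, "rotate", user, account, "password reset after disclosure")
    return disclosed


def brokered_command(vault, user, account, cmd, now):
    """Session-manager style: the broker resolves the credential itself, the
    user never sees it, and only allow-listed commands reach the host."""
    g = active_grant(vault, user, account, now)
    if g is None:
        vault.log(now, "session-denied", user, account, "no active grant")
        return False
    if not any(fnmatch.fnmatchcase(cmd, pat) for pat in g.allowed_cmds):
        vault.log(now, "command-denied", user, account, cmd)
        return False
    _credential = vault.passwords[account]   # opens the session; never returned
    # A real product would open SSH/RDP with _credential here; simulated.
    vault.log(now, "command", user, account, cmd)
    return True


def demo():
    """Run the contractor scenario and return the observable outcomes."""
    t0 = datetime(2020, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed clock
    v = Vault(passwords={"root@db01": "initial-secret"})
    grant_access(v, "contractor", "root@db01", timedelta(hours=8), t0,
                 ("systemctl status *", "journalctl *"))
    out = {
        "ok_cmd": brokered_command(v, "contractor", "root@db01", "systemctl status nginx", t0),
        "bad_cmd": brokered_command(v, "contractor", "root@db01", "rm -rf /", t0),
        "expired": brokered_command(v, "contractor", "root@db01", "journalctl -u nginx",
                                    t0 + timedelta(hours=9)),
        "checkout": checkout_password(v, "contractor", "root@db01", t0),
        "rotated": v.passwords["root@db01"] != "initial-secret",
        "stranger": checkout_password(v, "nobody", "root@db01", t0),
        "revoked": revoke_access(v, "contractor", "root@db01", t0),
    }
    out["after_revoke"] = brokered_command(v, "contractor", "root@db01",
                                           "systemctl status nginx", t0)
    out["events"] = [e[1] for e in v.audit]
    return out


if __name__ == "__main__":
    for k, val in demo().items():
        print(k, "=", val)
```

Note the difference in revocation: after `checkout_password` the old password is dead only because it was rotated, and anyone who copied it before rotation had a window of use; after `revoke_access` the brokered path fails immediately and the account password never changed, which is the point made in the session manager discussion.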
The table below summarizes the pros and cons of using session management systems for access control.
|Pros||Cons|
|No identity disclosure||Requires special software|
|Easy to use after setup||Requires preliminary setup|
|Provides the strongest control over identities||-|
|Maintains audit logs of identity and account access||-|
|Records actual remote sessions||-|
|Restricts commands executed on the remote server||-|
The intention of this article is to discuss an access architecture that lets qualified professionals work together on complex problems easily and safely. The problem of granting access to remote contractors did not even exist for most organizations a decade or two ago. Improvements in communications have made it possible for people to collaborate globally. The goal of the technology is to make that collaboration more efficient without making it less secure.
What do you think about our assessment? How do you handle this situation today? Please comment on this article. Let's make the world better connected and more secure, together.
Xton Access Manager is an unlimited, agentless, cross-platform privileged access management solution built from the ground up with an enterprise feature set. Simple to implement, without your typical enterprise cost and effort.