With the recent pandemic, the remote office became the rule: IT administrators needed to keep their access to critical assets without being inside the corporate network. External providers may also need access to your critical assets inside your corporate network when they are outside.
These connections need to be secured, and you need to ensure that only the right person can access the right resource for the right purpose. Also, how can we protect the passwords of the privileged accounts used through external access?
Moreover, to comply with regulations or policies, or simply to keep a trace if an incident occurs, you may need to keep logs of privileged access and be able to hand them to auditors or authorities.
The user installs a heavy client on his device and connects to the corporate network through a VPN tunnel. Inside this tunnel, all the traffic is encrypted.
This solution has some drawbacks:
- It may require the installation of a thick client on the contractor's workstation or, more globally, a tunnel between the two companies, which requires additional effort for deployment and maintenance.
- Monitoring the sessions of privileged users is not possible, so these accesses cannot be audited. Without the logs, the organization can be out of compliance.
- The user must know the privileged account credentials to connect to resources, so an attacker may take advantage of that to steal and use them.
- It can be complex to restrict access rights for users, accounts, and computing processes to only those resources absolutely required to perform contractor activities.
Wallix Access Manager
In addition to deploying a PAM (Privileged Access Management) solution with Wallix Bastion (which manages privileged access inside the corporate network), it is possible to add Wallix Access Manager.
Wallix Access Manager allows external users to access critical resources through the Bastions without any VPN client or plugin. Users connect to a web interface and can access the same resources as when they connect to the Bastion directly.
Meanwhile, they can connect to critical resources through the web interface without installing anything on their side.
This solution provides many advantages including:
- The integration of multi-factor authentication: even if an attacker knows a user's password, he must also have access to that user's second factor. The Access Manager supports authentication with RADIUS, which is a standard for a second factor, and it also supports SAML. For example, with RADIUS:
- The interface is user-friendly. Once connected, the user can directly open any of his privileged accesses with a single click. He can search for the wanted resource, and the connection is established directly through his web browser, without installing any client or plugin and without revealing the password of the privileged account. This connection can be RDP, SSH or even a file transfer with SCP or SFTP; everything is done through the web browser.
- The connection between the user and the Access Manager is secured with HTTPS.
- The solution takes all the benefits of the PAM (Privileged Access Management) solution Wallix Bastion, which include:
  - The management of privileged accounts (automatic password rotation): users who connect to critical resources do not need to know the passwords of the privileged accounts.
  - Easy management of rights on privileged access (who can access what, and under which conditions?).
  - The recording of privileged sessions and of the activities of the privileged accounts.
- All privileged accesses are recorded and logged, and all the audit logs are accessible inside the Access Manager. So, when auditors want to review sessions done through the Access Manager, they can connect to one of them and access all the sessions done.
As you can see, Wallix Access Manager gives a flexible and secure way for external users to connect to critical resources without compromising the security and compliance of your organization.
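The RADIUS second-factor exchange mentioned in the multi-factor authentication bullet above, as an added example that is not part of the original article and not Wallix's own code: a minimal RFC 2865 Access-Request / Access-Accept round trip in Python between a web front end (in the position of the Access Manager) and a RADIUS server. The shared secret, the user name `alice` and the one-time code are constructed values, and the server-side `EXPECTED_OTP` table is a hypothetical stand-in for a real OTP backend; the User-Password hiding, the Type/Length/Value attribute layout and the Response Authenticator computation follow the RFC.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data (hypothetical): the secret shared by the web front end and
# the RADIUS server, and the one-time code the server currently expects per user.
SHARED_SECRET = b"constructed-shared-secret"
EXPECTED_OTP = {"alice": "492817"}


def encode_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide User-Password with the RFC 2865 section 5.2 MD5 XOR stream (client side)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block  # next keystream block is chained on the previous ciphertext block
    return out


def decode_user_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Reverse of encode_user_password (server side); strips the zero padding."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = encoded[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def build_attrs(attrs) -> bytes:
    """Serialize (type, value) pairs as Type / Length / Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data: bytes) -> dict:
    """Parse Type / Length / Value attributes into a {type: value} dict."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(header: bytes, request_auth: bytes, attrs: bytes) -> bytes:
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(header + request_auth + attrs + SHARED_SECRET).digest()


def client_access_request(user: str, otp: str, ident: int = 7):
    """Front end side: build one Access-Request carrying the user's second factor."""
    request_auth = os.urandom(16)  # fresh random Request Authenticator per request
    attrs = build_attrs([
        (ATTR_USER_NAME, user.encode()),
        (ATTR_USER_PASSWORD, encode_user_password(otp.encode(), SHARED_SECRET, request_auth)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def server_handle(packet: bytes) -> bytes:
    """RADIUS server side: recover the OTP, decide, and sign the reply with the secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    fields = parse_attrs(packet[20:length])
    decision = ACCESS_REJECT
    if code == ACCESS_REQUEST and ATTR_USER_NAME in fields and ATTR_USER_PASSWORD in fields:
        user = fields[ATTR_USER_NAME].decode(errors="replace")
        otp = decode_user_password(fields[ATTR_USER_PASSWORD], SHARED_SECRET, request_auth)
        expected = EXPECTED_OTP.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), otp):
            decision = ACCESS_ACCEPT
    header = struct.pack("!BBH", decision, ident, 20)  # no reply attributes in this example
    return header + response_authenticator(header, request_auth, b"")


def client_verify_response(response: bytes, request_auth: bytes, ident: int = 7) -> bool:
    """Front end side: trust the verdict only if the reply is authenticated with the shared secret."""
    code, resp_ident, length = struct.unpack("!BBH", response[:4])
    header, resp_auth, attrs = response[:4], response[4:20], response[20:length]
    expected = response_authenticator(header, request_auth, attrs)
    return hmac.compare_digest(expected, resp_auth) and resp_ident == ident and code == ACCESS_ACCEPT


def second_factor_ok(user: str, otp: str) -> bool:
    """Whole round trip: the front end asks, the server answers, the front end checks."""
    request, request_auth = client_access_request(user, otp)
    return client_verify_response(server_handle(request), request_auth)


if __name__ == "__main__":
    print("alice with correct OTP:", second_factor_ok("alice", "492817"))
    print("alice with wrong OTP:  ", second_factor_ok("alice", "000000"))
```

The point of checking the Response Authenticator on the front end is that an Access-Accept can only be produced by a party holding the shared secret, so a spoofed reply from elsewhere on the network is discarded. Because the RADIUS integrity and password-hiding mechanisms are MD5-based, deployments normally keep the link between the web front end and the RADIUS server on a protected transport (for example RadSec, RADIUS over TLS, or an IPsec-protected network) rather than relying on the RFC 2865 constructions alone.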
More information: Access Security (powerappsportals.com)
Author: Maxence GODEFERT, Consultant Network & Security at Excellium Services