xFelix
Secure Remote Access with Zero Trust approach

Background

Some companies are still using legacy VPN technology for employees and contractors to access on-premise systems remotely.

As more systems and applications migrate to cloud platforms, the requirements for secure remote access are evolving. A legacy VPN solution deployed at the edge of an on-premise data centre is no longer suitable for cloud remote access needs.

Remote Access Definition

Remote Access Business Cases

1. Employees access corporate internal systems and applications

  • Broad access for regular employees
  • Systems and applications hosted internally (on premise) that cannot be, or are not planned to be, migrated to Cloud
  • Systems and applications hosted in Cloud but not directly accessible from the Internet

2. Admins access the back-end of privileged and restricted systems and applications

  • Only for system administrators' use
  • Management interfaces hosted internally (on premise) that cannot be, or are not planned to be, migrated to Cloud
  • Management interfaces hosted in Cloud but not directly accessible from the Internet

3. Vendors and contractors access OT systems and devices for maintenance

  • Only for third-party vendors and contractors
  • Systems and devices physically located in the OT environment
  • Management interfaces hosted in a private Cloud but not directly accessible from the Internet

Zero Trust Security Model

Years ago, IT and security professionals began to give up on the concept of a security perimeter. It’s not feasible anymore to build a barrier around your corporate network and then assume all the activity on the inside is trustworthy.

Around that time, in 2010, the Zero Trust security model was introduced by John Kindervag, a principal security analyst at Forrester Research. Zero Trust is about granting the least-privileged access necessary within an environment, based on 1) who is requesting access, 2) the context of the request, and 3) the risk of the environment being accessed.

There are many benefits to taking a Zero Trust approach. In terms of risk reduction, it can help a company cut back on complexity, reduce its attack surface, and increase visibility for auditing and compliance.

When a business uses a VPN, it’s common practice to segment the network with VLANs and subnets, keeping the most sensitive assets and data in the most secure zones.

By contrast, a Zero Trust architecture creates something closer to one-to-one segmentation. Moving laterally within the network becomes impossible, which prevents some types of attack entirely:

  • DDoS attacks
  • Server scanning
  • Application exploits
  • Man in the middle attacks
  • SQL injection

Remote Access and Zero Trust Approach

6 Core Tenets of Zero Trust

Verify who: Make sure to integrate with directories rather than local accounts, because this keeps the number of vulnerable accounts and passwords to a minimum. Always use multi-factor authentication (MFA).

Contextualize requests: Before you approve any access request, be sure to understand the context. Then, once a request is approved, grant the minimum level of access necessary, and only for long enough to perform it.

Secure the admin environment: Try to keep access sources clean. If possible, ensure direct access can’t be made from workstations with open internet access and email (to avoid malware).

Grant least privilege: Keep strong zoning in your network so there’s minimal ability to move laterally.

Audit everything: Audit logs are your friend in a Zero Trust framework, especially if you use a tool like Netop Remote Control that supports screen and video recording for sessions.

Adaptive control: Prepare to actively respond by ending sessions or following up with forensics when needed. In a Zero Trust model it's important to get real-time notifications and closely monitor risky activity. For the sake of scalability, it's important to keep controls flexible based on the risk context. Even if someone enters the proper credentials, you might want to require stronger verification if the request is coming from a risky or unknown location or device.

Best Practices for Zero Trust Remote Access

Admins and users need varying levels of access across cloud infrastructure, databases and network devices — not to mention containers, microservices, digital twins and more — seamlessly.

When you’re configuring remote access rules within a Zero Trust framework, there are a few best practices to follow:

Verify who: Make sure to enable strict authentication rules within a secure tool including multi-factor authentication across the board.

Contextualize requests and grant least privilege: With an advanced tool, you can restrict authorization based on user groups, location, and IP address. You can also apply function-based restrictions to a user or group, so they can only perform certain functions on specific devices or servers.

Auditing: Whereas VPNs don’t usually have built-in audit logging, remote access software offers unalterable audit logs and full session recording — including video recording.
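The six tenets and the best practices above describe a decision the remote access gateway has to make on every request: who is asking (directory identity plus MFA), in what context (device posture, source location), what function on which target their group is allowed, for how long, and a record of the outcome either way. The following policy evaluator is an added example written for this post, not code from the original article or from any remote access product; the directory entries, group permissions, known networks and IP addresses are all constructed sample data, and treating a FIDO2 factor as the "stronger verification" demanded from an unknown location is an assumption of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample directory (stand-in for an AD/LDAP lookup); no local accounts.
DIRECTORY = {
    "alice":   {"groups": {"employees"}},
    "bob":     {"groups": {"employees", "db-admins"}},
    "vendor1": {"groups": {"ot-vendors"}},
}

# Least privilege: each group may perform only the listed functions on the listed targets,
# rather than being granted network-level reachability.
PERMISSIONS = {
    "employees":  {("https", "intranet.example.internal")},
    "db-admins":  {("ssh", "db01.example.internal")},
    "ot-vendors": {("rdp", "plc-gw.ot.example.internal")},
}

# Management interfaces that may only be reached from a hardened admin workstation
# (no open internet or email), per "secure the admin environment".
ADMIN_TARGETS = {"db01.example.internal", "plc-gw.ot.example.internal"}

# Constructed known networks; any other source is an "unknown location".
KNOWN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]

# Second factors accepted for MFA, and which of them count as the stronger
# verification required from an unknown location (assumption: a phishing-resistant one).
SECOND_FACTORS = {"otp", "push", "fido2"}
STRONG_FACTORS = {"fido2"}

SAMPLE_NOW = datetime(2020, 2, 11, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo
AUDIT_LOG: list[dict] = []


@dataclass
class Request:
    user: str
    function: str            # e.g. "ssh", "rdp", "https"
    target: str
    source_ip: str
    device_managed: bool     # corporate-managed device posture
    admin_workstation: bool  # hardened workstation without open internet/email
    factors: set             # authentication factors completed in this session
    grant_minutes: int = 60  # the grant is time-bounded, not open-ended


@dataclass
class Decision:
    outcome: str             # "allow", "deny" or "step-up"
    reason: str
    expires_at: Optional[datetime] = None


def known_location(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def decide(req: Request, now: datetime) -> Decision:
    account = DIRECTORY.get(req.user)
    if account is None:                                   # verify who: directory identity only
        return Decision("deny", "user not in directory")
    if "password" not in req.factors or not (req.factors & SECOND_FACTORS):
        return Decision("step-up", "MFA required")        # MFA across the board
    if not known_location(req.source_ip):                 # contextualize / adaptive control
        if not req.device_managed:
            return Decision("deny", "unmanaged device from unknown location")
        if not (req.factors & STRONG_FACTORS):
            return Decision("step-up", "stronger verification required from unknown location")
    if req.target in ADMIN_TARGETS and not req.admin_workstation:
        return Decision("deny", "admin target requires hardened admin workstation")
    allowed = set().union(*(PERMISSIONS.get(g, set()) for g in account["groups"]))
    if (req.function, req.target) not in allowed:          # least privilege
        return Decision("deny", "function/target not permitted for user's groups")
    return Decision("allow", "policy satisfied", now + timedelta(minutes=req.grant_minutes))


def evaluate(req: Request, now: Optional[datetime] = None) -> Decision:
    """Evaluate one request and record the outcome (audit everything, allow or not)."""
    now = now or datetime.now(timezone.utc)
    decision = decide(req, now)
    AUDIT_LOG.append({"time": now.isoformat(), "user": req.user, "function": req.function,
                      "target": req.target, "source_ip": req.source_ip,
                      "outcome": decision.outcome, "reason": decision.reason})
    return decision


if __name__ == "__main__":
    samples = [
        Request("bob", "ssh", "db01.example.internal", "10.1.2.3", True, True, {"password", "otp"}),
        Request("bob", "ssh", "db01.example.internal", "198.51.100.7", True, True, {"password", "otp"}),
        Request("alice", "ssh", "db01.example.internal", "10.1.2.3", True, True, {"password", "otp"}),
        Request("vendor1", "rdp", "plc-gw.ot.example.internal", "198.51.100.7", False, True, {"password", "fido2"}),
    ]
    for r in samples:
        d = evaluate(r, SAMPLE_NOW)
        print(f"{r.user:8} {r.function}->{r.target:28} {d.outcome:8} {d.reason}")
```

Two design points are worth noting. The permission check is on a (function, target) pair, so an admin who is allowed SSH to one database host is not thereby allowed anything else on the same subnet, which is the one-to-one segmentation the post contrasts with VLAN zoning. And every path through `evaluate` writes an audit record, including denials and step-up prompts, because a run of step-ups from an unknown location is exactly the "risky activity" the adaptive control tenet wants surfaced in real time.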

Recommendations

  • With the Zero Trust remote access and cloud infrastructure approach, how the system is reached remotely is no longer the key to secure remote access; the authentication and authorization piece is.
  • With the Zero Trust and cloud approach, the company's security boundary is no longer clear. Almost all systems can be accessed from the Internet. The most important question becomes how we decide who can access what (authentication and authorization).
  • The secure remote access solution should align with the Identity & Access Management strategy and be backed by proper data classification.

Written by Felix. Licensed under CC BY-NC-SA 3.0 Unported.

2020-02-11