As the title says, I’m looking for a way to grant access to vendors in a secure way.
Right now we will do a shared screen session using either GoToMeetings, Zoom or MS Teams, so that we can monitor their doings and provide the access when required. However, many of the vendors are from places like the UK or India so the times are wild. So we’re looking for a way to give unattended access.
It doesn’t help that most of these persons are connecting from their homes so there is no static IP to limit access to, and we have no idea what kind of security they have in place.
What options are available that you know about or have implemented?
Edit 2022-06-05:
The general consensus is VPN with certs and MFA, along with PAM (BeyondTrust and CyberArk came up quite a few times). VDI was also mentioned by a few others.
I’m going to do a bit of research on these and provide an update later this week before marking as solved. If anyone else has any recommendations please add. Thanks to everyone who added their $0.02.
We use a product called SecureLink. It allows us to manage our vendors’ access to various resources and has a ton of auditing. It also allows us to provide some vendors access to manage their support folks; we just approve their access requests through the product and don’t have to worry about setting up accounts and managing those accounts for individuals from the vendor.
It also records the whole RDP session if we want to go back and review.
We use ConnectWise Control. Login is tied to Azure AD (vendors get invited as a guest account). This allows us to enforce MFA and use Azure Conditional Access policies, restrict login times, etc. ConnectWise Control also has an excellent connection history feature letting us see who connected when.
It can also disable various features such as file transfer, or require permission from a user at the device.
Not cheap but we built our solution around CyberArk.
I had to slam something in quickly as usual. But we also have a requirement that anyone who accesses our secure boundary un-escorted must have a 6C security clearance, and furthermore any privileged access must be authenticated by using a PIV-I card. So the vendor has to identify a pool of technicians who will be allowed to work on our systems; we get their federal security clearances, and then give them AD accounts just like employees. Then we fly them in to be issued their PIV-I cards.
Once that’s all set up, they use SSL VPN (which also uses Azure MFA) to open an RDP tunnel to our CyberArk server, log into CyberArk via their PIV-I cards (which covers the privileged access requirements), then connect to their server(s) using the privileged credentials that they are allowed to use in CyberArk.
Bonus: we get a recording of every session; we can also shadow active sessions live, and force close them if it ever becomes necessary.
CyberArk also does many other things for us, including managing all of our domain service account passwords, which are prohibited from having “never expire” set, so it’s not a single-use product by any means. Yeah, it’s expensive but it also checks a whole lot of compliance boxes for us.
VPN config only allows access to the bastion.
Bastion can be configured to have access request flows, monitoring / shadowing / recording, and has a probe tool that launches on each RDP connection to deny running certain tools (e.g. PowerShell) or outbound protocols (avoid RDP to other hosts). Unfortunately the probe tool is less reliable than we hoped.
As one of those vendors who frequently remote-accesses very large corporate customer networks, the way it generally works for me is that I go through the customer’s HR process for onboarding and am given credentials in the customer environment.
Then I use the customer’s VPN service to access their network, usually through a Citrix or RDP or VDI gateway of some kind. In most cases I assume those sessions are recorded, and sometimes I’m given explicit notice that they’re recorded.
Sometimes I need a certificate provisioned for my laptop to access their VPN. That’s the easiest solution for “no static IP”.
In a few cases, the customer would ship me one of their standard laptops with their own preloaded software & VPN to use for the duration of the contract. That includes their own endpoint monitoring aside from the VPN and Citrix/RDP monitoring.
Many of them use something like CyberArk to centralize privileged password management and RDP session all in one - those are great because I don’t even need to see my privileged credential, I just select “Use credential for RDP / SSH session” and it passes through the password (that expires after 8 hours or so) for me, all while recording the session that they could review later.
They RDP into a virtual workstation with the tools they need, on an isolated network with only access to the equipment and systems they need to access through the internal firewall.
Though we’ve never used it, we’ve always had our eye on Fudo. The vendor was Wheel Group, now seemingly renamed to Fudo Security. It’s a locked-down jumpbox with logging and auditing.
VPN with Duo MFA. Named user accounts. Heavily segmented network with a firewall around each segment allowing only the traffic needed to run the services and for clients to access the services.
RDP only accessible through an RD Gateway, granting access only to servers they need to perform work on.
And ThreatLocker.
With most of the business apps still on-prem, these basic security measures have been working pretty well so far.
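Added example (not posted by anyone in the thread, and not any vendor product’s code): a small model of the "VPN clients can only reach the bastion" design from the bastion post above and the "segmented network + RD Gateway" setup in the post just above. It builds a default-deny forwarding policy, evaluates sample flows against it, and renders the same policy as an nftables ruleset. The addresses, ports, table name and hosts are all constructed for illustration; in a real deployment the RD Gateway’s own authorization policies decide which servers each vendor may reach behind the bastion, which this model does not cover.

```python
"""Default-deny firewall model for vendor VPN access (added example, constructed values).

Design: the VPN address pool may talk only to the bastion / RD Gateway on its
service port(s); only the bastion may talk to the protected server network; every
other forwarded flow is dropped by the chain policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None matches any port (used only for the final drop)
    action: str            # "accept" or "drop"


def vendor_access_policy(vpn_pool: str, bastion: str, protected_net: str,
                         bastion_ports=(3389,), server_ports=(3389, 22)) -> List[Rule]:
    """Build the ordered rule list: first match wins, last rule drops everything else."""
    vpn = ipaddress.ip_network(vpn_pool)
    bastion_host = ipaddress.ip_network(bastion)        # single host -> /32
    protected = ipaddress.ip_network(protected_net)
    anywhere = ipaddress.ip_network("0.0.0.0/0")
    rules = [Rule(vpn, bastion_host, p, "accept") for p in bastion_ports]
    rules += [Rule(bastion_host, protected, p, "accept") for p in server_ports]
    rules.append(Rule(anywhere, anywhere, None, "drop"))  # default deny
    return rules


def evaluate(rules: List[Rule], src: str, dst: str, dport: int) -> str:
    """Return the action the policy takes for a new TCP flow src -> dst:dport."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action
    return "drop"   # unreachable with the policy above, kept as a safety net


def render_nftables(rules: List[Rule], table: str = "vendor_access") -> str:
    """Render the policy as an nftables forward chain with policy drop."""
    lines = [
        f"table inet {table} {{",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        if r.dport is None:
            continue   # the catch-all drop is expressed by 'policy drop'
        lines.append(f"    ip saddr {r.src} ip daddr {r.dst} tcp dport {r.dport} {r.action}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed addresses: VPN pool, bastion / RD Gateway host, protected server network.
    policy = vendor_access_policy("10.250.0.0/24", "10.200.0.10", "10.10.0.0/16")
    print(render_nftables(policy))
    print("vendor -> bastion:3389  ", evaluate(policy, "10.250.0.7", "10.200.0.10", 3389))
    print("vendor -> server:3389   ", evaluate(policy, "10.250.0.7", "10.10.5.20", 3389))
    print("bastion -> server:22    ", evaluate(policy, "10.200.0.10", "10.10.5.20", 22))
```

The useful check is the second flow: a vendor client trying to RDP straight to a server in the protected range is dropped even though the port is one the bastion is allowed to use, because the source is the VPN pool rather than the bastion. Everything not listed falls through to `policy drop`.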
If you are required to give on-prem access to physical servers etc there is an alternative that I didn’t explore. You can put in an RDP gateway which can perform full session recording. That will help with at least watching exactly what they’re doing (even if no one regularly reviews it).
(Cloud speech)
One of the truly great features of the cloud (Azure in my case) is it has some really nice identity governance, internal and external access control and conditional access policies.
I use Azure (hybrid) and have since I arrived in my current role been aggressively ‘kicking out’ vendors that had VPN access to my on-prem environment. They didn’t really need it. They now use guest accounts with limited access to just what they need and they have to pass a series of Conditional Access policies to get in.
With Azure (and I presume AWS and GCP) you could put a number of conditional access policies in place that could do things like require MFA, FIDO, compliant devices (running AV, bitlocker, be an Intune-enrolled device etc etc), restricted by IP blocks, regional IP (no Russian IPs etc), “Risky sign in” (calculated by Azure using a lot of metrics) and more.
If you can move some of the resources the contractors need to the cloud, it becomes even easier, as you can use “access packages” to give the vendor very limited access to just a SharePoint site, MS Team, SaaS/SSO app etc.
You can require approvals where the vendor consultant working for say accounting requests access to say SAP, an accounting approver gets the request, approves it granting the consultant access for perhaps 24hrs a week etc. After that, the access expires and the process repeats. Compliance etc can get a report of all these accesses.
You can set up recurring access reviews so accounting has to review/attest that all of the guest accounts in the “accounting vendor access” security group belong there otherwise they can be auto-removed etc.
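Added example (not from the thread, and not Azure’s API or configuration format): a simplified, self-contained model of the guest-access controls described in the post above, so the pieces can be seen working together: conditional-access checks on each guest sign-in (MFA, compliant device, blocked regions, risk score), time-boxed access-package grants that expire on their own, and an access review that flags group members with no active grant. The users, grant durations, country list and sign-in events are all constructed.

```python
"""Guest sign-in policy + time-boxed grants + access review (added example, constructed data).

This is a teaching model of the controls a tenant's identity governance provides,
not a reimplementation of any product's policy engine.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple

BLOCKED_COUNTRIES = {"RU"}   # constructed example list, stands in for a regional IP block


@dataclass
class SignIn:
    user: str
    user_type: str          # "member" or "guest"
    mfa_passed: bool
    device_compliant: bool  # e.g. AV running, disk encrypted, MDM-enrolled
    country: str            # ISO country code derived from the client IP
    risk: str               # "low" / "medium" / "high", as a risk engine would score it
    when: datetime


@dataclass
class Grant:
    """An approved access-package assignment valid for a fixed window."""
    user: str
    resource: str
    approved_by: str
    start: datetime
    duration: timedelta

    def active_at(self, t: datetime) -> bool:
        return self.start <= t < self.start + self.duration


def evaluate_sign_in(s: SignIn) -> Tuple[bool, List[str]]:
    """Apply the conditional-access style controls; guests must satisfy every one."""
    reasons: List[str] = []
    if s.country in BLOCKED_COUNTRIES:
        reasons.append("blocked-region")
    if s.risk == "high":
        reasons.append("high-risk-sign-in")
    if s.user_type == "guest":
        if not s.mfa_passed:
            reasons.append("mfa-required")
        if not s.device_compliant:
            reasons.append("compliant-device-required")
    return (not reasons, reasons)


def can_access(s: SignIn, resource: str, grants: Iterable[Grant]) -> Tuple[bool, List[str]]:
    """Sign-in must pass policy AND an approved grant must be active at that moment."""
    allowed, reasons = evaluate_sign_in(s)
    if not allowed:
        return (False, reasons)
    for g in grants:
        if g.user == s.user and g.resource == resource and g.active_at(s.when):
            return (True, [])
    return (False, ["no-active-grant"])


def access_review(group_members: Iterable[str], grants: Iterable[Grant], now: datetime) -> List[str]:
    """Members of the vendor security group with no active grant: candidates for auto-removal."""
    grants = list(grants)
    return sorted(m for m in group_members
                  if not any(g.user == m and g.active_at(now) for g in grants))


def sample_scenario() -> Dict[str, object]:
    """Constructed sign-ins against a 24-hour grant to 'SAP' approved by accounting."""
    t0 = datetime(2022, 6, 5, 9, 0, tzinfo=timezone.utc)
    vendor = "consultant@vendor.example"
    grants = [Grant(vendor, "SAP", "accounting-approver", t0, timedelta(hours=24))]
    base = dict(user=vendor, user_type="guest", mfa_passed=True,
                device_compliant=True, country="GB", risk="low")
    two_hours_in = t0 + timedelta(hours=2)
    return {
        "inside_window": can_access(SignIn(**base, when=two_hours_in), "SAP", grants),
        "after_expiry": can_access(SignIn(**base, when=t0 + timedelta(hours=30)), "SAP", grants),
        "no_mfa_unmanaged": can_access(
            SignIn(**{**base, "mfa_passed": False, "device_compliant": False}, when=two_hours_in),
            "SAP", grants),
        "blocked_region": can_access(SignIn(**{**base, "country": "RU"}, when=two_hours_in),
                                     "SAP", grants),
        "review": access_review({vendor, "stale@vendor.example"}, grants, t0 + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for name, result in sample_scenario().items():
        print(f"{name:18} {result}")
```

The point the model makes explicit is that the two controls are independent: a guest who passes MFA and device checks is still refused once the approved window has lapsed, and a guest with a live grant is still refused if the sign-in itself fails policy. The review step is what keeps the group membership honest between grants.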