Welcome back! This is the second part of a blog about Secure Remote Access for IT Administrators, which highlights Good/Better/Best methods. In case you missed the first part, you can read it here.
Let’s recap what we learned in the first blog:
- GOOD: A VPN is better than nothing, but it’s not great at securing remote access for IT administrators, which increasingly includes outsourced IT, managed service providers, and other third parties and the risk that could come with them being able to access other systems on the broader network.
- BETTER: Adding Centrify Privileged Access Service on top of a VPN is a better option because it provides better control, security, and operational efficiencies. In this hub and spoke model, the Centrify Gateway Connector spoke acts as a bridge – the ONLY bridge – to the servers and network devices.
With the “Better” option, the user is still network-attached so there’s inherent risk there, but with the additional Centrify security, many risks of the “Good” approach are mitigated.
The Best Option: Ditch the VPN Completely
When you look at business continuity challenges related to a 100% remote workforce, the business needs to:
Allow access to the resources required, NOT the entire network.
- Provide granular privilege, not just administrator or root. Not everyone with access
truly needs complete administrative access.
- Ensure a higher level of certainty that it is truly the admin taking actions on the resources.
- Manage resources anywhere without requiring knowledge of the network configuration to access the resources.
- Allow an admin to access the resources they have a business need to manage without dependencies of VPN or client software.
- Allow any admin to access the resources they have a business need to manage without requiring corporate owned machines and provide access from a clean source.
To accomplish these goals, organizations should avoid the VPN altogether, and use the full capabilities of the Centrify Privileged Access Service to enforce least privilege. This “Best” approach offers several benefits in addition to the “Better” option.
With this approach, you get all the Centrify benefits of the “Better” solution, plus all the benefits of avoiding the VPN-based downsides. If faced with scaling a VPN solution to support a huge uptick in remote users, this approach is much more cost-effective.
Arguably, the biggest benefit is keeping users off the network, and in the process, ensuring a “clean source”. IT doesn’t have to worry about the health of 3rd-party workstations or laptops, VPN software and infrastructure, VPN-related help desk calls, elaborate tools such as Cisco NAC, etc.
Some might argue the biggest benefit is its ability to scale out to accommodate networks of IT infrastructure in different places, with ease. Its hub and spoke model allows you to deploy as many Centrify Gateway Connectors as you need with no additional license cost. As a lightweight service, the Centrify Gateway Connector has minimum system requirements, installing on a non-dedicated Windows server. Got a new VPC for a new service? Workloads in multiple VPCs or multiple clouds? A merger or acquisition? Simply drop in a new Centrify Gateway Connector, enroll it in your Centrify Privileged Access Service SaaS, and you’re on your way.
Below is a demo of how secure remote access for administrators via Centrify Privileged Access Service works:
As we’ve seen, not all remote access is secure, and certainly all are not equal. While a VPN is better than nothing and can be serviceable, there are better options available with Centrify Privileged Access Service that provide more granular control, reduce risk, and enable outsourced IT without the need of including administrators in Active Directory.
To learn more, view our CyberCast On Demand: Secure Remote Access for Administrators.