April 13, 2020//Ellen Neveux
The COVID-19 pandemic has driven the remote access market to new heights. More and more enterprises are seeking secure ways to support remote contractors, temporary workers and other partners. However, most are finding that traditional VPN technology may not be up to the job of offering the security, performance, and granular control needed.
Simply put, cybersecurity hygiene may become a victim of improved bacterial hygiene. Austin-based SecureLink is aiming to reestablish cybersecurity hygiene with SecureLink for Enterprises, a platform-based approach to securing remote connections while eliminating the potential security issues of VPNs.
VPN technology has recently come under fire as a security solution that can be compromised. VPNs tend to give full access to a connected network, making them a pathway for lateral attacks. That is simply because VPNs often lack critical abilities, such as zero-trust access and privilege control; they also are often deployed as stand-alone solutions without integration into other security products or platforms deployed on the network.
It’s those issues that have led to some serious network intrusions and breaches, especially those predicated on stolen credentials. According to a Verizon report, 69% of network intrusions were perpetrated by outsiders, making many wonder how many of those intrusions were caused by someone carelessly sharing VPN logon information. With the sudden growth of remote access needs driven by COVID-19 and other concerns, enterprises may need to look beyond the traditional VPN to ensure that offering remote access to vendors, contractors, employees, temporary workers and other partners remains secure.
With VPNs failing to fully protect enterprises, SecureLink has developed a different way to secure remote connections from third-party vendors, contractors and others who may need controlled access: SecureLink for Enterprises, a platform that brings authentication, access control and full auditing to remote connections. Where SecureLink really shines is with the concept of vendor-privileged access management (VPAM), an ideology that pairs privileges specifically with the third-party user and takes into account defined policies. In other words, privileges can be assigned or revoked based not just on the user’s identity but also on other factors, such as location, time and date definitions, work hours and so forth.
Privileges can also be assigned for a specific time frame, meaning that privileges can automatically be revoked when a project end date occurs. All of these are critical considerations when it comes to allowing external access to the internal network. They are concerns that, if addressed, would have prevented the all-too-famous Target breach of 2013, which was attributed to failing to properly secure access to Target’s systems by an external HVAC contractor.
Further bolstering the VPAM ideology is the concept of least privileged access (LPA), where by default, permissions are limited until granted, and then permissions are only given to the applications and resources that the remote user must have. LPA prevents the accidental granting of more privileges to a remote user than they actually need. Full auditing further rounds out the remote security paradigm by tracking all remote user activities.
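The policy factors described above (identity, location, work hours, a project end date, and default-deny least privilege) can be sketched as a small evaluator. This is an added example, not SecureLink's code or API; the `Grant` fields, the Monday-to-Friday rule, and all names, addresses and dates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Grant:                      # hypothetical record, not a SecureLink schema
    vendor: str                   # third-party identity
    resource: str                 # the single application/service granted
    source_net: str               # location: CIDR the vendor must connect from
    work_start: time              # permitted hours, Monday to Friday (assumed)
    work_end: time
    expires: datetime             # project end date; access lapses automatically

def check_access(grants, vendor, resource, source_ip, now):
    """Return (allowed, reason). No matching grant means deny (least privilege)."""
    reason = "no grant for this resource (default deny)"
    for g in grants:
        if (g.vendor, g.resource) != (vendor, resource):
            continue
        if now >= g.expires:
            reason = "grant expired"
        elif ip_address(source_ip) not in ip_network(g.source_net):
            reason = "source address outside allowed network"
        elif now.weekday() >= 5 or not (g.work_start <= now.time() < g.work_end):
            reason = "outside permitted work hours"
        else:
            return True, "granted"
    return False, reason

# Constructed sample data: one contractor, one system, one project window.
GRANTS = [Grant("hvac-contractor", "rdp:hvac-controller", "203.0.113.0/24",
                time(8, 0), time(18, 0), datetime(2020, 6, 30))]

if __name__ == "__main__":
    monday = datetime(2020, 4, 13, 10, 0)
    for args in [("hvac-contractor", "rdp:hvac-controller", "203.0.113.10", monday),
                 ("hvac-contractor", "rdp:payment-server", "203.0.113.10", monday),
                 ("hvac-contractor", "rdp:hvac-controller", "203.0.113.10",
                  datetime(2020, 7, 1, 10, 0))]:
        print(args[1], args[3], check_access(GRANTS, *args))
```

The second call shows the lateral-movement case: valid credentials, right place, right time, but no grant for that system, so the request is denied.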
File transfers, services accessed and commands entered are all logged, which helps with both compliance and security forensics. Desktop sharing and RDP sessions can also be recorded for future analysis if needed. Other capabilities include multi-factor authentication, real-time monitoring and audit reporting, all of which contribute to the overall security hygiene of remote access.
As mentioned before, SecureLink uses a platform-type model, where an access server is installed at the network edge and configured in the network DMZ. [A DMZ, short for demilitarized zone, is a network (physical or logical) used to connect hosts that provide an interface to an untrusted external network – usually the internet – while keeping the internal, private network – usually the corporate network – separated and isolated from the external network.]
The SecureLink Server routes traffic through a lightweight client that functions as the gateway for approved network access. The server-side software can be integrated into directory services, PAM providers, LDAP and several other identity-management and policy-enforcement engines, allowing SecureLink adopters to leverage existing technologies to minimize any disruption to internal users, while also extending the same style of access to remote users.
The SecureLink platform itself was born as a way to control and secure access from external vendors or contractors. Perhaps the perfect explanation for that type of cybersecurity focus comes from that Target breach–where the credentials from an air-conditioning contractor were used to conduct a lateral attack across the network and compromise numerous systems.
SecureLink recognized the problem presented by non-employee access into critical systems and developed the platform to prevent intrusions like those that plagued Target and numerous other organizations in the years following. Lateral attacks over remote connections are still occurring, with Microsoft reporting that as many as 280 million Microsoft customer records were exposed in January 2020, and the makeup company Estee Lauder reporting that 440 million customer records were exposed the following month.
SecureLink has embraced the core ideology to eliminate the possibility of a lateral attack, limit the privileges of anyone entering the network remotely and incorporate numerous policy controls, along with a zero-trust ideology. The result is a platform that combines security with user validation, full auditing capabilities and automation to reduce the administrative load.
With the level of different integrations available, plus the overall configurability of the system, looking at the server side of the product from a deployment standpoint proves to be much more than can be covered in the typical product review. That said, the product was tested in a pre-configured environment with the server already supporting a typical network from the edge, with a few pre-selected cloud and local applications.
The testing focused on the capabilities offered by the platform once installed, such as secure access, policy definition, and overall management, as well as the end user experience.
Platform management proves to be very straightforward. Administrators are able to quickly define default rights, policies, and account enablement workflow. The system uses a browser-based dashboard, which proves intuitive to most any administrator.
The administrator is able to define what applications are available and control the remote user’s access to certain services, such as RDP and file transfer. The admin can also define time limits, set up access expiration dates, and so forth. Administrators can also define workflows, allowing a user to request access and then have that request emailed on to someone assigned the task of approval, who then can grant access to the remote user. The platform can be further integrated into a CRM system, which can also be used to prompt those requesting access for additional information, such as the reason for access and other administrator-defined fields.
For those remotely accessing the system, everything takes place via a browser–the remote user simply enters the URL to the SecureLink server and then fills out forms for requesting access or just logs in if access has been approved. Although the design was originally built around remote vendor or contractor access, it works perfectly fine for a traditional remote user as well. In other words, the platform has the ability to bring simplified and secure remote access to those working from home or from any other location, as long as they have reliable internet access.
Once authenticated, remote users will have access to the applications that they have been granted privileges for. Remote workers will find the support for RDP rather handy, allowing them to take control of their desktop located in the office to work on it as if they were physically there. What’s more, remote administrators will also be able to leverage RDP sessions to access servers or troubleshoot desktop PCs for end users.
For those concerned with compliance and, more specifically, the auditing requirements around compliance, the platform provides plenty of tools to ease those chores. All activity is recorded and is fully auditable. The system also offers reports that lend additional forensic information to the auditing process.
SecureLink does an excellent job of resolving the common problems that VPNs present to enterprises today. Unified management, as well as privilege and policy definition, returns control to administrators wanting to properly secure their networks for remote access tasks.
Integrated auditing and the ability to connect to third-party security solutions and cloud services help to make SecureLink a real consideration for those seeking to secure remote connections, while also maintaining control over all remote access sessions using policies and preventing privilege creep that could lead to lateral attacks.
What’s more, the access paradigm proves to be easier for remote users than traditional VPNs, while those concerned with compliance will have all of the necessary metadata to make their reporting chores much easier.
SecureLink offers an all-in-one subscription pricing model. Implementation, training, support, and technical maintenance are all included. Unlike most software licensing, the subscription price is all you pay and gives organizations predictability in their investment and eliminates hidden costs for services or add-on capabilities. The price is based on the number of unique vendors (not users) connecting through the system and starts at $500 per vendor per year. Typically, organizations have little control over the number of users their vendors may need, so this approach elicits more certainty and control than a traditional user-based licensing model.