This year has seen the rise of Zero Trust, as calls for its implementation came down even from the White House. In the wake of significant increases in ransomware attacks, and the major shifts to remote work, today we are looking at the stages of the secure remote access maturity model.
Secure remote access (SRA) is a key component in the Zero Trust architecture. It enables you to enforce least-privileged access to your endpoints for a user performing their role. Managing the connections between partners, contractors and employees can be a challenge, but reaching a mature level of privileged access management is critical for the safety of your network.
Do you know where you stand in the secure remote access maturity model and does your current level meet the requirements to enable Zero Trust?
What is a Secure Remote Access Maturity Model?
A mature secure remote access implementation would have prevented some of the attacks we’ve seen in the news before they even started. As we’ll review in the secure remote access maturity model below, there are 5 distinct levels.
Each maturity level builds on the last and layers in additional security and least-privileged access of users connecting to your endpoints. Some of these levels also look at the structure of your architecture, helping you to enforce other security standards as well.
Though we are looking at secure remote access, it’s important to remember that a fully mature cybersecurity architecture will go beyond simply enforcing least-privileged access and even Zero Trust. Zero Trust should be your goal as a “foundational” security level. From this foundation, you build more sophisticated and layered defenses on top, taking you beyond Zero Trust and increasing your defense against even the most sophisticated of attacks.
Secure Remote Access Maturity Model Stages
SRA Maturity Level 0
No secure remote access exists. At this level of privileged access management maturity, there is essentially no plan in place to control a user’s access to endpoints. Here a truck is simply rolled to a site and access is granted based on knowledge of the password to the endpoint. Anyone with this password can access the endpoint, and no one will know who accessed it, when, or what they did.
This level has no “roles” to speak of. You are at your most vulnerable to attack here. This is made worse by your lack of insight into how an attack may have occurred or even what happened during it.
SRA Maturity Level 1
Sites are added to a network containing strict firewalls with normal connectivity (SSH, Dial Up). At this level of the privileged access maturity model, many of your vulnerabilities remain from level 0. Access is granted manually by an administrator who decides if certain actors are allowed. However, nothing is done to verify an actor after initial access is granted.
Visibility into identities and the risks associated with access is limited. If another user has the password, then they have the keys into your network without any way for you to know who they are or what they are doing.
SRA Maturity Level 2
A Jump Host is added to the network. User access is tightened and more defined. You start to identify users at this level for access into the network and its endpoints. Certain verifications are added, like checks on the location a user is trying to access the network from and what role that user may have.
SRA Maturity Level 3
At this level in the secure remote access maturity model, you reach a mature realization of firewalls with an added DMZ. Access is further controlled, with durations for access assigned to certain roles. Identities are associated with specific access-level capabilities for these roles as well, further limiting what a user can do or see on the network.
SRA Maturity Level 4
More user authentications are layered in at this level, with things like two-factor authentication/multi-factor authentication. We are approaching a very mature realization of privileged access management. Here we see robust network access control, with combinations of authentication, enforcement of security policies and strong endpoint security.
We are also near the true realization of Zero Trust secure remote access at this level. Trust at this level is highly diminished in the network. Identity access policies now gate access to applications and endpoints within the network and we begin to see analytics implemented to improve situational awareness on the network.
At this level, just knowing a password is no longer the same threat that it was at the lower levels, as other authentications are required, and access given to any user is substantially controlled by permissions.
SRA Maturity Level 5
You have reached the highest level in the secure remote access maturity model. Level 5 is the full realization of Zero Trust secure remote access. User activity is logged, providing critical information on who connected to what, what they did and when. Granular control of user connections inside each security zone also means users are only permitted to see the applications or endpoints necessary for them to perform their role.
Users are monitored in real time and their risk is assessed continuously; they may only be able to perform certain commands. If their behavior is viewed as suspect, their connection is terminated, and the incident escalated. Every action is auditable.
Access is only permitted when it is needed, to those who need it and only for the duration they need it. For example, if a contractor arrives on a certain day, their access is only granted for the date and time of their arrival, and for the duration needed to perform the work.
A protocol break now stands between the user and the endpoints in the network. With this, they never directly connect to any endpoint within the network. Instead, ConsoleWorks brokers the connections between user and endpoint, protecting you from viruses, malware or ransomware.
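The Level 5 controls described above (access limited to a time window, per-command restriction, termination of suspect sessions, and an audit entry for every action) can be expressed as a default-deny decision function. This is an added example, not ConsoleWorks code or anything from the original page; the `Grant` and `Broker` classes, the user and endpoint names, and the commands are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    """Constructed just-in-time grant: one user, one endpoint, one time window."""
    user: str
    endpoint: str
    start: datetime
    end: datetime
    commands: frozenset  # exact commands the role may run

@dataclass
class Broker:
    grants: list
    audit: list = field(default_factory=list)      # who, what, when, outcome
    terminated: set = field(default_factory=set)   # sessions cut off as suspect

    def _log(self, now, user, endpoint, command, decision, reason):
        self.audit.append({"time": now.isoformat(), "user": user, "endpoint": endpoint,
                           "command": command, "decision": decision, "reason": reason})
        return decision == "allow"

    def authorize(self, user, endpoint, command, now):
        """Default-deny check applied to every command, not only at connect time."""
        key = (user, endpoint)
        if key in self.terminated:
            return self._log(now, user, endpoint, command, "deny", "session terminated")
        grant = next((g for g in self.grants if (g.user, g.endpoint) == key
                      and g.start <= now < g.end), None)
        if grant is None:
            return self._log(now, user, endpoint, command, "deny", "no grant in this window")
        if " ".join(command.split()) not in grant.commands:
            self.terminated.add(key)  # end the session; the audit entry records the escalation
            return self._log(now, user, endpoint, command, "deny", "outside role, escalated")
        return self._log(now, user, endpoint, command, "allow", "within grant")

# Constructed sample data: a contractor with a four-hour visit window.
VISIT = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
GRANT = Grant("contractor-1", "rtu-7", VISIT, VISIT + timedelta(hours=4),
              frozenset({"show status", "show log"}))

def demo():
    b = Broker([GRANT])
    results = [b.authorize("contractor-1", "rtu-7", "show status", VISIT - timedelta(minutes=1)),
               b.authorize("contractor-1", "rtu-7", "show status", VISIT + timedelta(hours=1)),
               b.authorize("contractor-1", "rtu-7", "set password", VISIT + timedelta(hours=2)),
               b.authorize("contractor-1", "rtu-7", "show log", VISIT + timedelta(hours=3))]
    return results, b.audit
```

Denied requests are logged as well as allowed ones, so the audit trail shows attempts made outside the window or outside the role.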
The Path to Achieving SRA Maturity
Many organizations struggle to reach the higher levels of privileged access management maturity. It is imperative that these levels be attained as passwords alone will not protect you from an attack, nor will simply assigning roles to users who access your network.
The best security is attained by permitting least-privileged access, only when it is needed and only for as long as it is needed, while treating every connection as untrusted. This means continual monitoring and auditing of connections on your network to ensure an attack is not taking place and that a bad actor has not gained access.
ConsoleWorks is built with SRA maturity in mind and takes you to level 5 with ease, significantly heightening your security and even taking you beyond the Zero Trust baseline. Talk to us about your secure remote access needs here to achieve the highest maturity level possible today.