
Remote Vendor Access

Kris Zupan
CEO/CTO e-DMZ Security

Agenda
• The Issue - Remote Vendor Access
• What is different between RVA and Remote
Access?
• Outsourcing Influences
• Compliance
• RVA Requirements
• eGuardPost™ Discussion
• eGuardPost™ Demonstration
• Questions

The Issue - Remote Vendor Access

• Most companies have spent considerable energy providing remote access
solutions to allow better utilization of resources.
• Remote vendor support is a standard approach for most companies to
leverage support capabilities.
• Remote vendor connections carry a high degree of risk.
• Most solutions (VPNs or firewalls) can address some of the questions
presented below, but today none can answer all of them.
• The questions:
• Who can access my systems?
• How can they access them?
• Who did access them, and what did they do?
• Remote vendor access has been a finding on many audit reports.

What is different between RVA and Remote Access?
• Remote vendors should be restricted to only the areas of the company they
support. A remote vendor contracted to administer specific Unix systems should
not be able to connect to other systems or resources at will.

• Remote vendors use their own client equipment to establish connectivity.
This means that requirements around personal firewalls, anti-virus, platforms,
etc. are difficult if not impossible to enforce.

• Requiring remote vendors to use specific VPN client software for remote
access may not be possible, and can introduce liabilities for the vendor's
systems and/or incompatibilities with the vendor's existing client software.

• Remote vendors have staff who are outside the company's view. Staff changes
at the vendor may leave the company unable to tie access back to an
individual, creating challenges around accountability.

Outsourcing Influences
• Outsourced system administration
• Many companies have looked towards outsourcing of system
administration due to the increasing complexity of system support.
Keeping systems patched and protected has become a specialty.
• Giving system level control to an outsource provider may jeopardize
security controls implemented.

• Outsourced development
• Cost considerations have many organizations utilizing off-shore or
other outsource development resources.
• Many companies are concerned about production support risks.

• MSSPs
• Analysts have forecast that security will become the most outsourced
IT function.
• Raises the question of who controls the security controls.

Compliance
• SOX
• Need to show that developers or system administrators did not
adversely affect financial systems.
• Many would like a centralized view into actions within their financial
systems instead of system level audit information from every host.

• GLBA
• Demonstrate that privacy information is controlled from system level
access.
• Dual control as fraud prevention.

• PCI (from the PCI Security Audit Procedures)
• Section 8.5.6: vendor accounts are monitored
• Section 10.2.2: logging of all admin activity

• HIPAA

RVA Requirements
1. The solution must provide granular access control, to completely control
the access of the remote vendor.

2. The solution must be clientless, since most companies cannot dictate the
remote client system or software.

3. The solution must provide a complete and robust session and access audit
trail, so that companies can answer the regulatory questions about vendor
access to protected information.

4. The solution must protect the customer network from network pathogens
such as worms and malware.

Current Approaches
1. Jump box
• In this scenario, the vendor only has access to a few defined machines,
from which they initiate their sessions to the supported systems.
• Pros-
1. Defined point of entry
2. If keystroke logging is enabled, the session can be replayed.
• Cons-
1. Effort to ensure the jump box is not circumvented (the supported systems
must accept vendor connections only from the jump box)
2. Only works for command-line activities

2. VPN with ACLs
• In this scenario, the VPN only allows connections to the few defined
systems that are to be supported.
• Pros-
1. Defined access
• Cons-
1. No replay
2. Administrative burden of maintaining the ACLs
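The jump-box approach above rests on two things: keystroke logging that can be replayed, and confidence that the box is not being used as a pivot to systems outside the vendor's scope. The Python below is an added example, not code from the original slides or from e-DMZ's eGuardPost. It assumes the jump box records each vendor shell with util-linux `script -t` (a typescript file plus a timing file, an assumed recording setup), replays the recording to reconstruct what was typed at each prompt, which is what is needed to answer the "who did access them, and what did they do?" question from slide 3, and flags outbound connections to hosts that are not on the vendor's contracted list. The session, host names and allowed-host policy are constructed for the example.

```python
"""Replay a jump-box keystroke log and flag connections that leave the vendor's
contracted scope.  Assumes the jump box records each vendor shell with
util-linux `script -t 2>session.timing session.typescript`: the typescript
starts with a "Script started on ..." header line and the timing file holds
"<delay-seconds> <byte-count>" lines describing the bytes after that header.
The session, hosts and policy below are constructed for this example."""
import re
import shlex
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample session: (seconds since previous chunk, bytes shown on the tty).
SAMPLE_CHUNKS = [
    (0.0, b"vendor1@jump:~$ "),
    (2.5, b"ssh unixadm@db01.corp.example\r\n"),
    (0.9, b"unixadm@db01:~$ "),
    (3.0, b"sudo sh /opt/vendor/patch-run.sh\r\n"),
    (4.0, b"patch set 2024-01 applied\r\n"),
    (0.1, b"unixadm@db01:~$ "),
    (1.0, b"exit\r\n"),
    (0.2, b"logout\r\nConnection to db01.corp.example closed.\r\n"),
    (0.1, b"vendor1@jump:~$ "),
    (5.0, b"nc -zv 10.0.5.20 22\r\n"),
    (0.3, b"Connection to 10.0.5.20 22 port [tcp/ssh] succeeded!\r\n"),
    (0.1, b"vendor1@jump:~$ "),
    (2.0, b"ssh -p 2222 unixadm@fin-app01.corp.example\r\n"),
    (0.5, b"unixadm@fin-app01:~$ "),
    (1.5, b"exit\r\n"),
    (0.1, b"vendor1@jump:~$ "),
    (0.7, b"exit\r\n"),
]
SAMPLE_TYPESCRIPT = (b"Script started on 2024-01-15 09:00:00+00:00\n"
                     + b"".join(data for _, data in SAMPLE_CHUNKS))
SAMPLE_TIMING = "".join(f"{delay:.6f} {len(data)}\n" for delay, data in SAMPLE_CHUNKS)
# Hosts this vendor is contracted to administer (assumed policy).
ALLOWED_HOSTS = {"db01.corp.example", "db02.corp.example"}

class Command(NamedTuple):
    elapsed: float   # seconds since session start when Enter was pressed
    user: str
    host: str        # host whose prompt the command was typed at
    command: str

# Bash-style "user@host:path$ " prompt followed by the echoed command line.
PROMPT_RE = re.compile(r"^([\w.-]+)@([\w.-]+):\S*\$ (.*)$")
# Tools that open an outbound connection from wherever they are run.
NET_TOOLS = {"ssh", "telnet", "nc", "ncat"}
# Options of those tools that consume the following argument (not exhaustive).
OPTS_WITH_ARG = {"-p", "-l", "-i", "-o", "-J", "-F", "-L", "-R", "-D", "-W", "-w", "-s"}

def replay(typescript: bytes, timing_text: str) -> List[Tuple[float, bytes]]:
    """Re-pair typescript bytes with their delays, as scriptreplay does."""
    body = typescript.partition(b"\n")[2]  # byte counts start after the header line
    chunks, offset, elapsed = [], 0, 0.0
    for delay, count in (ln.split() for ln in timing_text.splitlines() if ln.strip()):
        elapsed += float(delay)
        chunks.append((elapsed, body[offset:offset + int(count)]))
        offset += int(count)
    if offset != len(body):
        raise ValueError("timing file does not match typescript: truncated or tampered log")
    return chunks

def commands(chunks: List[Tuple[float, bytes]]) -> List[Command]:
    """Extract each command typed at a prompt, timed by the chunk that ended its line."""
    found, buf = [], b""
    for elapsed, data in chunks:
        buf += data
        while b"\n" in buf:
            line, _, buf = buf.partition(b"\n")
            m = PROMPT_RE.match(line.rstrip(b"\r").decode("utf-8", "replace"))
            if m:
                found.append(Command(elapsed, *m.groups()))
    return found

def outbound_target(command: str) -> Optional[str]:
    """Host a network-tool invocation connects to, or None if it is not one."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    if not argv or argv[0] not in NET_TOOLS:
        return None
    args = iter(argv[1:])
    for arg in args:
        if arg in OPTS_WITH_ARG:
            next(args, None)               # skip the option's value (e.g. the -p port)
        elif not arg.startswith("-"):
            return arg.rsplit("@", 1)[-1]  # drop any user@ prefix
    return None

def audit(cmds: List[Command], allowed_hosts: set) -> List[Tuple[str, Command]]:
    """Pair each out-of-scope outbound target with the command that reached for it."""
    return [(target, c) for c in cmds
            if (target := outbound_target(c.command)) and target not in allowed_hosts]

if __name__ == "__main__":
    for target, c in audit(commands(replay(SAMPLE_TYPESCRIPT, SAMPLE_TIMING)), ALLOWED_HOSTS):
        print(f"OUT OF SCOPE at {c.elapsed:.1f}s from {c.user}@{c.host}: {target} via '{c.command}'")
```

Two design points matter for the "not circumvented" concern. The audit flags outbound connections from every prompt, not only the jump box's, because a vendor can just as easily pivot from a supported host; and a timing file that does not cover the typescript is treated as an error rather than silently replayed, since a truncated or edited log is exactly what a reviewer must not trust. Prompt and option parsing assume a bash-style prompt and the common ssh/nc option forms; replay after the fact only detects the out-of-scope connection, so the restriction still has to be enforced on the network as well.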
eGuardPost™ Discussion

• eGuardPost provides the ability to answer the three questions:

• Who can access my systems?
• Provides granular authorization for administrative connections.
• Allows for strong authentication at entry to the protected environment.
• Provides the basis for a segmentation strategy.

• How can they access my systems?
• Secure connections provide privacy of information.
• Proxied connections prevent direct system-level connections that could
introduce malware or worms.
• Dual control is available to provide pre-implementation control.

• Who accessed my systems, and what did they do?
• Concise connection logging.
• Full session replay for review and reconstruction.

RVA Scenario

Questions
