Tuesday, March 23, 2010

Securing Offshore Remote Access

Question:
How to secure data and protect intellectual property while allowing remote access to remote consultants / outsourcing partners / offshore captive operations?

Answer:
This is a long procedural and legal discussion. Restricting access for remote administrators / consultants / offshore centers is not an actual “productivity” solution, so there is a clear need to share data in an intelligent and secure way.
Recently I have seen several discussions on policy-based governance and operational controls, but I was disappointed with the available technical options. Most of the articles I have seen so far were limited to over-the-counter canned answers like “We do use firewalls”, “We have SAS 70”, “We have strong authentication” or “We do have encryption”. The most joyful one (on an overseas web site describing how secure the outsourcing operations were) was: “We do use SecureFTP”.
Well, basic technical controls are nice, like using scrubbed test data, segmenting servers, using strong auth, physical data center security, or using full VPNs. But what if the requirement is to have real controls?

The technical controls can be deployed at 2 layers:
1- Controls at the Offshore Center: Regardless of the desktop security controls, end users at remote data centers can access and steal critical data; at the end of the day, who will stop them if they can take a 5 megapixel shot of their screens with their cell phones? So it is a good idea to have CCTV / camera-based monitoring where the access stations are (all remote access should be limited to secured facilities where possible; try to avoid roaming laptop-based remote workers). I use the term access station because it makes no sense to have regular desktops at offshore operational centers. Terminal server type solutions are great, but Citrix/terminal server type emulations do not work well for developers. I like virtual desktop infrastructure (VDI) for developers since it gives them full independence in a controlled environment. Base stations should be thin clients or must be managed (e.g. group policies with limited user rights) even if they are using the base station only for a terminal session.
If you do not have a captive center, and you do not have full control of the remote desktops or cannot enforce thin client stations or managed workstations, securing the other endpoint (where the terminal connection/Citrix/VDI session is run) is very difficult. In these cases, make sure that you require a VPN connection from the individual endpoints so that you can control split tunneling and apply/enforce pre-auth and during-auth posture checks, very much like a NAC. The idea is to require end users to install a security applet before they log in to your network and to run a cleanup prior to authentication. Create a one-time secure virtual workspace that expires at the end of the session. You may also create remediation and quarantine options for non-managed remote access.
When you are securing the remote offshore centers, never skip the “air” piece. Rogue AP detection is a key feature. Your remote switch must detect any device attached to the network, especially if it is working as a switch. Also, your policies must limit the usage of cell phones and other wireless gadgets.
Of course endpoint security is still key: full group policies, firewall/IPS, anti-malware, antivirus, encryption, rights management, etc. But it is much better to have it on a VDI system. It is also easier to control peripherals on a VDI.
Non-repudiation is another important point. Like the physical camera, a secure, remote, tamper-proof logging facility is highly recommended.
2- Controls at the server level: Consultants / remote system administrators / offshore developers do need to access servers in development, test and sometimes production environments. It is a mandate to enforce individual user identities, with full access audit. Actually, you can borrow the PCI requirements here. There are systems that record every single move (literally on a video file, e.g. ObserveIT) of a remote administrator. Or you can simply deploy privilege escalation management systems integrated with jump servers (e.g. SSH proxies, PowerBroker). Need-to-know access is essential, but even after the policy decisions, make sure that every activity is logged at different layers (network layer, OS layer, DB layer and application layer). Remote admins should never have access to the log settings or the log repository (tamper-proof logging is the key). This is the time to put SIEM solutions to use. Write correlation rules to alert you when suspicious activity is detected.
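
As an added example (not code from the original post or from any product named above), here is a small SIEM-style correlator in Python that implements the kind of rules this paragraph calls for. It parses constructed sshd-style log lines and alerts on four things: a session that did not come through the sanctioned jump server, a login with a shared account instead of an individual identity, any admin session on the tamper-proof log repository, and one identity fanning out across many production hosts in a short window. The host names, IP addresses, user names and log lines are all constructed for the example; a real deployment would feed the same rules from the SIEM's collector.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Environment knowledge a SIEM would hold (constructed for this example).
JUMP_HOSTS = {"10.10.0.5"}                      # the only sanctioned SSH proxy / jump server
LOG_REPOSITORY_HOSTS = {"log-vault-01"}         # tamper-proof log store; admins must never touch it
SHARED_ACCOUNTS = {"root", "admin", "oracle"}   # logins that carry no individual identity
PRODUCTION_HOSTS = {"prod-db-01", "prod-db-02", "prod-app-01", "prod-app-02"}
FAN_OUT_LIMIT = 3                               # distinct production hosts per user per window
FAN_OUT_WINDOW = timedelta(minutes=10)

# Constructed sample log lines in sshd / syslog style (not real data).
SAMPLE_LOGS = """\
Mar 23 09:58:10 prod-db-01 sshd[2101]: Accepted publickey for alice from 10.10.0.5 port 50123 ssh2
Mar 23 10:01:44 prod-app-01 sshd[2102]: Accepted publickey for alice from 10.10.0.5 port 50124 ssh2
Mar 23 10:03:02 prod-db-02 sshd[2103]: Accepted password for root from 10.10.0.5 port 50125 ssh2
Mar 23 10:04:31 prod-app-02 sshd[2104]: Accepted publickey for bob from 203.0.113.77 port 41000 ssh2
Mar 23 10:05:15 log-vault-01 sshd[2105]: Accepted publickey for alice from 10.10.0.5 port 50126 ssh2
Mar 23 10:06:40 prod-db-02 sshd[2106]: Accepted publickey for alice from 10.10.0.5 port 50127 ssh2
Mar 23 10:07:05 prod-app-02 sshd[2107]: Accepted publickey for alice from 10.10.0.5 port 50128 ssh2
Mar 23 10:09:12 prod-db-01 sshd[2108]: Failed password for carol from 10.10.0.5 port 50129 ssh2
"""

# Matches successful sshd logins only; failed attempts do not match "Accepted".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_logins(text):
    """Return successful SSH logins as dicts; other lines are skipped."""
    logins = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; deltas within one day are all we need here.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        logins.append({"ts": ts, "host": m.group("host"),
                       "user": m.group("user"), "src": m.group("src")})
    return logins


def correlate(logins):
    """Apply the four correlation rules; return (rule, user, host) alert tuples in log order."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, host)] of production logins inside the window
    for ev in logins:
        # Rule 1: every admin session must originate from the jump server.
        if ev["src"] not in JUMP_HOSTS:
            alerts.append(("JUMP_HOST_BYPASS", ev["user"], ev["host"]))
        # Rule 2: shared accounts defeat individual accountability.
        if ev["user"] in SHARED_ACCOUNTS:
            alerts.append(("SHARED_ACCOUNT_LOGIN", ev["user"], ev["host"]))
        # Rule 3: remote admins never log in to the log repository.
        if ev["host"] in LOG_REPOSITORY_HOSTS:
            alerts.append(("LOG_REPOSITORY_ACCESS", ev["user"], ev["host"]))
        # Rule 4: one identity touching many production hosts in a short window.
        if ev["host"] in PRODUCTION_HOSTS:
            window = [(t, h) for t, h in recent[ev["user"]] if ev["ts"] - t <= FAN_OUT_WINDOW]
            window.append((ev["ts"], ev["host"]))
            recent[ev["user"]] = window
            if len({h for _, h in window}) > FAN_OUT_LIMIT:
                alerts.append(("PRODUCTION_FAN_OUT", ev["user"], ev["host"]))
    return alerts


if __name__ == "__main__":
    for rule, user, host in correlate(parse_logins(SAMPLE_LOGS)):
        print(f"ALERT {rule}: user={user} host={host}")
```

On the sample data this raises one alert per rule: root on prod-db-02, bob reaching prod-app-02 directly from 203.0.113.77, alice on log-vault-01, and alice's fourth distinct production host inside ten minutes. Rule 4 is the one that needs state; the others are stateless and cheap enough to run on every line.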
Segmentation is another key, but today’s high-speed computing makes network-level firewalling very difficult. (If you have 100 servers with only 1 Gbps NICs, you will need a 100 Gbps full-duplex firewall, and as of today there is no IPS at that speed.) I do expect switch vendors to offer port-based firewalling / IPS in the very near future, but not today unless you have 7 figures to spend. Either way, segment your servers at the network level as much as possible. Even if you are using VMware, categorize servers physically according to their risk levels. There are also creative solutions like Apani Networks, Rohati Networks (now Cisco), or the NAC vendors for network-based segmentation using user identities. Basically, segmenting users by their user IDs instead of their source and destination addresses is better. You can even utilize secure de


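To make the "segment by user ID, not by address" point concrete, here is an added Python example (my own illustration, not the original post's code or any vendor's product). It evaluates a connection request against a policy keyed on the authenticated identity's groups, the destination server's risk tier and project, and the port, with default deny. Every request in the sample arrives from the same jump host address, so an address-based rule (shown beside it for contrast) cannot tell the offshore developer from the DBA, while the identity-based rule can. The server inventory, directory groups and policy rules are all constructed for the example.

```python
from dataclasses import dataclass

# Server inventory: name -> (risk tier, project). Constructed for this example.
SERVERS = {
    "dev-app-01":   ("development", "billing"),
    "test-db-01":   ("test",        "billing"),
    "prod-db-01":   ("production",  "billing"),
    "prod-db-02":   ("production",  "crm"),
    "log-vault-01": ("restricted",  "security"),
}

# Identity directory: user -> groups (what an AD/LDAP lookup or a NAC would supply).
DIRECTORY = {
    "alice": {"offshore-dev-billing"},
    "bob":   {"offshore-dba"},
    "carol": {"onsite-sre"},
}

JUMP_HOST = "10.10.0.5"


@dataclass(frozen=True)
class Rule:
    group: str
    tiers: frozenset      # risk tiers the group may reach
    projects: frozenset   # "*" means any project (need-to-know scoping)
    ports: frozenset      # "*" means any port


# Ordered allow rules; anything not matched is denied. No rule grants the restricted tier.
POLICY = [
    Rule("offshore-dev-billing", frozenset({"development", "test"}),
         frozenset({"billing"}), frozenset({22, 8080})),
    Rule("offshore-dba", frozenset({"test", "production"}),
         frozenset({"billing"}), frozenset({1521})),
    Rule("onsite-sre", frozenset({"development", "test", "production"}),
         frozenset({"*"}), frozenset({"*"})),
]


def decide(user, dest, port):
    """Identity-based decision: returns ('allow'|'deny', reason)."""
    if dest not in SERVERS:
        return "deny", f"unknown destination {dest}"
    tier, project = SERVERS[dest]
    groups = DIRECTORY.get(user)
    if not groups:
        return "deny", f"unknown identity {user}"
    for rule in POLICY:
        if rule.group not in groups or tier not in rule.tiers:
            continue
        if "*" not in rule.projects and project not in rule.projects:
            continue
        if "*" not in rule.ports and port not in rule.ports:
            continue
        return "allow", f"{rule.group} may reach {tier}/{project} on port {port}"
    return "deny", f"no rule lets {user} reach {dest} ({tier}/{project}) on port {port}"


def legacy_address_rule(src, port):
    """Address-based rule for contrast: anything from the jump host on a service port passes.
    It cannot distinguish alice from bob, because both sessions carry the same source address."""
    return "allow" if src == JUMP_HOST and port in {22, 1521, 8080} else "deny"


if __name__ == "__main__":
    requests = [("alice", "dev-app-01", 22), ("alice", "prod-db-01", 22),
                ("bob", "prod-db-01", 1521), ("bob", "prod-db-02", 1521),
                ("carol", "prod-db-02", 22), ("carol", "log-vault-01", 22)]
    for user, dest, port in requests:
        verdict, reason = decide(user, dest, port)
        print(f"{user:>6} -> {dest}:{port}  address-rule={legacy_address_rule(JUMP_HOST, port):5} "
              f"identity-rule={verdict:5}  ({reason})")
```

Note that the identity rule denies even the on-site SRE group access to the restricted log repository tier, which is the same "nobody touches the log store" requirement from the server-level controls, expressed as an absence of any allow rule rather than as an explicit block.
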
Again, none of the technical controls eliminate the need for governance, policy based controls and the risk management frameworks.
Full data life-cycle management, data privacy, data security, audit program, security management program (like ISO 27001)  are all essential. But technical controls do really help you to reach your security objectives.

Let me know if you have a detailed question.

Regards,
-    Yinal Ozkan