Secure privileged
remote access
to corporate resources

The solution based on Axidian Privilege controls remote access to corporate resources

SCHEDULE DEMO
prew-product

Task

Today, remote work is becoming an everyday routine, but companies may have different reasons for transitioning to remote work:

  • They may wish to reduce their office maintenance costs.
  • They may employ personnel residing in other countries and regions.
  • They may ask their employees on sick leave to work from home.
  • They may ask their personnel to work remotely during business trips.
  • They may wish to hire remote administrators and contractors.
  • Etc.

The key information security risks associated with remote work are rooted in the following factors:

  • Low security of the personal device of your remote employee
  • Low security of network environment at your employee’s workplace (whether they use a personal device or not)
  • The use of smartphones and tablets to connect to resources
  • Occasional risks associated with internet access from your employee’s workstation
  • Impossibility or high complexity of integration of corporate network security tools (including anomaly detection)
  • Provision of external access to the critical resources of your organization
  • Changes made in the networking architecture to enable prompt access to corporate resources (often this process does not involve any threat modeling)
  • Excessive privileges often granted to employees by default

At the same time, the job responsibilities of your remote workers and relevant connection protocols can be totally different, not to mention that some permissions may be temporarily withdrawn in case of remote work.

For example, an employee from your accounting department is on sick leave, but he/she needs to make a certain payment or insert data into your corporate financial apps. It is pretty obvious that it would be excessive to grant access to the entire desktop for such employees. It makes sense to permit temporary access (for a certain period of time during business hours) only to a specific financial app. Once your employee has done his/her job, the access rights can be withdrawn.

The list of arrangements required to set up remote access to your company’s infrastructure usually includes re-configuration of network equipment, VPN gateways, and network firewalls. When the transition to remote work is a part of a long-term plan, you will have enough time to simulate related threats and work out the potential risks associated with remote access.

However, if remote access is granted temporarily or in a hurry (for example, when you urgently need to connect an administrator to a remote desktop), the associated risks are usually not considered. Moreover, even in the case of planned transition to remote work, user privileges are rarely optimized/adjusted, and remote employees are often granted the same rights they had during their work in the office.

Another time-consuming task is setting up multiple access rules such as temporary access, scheduled access, and access upon approval. This can be especially difficult when all these rules must apply at the same time. For instance, your personnel should be granted direct access to corporate infrastructure during business hours and access upon approval (following explicit approval) beyond standard working time.

Issues related to the rapid deployment of remote access and ensuring its security, especially maintaining secure privileged access, can make your company vulnerable to security threats. The best solution would be to use specialized software suites for Privileged Access Management (a.k.a. Privileged User Management, Privileged Identity Management, Privileged Account Management).

These software solutions can help you significantly improve the quality of your current remote access management process.

Solution

If you want to boost the efficiency of your access management system and ensure the security of remote work at your company, you may want to utilize a PAM system that will allow you to set up prompt access to your corporate infrastructure for specified categories of employees.

In terms of architecture, Axidian Privilege is a jump server, and in order to start working remotely, your personnel will need to expressly connect to this server. If you use a jump server, you will no longer need to:

  • Configure networking settings on different devices.
  • Install additional software on target workstations.
  • Adjust the permissions granted to privileged users and other employees.

In a nutshell, Axidian Privilege offers the following remote access functionality:

  • A single remote access point
  • Access management policies based on the principle «what is not expressly permitted is forbidden»
  • Scheduled access and access upon approval
  • Two-factor authentication for enhanced security
  • Granular permissions to access target resources for each user
  • Etc.

These features will allow you to set up prompt remote access to almost any type of resource for various groups of users, which is essential in case of unforeseen and complex situations.

Intended use

A single remote access point

In terms of architecture, the PAM system is a dedicated group of servers, to which remote users need to connect if they want to work with target resources. The PAM connection interfaces can be located in the demilitarized zone (DMZ) of your corporate network, while the administrator interface can be hosted in a different segment of your network.

Unlike with network hardware, firewalls, and a next generation firewall (NGFW), in this case, the user will initially connect to the PAM system servers and only then to the target resource. This connection protocol will allow you to introduce additional measures to enable remote desktop user activity monitoring and event recording. Furthermore, in order to subsequently connect to the target resource, a user must be expressly logged into the PAM system and have access rights to a certain restricted list of resources.

The PAM system will be handled by an information security administrator rather than a network administrator, which will rule out the possibility of assigning unauthorized remote access rights by an employee who doesn’t have appropriate permissions.

Users will be connected via the RDP or SSH protocols, which will ensure maximum limitations on the network traffic in case of external access to the PAM system.

In light of the above, the PAM platform can be utilized not only when your company has a plan to transition to remote work, but also when you need to urgently deploy temporary remote access, including granting access to non-privileged users.

Two-factor authentication

The Axidian Privilege platform supports out-of-the-box 2FA with one-time passwords delivered to the user’s phone. This will help mitigate the threat of password theft for your employees with authorized remote access privileges.

Even if a password is stolen, the intruder will not be able to connect to the target resource without having the actual phone to which one-time passwords are sent. If the phone was lost, your employee will definitely notice this and notify the security administrators. After that, one-time passwords can be sent to another device.

2FA has an added advantage − it can also be used against internal malicious users (insiders). In case of remote connection, such users may steal information or disrupt the operation of one of the company’s services and then claim that their passwords were stolen and they are «victims» themselves, once the breach has been uncovered. If the two-factor authentication is used, such users can no longer say that they had nothing to do with recorded malicious activity. Insiders will have to admit that they are responsible for a security breach, or it occurred with their tacit consent if their phone was stolen and they failed to inform a security administrator in a timely manner.

Access management policy

Axidian Privilege relies on overarching access management policies, which eliminates the need for additional setup of various network equipment and target resources. It will enable you to use a single console for assigning access rights to almost any available target resource for any privileged user.

In addition to direct setup of «user-to-resource» access, access management policies will allow you to configure:

  • Access protocol, or target application
  • Allowed access time
  • Required approval before connection
  • Session monitoring and recording parameters
  • Privileged accounts available for connection
  • Etc.

All these settings are incorporated in one and the same solution and are available in a single console, which sets the Axidian Privilege system apart from other available access management technology.

Scheduled and temporary access

The Axidian Privilege software suite will allow you to schedule access to target servers and applications (for example, from 9am to 6pm), as well as assign temporary access rights (valid up until a certain date).

Similar access rules are available in network hardware (rules for filtering traffic by time periods), but they do not permit the use of other access management mechanisms and are often limited to actions (traffic is filtered at the node-to-node level).

You can use the PAM system to set up scheduled access and temporary access based on the «user-to-server» or «user-to-resource» rules. The list of target resources includes not only servers but also applications.

You can also opt to integrate the PAM system with the Service Desk (request processing system) via API, thereby enabling the automatic generation of scheduled access rules.

Access upon approval

Axidian Privilege supports the option of required prior access approval by the administrator or resource owner.

If you use network equipment, this access option can only be introduced manually, and you will also need to engage additional specialists. And in this case, no one can guarantee that the new «temporary» rules will be withdrawn when they are no longer needed.

You can use this option if a privileged user urgently needs to connect to a critical resource beyond standard business hours (for example, in the event of failure). If the PAM system is used, your employee will just need to specify the reason why they need to connect to your corporate infrastructure, which will be recorded in the event log.

Another situation concerns gaining access to a critical resource at any time, but only after obtaining explicit approval of the authorized personnel. All works should be carried out on the basis of relevant requests. However, it may be hard to establish a connection schedule (for example, if the connection is possible only when the server load is low, while the actual server load is a dynamic value).

Access via specialized protocols

You can use the Axidian Privilege access servers to configure access settings for target servers via various remote access and administration protocols.

The out-of-the-box Axidian Privilege solution supports the following most common remote access protocols:

  • RDP (Remote Desktop Protocol)
  • SSH (text console)
  • HTTP (web interface)

If you need to use a specialized proprietary protocol, you can publish a relevant application (thin client) on the built-in terminal server, connect to this app, and then use it for your subsequent operations on the target resource. It is worth mentioning that you will have an option to publish outdated and custom applications. This means that the system is designed to support even rare proprietary protocols, which otherwise may be close to impossible.

The Axidian Privilege functionality enables controlled and secure remote access to almost all categories of target resources for all categories of users.

Terminal access to applications

As one of its components, Axidian Privilege includes a dedicated access server based on the Microsoft RDS terminal server.

Thanks to this terminal server, the system not only supports additional proprietary and rare remote protocols but also allows direct publication of corporate applications.

This functionality may be useful when you require remote access to critical applications that are not related to the administration and management of IT components (financial applications, electronic document management system, etc.). In particular, Axidian Privilege will allow you to set up access schedules for such apps or request prior access approval on behalf of an administrator or another official.

Minimal user privileges

If you use the Axidian Privilege platform to set up controlled and secure remote access to your corporate resources, in many cases it may be sufficient to grant access rights only for a specific application, rather than an entire workstation or server. This way you can make sure that your users have minimal privileges, thereby reducing the risk of their erroneous and destructive activity on the target server.

The same is true for temporary access, scheduled access or access upon approval, and command input control. At your discretion, these rules can apply only to remote work, while your personnel will retain all privileges when they come to work on the company premises.

By using the Axidian Privilege functionality, you can significantly reduce the number of cases when you need to edit user privileges in a domain or corporate app. This, in turn, can help you save time and minimize the risk of errors when making adjustments in permissions.

Technical parameters

Supported protocols:

  • RDP;
  • SSH;
  • HTTP (s);
  • Any other proprietary protocols by publishing relevant applications

Additional access management options:

  • Temporary access
  • Scheduled access
  • Access upon approval
  • Privileged accounts used for remote access
  • Managing access to groups of resources

Supported user directories:

  • Active Directory.

Two-factor authentication technologies:

  • Password + TOTP (one-time password − password generation algorithm)

Remote access technologies:

  • RemoteApp (Microsoft Remote Desktop Server);
  • SSH Proxy.

Get the budget estimation of your project

GET QUESTIONNAIRE
prew-product-work

Industries

Learn how multiple industries enjoy benefits from implementing our products

Prev
Next

industry about us

quot-mark
avt-1
Andy Woo
Regional Director of Pacific Tech

At Pacific Tech, we are continuously evolving and bringing new solutions to our partners and customers in the region. We are delighted to be partnering with Axidian. With Axidian, we found a comprehensive access management solution which perfectly complements the growing population of Singapore work-from-home workers. As a leading cyber security solution provider, this strategic partnership is perfect for our two companies.

read more
quot-mark
avt-2
KC KuppingerCole Report
Executive view

Axidian’s innovative approach towards designing its whole product portfolio as a highly modular open application platform allows the customers to pick and choose the modules as needed and grow in the future as their business needs expand. Even out of the box, Axidian CertiFlow provides comprehensive yet convenient management capabilities for both administrators and end users.

read more
quot-mark
avt-3
Michael Bürger
Founder & Sales Partner at EU-HUB Network

Since approximately 5 years now I’m working with Axidian quite successfully. First as my vendor client and next as a trusted innovative software partner. Now we are re-selling Axidian software as a Distributor for the EU and beyond. Often I met Axidian CEOs, CTO, Product Management, Partner Managers and System Engineers, on the the phone and even in person in London and Munich and always my feeling was that this is are smart people, an excellent organized company, straight forward thinking and | don’t have any doubt that together we will be very successful this decade in the 2020s on everything we target.

quot-mark
avt-4
Leo Querubin
Executive Director for Business Development of Pointwest Technologies Corporation

The products of Axidian, like Axidian Access, a software for strong and multi-factor authentication (MFA), can provide the structural changes that force everyone to follow necessary cybersecurity procedures. Customers get the best of both worlds — the world-class cybersecurity products of Axidian and the experience and expertise of the local cybersecurity landscape of Pointwest.

read more
quot-mark
avt-4
Volkan Duman
Information Technologies General Manager at vMind

As a result of the long-term laboratory tests and studies that we conducted, we believe that Axidian products should certainly be on the Turkish market. Thanks to our partnership with Axidian, we sought to expand the access control and certificate management market, which is located in a narrow profile in the country, as well as add value by transferring technology to our country. When we compare Axidian products with similar products, we can safely say that they contain much more different features and are more inclusive.

read more
quot-mark
avt-4
Marko Pust
Director of OSI.SI

We have a long partnership with Axidian for more than 2 years already. I can confidently say that Axidian CertiFlow is one of the best and technologically enhanced products for managing digital certificates and smart cards on the EU market. This product has a number of unique features such as Client Agent and Axidian AirCard Enterprise network-attached smart card that are highly valued by our customers. One of the customers said that Axidian CertiFlow brought automation and visibility to their PKI life.

quot-mark
avt-4
Heng Lie
Director of Synnex Metrodata Indonesia

I believe that Axidian Access is an excellent solution for many of our clients. It manages access to all information systems of the enterprise and protects companies from internal and external cyber threats. It is a flexible platform combining different authentication scenarios and methods.

quot-mark
avt-4
Sergey Yeliseyev
X–Infotech Owner, Business Development Director, Government eID solutions

Axidian is the company of professionals in the field of information security. They provide top-level solutions for PKI management and access control to corporate resources. We recommend this company as a reliable partner.