Now is the Time for Stronger, Safer SRA
Forty-nine percent of respondents to a recent Ponemon Institute survey report that their organization uses Secure Remote Access (SRA) tools to allow employees and/or third-party vendors to connect remotely to operational technology (OT) environments. An additional 48% report using Virtual Private Networks (VPNs) for this same function, and 35% report using jump servers. If current trends continue, it won’t be long before a clear majority of industrial organizations permit remote access to industrial control systems (ICS), critical infrastructure, and other OT systems.
Unfortunately, traditional SRA tools – like VPNs and jump servers – provide neither the operational agility nor the level of security that modern industrial organizations require. Analyst firm Gartner® acknowledged this problem in a recent report entitled Innovation Insight: CPS Secure Remote Access Solutions. The report states, “Historical VPN and jump-server-based approaches have proven increasingly unsecure and complex to manage.”1
In part one of this blog series, we examined the security shortfalls of the virtual private network (VPN). VPNs have long been used to enable remote access to information technology (IT) services and applications. However, as numerous cyberattacks have demonstrated, VPNs can be relatively easily exploited to provide threat actors with unauthorized network access. This is far from ideal in the IT context, but it becomes potentially catastrophic when attackers are able to access and take control of the OT systems that run production lines, electrical grids, water treatment facilities, and other vital processes.
In this blog, we will take a deep look at the remote access solution known variably as a jump server, a jump box, and a jump host. Whichever name you use (we’ll continue from here with “jump server” for the sake of clarity), this technology faces serious security limitations and requires substantial overhead in terms of both cost and manpower.
Jump servers and VPNs are both tools used to enable remote access, but the way they create a connection differs, and they are generally used for different purposes. VPNs create a private tunnel between a user’s device and the network, allowing the user to work as if they were directly connected to the network. Jump servers, by contrast, are typically used as a gateway for managing and performing tasks on internal servers.
Most simply put, a jump server is a hardened and monitored device that serves as a means of access between two distinct security areas. The primary goal of a jump server is to limit direct access to critical systems, especially those that are inaccessible over the internet. All the resources that will be accessible via the jump server must be loaded onto the device and managed accordingly.
Interestingly, jump servers are frequently used in conjunction with a VPN. To provide external access to a jump server, one either directly exposes the protocol (RDP, SSH, VNC, telnet) to the outside world or “hides” it behind a VPN. In the latter scenario, the VPN provides the initial connection to reach the jump box, and then the jump server provides the last mile of access to the desired resource. Organizations may use the combination of jump server and VPN in an effort to enhance control over the connection, but as we shall soon see, jump servers simply do not offer the level of granular control required to ensure secure access to sensitive OT environments.
The only real security advantage of using a jump server is that users connect to the jump server and not to the organization’s own servers; however, the jump server itself must be treated like any other device and updated accordingly. If updates and patches are not properly applied, the jump server can quickly become a vulnerability.
Now, let’s explore some additional shortcomings of jump servers and see why the Cyolo PRO (Privileged Remote Operations) solution is a good choice for organizations looking to ensure secure remote access to critical assets.
The principle of least privilege states that users and devices should have access only to the resources they need to do their jobs – and nothing more. Limiting access in this way helps prevent potential unauthorized users (or disgruntled employees) from spreading malware across networks or causing other types of widespread damage.
Now, think of a jump server as a mini-computer. Users with access to the jump server will have access to all the assets and resources that have been loaded onto it. This leads almost inevitably to one of two problems: users will either be able to access assets beyond what they need, or scalability will become a huge challenge.
Loading multiple assets onto a single jump server can save organizational resources, but it increases risk by violating the principle of least privilege. The flip side – loading a single resource per jump server – is a more secure approach, but it creates a scalability problem that we will address below.
Cyolo PRO was designed to connect identities to applications, not users to networks. Following an identity verification process that includes multi-factor authentication (MFA), access is granted only to the needed tools and resources, in accordance with the principle of least privilege.
Cyolo PRO allows admins to quickly and easily set granular access policies far beyond what is possible with jump servers. This means not only that the organization retains greater control over access but also that if an unauthorized actor gains access, their movement would be restricted and the amount of harm they could cause severely curtailed.
Jump servers typically require MFA, and they often also have logging capabilities to ensure that access is auditable and limited only to authorized personnel. However, like VPNs, jump servers provide no visibility into or control over what users can do once they are connected to the desired resource. So, jump servers cannot detect or respond to unusual activity, nor can they block behavior that could heighten risk (such as uploading and downloading files). There is also no possibility to monitor sessions in real time or to provide temporary just-in-time (JIT) access that expires once the desired task is complete.
In addition to granting access according to the principle of least privilege and enforcing MFA as well as continuous authorization, Cyolo PRO provides an extensive range of crucial connectivity and supervisory controls. These include session recording, control over what specific actions may or may not be performed during a session, and the ability to terminate a connection in real time if suspicious behavior is detected. Supervised access or just-in-time (JIT) access can also be enabled as an added security protection for potentially risky users or those connecting to critical systems. And of course, all activity is fully logged and audited for compliance and incident response purposes.
Jump servers are not a “set it and forget it” type of tool. Quite the opposite, they require substantial and continuous management. Admins must not only load the required content onto each jump server, but they also need to regularly apply all patches and updates to ensure the jump servers themselves do not become a vulnerability. While these tasks can theoretically be automated, most OT environments will not prioritize this type of automation.
It’s too often accepted as fact that improving security means adding operational overhead. The team at Cyolo is committed to showing not just that this isn’t the case, but that an ideal security tool should actually reduce the burden on admins and security teams. As an agentless solution that’s simple to deploy, configure, and manage, Cyolo PRO is built to enhance operational agility and let admins work smarter, not harder.
We have already mentioned that jump servers face a trade-off between security and scalability. If security is the top priority, then jump servers should provide access to a single asset or resource. The problem is that for large organizations, this means building, updating, patching, and overseeing tens or potentially even hundreds of jump servers. It is easy to see how this could quickly become both a financial and administrative nightmare, and it harkens back to the previous point about operational burden. Unfortunately, the only way to scale down the number of jump servers needed is to load them with more than one asset – thereby reducing security.
Scalability is one of Cyolo PRO’s top strengths. The product’s unique architecture allows for simple, centralized management of both users and applications, and its multi-tenancy structure enables admins to easily manage, control, and standardize access and actions policies in multi-site global organizations as well as smaller ones. Deployment across even dozens of sites is fast and easy, and admins can set access and actions controls at both the application and user group levels, effectively taking the pain out of configuration and setup.
A remote user who connects to an OT device via a jump server likely does so with a stored shared password. If an incident occurs, the use of shared accounts makes it difficult or even impossible to determine the actual identity of the user who was connected at that moment. When every minute can lead to thousands of dollars in lost revenue during a security incident or production outage, the lack of comprehensive traceability impedes a speedy response and negatively impacts the bottom line.
An additional risk of shared accounts is that all former employees, not to mention every one-time technician or contractor, potentially retain the ability to log in and access critical systems even after their affiliation with the organization has ended.
With Cyolo PRO, shared accounts can provide convenience without the risk. All access is identity-based, even when connecting to a shared account. This means it is always possible to know the actual identity (user and/or device) that was logged in at a particular time, creating a record of accountability to be used during incident response. And to solve the problem of multiple users relying on a single password, Cyolo PRO includes a credentials vault that directly injects passwords as needed, keeping them hidden from users. So, past workers with good memories no longer pose a threat.
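The attribution gap described above, shown on constructed log lines as an added example (this is not Cyolo’s code, and both log formats, the `plc_maint` account and the `plc-07` target are hypothetical): a jump server that records only the shared account cannot answer “who held this account at 10:10?”, while an identity-aware broker that records the verified identity behind each shared-account session can.

```python
from datetime import datetime

# Constructed jump-server log (hypothetical format): only the shared account is recorded.
JUMP_SERVER_LOG = """\
2024-05-02T09:58:11Z event=login account=plc_maint src=10.1.4.20
2024-05-02T10:04:02Z event=login account=plc_maint src=10.1.4.31
2024-05-02T10:21:45Z event=logout account=plc_maint src=10.1.4.20
"""

# Constructed broker log (hypothetical format): verified identity per shared-account session.
BROKER_LOG = """\
2024-05-02T09:58:05Z session=s1 identity=alice@corp account=plc_maint target=plc-07 action=start
2024-05-02T10:03:58Z session=s2 identity=vendor.bob@ext account=plc_maint target=plc-07 action=start
2024-05-02T10:21:40Z session=s1 identity=alice@corp account=plc_maint target=plc-07 action=end
"""

UNKNOWN = "<shared account: identity not recorded>"


def parse_ts(stamp: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-05-02T10:10:00Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def parse_events(text: str):
    """Yield (timestamp, {key: value}) per line; both constructed formats share this shape."""
    for line in text.strip().splitlines():
        stamp, *fields = line.split()
        yield parse_ts(stamp), dict(f.split("=", 1) for f in fields)


def holders_at(text: str, account: str, at: datetime) -> set:
    """Identities holding `account` at instant `at`, replaying sessions up to that time.

    A session is keyed by its broker session id, or by source address on the jump
    server. When a log line carries no identity field (the jump-server case), the
    open session can only be reported as UNKNOWN: the log cannot name the person.
    """
    open_sessions = {}  # session key -> identity or UNKNOWN
    for ts, kv in parse_events(text):
        if kv.get("account") != account or ts > at:
            continue
        key = kv.get("session") or kv.get("src")
        if kv.get("action") == "start" or kv.get("event") == "login":
            open_sessions[key] = kv.get("identity", UNKNOWN)
        else:
            open_sessions.pop(key, None)
    return set(open_sessions.values())
```

Run against the broker log, `holders_at` names the people behind the shared account at any instant; run against the jump-server log, the same question only ever returns the UNKNOWN placeholder.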
Traditional methods of enabling remote access like jump servers and VPNs are likely creating a false sense of security for industrial organizations. Beyond the shortcomings we’ve already highlighted in the first two blogs of this series, both jump servers and VPNs often connect to workstations running out-of-date software releases that lack fixes for exploitable vulnerabilities. These legacy systems, which cannot easily accommodate modern security protocols, offer yet another opening for enterprising cybercriminals. And while adding more security solutions, such as privileged access management (PAM), may help close some gaps, doing so also increases complexity, further reduces operational agility, and creates even more work for overburdened security teams.
Cyolo PRO, by marked contrast, is built for the realities of OT and can even retrofit legacy systems with the ability to support modern identity authentication protocols like MFA. Stay tuned for the next blog in this series on how to modernize secure remote access and, in the meantime, learn more about Cyolo PRO.
1 Gartner, Innovation Insight: CPS Secure Remote Access Solutions, Katell Thielemann, Abhyuday Data, Wam Voster, 18 April 2024.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.