PAM-Demonium II: Long Live Remote Access
Introduction
Remember VPNs? Neither does your threat actor — they've moved on. In this act, we uncover how modern privileged access management (PAM) must handle privileged remote access with surgical precision, lest third-party contractors become accidental breach points.
Our story…
It was supposed to be a routine vendor check-in. Bob from "Totally Legit HVAC Services" logged in from a beach in Cabo, VPN'd straight into the network, and — by accident or margarita-induced bravado — triggered a script that took down the internal HR portal. He meant to check the thermostat API, but instead launched what the team would later call "The Great PTO Calculation Crisis."
The kicker? The credentials he used hadn't been rotated in 14 months. The last person to touch them was outsourced IT from three fiscal years ago. The incident report consisted of four screenshots, one beach selfie, and a note that simply said "Oops."
Moral of the story? If you're giving third parties privileged access without tight controls, you might as well hand them a flamethrower and a map to your data center.
The problem
Once upon a time, VPNs were the crown jewel of remote access — king of the castle, lord of the tunnel. But now? They're the dusty flip phone of cybersecurity: clunky, always on and way too trusting. In today's hybrid world, giving a contractor permanent VPN access is like handing your house keys to a food delivery driver because they "might" come by next month. We're past the point where 'always-on' equals 'always-secure.'
Example: In 2021, hackers compromised a third-party HVAC contractor's VPN credentials to breach Target's network. Once inside, they moved laterally into payment processing systems.
- VPN sprawl with standing access
- Shared credentials among vendors
- No audit trail for what actually happened
Business risk
Vendors and contractors are like in-laws — you didn't choose them, but they have access to everything. They log in from who-knows-where, at who-knows-when, and somehow always seem to have more privileges than your actual employees. Without tight controls, your external access strategy quickly turns into a reality show: Privileged and Unsupervised. Spoiler alert: The finale is a breach.
Example: In the SolarWinds breach, attackers compromised a vendor's privileged access, pivoting to internal networks and launching a devastating supply chain attack.
- Supply chain vulnerabilities
- Insider threat exposure
- Compliance gaps (think SOC 2, HIPAA, etc.)
What to do about it
If your remote access model still relies on trusting humans with full tunnels into your crown jewels, it's time for a rebrand — from remote access to remote attack surface. The good news? We now have tools that act more like bouncers than bellhops. Think JIT access, session approvals, credential injection — basically the cybersecurity equivalent of a velvet rope, guest list and metal detector, all rolled into one.
- Enforce just-in-time (JIT) access.
Example: Microsoft Azure allows time-bound privileged access using PIM, eliminating standing privileges for most admins.
- Require MFA and credential brokering for vendors.
Example: A manufacturing company implemented BeyondTrust PRA to broker third-party access via ephemeral credentials and enforced MFA per session.
- Monitor and terminate sessions in real-time.
Example: A major telecom uses real-time analytics to identify anomalous session behavior and terminate sessions with embedded keystroke tracking.
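To make the three controls above concrete, here is an added example of a minimal just-in-time access broker. It is not code from this post or from any vendor named in it; the class and function names, the four-hour grant cap and the per-target command allow-list are assumptions made for illustration. It shows a grant that cannot be issued without an approver and a fresh MFA check, an ephemeral credential that lives only inside the broker and dies with the session, and a session monitor that writes an audit record for every command and terminates the session (revoking the credential) the moment a command falls outside policy.

```python
"""Added example (not from the post or any vendor it names): a minimal
just-in-time access broker for third-party sessions. It models three controls
the post calls for: time-bound grants gated on approval and MFA, per-session
ephemeral credentials that are injected rather than shared, and real-time
session monitoring that terminates on a policy breach. Names, the grant cap
and the allow-list are assumptions made for this example."""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Grant:
    grant_id: str
    vendor: str
    target: str
    expires_at: float          # Unix time; no standing access after this
    credential: str            # ephemeral, known only to the broker
    revoked: bool = False


@dataclass
class Session:
    session_id: str
    grant_id: str
    commands: list = field(default_factory=list)
    terminated_reason: Optional[str] = None


class JitBroker:
    MAX_GRANT_SECONDS = 4 * 3600      # assumption: hard cap on any single grant
    # assumption: anything outside the target's allow-list ends the session
    ALLOWED_COMMANDS = {"hvac-api": {"get-thermostat", "set-setpoint", "list-zones"}}

    def __init__(self):
        self.grants = {}
        self.sessions = {}
        self.audit = []          # the "receipts": one record per decision and command

    def _log(self, event, **fields):
        self.audit.append({"event": event, **fields})

    def request_access(self, vendor, target, seconds, approved_by, mfa_verified, now):
        """Issue a time-bound grant only after approval and a fresh MFA check."""
        if not approved_by:
            self._log("denied", vendor=vendor, target=target, reason="no approval")
            raise PermissionError("access request needs an approver")
        if not mfa_verified:
            self._log("denied", vendor=vendor, target=target, reason="mfa failed")
            raise PermissionError("MFA required for every vendor session")
        ttl = min(seconds, self.MAX_GRANT_SECONDS)
        grant = Grant(grant_id=secrets.token_hex(8), vendor=vendor, target=target,
                      expires_at=now + ttl, credential=secrets.token_urlsafe(32))
        self.grants[grant.grant_id] = grant
        self._log("grant", grant_id=grant.grant_id, vendor=vendor, target=target,
                  approved_by=approved_by, expires_at=grant.expires_at)
        return grant.grant_id

    def open_session(self, grant_id, now):
        """The broker connects with the ephemeral credential; the vendor never sees it."""
        grant = self.grants.get(grant_id)
        if grant is None or grant.revoked or now >= grant.expires_at:
            self._log("session_refused", grant_id=grant_id, at=now)
            raise PermissionError("grant missing, revoked or expired")
        session = Session(session_id=secrets.token_hex(8), grant_id=grant_id)
        self.sessions[session.session_id] = session
        self._log("session_open", session_id=session.session_id, vendor=grant.vendor,
                  target=grant.target, at=now)
        return session.session_id

    def observe(self, session_id, command, now):
        """Real-time monitor: record every command, terminate on a policy breach.
        Returns True while the session stays alive, False once terminated."""
        session = self.sessions[session_id]
        grant = self.grants[session.grant_id]
        if session.terminated_reason:
            return False
        session.commands.append((now, command))
        self._log("command", session_id=session_id, command=command, at=now)
        if now >= grant.expires_at:
            return self._terminate(session, grant, "grant expired mid-session", now)
        if command not in self.ALLOWED_COMMANDS.get(grant.target, set()):
            return self._terminate(session, grant, "command not allowed: " + command, now)
        return True

    def _terminate(self, session, grant, reason, now):
        session.terminated_reason = reason
        grant.revoked = True            # the credential dies with the session
        grant.credential = ""
        self._log("session_terminated", session_id=session.session_id, reason=reason, at=now)
        return False


def demo():
    """Constructed scenario: the HVAC vendor from the story, under JIT control."""
    broker = JitBroker()
    t0 = 1_700_000_000.0
    gid = broker.request_access("bob@hvac-vendor", "hvac-api", seconds=1800,
                                approved_by="ops-oncall", mfa_verified=True, now=t0)
    sid = broker.open_session(gid, now=t0 + 5)
    broker.observe(sid, "get-thermostat", now=t0 + 10)          # in policy, stays alive
    alive = broker.observe(sid, "reset-hr-portal", now=t0 + 20)  # out of policy, terminated
    return broker, gid, sid, alive
```

Running `demo()` walks the story's scenario: the first command is in policy, the second is not, and the broker both ends the session and revokes the grant, so a later `open_session` with the same grant id is refused. The audit list is the trail the story's incident report lacked: approver, expiry, every command with a timestamp, and the reason the session ended.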
Top 3 vendors for privileged remote access
- BeyondTrust Privileged Remote Access
Secure third-party and internal access without VPNs; includes session recording, JIT access and credential injection.
🔗https://www.beyondtrust.com/remote-access
- Delinea Secret Server
Provides secure PAM capabilities including remote session brokering, access request workflows and vaulting.
🔗https://delinea.com/products/secret-server
- ManageEngine PAM360
Offers granular remote access control, approval workflows and real-time session oversight for hybrid environments.
🔗https://www.manageengine.com/privileged-access-management/
Closing thought…
Privileged remote access shouldn't feel like handing out guest passes to your data center's VIP lounge, but that's exactly what happens when anyone with a VPN and a vague job title gets 24/7 admin rights. Just-in-time access? More like Just-In-Case-We-Get-Breached access.
The reality is, giving third-party vendors always-on access to critical systems is the cybersecurity equivalent of giving your neighbor a garage code in 2019 and then forgetting about it until they "borrow" your snowblower, lawn mower and half your holiday decorations.
Modern remote access needs boundaries, receipts and the digital equivalent of a nosy security guard with a clipboard. Start using ephemeral sessions, session recording and strong identity verification—or you'll find out the hard way who was "working on production" at 3:17 a.m. last Saturday.
Read on for Part 3: PAM-Demonium III: CSI: Session Control