Overview
Remote Access Security encompasses the controls, technologies, and practices that ensure administrative sessions to production systems are authenticated, authorized, encrypted, monitored, and auditable. Administrators rarely sit next to the servers they manage; remote protocols such as SSH, RDP, and web consoles bridge the gap between the administrator and the target system. Without proper controls these connections become attack vectors: credentials can be captured, sessions can be hijacked, and commands can be executed without attribution. A secure remote access architecture typically includes jump servers or bastion hosts that serve as choke points, MFA before session establishment, integration with a credential vault so that passwords are injected rather than typed, and session recording for forensic reconstruction. Modern approaches extend these concepts through Zero Trust Network Access (ZTNA), which grants application-level access based on identity and context rather than network location.
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Remote access architecture | Direct access, Jump server/bastion, Connection broker, ZTNA | Jump server for traditional; ZTNA for modern cloud-native | Direct access to production should be eliminated |
| Protocol security | Standard SSH/RDP, Certificate-based SSH, Jump proxy termination | Certificate-based SSH; PAM-brokered RDP with NLA | Key-based SSH without central control creates key sprawl |
| Authentication model | Password, SSH keys, Certificate-based, Hardware MFA | Certificate-based with hardware MFA for Tier 0; MFA everywhere | MFA should be enforced at the bastion, not just the PAM portal |
| Credential handling | User brings credentials, PAM vault injection, Transparent proxy | PAM vault injection; users never see privileged passwords | Visible credentials can be captured by keyloggers or cameras |
| Network exposure | VPN + bastion, Bastion on internet, ZTNA broker | ZTNA preferred; VPN + bastion for legacy environments | Internet-exposed bastions require hardening and monitoring |
| Session monitoring | Logging only, Recording, Real-time view + intervention | Full recording with real-time intervention for Tier 0 | Logging without recording cannot reconstruct sessions |
Architecture & Reference Patterns
Pattern 1: Jump Server (Bastion Host)
Single entry point for administrative access, deployed in a secured network segment. Administrators connect to the jump server first, then initiate sessions to target systems from it. All traffic is logged and recorded at the jump server, and firewall rules on the production segment accept administrative protocols only from the jump server's addresses, blocking direct access from the corporate network. Where the client supports it, prefer transit-style use of the bastion (OpenSSH ProxyJump) over an interactive shell on the bastion itself: the administrator's keys and credentials never land on the shared host, and the bastion's own attack surface stays small.
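The enforcement half of this pattern is a host firewall on every production system that answers SSH only to the bastion. The script below is an added example, not configuration from the page or from any vendor: it renders an nftables ruleset for a Linux production host, logs every other SSH attempt with a fixed prefix so a SIEM rule can count bypass attempts, and parses the result with nft if it is available. The addresses (bastion subnet 10.10.0.0/24, PAM broker 10.10.1.5) and the service port 443 are assumptions; nothing is applied unless it is run as root with --apply.

```shell
#!/bin/sh
# Added example (not from the page): nftables rules that enforce the jump-server
# pattern on a Linux production host. SSH is accepted only from the bastion / PAM
# broker; any other SSH attempt is logged with a recognisable prefix and dropped.
# Assumed addresses: bastion subnet 10.10.0.0/24, PAM broker 10.10.1.5; the host
# serves HTTPS on 443. Run as root with --apply to load it; otherwise it is printed.
set -eu

ADMIN_SOURCES="${ADMIN_SOURCES:-10.10.0.0/24, 10.10.1.5}"
SERVICE_PORTS="${SERVICE_PORTS:-443}"

# The weak rule this replaces (SSH reachable from the whole corporate network):
#   tcp dport 22 accept

# render_ruleset -> complete nft ruleset text on stdout
render_ruleset() {
  cat <<EOF
flush ruleset
table inet filter {
    set admin_sources {
        type ipv4_addr
        flags interval
        elements = { $ADMIN_SOURCES }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request accept
        # administrative path: SSH only from the bastion / broker
        ip saddr @admin_sources tcp dport 22 accept
        # anything else on 22 is a bypass attempt: log it (counts toward the KPI), then drop
        tcp dport 22 log prefix "ssh-bypass: " level warn drop
        # the workload itself
        tcp dport { $SERVICE_PORTS } accept
    }
}
EOF
}

# check_ruleset -> runs nft's parser in check mode when nft is present and we are root;
# otherwise just says so (the ruleset is still printed by the caller)
check_ruleset() {
  if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    render_ruleset | nft -c -f -
  else
    echo "nft not available as root; skipping parse check" >&2
  fi
}

case "${1:-}" in
  --apply) render_ruleset | nft -f - ;;
  *)       render_ruleset; check_ruleset ;;
esac
```

Because the set uses `flags interval`, a single broker address and a whole bastion subnet can live in the same set, and adding a second bastion site is an element change rather than a new rule. The `ssh-bypass:` prefix lands in the kernel log, which is the "direct access attempt" signal the risk table refers to.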
Pattern 2: PAM Connection Broker
Administrators connect through a PAM platform that brokers the session. The user authenticates to PAM, selects the target system, and PAM retrieves credentials from the vault, establishes the session to the target, and injects credentials. The administrator's client connects to PAM, not directly to the target. Session recording occurs at the PAM layer.
Pattern 3: Zero Trust Network Access (ZTNA)
Application-level access based on identity and device posture. No network-level connectivity granted; instead, a broker validates the user's identity, device compliance, and authorization before creating an encrypted tunnel to the specific application. Works well for cloud resources and geographically distributed infrastructure.
Pattern 4: SSH Certificate Authority
Replace static SSH keys with short-lived certificates issued by a CA. Administrators authenticate to the CA (often via PAM, with MFA), receive a certificate valid for hours, and use it for SSH access. Target systems trust the CA's public key (sshd's TrustedUserCAKeys) and map certificate principals to local accounts, so no per-host authorized_keys distribution is required. Expiry eliminates standing access, but keep a revocation path (a KRL published to targets via RevokedKeys) for certificates that must be cut off inside their validity window, and pin certificates to the bastion's address range with the source-address critical option so that a stolen certificate is useless from anywhere else.
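The full lifecycle of one certificate, as an added example rather than code from the page or from any PAM product: mint a user CA, sign an administrator's key for eight hours with a restricted principal and a source-address pinned to the bastion range, decode the result, revoke the serial with a KRL, and write the sshd drop-in a target host needs. The names (CA comment user-ca, admin alice, principal ops-admin, bastion range 10.10.0.0/24, the /etc/ssh paths in the drop-in) are assumptions; the script only writes to a temporary directory and needs nothing but ssh-keygen.

```shell
#!/bin/sh
# Added example, not code from the page: issue a short-lived OpenSSH user
# certificate from a user CA, pin it to the bastion's address range, revoke it
# with a KRL, and emit the sshd lines a target host needs. All names are
# hypothetical (CA "user-ca", admin "alice", principal "ops-admin", bastion
# range 10.10.0.0/24). Everything is written to a temporary directory.
set -eu

if ! command -v ssh-keygen >/dev/null 2>&1; then
  echo "ssh-keygen (openssh-client) not found; nothing to demonstrate" >&2
  exit 0   # a skip, not a failure: the demo is a no-op on hosts without OpenSSH
fi

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
BASTION_CIDR="10.10.0.0/24"   # assumed egress range of the bastion / PAM broker

# 1. User CA key pair. In production the private half lives in the PAM/CA service
#    or an HSM and is never copied to a bastion or target.
ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$WORK/user_ca"

# 2. The administrator's key pair (a PAM-integrated flow would mint this per login).
ssh-keygen -q -t ed25519 -N '' -C 'alice' -f "$WORK/alice"

# issue_cert SERIAL PRINCIPAL VALIDITY -> signs alice.pub into alice-cert.pub.
# -O clear drops the default extensions (agent/port/X11 forwarding) and permit-pty
# re-adds the one an interactive session needs; source-address is a critical
# option, so sshd rejects the certificate when presented from any other address.
issue_cert() {
  ssh-keygen -q -s "$WORK/user_ca" -I "alice@pam-session-$1" -n "$2" -z "$1" -V "$3" \
    -O clear -O permit-pty -O "source-address=$BASTION_CIDR" "$WORK/alice.pub"
}

# cert_has CERT PATTERN -> success if the decoded certificate listing contains PATTERN
cert_has() {
  ssh-keygen -L -f "$1" | grep -q -- "$2"
}

# revoke_serial SERIAL -> adds that serial (under this CA) to revoked.krl
revoke_serial() {
  printf 'serial: %s\n' "$1" > "$WORK/revoke.spec"
  ssh-keygen -q -k -f "$WORK/revoked.krl" -s "$WORK/user_ca.pub" "$WORK/revoke.spec"
}

# is_revoked CERT -> success if revoked.krl revokes the certificate (ssh-keygen -Q
# exits non-zero for a revoked key, which is the signal sshd acts on via RevokedKeys)
is_revoked() {
  ! ssh-keygen -Q -f "$WORK/revoked.krl" "$1" >/dev/null
}

# write_target_sshd_snippet -> what a target host carries instead of authorized_keys
write_target_sshd_snippet() {
  cat > "$WORK/50-user-ca.conf" <<EOF
# drop-in for /etc/ssh/sshd_config.d/ on every target (paths are assumptions)
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
RevokedKeys /etc/ssh/revoked.krl
EOF
}

issue_cert 42 ops-admin +8h
ssh-keygen -L -f "$WORK/alice-cert.pub"   # Serial, Valid: from/to, Principals, Critical Options
revoke_serial 42
write_target_sshd_snippet
if is_revoked "$WORK/alice-cert.pub"; then
  echo "serial 42 is now rejected by any host with this RevokedKeys file"
fi
```

On the target, `/etc/ssh/auth_principals/ops` would contain the line `ops-admin`, so the certificate logs in as `ops` and never as a principal it was not issued for; the KRL is the piece most SSH CA rollouts forget, and distributing it (or polling it) to targets belongs in the same pipeline that distributes the CA public key.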
Implementation Approach
Phase 0: Discovery
Inputs: Network architecture, current remote access methods, compliance requirements
Outputs: Remote access inventory, risk assessment, requirements document
Key activities:
- Inventory current remote access methods (VPN, RDP, SSH, web consoles)
- Map network flows for administrative access
- Identify direct access paths that bypass controls
- Document compliance requirements for remote access
- Assess user population and access patterns
- Evaluate ZTNA readiness and feasibility
Phase 1: Design
Inputs: Requirements document, security architecture, PAM platform capabilities
Outputs: Remote access architecture, protocol specifications, network design
Key activities:
- Design remote access architecture (bastion, broker, ZTNA)
- Specify protocol security requirements (SSH ciphers, RDP NLA, TLS versions)
- Plan network segmentation and firewall rules
- Design authentication flow with MFA requirements
- Integrate with PAM for credential injection and session recording
- Define certificate-based authentication where applicable
- Plan user experience and workflow changes
Phase 2: Build & Integrate
Inputs: Design documents, infrastructure, PAM platform
Outputs: Deployed bastion/broker infrastructure, integrated PAM, configured protocols
Key activities:
- Deploy and harden bastion hosts or connection brokers
- Configure PAM connection manager integration
- Implement protocol security hardening (SSH, RDP)
- Deploy SSH certificate authority if applicable
- Configure network firewall rules to enforce architecture
- Implement session recording and SIEM integration
- Deploy ZTNA components for applicable systems
- Test end-to-end administrative workflows
Phase 3: Rollout
Inputs: Deployed infrastructure, user communication, training
Outputs: Enforced remote access controls, trained users
Key activities:
- Migrate administrators to new remote access method in phases
- Train users on new workflows and MFA requirements
- Block direct access paths via firewall rules
- Monitor for attempts to bypass controls
- Establish support procedures for access issues
- Communicate policy requiring compliant remote access
Phase 4: Operate
Inputs: Operational remote access infrastructure, monitoring
Outputs: Maintained secure access, compliance evidence, incident response
Key activities:
- Monitor bastion/broker availability and performance
- Review session recordings for policy violations
- Investigate direct access attempts or anomalies
- Maintain protocol security (update ciphers, patch systems)
- Manage certificate authority and certificate lifecycle
- Review and update access policies
- Generate compliance evidence for audits
Deliverables
- Remote access architecture diagram
- Protocol security specification (approved ciphers, protocols)
- Jump server/bastion hardening guide
- Network segmentation and firewall rules
- PAM connection manager configuration
- SSH CA implementation guide (if applicable)
- User access workflow documentation
- Session recording and review procedures
Risks & Failure Modes
| Risk | Likelihood | Impact | Early Signals | Mitigation |
|---|---|---|---|---|
| Direct access paths bypass controls | M | H | Network traffic analysis shows bypasses; unrecorded sessions | Firewall enforcement; network monitoring; periodic access audits |
| Bastion host compromise | L | H | Anomalous bastion activity; IDS alerts | Hardening; patch management; monitoring; PAW for bastion access |
| Jump server outage blocks all administrative access | M | H | Availability alerts; administrator complaints | HA deployment; break-glass direct access procedures |
| Credential theft during session | M | H | Credential use without vault checkout | Vault credential injection so passwords never reach the endpoint; never display privileged passwords to the user; broker-side keystroke logging to detect reuse |
| SSH key sprawl with direct server access | H | M | Large number of authorized_keys entries; unmanaged keys | SSH CA; key discovery and removal; PAM enforcement |
| VPN compromise provides network access to production | M | H | Anomalous VPN traffic; lateral movement indicators | ZTNA migration; micro-segmentation; bastion enforcement |
KPIs / Outcomes
- Compliant access rate: Percentage of administrative sessions through approved path (target: 100%)
- Direct access attempts: Count of blocked direct access attempts (track trend, investigate)
- Session recording coverage: Percentage of administrative sessions recorded (target: 100%)
- Bastion availability: Jump server/broker uptime (target: 99.9%)
- MFA compliance: Percentage of sessions with MFA (target: 100%)
- Certificate adoption: Percentage of SSH access via certificates vs. keys (track migration)
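The first two KPIs above, and the "unrecorded sessions" early signal in the risk table, both reduce to one question about each accepted login on a production host: did it arrive from the bastion or broker, or from somewhere else? The script below is an added example, not tooling from the page or from any vendor: a POSIX sh/awk classifier that reads sshd and firewall log lines, matches the source address against the approved administrative sources with real CIDR arithmetic, prints the compliant access rate and the count of blocked direct attempts, and lists the sessions that bypassed the bastion. The log lines are constructed for the demo, and the addresses (bastion 10.10.0.0/24, PAM broker 10.10.1.5, the `ssh-bypass:` log prefix) are assumptions.

```shell
#!/bin/sh
# Added example (not from the page): compute the "compliant access rate" and
# "direct access attempts" KPIs from sshd / firewall log lines and list the
# sessions that bypassed the bastion. The log lines are constructed for the demo;
# the approved sources (bastion 10.10.0.0/24, PAM broker 10.10.1.5) are assumed.
set -eu

ADMIN_SOURCES="10.10.0.0/24 10.10.1.5"   # space-separated CIDRs or single addresses

# Constructed sample: two bastion/broker logins, one direct root login with a
# password, one firewall-dropped attempt, and one unrelated failure.
SAMPLE_LOG=$(cat <<'EOF'
Mar  3 09:12:01 db01 sshd[2211]: Accepted publickey for ops from 10.10.0.17 port 50212 ssh2: ED25519-CERT SHA256:abc ID alice@pam-session-42 (serial 42) CA ED25519 SHA256:def
Mar  3 09:15:44 db01 sshd[2290]: Accepted publickey for ops from 10.10.1.5 port 41000 ssh2: ED25519-CERT SHA256:ghi ID bob@pam-session-43 (serial 43) CA ED25519 SHA256:def
Mar  3 09:20:03 db01 sshd[2350]: Accepted password for root from 192.168.5.23 port 53321 ssh2
Mar  3 09:21:10 db01 kernel: ssh-bypass: IN=eth0 OUT= SRC=192.168.5.40 DST=10.20.0.11 PROTO=TCP SPT=50991 DPT=22 SYN
Mar  3 09:30:55 db01 sshd[2400]: Failed password for invalid user admin from 203.0.113.9 port 2222 ssh2
EOF
)

# classify_sessions MODE   (log lines on stdin)
#   summary -> one line: accepted=N compliant=N bypass=N blocked=N rate=NN.N
#   bypass  -> the accepted-login lines whose source is not an approved admin source
classify_sessions() {
  awk -v mode="$1" -v sources="$ADMIN_SOURCES" '
  # dotted quad -> integer; CIDR ranges are compared as integer intervals so the
  # script needs no bit operators (portable to POSIX awk)
  function ip2n(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
  function in_admin(ip,  i, n) {
    n = ip2n(ip)
    for (i = 1; i <= nsrc; i++) if (n >= lo[i] && n <= hi[i]) return 1
    return 0
  }
  BEGIN {
    nsrc = split(sources, src, " ")
    for (i = 1; i <= nsrc; i++) {
      size = (split(src[i], p, "/") == 2) ? 2 ^ (32 - p[2]) : 1
      lo[i] = int(ip2n(p[1]) / size) * size   # network address
      hi[i] = lo[i] + size - 1                # broadcast address
    }
  }
  / sshd\[[0-9]+\]: Accepted / {
    for (i = 1; i <= NF; i++) if ($i == "from") src_ip = $(i + 1)
    accepted++
    if (in_admin(src_ip)) compliant++
    else { bypass++; if (mode == "bypass") print }
  }
  / kernel: .*ssh-bypass: / { blocked++ }   # dropped at the host firewall
  END {
    if (mode == "summary")
      printf "accepted=%d compliant=%d bypass=%d blocked=%d rate=%.1f\n",
        accepted, compliant, bypass, blocked, accepted ? 100 * compliant / accepted : 0
  }'
}

printf '%s\n' "$SAMPLE_LOG" | classify_sessions summary
# -> accepted=3 compliant=2 bypass=1 blocked=1 rate=66.7
printf '%s\n' "$SAMPLE_LOG" | classify_sessions bypass
```

In production the same classifier runs over the day's auth logs from every host (`journalctl -u ssh` or the collected syslog feed), the `bypass` lines become investigation tickets, and the `blocked` count is the trend line for the "direct access attempts" KPI; a rate below 100% on any host means a firewall rule or an unmanaged authorized_keys entry still lets someone around the bastion.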
Workshop Questions
Security / IAM
- What remote access protocols are currently in use, and which can be consolidated?
- What MFA methods are acceptable for remote administrative access?
- How should emergency remote access work when normal paths are unavailable?
- What network segmentation exists between administrative sources and targets?
- How should remote access for third-party vendors be handled?
App Owners
- What administrative interfaces do your systems expose (SSH, RDP, web console)?
- Are there systems that require direct access due to protocol limitations?
- What is your tolerance for remote access path changes affecting your team?
- Do you have systems in DMZ or cloud that require different access paths?
- What administrative tools do your teams use that must work through the new architecture?
Operations / Helpdesk
- What is the current remote access workflow, and what friction points exist?
- How do administrators access systems during off-hours or incidents?
- What support do administrators need when remote access fails?
- How should new administrators be onboarded to remote access systems?
- What training do administrators need for new remote access workflows?
Requirements Gathering Checklist
- [Security] Inventory current remote access protocols and paths
- [Security] Define MFA requirements for remote administrative access
- [Security] Document protocol security requirements (ciphers, versions)
- [Security] Specify session recording requirements
- [Architecture] Design jump server/bastion architecture with HA
- [Architecture] Plan network segmentation and firewall rules
- [Architecture] Define ZTNA scope and migration approach
- [Architecture] Plan SSH certificate authority if applicable
- [PAM] Document PAM connection manager integration requirements
- [PAM] Define credential injection workflows
- [PAM] Specify session recording integration
- [Operations] Document administrator workflows requiring remote access
- [Operations] Define break-glass procedures for access outage
- [Operations] Establish on-call support procedures
- [Compliance] Map remote access controls to regulatory frameworks
- [Compliance] Document audit evidence requirements for remote sessions
References
- NIST SP 800-53 Rev 5 - AC-17 Remote Access - Federal remote access requirements
- CIS Controls v8 - Control 12: Network Infrastructure Management - Network device remote access
- CIS Controls v8 - Control 6: Access Control Management - Privileged remote access
- NIST SP 800-46 - Guide to Enterprise Telework - Remote access security guide
- Microsoft - Secure Administrative Hosts - Bastion host guidance
- OpenSSH Certificate Authentication - SSH CA implementation
- Cloudflare Access / Zscaler Private Access - ZTNA reference implementations
- BeyondTrust Privileged Remote Access - PAM remote access capabilities
- CyberArk PSM for SSH/RDP - Connection broker implementation
