In a recent HTN Now session, we heard from Sarah Gay, cyber security manager at the University Hospitals of Derby and Burton NHS Foundation Trust (UHDB) and Martin Knight, international sales manager for privileged access management at Imprivata. They took us through a case study, exploring UHDB’s approach to access management and managing third-party vendors.
The presentation covered a range of key areas, including why the trust needed a solution for vendor access, the process of finding a solution, how they decided on Imprivata and the implementation process, along with benefits and challenges seen along the way.
Imprivata: an overview
Martin began by giving us an overview of Imprivata and their vendor privilege access management system (VPAM), formerly known as Securelink Enterprise Access, which he described as “a remote access platform that enables organisations to securely provide and manage vendor access to their internal critical systems while increasing the team’s efficiency and productivity”.
He then explained some of the common challenges and risks that are often faced by organisations when it comes to third-party access: “While most organisations understand there are risks associated with any privileged access, especially for external users, it may be surprising to hear how prevalent and great the risks actually are. Around 56 percent of organisations have experienced a third-party data breach.” Speaking on why this number is so high, Martin said it’s usually because “most organisations don’t have a standardised, purpose-built solution to manage vendor access”.
One of the most common ways of giving vendors access in the past has been through VPNs and accounts that are created in Active Directory, Martin said, before explaining how this creates a “variety of security vulnerabilities” while also being “very manual to manage, imposing a high burden on the IT team”. He added that this can also take days to set up, leading to helpdesk teams being inundated with password resets or troubleshooting requests.
Delving deeper into the statistics, he went on to share that “67 percent of organisations find managing third-party admissions and access overwhelming and a drain on internal resources”, with a further 51 percent of organisations lacking the comprehensive inventory and visibility of all the third parties that have access to their network, meaning “they don’t actually know who has access”.
Because of this, most organisations are in the dark when it comes to what the vendors are actually doing, Martin added, and they also have “very little control over what they can access, so most vendors have more privileged access than they actually need to do their job”. For Martin, “trusting the vendor to only access what they should, when they should, isn’t a solid security practice”.
Case Study: University Hospitals of Derby & Burton NHSFT share their approach to access management
Sarah gave some background to her role and the cyber security team at UHDB. “I’ve worked in the NHS for over 20 years. I spent many years working in the server team before starting my current role, leading the cyber security team. The team itself is responsible for monitoring the network, endpoints, servers and systems. We respond to alerts and work on improving our security posture by managing software vulnerabilities and liaising with our internal technical teams and suppliers.”
With multiple clinical systems throughout the trust, supported both internally and by third-party suppliers, Sarah explained that remote access was essential, adding that it is now one of the many systems managed by the cyber security team and the infrastructure team.
Challenges with the previous remote access solution
Having had a previous remote access solution, Sarah noted some of the key challenges she and the team had been faced with when using it: “It was approaching the end of its life and it had no upgrade path. It was becoming slow and unreliable and the support contract had expired, so if the appliance failed, we would be left with no remote access solution for suppliers.”
Sarah also shared how this previously worked: “The third-party suppliers would connect to on-site servers throughout the day for support. Some suppliers only had one or two users configured, while others had several working on upgrades or daily support tasks. Some users would log in frequently, but others were logging in less regularly and hence would quite often not remember their credentials and need to be reminded of their usernames, requiring their details to be reset. Each user login required an Active Directory and multi-factor authentication account.”
Because of the number of third-party suppliers using this system, the team wanted to reduce the number of accounts that needed to be created in order to help reduce the administrative workload for the accounts team. “For every account we created, we had to communicate the login details, passwords and MFA setup process to the third-party support user,” Sarah said. “Requests for new accounts would come in via several routes and sometimes a batch of users would be requested by one person.”
To tackle these challenges, the team looked towards getting a replacement system that would “require each individual account request to go through an approval process, so we could verify their identity before allowing access and granting them access to any systems”.
The solution
Sarah and the team looked around for a solution and trialled a few before considering Imprivata’s VPAM system. “We were already an Imprivata customer, using their single sign-on solution. So, we had a demo of the VPAM solution, which has a virtual Linux box acting as the enterprise server in our DMZ network and talks to a gateway server on the internal network.”
Speaking on how this partnership with Imprivata evolved during implementation, Sarah shared: “We worked with them to configure the settings for our environment. We then booked the VPAM admin course to learn how to set up the applications and permissions to set up access.”
Explaining how this works, she said: “We create a vendor (supplier) and an application. A vendor will have a list of allowed domain names attached to their email address. The application will have a list of hosts and ports to connect to, so they may be RDP or SSH connections, for example. Credentials to the application are created, then saved in VPAM to be injected into the application, with the option for credential pools to be created if concurrent access is required.” Sarah highlighted that the vendor never needs to know the credentials that have been created because “they are stored securely and injected into the application at the time of access”.
Once the vendor has been created within the system, they can then self-register from the login page, Sarah shared, which means “they can click on a link to create a new account, registering with their own email address but they will only be allowed to register using an account that matches the pre-defined email domain name”. After this, a request is sent for approval by a UHDB admin, who will “cross-reference the request with a list of vendor representatives or support staff names that we know are approved for remote access. We always set up a primary contact for each vendor so we can check with the primary contact if necessary that any new requests are expected.”
When it comes to authentication, Sarah noted how this can be “restricted from authorised networks and MFA can be enforced using an email verification code or mobile authenticator”. Admin logging records the details of each login, and audit logs and session recordings are available for every user session.
Results and key findings
Next, Sarah took us through some of the ways implementing the VPAM solution has improved processes within the trust, first noting how users have reacted to this new system: “They find it easy to set up using the self-registration process. We provide guided screenshots so that they can register themselves without needing any additional support.” She went on to explain how by enforcing email verification and MFA, “UHDB no longer has to provide an authentication app solution, so the user can use the app of their choice”.
In terms of the approval process, Sarah outlined key upgrades, stating: “By setting up a primary contact for each vendor, we can make sure there are checks in place to verify identity at initial registration. The approval process ensures that only authorised domain names can create logins and there is also the ability to add a list of disqualified email addresses.”
There’s no need for users to request password resets if they forget their login details, Sarah added, as VPAM has a link on the login page, allowing them to click and reset their own password. “Accounts are automatically disabled after 90 days of inactivity and once set to disabled, the account must be re-enabled by an administrator,” Sarah said, before emphasising how the platform “is designed for ease of use, allowing users to register effortlessly via a user-friendly interface and straightforward self-registration process”.
When asked about how long it takes to set a new vendor up, Sarah shared: “It’s a really quick process, to be honest. We could do it in under an hour, easily. It’s just a case of setting it up, creating the vendor screen and then the applications. Finding the host details is probably the most time-consuming part, but the actual setup of the vendor access and their application is very straightforward.”
Benefits of using the Imprivata VPAM solution
Martin covered some of the main benefits when it comes to using the VPAM solution, starting out by highlighting how it “increases the security of your vendor’s access and increases the efficiency of your team by reducing time spent managing that vendor access”. He added that when looking at the wider picture, it also helps with “reducing the number of Active Directory accounts needed”, which ultimately means you end up “reducing the risk of elevated access being shared to everybody”.
Explaining the reason Imprivata created the VPAM solution, Martin stated that “it’s a solution that was purpose-built to secure third party access, offering a simple way to standardise access methods”. Because of this, “you can identify and validate every user, having full control over their access, which you can use to demonstrate compliance with things like the DSPT and NIST”.
Martin then went on to discuss the way VPAM operates, noting how it works on a principle of “zero trust access”, which means that it’s always defined to the specific host and port to eliminate the opportunity for any lateral movement inside the network. “We can define when a vendor has access,” he explained. “This could be Monday to Friday between three pm and five pm, to control any changes or updates. But we know that a number of these services and these vendors will need 24-hour access, so for your production environment, there’s a workflow for that time access as well.”
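The access model described above (vendors tied to allowed email domains and a disqualified-address list, applications defined down to host and port, 90-day inactivity disablement, and time-windowed access) can be expressed as a small policy check. The code below is an added illustration written for this article, not Imprivata's or UHDB's own code; the class and function names, the example vendor and the endpoint values are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Vendor:
    name: str
    allowed_domains: set                       # e-mail domains allowed to self-register (lowercase)
    disqualified: set = field(default_factory=set)  # explicit deny list of individual addresses

@dataclass
class Application:
    allowed_endpoints: set        # {(host, port), ...}: access is defined per host and port
    hours: tuple = (0, 24)        # permitted window as (start_hour, end_hour); 0-24 means always
    weekdays_only: bool = False   # e.g. Monday to Friday for a change/update window

@dataclass
class VendorUser:
    email: str
    last_login: datetime
    disabled: bool = False

def registration_status(vendor: Vendor, email: str) -> str:
    """'rejected' or 'pending_approval': a matching domain only queues the request for an admin."""
    addr = email.strip().lower()
    if addr in vendor.disqualified:
        return "rejected"
    # Exact domain match, not a suffix match, so "acme.example.evil" never passes for "acme.example"
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return "pending_approval" if domain in vendor.allowed_domains else "rejected"

def apply_inactivity_policy(user: VendorUser, now: datetime, days: int = 90) -> VendorUser:
    """Disable after `days` without a login; only an administrator re-enables (not modelled here)."""
    if now - user.last_login >= timedelta(days=days):
        user.disabled = True
    return user

def session_allowed(user: VendorUser, app: Application, host: str, port: int, now: datetime) -> bool:
    """Deny by default: the endpoint must be explicitly defined and the time window must be open."""
    if user.disabled:
        return False
    if (host, port) not in app.allowed_endpoints:
        return False          # no access to anything not listed, so no lateral movement from it
    if app.weekdays_only and now.weekday() >= 5:
        return False
    start, end = app.hours
    return start <= now.hour < end
```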
However, there are some suppliers that still use their own solution, which Martin addressed, noting how this tends to be because they’ve always used that solution. To work with the supplier, he shared how they “carefully review their remote access and check that they are using extra layers of security” before making sure the supplier uses some form of MFA to get onto the system, as “we wouldn’t just let them in”.
Finally, Martin shared benefits around comprehensive connectivity, stating: “All this is great, but if VPAM didn’t meet the vendor’s connectivity requirements, we’d still be facing gaps. So, we eliminate the need for any jump boxes and facilitate enterprise-grade remote access by supporting any TCP or UDP protocol to meet those customer connectivity requirements from vendors and to also support the use of their own native or proprietary tools within their solution as well.”
Next steps and future plans
To finish things off, both Sarah and Martin shared details of their future plans, with Sarah stating: “We’re still working on a few vendors that we want to migrate across, so there’s just a couple left to do. After that, all our future requests will go through this process.” As a result, Sarah and the team have written their own standard operating process, which shows how it’s all set up and how it works, so they can “distribute the workload out among the technical teams and get everyone up to speed on it as well”.
As for Martin and the team at Imprivata, they have plans to move towards bringing their internal privileged access platform (PAM) and the VPAM into a single platform, “where your teams can manage both your internal IT administrators as well as your vendors within the same screen”. He added how this has already brought a number of changes and enhancements to the current VPAM platform: “Things that have been recently added include password rotation, which means if you had a vendor rep that joined and logged a session, once they’ve completed that session, we can actually rotate that password that was used, removing the risk of it being cloned.”
He finished by sharing: “We’ve got a lot more enhancements coming. We’re trying to gain more information from these systems. The more data we have, the more power we’re going to have both from a customer and a vendor standpoint.”
We’d like to thank both Sarah and Martin for sharing the details of this case study and giving their insights into remote access management.
Learn more here: Privileged Access Security | Imprivata UK