Privileged Remote Access and the Power of the Browser

Oct 18, 2024

Several months ago, CISA (Cybersecurity and Infrastructure Security Agency) reported that threat actors exploited multiple vulnerabilities in Ivanti Connect Secure and Ivanti Policy Secure gateways. In this case, attackers were able to gain unauthorized access to critical enterprise systems. Even though tools to detect advanced threats had been deployed, the attackers were able to bypass authentication mechanisms, execute arbitrary commands with elevated privileges, and even establish root-level persistence.

The lesson here is clear: standard approaches to securing remote access fall short, especially against modern, sophisticated threats. Robust security controls are critical in securing remote access for any enterprise. In the modern distributed and web-first work environment, it is imperative that businesses rethink how they secure all forms of access.

Today, the browser is where the majority of work happens. While the majority of employees' interactions are with web-based applications, work doesn’t stop there. A significant portion also relies on remote management via SSH (Secure Shell) and RDP (Remote Desktop Protocol), which are very commonly used by privileged users and in OT (operational technology) environments. This diversity of work environments calls for a security solution that can handle every type of interaction in a seamless and controlled manner.

With the introduction of SSH and RDP support in Prisma Access Browser, you can secure all types of work through the browser. Users can do everything they need using one secure and familiar workspace, while IT and security teams get control over and visibility into both web and non-web applications under a single pane of glass.

The Challenges of Securing SSH and RDP Protocols

SSH and RDP are integral to maintaining enterprise operations, particularly in environments where remote management is needed to access servers, systems, or resources in a secure manner. Because they provide direct access to critical systems and administrative privileges, these protocols are high-value entry points for gaining control over IT infrastructure. For example, in industrial operations they provide secure remote access for managing, configuring, and troubleshooting critical systems, ensuring minimal downtime and continuity. However, 93% of ransomware incidents revealed insufficient controls on privileged access and lateral movement, according to a Microsoft report. Securing these protocols poses various challenges:

  • Lack of least privilege access controls: Overly broad access permissions are common, leading to a lack of granular policy enforcement that can safeguard sensitive resources.
  • Weak authentication mechanisms: Traditional password-based access and the lack of multi-factor authentication (MFA) increase the risk of unauthorized access.
  • Contractor and BYOD risks: Contractors using unmanaged or untrusted devices create vulnerabilities that can compromise sensitive systems.
  • Exploitation by attackers: Attackers often target SSH and RDP through brute force attacks, credential theft, and by scanning for open default ports, which exposes enterprises to constant threats.
  • Man-in-the-Middle (MITM) attacks: MITM attacks are a prevalent risk during remote sessions, as attackers intercept communications between clients and servers.
  • Insufficient monitoring and auditing: Without proper logging and monitoring of SSH/RDP sessions, detecting unauthorized activities or threats becomes extremely difficult.
  • Key and certificate management: Managing keys or certificates for SSH can become cumbersome, leading to mishandling that opens up vulnerabilities.

From Vulnerability to Visibility with Palo Alto Networks’ Prisma Access Browser

With Prisma Access Browser, you can now manage privileged remote access securely regardless of the application type. Incorporating both web and non-web protocols under the same policy opens new possibilities to work and collaborate securely inside a protected work environment, including:

  1. A secure and isolated workspace: All remote sessions take place in an environment isolated and protected from both endpoint-based and external threats. This makes it harder for malicious actors to exploit vulnerabilities in remote access protocols. For example, in Prisma Access Browser, browser assets are encrypted to prevent credential theft, a common tactic for these attacks.
  2. Granular access and identity controls: Prisma Access Browser enforces MFA and continuous authentication, implementing least privilege access controls to ensure that only the right individuals access enterprise resources and systems, with policies tailored specifically to their role and need. Granular access prevents overly broad privileges from being granted. With Prisma Access Browser’s Account Protection, you can even give users access to sensitive resources without exposing the credentials to them, to guarantee the highest level of security.
  3. Centralized monitoring and auditing: With full visibility into every SSH and RDP session, enterprises can audit all remote activity. Strata Cloud Manager allows centralized monitoring, which is key to spotting abnormal behavior and responding to potential threats quickly. For privileged users and high-risk activities, enterprises can further enhance visibility with session recording and co-browsing capabilities, allowing the admin to supervise the end user's actions over critical infrastructure.

Top Use Cases for SSH/RDP Support in the Browser

The addition of SSH/RDP capabilities to Prisma Access Browser is a game-changer for many organizations that require secure and seamless access to remote systems. Let’s explore who stands to benefit the most from these new capabilities:

  • VDI reduction - Many businesses rely on virtual desktop infrastructure (VDI) just to provide remote access via SSH or RDP, which often leads to high costs and management complexity. With SSH/RDP support directly in the browser, organizations can significantly reduce their reliance on VDI solutions, retaining full security control while cutting down on infrastructure expenses.
  • Secure third-party access - Businesses often use RDP to provide remote workers access to their office desktops or applications. This helps maintain productivity while working from home or during travel, with secure access to business resources. SSH is used to securely grant remote access to vendors or contractors who need to manage servers or applications without exposing sensitive infrastructure to external threats.
  • Privileged users and knowledge workers - SSH and RDP are essential for knowledge workers and privileged users to securely access remote systems, perform administrative tasks, and manage IT infrastructure without being physically on-site. SSH is used to execute commands, manage servers, and configure environments, while RDP provides a full desktop experience, allowing them to troubleshoot and maintain systems. Accessing these protocols through Prisma Access Browser ensures that privileged users have controlled access to critical resources, enabling them to perform their roles efficiently while maintaining security and compliance standards.
  • OT environments - Teams managing operational technology can now access remote systems in a secure and straightforward manner—without the need for dedicated hardware or VPN. This makes it easier for OT teams to maintain and manage critical systems, no matter which device they are using.

A Step Forward for Securing Work in the Browser

This development isn’t just another feature—it’s a major step toward securing all facets of work, regardless of whether it happens in a web application, desktop app, or remote management console. With these innovations, Prisma Access Browser is making it easier than ever for enterprises to provide secure access to all applications while reducing the complexity and costs of deployment.

The ability to support SSH and RDP directly through the browser means that you can unify your security approach under a single platform—extending the same SASE-native security posture to all types of remote access and making Prisma SASE the definitive solution to secure all enterprise work on any device.

As the way we work continues to evolve, Prisma Access Browser remains at the forefront of defining what secure work on any device looks like. From enabling seamless and secure third-party contractor access to reducing the need for resource-intensive VDI setups, our commitment is to simplify security while enhancing productivity. The browser is not just a tool—it’s the last mile of work where users, data, and security meet. With SSH/RDP support, Prisma Access Browser ensures that this critical space remains secure for all types of work.

Interested in learning more about how Prisma Access Browser supports these key protocols? Join us at SASE Converge, the industry’s premier virtual event on browser security.

