How to Modernize Secure Remote Access: Adding Control and Agility to Jump Servers

Now is the Time for Stronger, Safer SRA

Forty-nine percent of respondents to a recent Ponemon Institute survey reported that their organization uses Secure Remote Access (SRA) tools to allow employees and/or third-party vendors to connect remotely to operational technology (OT) environments. An additional 48% reported using Virtual Private Networks (VPNs) for this same function, and 35% reported using jump servers. If current trends continue, it won’t be long before a clear majority of industrial organizations are permitting remote access to industrial control systems (ICS), critical infrastructure, and other OT systems.  

Unfortunately, traditional SRA tools – like VPNs and jump servers – provide neither the operational agility nor the level of security that modern industrial organizations require. Analyst firm Gartner® acknowledged this problem in a recent report, entitled Innovation Insight: CPS Secure Remote Access Solutions. The report states, “Historical VPN and jump-server-based approaches have proven increasingly unsecure and complex to manage.”¹   

In part one of this blog series, we examined the security shortfalls of the virtual private network (VPN). VPNs have long been used to enable remote access to information technology (IT) services and applications. However, as numerous cyberattacks have demonstrated, VPNs can be relatively easily exploited to provide threat actors with unauthorized network access. This is far from ideal in the IT context, but it becomes potentially catastrophic when attackers are able to access and take control of the OT systems that control production lines, electrical grids, water treatment facilities, and other vital processes. 

In this blog, we will take a deeper look at the remote access solution known variably as a jump server, a jump box, and a jump host. Whichever name you use (we’ll continue from here with “jump server” for the sake of clarity), this technology faces serious security limitations and requires substantial overhead in terms of both cost and manpower. 

What is a Jump Server and How Does It Differ from a VPN?  

Jump servers and VPNs are both tools used to enable remote access, but the way they create a connection differs and they are generally used for different purposes. VPNs create a private tunnel between a user’s device and the network, allowing the user to work as if they were directly connected to the network. Jump servers, by contract, are typically used as a gateway for managing and performing tasks on internal servers. 

Most simply put, a jump server is a hardened and monitored device that serves as a means of access between two distinct security areas. The primary goal of a jump server is to limit direct access to critical systems, especially those that are inaccessible over the internet. All the resources that will be accessible via the jump server must be loaded onto the device and managed accordingly. 

Interestingly, jump servers are frequently used in conjunction with a VPN. To provide external access to a jump server, one either directly exposes the protocol (RDP, SSH, VNC, telnet) to the outside world, or “hides” it behind a VPN. In the latter scenario, the VPN provides the initial connection to reach the jump box, and then the jump server provides the last mile of access to the desired resource. Organizations may use the combination of jump server and VPN in an effort to enhance control over the connection, but as we shall soon see, jump servers simply do not offer the level of granular control required to ensure secure access to sensitive OT environments.  

The only real security advantage of using a jump server is that users are connected to the jump server and not the organization’s own server; however, the jump server itself must be treated like another device and updated accordingly. If updates and patches are not properly applied, the jump server can quickly become a vulnerability.

Now, let’s explore some additional shortcomings of jump servers and see why the Cyolo PRO (Privileged Remote Operations) solution is a better choice for organizations looking to ensure secure remote access to critical assets. 

5 Security Problems with Jump Servers – and How Cyolo Overcomes Them  

 1. Jump Servers Cannot Enforce Least Privilege Access 

The principle of least privilege states that users and devices should have access only to the resources they need to do their jobs – and nothing more. Limiting access in this way helps prevent potential unauthorized users (or disgruntled employees) from spreading malware across networks or causing other types of widespread damage.  

Now, think of a jump server as a mini-computer. Users with access to the jump server will have access to all the assets and resources that have been loaded onto it. This leads almost inevitably to one of two problems: users will either be able to access assets beyond what they need, or scalability will become a huge challenge.  

Loading multiple assets onto a single jump server can save organizational resources, but it increases risk by violating the principle of least privilege. The flip side – loading a single resource per jump server – is a more secure approach, but it creates a scalability problem that we will address below.  

How Cyolo Helps: Application-Level Access Restricts Potential Harm

Cyolo PRO was designed to connect identities to applications, not users to networks. Following an identity verification process that includes multi-factor authentication (MFA), access is granted only to the needed tools and resources, in accordance with the principle of least privilege.

Cyolo PRO allows admins to quickly and easily set granular access policies far beyond what is possible with jump servers. This means not only that the organization retains greater control over access but also that if an unauthorized actor gains access, their movement would be restricted and the amount of harm they could cause severely curtailed.  

2. Jump Servers Offer Minimal Controls Around Access, Connectivity, and Supervision 

Jump servers typically require MFA, and they often also have logging capabilities to ensure that access is auditable and limited only to authorized personnel. However, like VPNs, jump servers provide no visibility into or control over what users can do once they are connected to the desired resource. So, jump servers cannot detect or respond to unusual activity, nor can they block behaviors that could heighten risk (such as uploading and downloading files). There is also no possibility to monitor sessions in real-time or to provide temporary just-in-time (JIT) access that expires once the desired task is complete.

How Cyolo Helps: Granular Controls at All Levels of the Connection Lifecycle 

In addition to granting access according to the principle of least privilege and enforcing MFA as well as continuous authorization, Cyolo PRO provides an extensive range of crucial connectivity and supervisory controls. These include session recording, control over what specific actions may or may not be performed during a session, and the ability to terminate a connection in real time if suspicious behavior is detected. Supervised access or just-in-time (JIT) can also be enabled as an added security protection for potentially risky users or those connecting to critical systems. And of course, all activity is fully logged and audited for compliance and incident response purposes.    

3. Jump Servers Pose a Substantial Operational Burden

Jump servers are not a “set it and forget it” type tool. Quite the opposite, they require substantial and continuous management. Admins must not only load the required content onto each jumper server, but they also need to regularly apply all patches and updates to ensure the jump servers themselves do not become a vulnerability. While these tasks can theoretically be automated, most OT environments will not prioritize this type of automation.  

How Cyolo Helps: Improve Security and Operational Agility 

It’s too often accepted as fact that improving security means adding operational overhead. The team at Cyolo is committed to showing not just that this isn’t the case, but that an ideal security tool should actually reduce the burden on admins and security teams. As an agentless solution that’s simple to deploy, configure, and manage, Cyolo PRO is built to enhance operational agility and let admins work smarter, not harder.  

4. Jump Servers Face Serious Scalability Challenges 

We have already mentioned that jump servers face a trade-off between security and scalability. If security is the top priority, then jump servers should provide access to a single asset or resource. The problem is that for large organizations, this means building, updating, patching, and overseeing tens or potentially even hundreds of jump servers. It is easy to see how this could quickly become both a financial and administrative nightmare, and it harkens back to the previous point about operational burden. Unfortunately, the only way to scale down the number of jump servers needed is to load them with more than one asset – thereby reducing security. 

How Cyolo Helps: Built to Support Scalability 

Scalability is one of Cyolo PRO’s top strengths. The product’s unique architecture allows for simple, centralized management of both users and applications, and its multi-tenancy structure enables admins to easily manage, control, and standardize access and actions policies in multi-site global organizations as well as smaller ones. Deployment across even dozens of sites is fast and easy, and admins can set access and actions controls at both the application and user group levels, effectively taking the pain out of configuration and set up. 

5. Shared Accounts on Jump Servers Obscure Unique Identities

A remote user who connects to an OT device via a jump server likely does so with a stored shared password. If an incident occurs, the use of shared accounts makes it difficult or even impossible to determine the actual identity of the user who was connected at that moment. When every minute can lead to thousands of dollars in lost revenue during a security incident or production outage, the lack of comprehensive traceability impedes a speedy response and negatively impacts the bottom line.   

An additional risk of shared accounts is that all former employees, not to mention every one-time technician or contractor, potentially retain the ability to log in and access critical systems even after their affiliation with the organization has ended.  

How Cyolo Helps: Identity-Based Access Removes the Risk from Shared Accounts

With Cyolo PRO, shared accounts can provide convenience without the risk. All access is identity-based, even when connecting to a shared account. This means it is always possible to know the actual identity (user and/or device) that was logged in at a particular time, creating a record of accountability to be used during incident response. And to solve the problem of multiple users relying on a single password, Cyolo PRO includes a credentials vault that directly injects passwords as needed, keeping them hidden from users. So, past workers with good memories no longer pose a threat. 

Cyolo PRO: An Advanced SRA Solution for OT   

Traditional methods of enabling remote access like jump servers and VPNs are likely creating a false sense of security for industrial organizations. Beyond the shortcomings we’ve already highlighted in the first two blogs of this series, both jump servers and VPNs often connect to workstations running out-of-date software releases that lack fixes for exploitable vulnerabilities. These legacy systems, which cannot easily accommodate modern security protocols, offer yet another opening for enterprising cybercriminals. And while adding more security solutions, such as privileged access management (PAM), may help close some gaps, doing so also increases complexity, further reduces operational agility, and creates even more work for overburdened security teams.   

Cyolo PRO, by marked contrast, is built for the realities of OT and can even retrofit legacy systems with the ability to support modern identity authentication protocols like MFA. Stay tuned for the next blog in this series on how to modernize secure remote access and, in the meantime, learn more about Cyolo PRO. 

¹ Gartner, Innovation Insight: CPS Secure Remote Access Solutions, Katell Thielemann, Abhyuday Data, Wam Voster, 18 April 2024.  

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.  

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.