The Cleanroom concept for a safe and secure administration

A bastion is a military structure projecting outward from the wall of a fortress. In computer science, we can extrapolate the term “bastion” to a host deliberately exposed to an external, not trusted, network. In general, the purpose of a “cyber bastion host” is to protect a network or part of a network from external threats; it is therefore the most exposed element, the one that is most likely to be attacked . If a bastion “falls down”, the whole organization will be impacted.
Privileged access to an organization’s information system have always been critical. However, practices have changed due to the evolution of constraints and challenges. Today, administration tasks are not always carried out on an internal or dedicated network but potentially remotely. Moreover, they can be performed by an external service provider whose environment (technical and operational) is not necessarily under the customer’s control.
First, this article will present responses provided by traditional Privileged Access Management (PAM) solutions to the security challenges of privileged access. Secondly, it will introduce the innovative solution offered by Systancia through IPdiva Cleanroom – a product securing administrators’ access via a single-use, isolated and controlled work environment.
PAM solution – also known as bastion host solution
It is necessary for any organization to log the actions of privileged users (to prevent accidental or deliberate misuse), no matter if they are on an external or an internal network ([01]). In order to solve the problem of controlling and monitoring these types of actions, it is necessary to deploy a PAM solution.

A PAM solution can be seen as a “cyber bastion host” allowing to log and monitor privileged users (with or without video recording). It can also analyze data and behaviors in real time in order to detect suspicious or abnormal actions. PAM products can provide a password vault; manage credentials and secondary authenticators (related to the managed resources). With a PAM solution, it is also possible to detect cyber-attacks from their first attempt in addition to a post-mortem analysis.
In summary, a PAM solution is technically interesting for the management and monitoring of privileged accounts (internal and/or external). But how to handle remote administration from an uncontrolled workstation or service provider? Indeed, it is unrealistic to think that a service provider will use a dedicated workstation for each different administered network. As mentioned in the article [01] a virus could spread between two different networks administered by the same service provider.
The Cleanroom concept
Systancia, a specialist in virtualization, information systems security and digital trust, has combined VDI (Virtual Desktop Infrastructure), VPN (Virtual Private Network), PAM (Privileged Access Management) and SSO (Single Sign-On), to provide an innovative and global security solution that goes beyond a traditional bastion host product: IPdiva Cleanroom.
IPdiva Cleanroom is dedicated to the security of administration workstations; in particular, it separates the administration environment from the usual work environment. Systancia’s IPdiva Cleanroom solution allows a secure administration of an information system by offering the following features:

  • Providing a virtualized workstation, completely sealed (i.e. without any contact with the workstation on which it is run), totally controlled by the administered organization and, even more important, of single use;
  • Monitoring of the actions performed by the administrator, and video recording for post-mortem analysis as well as real-time analysis of behaviors (with alerts and protective actions);
  • Strengthening of the security of the connections to resources (by hiding credentials and authenticators) and password policy (by managing secret elements);
  • Meeting the secure mobility expectations of an administrator with a connection that guarantees the privacy and integrity of flows.

Systancia’s IPdiva Cleanroom solution is disruptive as its single-use work environment approach breaks with the deployment of PAM solutions. Indeed, the virtualized workstation is generated at each connection based on a master defined by the organization. Thus, it is possible to define different masters with the appropriate tools for the administration of databases, business applications, servers, etc. When the privileged user finishes his work, the workstation is deleted and, at the next connection, a new environment (based on the master) is provided, without containing any previous work.
By combining virtualization (VDI), cybersecurity (VPN and PAM) and digital trust (SSO) modules, IPdiva Cleanroom provides a technical solution to the separation of tasks performed by user and administrator (it is the administered organization that makes the administration workstation(s) available via customizable masters). This solution also provides an answer to the abusive opening of external access to an information system (unique access allowing to login and authenticate the privileged user, then to protect his flow). Finally, the SSO module implemented in IPdiva Cleanroom avoids the risks inherent to the turnover of privileged users as well as those related to the “Post-it” phenomenon. Indeed, a privileged user using IPdiva Cleanroom does no longer know the passwords to access the administered resources, but only the password necessary to login and authenticate himself to IPdiva Cleanroom.
Sun Tzu states that “The art […] consists in keeping the enemy away from the place you have chosen for your camp, and from all the posts that you consider to be of any consequence.” IPdiva Cleanroom follows this approach by providing a single solution that meets the growing security requirements of administrators’ workstations.

[01]        How to secure IT administrators’ desktops? Antoine Coutant, February 2018