PAM Training Series — Module VRA
Vendor Remote Access

SECURING THIRD-PARTY ACCESS

How Privileged Remote Access (PRA) closes the most dangerous gap in enterprise security — unmonitored, over-privileged vendor connections — with a deep focus on Delinea PRA.

Module 01 — Context

The Vendor Access Problem

Third-party vendors represent the fastest-growing attack surface in enterprise environments — yet remain the most poorly governed category of privileged access.

63% of breaches trace back to third-party vendor access
182 days: average time vendors have active but unreviewed access
More identities are now non-human or vendor than employee
$4.7M: average cost of a breach involving third-party access (IBM 2023)
🚨
The Core Problem: Organisations grant vendors, contractors, and managed service providers (MSPs) remote access to critical infrastructure. This access is frequently over-privileged, never expires, uses shared credentials, and bypasses the organisation's own PAM controls — creating a persistent blind spot that attackers systematically target.
⚡ Threat Landscape

How Attackers Exploit Vendor Access

Critical: VPN Credential Theft & Reuse

VPN credentials shared across vendors or left active after contract end are harvested via phishing or bought on criminal marketplaces. Because the attacker logs in with legitimate credentials, the activity looks like normal vendor access and is hard to distinguish from it.

Critical: Supply Chain Compromise

Attackers compromise a vendor's own infrastructure first (SolarWinds-style), then pivot into customer environments via the vendor's legitimate, trusted remote access channel.

High: Shared Privileged Credentials

Support teams share a single admin account across technicians. There is no accountability: when the account is misused, forensics cannot determine which individual performed which action.

High: Orphaned Vendor Accounts

Contractor access is provisioned for a project and never deprovisioned. Accounts remain active for months or years after the vendor relationship has ended, silently awaiting exploitation.

Medium: Unmonitored & Unrecorded Sessions

Even when vendor access is legitimate, there is no visibility into what is being done. Unrecorded sessions leave investigators reconstructing activity from whatever target-side logs happen to exist, and turn compliance audits into a manual exercise.

🔒 The VPN Problem

Why VPNs Fail for Vendor Access

Traditional VPN grants vendors network-level access, often the same reach as an employee, rather than scoped access to specific systems. Once inside the tunnel, lateral movement is limited only by internal segmentation, which is rarely strong enough to contain a compromised vendor. Most VPN deployments provide no session recording, no command-level activity monitoring, only idle timeouts rather than expiry tied to an approved window, and no per-session authorisation workflow. Where MFA exists it is checked once at tunnel establishment, not per target session.

No Least Privilege · No Session Recording · No Auto-Expiry · No Per-Session MFA · Full Network Access
✅ The PRA Solution

What Privileged Remote Access Solves

PRA replaces VPN for vendor access with a zero-trust, agentless, application-level gateway. Vendors connect only to the specific systems they are authorised for, via a broker that controls, records, and can terminate every session in real time.

Least Privilege Full Session Recording Auto-Expiry MFA Enforced Zero Network Access
Module 02 — Concepts

Privileged Remote Access Explained

PRA is the PAM discipline of governing all third-party, vendor, and contractor access to internal systems through a controlled, monitored, and auditable broker — with no VPN required.

📡
Definition: Privileged Remote Access (PRA) is a security control that provides vendors and contractors access to specific internal systems through a browser-based or thin-client gateway, without granting them network access, without installing agents on endpoints, and without exposing credentials — while recording every action for audit.
PRA Architecture: Agentless Vendor Gateway Model (Zero Trust · No VPN · No Agents)

🧑‍💼 Vendor (any device) → 🌐 Browser (no VPN/agent) → 🔐 PRA Gateway (Delinea PRA) → ⚖️ Policy Engine (authorise) → 🎥 Session Proxy (record + monitor) → 🖥️ Target System (scoped only) → 📊 Audit Vault (immutable log)

The vendor's device never touches your network. The PRA gateway proxies the session — injecting credentials, recording activity, enforcing policy, and providing a live killswitch.

📋 Comparison

VPN vs PRA vs PAM Jump Server

Capability | Traditional VPN | PAM Jump Server | Privileged Remote Access (PRA)
Network access scope | Full network segment | Network path to jump host only | Zero; application-level only
Requires agent/client on vendor endpoint | Yes (VPN client) | Often yes (RDP/SSH client) | No; browser-based
Credential injection | No; vendor sees password | Partial; depends on platform | Yes; vendor never sees credential
Session recording | None | Varies by configuration | Full keystrokes + screen capture
Live session termination | No | Partial | Yes; instant killswitch
Vendor onboarding | Manual, IT-heavy | Manual | Self-service with approval workflow
Per-session approval | None | Sometimes | Yes; full workflow
Works for third-party devices | Risky | Limited | Yes; by design
Core Principle

Zero Trust for Vendors

Every vendor session is treated as untrusted regardless of history. Identity is verified, access is scoped to a specific resource, and every action is recorded. Trust is never implicit.

Key Control

Credential Injection

The PRA gateway injects privileged credentials into the target session on behalf of the vendor. The vendor never sees, copies, or stores the actual password — eliminating credential theft from the vendor side.

Key Control

Agentless Architecture

No software needs to be installed on the vendor's device. Access is delivered via a secure browser session or thin client, removing the dependency on endpoint management of uncontrolled third-party devices.

Module 03 — Product Deep Dive

Delinea Privileged Remote Access

A feature-by-feature breakdown of Delinea PRA — how it addresses vendor access governance across identity verification, session control, and compliance.

🏢
About Delinea PRA: Delinea (formed from the merger of Thycotic and Centrify) Privileged Remote Access is an enterprise PAM solution that provides VPN-less, agentless, browser-based remote access for vendors, contractors, and MSPs. It integrates with Delinea Secret Server and the Delinea PAM Platform for unified identity governance, or can be deployed standalone.
🌐
Browser-Based Gateway
Vendors access systems via a secure HTML5 web portal — no VPN client, no RDP client installation required. Works on any OS, any device. The connection is proxied server-side through Delinea's gateway.
🆔
Vendor Identity Verification
Vendors authenticate using MFA (TOTP, push notification, SMS, or FIDO2; SMS is the weakest of these and should be a fallback only, with FIDO2 preferred for high-risk tiers). Delinea PRA supports integration with enterprise IdPs (Microsoft Entra ID, formerly Azure AD; Okta; Ping) and can enforce device health checks before granting access.
🎫
Self-Service Access Requests
Vendors submit access requests through the PRA portal specifying the target system, required duration, and business justification. Requests route to an internal approver — no IT helpdesk ticket required.
🔑
Credential Vault Integration
Integrates natively with Delinea Secret Server to retrieve and inject credentials. Vendors never see the actual password — the gateway performs the authentication on their behalf using a vaulted secret.
📹
Session Recording & Playback
Every privileged session is recorded: full screen capture at a configurable frame rate, keystroke logging, and command indexing for searchable audit trails. Recordings are protected against modification and stored with metadata (who, what, when, from where).
👁️
Live Session Monitoring
Security teams can shadow (observe) any active vendor session in real time. A single click terminates the session instantly. Alerts can be configured for suspicious commands (e.g. mass file deletion, privilege escalation attempts).
⏱️
Time-Limited Access Windows
Access windows are set during approval — sessions automatically expire at the defined time. Vendors can request extensions, which trigger a new approval workflow. No standing access, no forgotten active accounts.
🗂️
Vendor Lifecycle Management
Full onboarding and offboarding workflows. Vendors are associated with contracts, expiry dates, and sponsoring employees. When a contract ends, access is automatically revoked without requiring manual IT intervention.
📋
Compliance & Audit Reports
Pre-built reports for PCI DSS, HIPAA, SOX, GDPR, and ISO 27001. Reports include vendor access summaries, session activity logs, approval audit trails, and anomaly flags — directly exportable for audit purposes.
🏗️ Deployment Architecture

Delinea PRA Components

🔒 PRA Gateway / Jump Box Service
The core component — a lightweight gateway service deployed in your DMZ or cloud. It proxies all vendor sessions, performs credential injection, enforces time limits, and records session data. Can be deployed on-premises, in Azure, AWS, or GCP. High-availability clustering is supported for enterprise environments.
🗃️ Secret Server Integration (Credential Vault)
Delinea PRA integrates with Secret Server to retrieve credentials at session start. The PRA gateway checks out a credential, injects it into the session, and checks it back in (triggering rotation) when the session ends. Vendors never interact directly with the vault.
🌐 Web Portal & Vendor Self-Service
The vendor-facing HTML5 portal. Vendors log in, see only the systems they are authorised for, submit access requests, and launch sessions — all from a browser. The portal enforces MFA, device posture checks (optional), and displays active session timers.
📡 Connector / Relay Architecture
For environments where the target systems cannot be directly reached by the gateway, Delinea PRA uses lightweight connectors deployed inside the network segment. Connectors communicate outbound to the gateway (no inbound firewall rules required) using encrypted tunnels, which gives the gateway reach into segmented environments. Note that a connector still needs an outbound path to the gateway, so a genuinely air-gapped network with no egress at all cannot host one.
🔗 SIEM & SOAR Integration
Delinea PRA supports syslog and webhook output to SIEM platforms (Splunk, Microsoft Sentinel, IBM QRadar). Session events, approvals, anomaly alerts, and session terminations are streamed in real time, enabling automated SOAR playbooks to respond to suspicious vendor behaviour.
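As an added example, and not Delinea's code or event format, here is the kind of detection logic a SOC would run over these streamed events once they land in the SIEM, written in Python so the rules can be validated against replayed events before they become live alerts. The JSON-lines schema (ts, event, sid, vendor, target, src_country, change, cmd), the sample events, the business-hours range, the expected-country set and the approved TFTP host list are all constructed assumptions; Delinea's real field names and event types differ. The rules are the ones the implementation checklist later asks for: high-risk commands, after-hours sessions opened without a change reference, unexpected source geography, file transfer to a TFTP host that is not pre-approved, and commands recorded after a session ended, which should never happen and points at a recorder or pipeline integrity problem rather than at the vendor.

```python
"""Added example, not Delinea code: detection rules over constructed PRA
session events as they might arrive in a SIEM. Field names are assumptions."""
import json
import re
from datetime import datetime

BUSINESS_HOURS = range(7, 19)        # assumption: 07:00 to 18:59 UTC
EXPECTED_COUNTRIES = {"US", "GB"}    # assumption: where this vendor population connects from
APPROVED_TFTP = {"192.168.10.5"}     # the pre-approved vendor file server from the scenario
HIGH_RISK = [
    (re.compile(r"^\s*(write\s+erase|erase\s+startup-config|reload)\b"), "destructive_network_cmd"),
    (re.compile(r"^\s*rm\s+-rf\s+/"), "mass_delete"),
    (re.compile(r"\b(useradd|net\s+user\s+\S+\s+\S+\s+/add|usermod\s+-aG\s+sudo)\b"), "account_creation"),
]
TFTP_HOST = re.compile(r"tftp://([0-9.]+)/")

# Constructed sample stream: one legitimate maintenance session with one bad
# transfer and one post-close command, then one suspicious MSP session.
SAMPLE_EVENTS = """\
{"ts":"2024-03-02T22:00:00Z","event":"session_start","sid":"s1","vendor":"m.torres@cisco-partner.com","target":"CORE-SW-01","src_country":"US","change":"CHG-20941"}
{"ts":"2024-03-02T22:00:43Z","event":"command","sid":"s1","cmd":"show version"}
{"ts":"2024-03-02T22:01:12Z","event":"command","sid":"s1","cmd":"copy tftp://192.168.10.5/nxos-9300.10.3.2.bin bootflash:"}
{"ts":"2024-03-02T22:05:00Z","event":"command","sid":"s1","cmd":"copy running-config tftp://203.0.113.9/core-sw-01.cfg"}
{"ts":"2024-03-02T22:10:00Z","event":"session_end","sid":"s1"}
{"ts":"2024-03-02T22:12:00Z","event":"command","sid":"s1","cmd":"show users"}
{"ts":"2024-03-03T03:15:00Z","event":"session_start","sid":"s2","vendor":"ops@msp.example","target":"DB-01","src_country":"RO"}
{"ts":"2024-03-03T03:16:00Z","event":"command","sid":"s2","cmd":"rm -rf /var/backups"}
"""


def detect(jsonl: str) -> list:
    """Return findings as (session id, rule name, detail) tuples in event order."""
    findings, started, ended = [], {}, set()
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        sid, kind = e["sid"], e["event"]
        if kind == "session_start":
            started[sid] = e
            hour = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
            # After-hours is only suspicious when no approved change backs the session.
            if hour not in BUSINESS_HOURS and not e.get("change"):
                findings.append((sid, "after_hours_no_change_ref", e["ts"]))
            if e.get("src_country") not in EXPECTED_COUNTRIES:
                findings.append((sid, "unexpected_geo", e.get("src_country")))
        elif kind == "session_end":
            ended.add(sid)
        elif kind == "command":
            cmd = e["cmd"]
            if sid in ended or sid not in started:
                # A command with no open session means the recorder or pipeline is lying.
                findings.append((sid, "command_outside_session", cmd))
            for pattern, rule in HIGH_RISK:
                if pattern.search(cmd):
                    findings.append((sid, rule, cmd))
            m = TFTP_HOST.search(cmd)
            if m and m.group(1) not in APPROVED_TFTP:
                findings.append((sid, "unapproved_tftp_host", m.group(1)))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The approved TFTP transfer from 192.168.10.5 produces no finding, matching the analyst clearing the same command in the simulator, while the copy of running-config to 203.0.113.9 does. Keeping the allowlists and hour ranges as data rather than hard-coding them into the rules is what lets the same script be re-run as tiers and vendors change.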
Module 04 — Interactive Exercise

Vendor Session Simulator

Walk through a complete Delinea PRA vendor access request — from vendor login through approval, active session monitoring, and session expiry.

🎮
Scenario: A network hardware vendor (Cisco SE) needs access to your core network switch to apply a firmware patch during a maintenance window. Walk through how Delinea PRA controls, monitors, and records this session end-to-end. Try different scenarios — including an unauthorised access attempt.
Delinea PRA — Vendor Access Portal (simulated walkthrough)
Step 1 of 5: Vendor Authentication & Access Request
Step 2 of 5: PAM Policy Evaluation & Approval Workflow. The stages run in order, and each must pass before the next starts:
🆔 Identity Verification: MFA token validated, vendor account active
📋 Contract Check: vendor authorisation and active engagement verified
🤖 Risk Engine: device posture, geo-location, behavioural baseline
👤 Human Approval: J. Reeves (Network Operations Lead) reviews the request
🔑 Credential Checkout: SSH key retrieved from vault, session provisioned
Step 3 of 5: Active Vendor Session [LIVE MONITORING]
Session timer for CORE-SW-01: 60:00 ⏺ RECORDING
SSH · CORE-SW-01 · CHG-20941 · m.torres@cisco-partner.com
[T+00:00] SESSION START: credential injected, SSH tunnel established to CORE-SW-01
[T+00:00] Screen recording active · keystroke logging active · command indexing active
👁 Security Observer Mode (live session shadow, read-only view): you are observing m.torres@cisco-partner.com in real time. The vendor is not notified. You can terminate the session at any time.
[T+00:43] show version
[T+00:58] show running-config
[T+01:12] copy tftp://192.168.10.5/nxos-9300.10.3.2.bin bootflash:
[T+01:15] ⚠ Anomaly flag: file transfer from a TFTP source, reviewing...
[T+01:16] ✓ TFTP source is the pre-approved vendor file server (192.168.10.5)
⏱ SESSION EXPIRED, ACCESS REVOKED: credential checked back into vault · SSH key invalidated · m.torres removed from access group
Post-Session Audit Record:
Alternative outcome, an unauthorised access attempt:
⛔ Access Request Denied. Policy violation detected; request blocked.
This event has been logged and the security team notified. If access is legitimately required, escalate via your internal sponsor with additional justification and out-of-band manager authorisation.
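The request flow the simulator walks through, as an added Python example that is not Delinea code: the Step 2 policy checks (MFA verified, contract in force, target inside the vendor's scope, window length within a cap, an approver who is not the vendor), checkout of a credential from a stand-in vault at session start, enforcement of the time window on every command rather than only at login, and check-in with rotation when the window expires. The vendor, host, 240-minute cap and rule set are constructed assumptions; Delinea's actual policy engine and the Secret Server API are not modelled. The demo replays the CORE-SW-01 session and then the unauthorised branch: the same vendor asking for a host outside their scope.

```python
"""Added example, not Delinea code: a minimal PRA access broker modelling the
simulator's policy evaluation, credential checkout and time-limited session."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

UTC = timezone.utc
MAX_WINDOW_MIN = 240  # assumption: one approved window is capped at four hours

@dataclass
class Vendor:
    email: str
    mfa_verified: bool
    contract_end: datetime
    scoped_targets: set  # the only hosts this vendor may ever request

@dataclass
class Request:
    vendor: Vendor
    target: str
    start: datetime
    minutes: int
    approved_by: str = ""  # internal sponsor who approved, empty if nobody has

@dataclass
class Vault:  # stand-in for Secret Server: one secret per target, rotated on check-in
    secrets: dict
    rotations: int = 0

    def checkout(self, target):
        return self.secrets[target]

    def checkin(self, target):
        self.secrets[target] = secrets.token_urlsafe(24)  # post-session rotation
        self.rotations += 1

def evaluate(req, now) -> list:
    """Return the policy violations for a request; an empty list means grant."""
    v = req.vendor
    checks = [
        (not v.mfa_verified, "mfa_not_verified"),
        (v.contract_end <= now, "contract_expired"),
        (req.target not in v.scoped_targets, "target_out_of_scope"),
        (not 0 < req.minutes <= MAX_WINDOW_MIN, "window_too_long"),
        (req.start + timedelta(minutes=req.minutes) > v.contract_end, "window_outlives_contract"),
        (not req.approved_by or req.approved_by == v.email, "no_independent_approval"),
    ]
    return [reason for failed, reason in checks if failed]

@dataclass
class Session:
    req: Request
    expires: datetime
    events: list = field(default_factory=list)  # command index for the audit record
    active: bool = True
    holds_credential: bool = False

def open_session(req, vault, now) -> Session:
    """Deny on any violation; otherwise check out the vaulted credential and inject it."""
    violations = evaluate(req, now)
    if violations:
        raise PermissionError("Access Request Denied: " + ", ".join(violations))
    vault.checkout(req.target)  # used by the proxy to authenticate; never shown to the vendor
    s = Session(req=req, expires=now + timedelta(minutes=req.minutes), holds_credential=True)
    s.events.append((now, "SESSION START credential injected for " + req.target))
    return s

def close_session(s, now, vault, reason):
    """Expiry or killswitch: end the session and return the credential for rotation."""
    s.active = False
    if s.holds_credential:
        vault.checkin(s.req.target)
        s.holds_credential = False
    s.events.append((now, reason + ": credential checked in and rotated"))

def run_command(s, cmd, now, vault) -> bool:
    """Proxy-side gate on every command: the window is enforced per command, not only at login."""
    if s.active and now >= s.expires:
        close_session(s, now, vault, "SESSION EXPIRED")
    if not s.active:
        return False
    s.events.append((now, cmd))
    return True

def demo() -> dict:
    """Replay the CORE-SW-01 scenario, then the same vendor asking for an out-of-scope host."""
    now = datetime(2024, 3, 2, 22, 0, tzinfo=UTC)
    vault = Vault(secrets={"CORE-SW-01": "initial-vaulted-secret"})
    torres = Vendor("m.torres@cisco-partner.com", True, now + timedelta(days=90), {"CORE-SW-01"})
    s = open_session(Request(torres, "CORE-SW-01", now, 60, "j.reeves"), vault, now)
    run_command(s, "show version", now + timedelta(seconds=43), vault)
    run_command(s, "show running-config", now + timedelta(seconds=58), vault)
    late = run_command(s, "reload", now + timedelta(minutes=61), vault)  # one minute past expiry
    denied = evaluate(Request(torres, "CORE-FW-01", now, 60, "j.reeves"), now)
    return {"commands_logged": len(s.events) - 2, "late_accepted": late, "active": s.active,
            "rotations": vault.rotations, "denied_reasons": denied,
            "secret_rotated": vault.secrets["CORE-SW-01"] != "initial-vaulted-secret"}
```

The point of checking expiry inside run_command is that a session which was valid at login must still be refused the moment the approved window closes, and the credential must be rotated on that same path so nothing a vendor could have captured in-session remains usable afterwards.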
Module 05 — Implementation

Implementation Guide

Practical steps for rolling out Delinea PRA in your environment — from pre-deployment checklist to governance best practices and operational workflows.

✅ Pre-Deployment Readiness

Implementation Checklist

Complete Vendor Access Inventory
Enumerate all active vendor accounts, VPNs, shared credentials, and remote access methods — including shadow IT connections
Define Vendor Tiers & Access Profiles
Classify vendors by risk (critical infrastructure, business applications, low-risk dev tools) and map access profiles to each tier with appropriate approval workflows
Deploy Delinea PRA Gateway in DMZ
Gateway deployed in network DMZ (or cloud) with outbound-only connector traffic — no inbound firewall rules to internal segments required
Integrate with Secret Server / PAM Vault
PRA connected to Secret Server for automated credential checkout/injection and post-session rotation. Vendors never access the vault directly
Configure MFA for All Vendor Identities
Enrol all vendor accounts in MFA — TOTP minimum, FIDO2 recommended. Block access for any vendor account without MFA enrolled
Enable Session Recording for All Privileged Systems
Screen recording + keystroke capture enabled for all Tier 1 and Tier 2 vendor access. Retention policy defined (minimum 12 months for compliance targets)
Establish Vendor Lifecycle Governance
Each vendor account linked to a contract expiry date, internal sponsor, and periodic access review cadence (quarterly for high-risk, annual for low-risk)
Integrate PRA Events with SIEM (Splunk/Sentinel)
PRA session events, approvals, anomalies, and terminations streamed to SIEM. Alerting rules configured for high-risk commands and after-hours access
Migrate Vendors Off VPN — Sunset VPN for Third Parties
Define a VPN sunset timeline for vendor access. Communicate change management plan to vendors. Set a hard cutover date with no exceptions
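An added Python example, not Delinea tooling, of the audit pass behind the first checklist item and the lifecycle governance item: it reads a vendor access inventory and flags the conditions the threat landscape section described, namely accounts still enabled after their contract ended, stale logins, shared credentials, missing sponsor or MFA, overdue access reviews, and accounts still reaching systems over VPN or another path that bypasses the PRA gateway. The CSV columns, the five accounts, the audit date and the 90-day stale threshold are constructed assumptions; the review cadences follow the checklist (quarterly for high-risk tiers, annual for low-risk).

```python
"""Added example, not Delinea tooling: audit a constructed vendor access
inventory for orphaned, stale, shared, unreviewed and gateway-bypassing accounts."""
import csv
import io
from datetime import date

REVIEW_DAYS = {1: 90, 2: 90, 3: 365}  # tier -> maximum days between access reviews
STALE_DAYS = 90                       # assumption: an enabled account unused this long is stale
AS_OF = date(2024, 3, 4)              # constructed audit date

# Constructed inventory. Empty sponsor / last_review fields are deliberate.
INVENTORY_CSV = """\
account,vendor,tier,method,enabled,last_login,contract_end,sponsor,mfa,last_review
svc-acme-net,Acme Networks,1,vpn,true,2024-01-15,2024-06-30,j.reeves,false,2023-09-01
acme-shared-admin,Acme Networks,1,shared-rdp,true,2024-02-28,2024-06-30,,false,
msp-ops-01,Northwind MSP,1,pra,true,2024-03-01,2024-12-31,k.lee,true,2024-01-10
ctr-build-07,BuildCo,3,vpn,true,2023-04-02,2023-05-31,p.ng,true,2023-04-01
ctr-build-08,BuildCo,3,pra,false,2023-04-02,2023-05-31,p.ng,true,2023-06-01
"""


def _date(s: str):
    return date.fromisoformat(s) if s else None


def audit(csv_text: str, today: date) -> dict:
    """Map account -> list of findings; accounts with nothing wrong are omitted."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"] != "true":
            continue  # a disabled account is not live exposure
        tags = []
        contract_end, last_login, last_review = map(
            _date, (row["contract_end"], row["last_login"], row["last_review"]))
        if contract_end and contract_end < today:
            tags.append("orphaned_contract_ended_%dd_ago" % (today - contract_end).days)
        if last_login is None or (today - last_login).days > STALE_DAYS:
            tags.append("stale_login")
        if not row["sponsor"]:
            tags.append("no_internal_sponsor")   # nobody owns the review or the offboarding
        if row["mfa"] != "true":
            tags.append("no_mfa")
        if row["method"].startswith("shared"):
            tags.append("shared_credential")     # no per-person accountability
        if row["method"] != "pra":
            tags.append("bypasses_pra_via_" + row["method"])
        cadence = REVIEW_DAYS[int(row["tier"])]
        if last_review is None or (today - last_review).days > cadence:
            tags.append("review_overdue")
        if tags:
            findings[row["account"]] = tags
    return findings


def run_audit() -> dict:
    """Audit the constructed inventory as of the constructed date."""
    return audit(INVENTORY_CSV, AS_OF)


if __name__ == "__main__":
    for account, tags in run_audit().items():
        print(account, ", ".join(tags))
```

On the sample data msp-ops-01 is clean and ctr-build-08 is skipped because it is already disabled; the three remaining accounts each carry several findings, and ctr-build-07 is the textbook orphan: contract ended 278 days ago, no login in nearly a year, still enabled and still on VPN. Run against a real export this is the list that decides the Phase 1 pilot and the VPN sunset order.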
⚠️ Common Pitfalls

What Goes Wrong

High: Keeping VPN Running in Parallel

Leaving VPN active "just in case" means vendors continue using it, bypassing all PRA controls. Set a firm VPN sunset date and disable third-party VPN accounts on it.

High: Over-Permissive Access Profiles

Granting vendors access to entire server tiers rather than specific systems. PRA's value comes from scoped, per-resource access; configure it that way.

Medium: No Vendor Lifecycle Reviews

Vendor accounts created during onboarding but never reviewed. Without periodic access reviews, PRA becomes another source of orphaned accounts.

🏗️ Phased Rollout

Recommended Approach

Phase 1 — Weeks 1–4
Deploy & Pilot
Deploy PRA gateway, integrate with Secret Server. Pilot with 2–3 low-risk vendors. Validate workflow, recording, and vault integration.
Phase 2 — Weeks 5–10
Critical Vendor Migration
Migrate Tier 1 vendors (network, infrastructure, cloud MSPs). Enable session recording. Set initial session time limits. SIEM integration goes live.
Phase 3 — Weeks 11–16
Full Migration & VPN Sunset
All vendors migrated. VPN access for third parties disabled. Governance reviews scheduled. Compliance reports generated and reviewed.
Module 06 — Knowledge Assessment

Vendor Remote Access Assessment

Eight questions covering the vendor access threat landscape, PRA concepts, and Delinea PRA capabilities. Immediate feedback on every answer.