Use an outbound-only access model where the device initiates a reverse tunnel to a broker or proxy you control. That avoids dependence on inbound ports, customer firewalls, and carrier translation layers. The key is to bind sessions to identity and policy, not to a public IP address that may change or never exist.
Why This Matters for Security Teams
Remote access behind NAT and CGNAT is not just a connectivity problem. It is an identity and control-plane problem. If access depends on a routable public IP, inbound firewall exceptions, or customer-managed port forwarding, operations will fail as soon as the device moves networks, loses its address, or sits behind carrier translation. The safer pattern is an outbound-only session that the device initiates, then binds access to identity, policy, and time-limited authorization.
This matters because remote support, fleet management, and recovery workflows often involve privileged actions on devices that cannot be assumed to be continuously reachable. Current guidance suggests treating the access path as a brokered session, not a permanent network route, and pairing that with strong device identity and explicit approval logic. The OWASP OWASP Non-Human Identity Top 10 is useful here because it frames devices and service components as identities that need governance, not just connectivity.
The broader NHI challenge is well documented in the Ultimate Guide to NHIs, which shows that 71% of NHIs are not rotated within recommended time frames, and that weak lifecycle control is a recurring failure mode. In practice, many security teams encounter broken remote access only after a device is already deployed behind CGNAT and no inbound path exists.
How It Works in Practice
The workable model is outbound-only and session-based. The device initiates a reverse tunnel or persistent connection to a broker you control, typically over TLS, mTLS, or a similar authenticated channel. The broker then mediates operator access, records the session, and enforces policy before any shell, file transfer, or admin action is allowed. That is the key shift: access is established by authenticated identity and runtime policy, not by a static network location.
Use device identity as the anchor. A certificate, workload token, or enrollment credential proves what the device is, while the broker decides what it may do right now. That aligns with Zero Trust principles in the OWASP guidance and with the Ultimate Guide to NHIs — Key Challenges and Risks, which emphasises that identity sprawl and weak governance are what turn remote access into a standing privilege problem.
- Issue short-lived credentials for the tunnel and revoke them when the session ends.
- Bind each session to device identity, operator identity, and ticket or change context.
- Prefer per-session approval and recording over permanent listener ports.
- Separate maintenance access from application traffic so a remote support path cannot become a general backdoor.
- Log connection setup, command activity, and revocation events for later review.
For implementation patterns, the OWASP Non-Human Identity Top 10 and 52 NHI Breaches Analysis both show how ungoverned machine access becomes exploitable when credentials are long-lived or reused across environments. These controls tend to break down when field devices must survive long offline periods because tunnel renewal, certificate expiry, and broker reachability can all fail at the same time.
Common Variations and Edge Cases
Tighter access control often increases operational overhead, requiring organisations to balance support speed against device autonomy and outage recovery. That tradeoff is especially visible in industrial, retail, and edge environments where devices may be intermittently connected, battery-constrained, or managed by third parties. Best practice is evolving, and there is no universal standard for every remote-access topology yet.
One common variation is a staging model in which a device establishes an outbound tunnel only during a maintenance window, then tears it down automatically. Another is a jump-host design where the broker exposes only a controlled operator workspace, not the device directly. For highly regulated environments, the access broker may need to integrate with PAM, JIT approvals, and session recording so that access is both time-boxed and attributable. The JetBrains GitHub plugin token exposure and the Schneider Electric credentials breach are reminders that once machine credentials leak, remote access paths become a direct pivot point.
Some teams also ask whether VPNs are enough. In CGNAT-heavy deployments, a VPN may still work if the device initiates it outbound, but the security question remains the same: who can reach the device, under what conditions, and for how long? That is why many teams now treat brokered remote access, JIT authorization, and revocation on disconnect as the baseline. The exception is unmanaged legacy equipment, where vendor lock-in, fixed firmware, or unsupported agents can limit adoption and force a phased migration.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | NHI credential lifecycle and rotation are central to brokered remote access. |
| NIST Zero Trust (SP 800-207) | PR.AC-3 | Zero Trust requires authenticated, policy-checked access instead of network trust. |
| NIST CSF 2.0 | PR.AC-1 | Access is governed by identity and least privilege, not by IP reachability. |
Require every remote session to prove identity and pass policy checks before device reachability is granted.
Related resources from NHI Mgmt Group
- How should security teams decide whether JIT access is safe for non-human identities?
- How should security teams implement just-in-time access without leaving standing privilege behind?
- How should security teams reduce ransomware risk from remote access credentials?
- How should security teams evaluate a credentials vault for recovery use cases?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 3, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
