Worker mobility and technological complexity in today’s enterprise are driving the increased demand for IT support departments. Even though IT has used remote control tools to troubleshoot PC issues for some time, there is a renewed interest in the technology to provide anytime, anywhere support to both disparate users and backend systems, regardless of firewalls.
However, a significant concern has emerged around whether traditional remote access software (such as pcAnywhere and RDP) can be locked down to ensure optimal levels of security. Consider this: the Verizon Business RISK team issued a report in 2008 detailing its forensic investigation into over 500 actual data breaches between 2003 and 2007. A key area examined was the attack pathways hackers used to gain access to confidential data. The report discovered several areas of concern that IT security administrators typically expect to see (such as Website vulnerabilities and unsecured wireless hot spots).
But it also uncovered an overlooked attack pathway: remote control and remote access tools. According to the report, in “over 40 percent of the breaches investigated during this study, an attacker gained unauthorized access to the victim via one of the many types of remote access and control.” This method was implicated in a higher percentage of data breaches than any other vulnerability analyzed.
And in 2009, the Verizon Business RISK team told a similar story with its updated report that examined 90 data breaches that occurred in 2008. The report found that in “approximately four of 10 hacking-related breaches, an attacker gained unauthorized access to the victim via one of the many types of remote access and management software.”
Despite the IT security concerns surrounding remote access tools, today’s technology users are quickly becoming less tolerant of the “you can’t see my screen” tech support conundrum. As a result, it’s not an option for IT departments to avoid using remote control technologies, as they seek to keep customers and employees as satisfied and productive as possible by providing 24/7 remote support. It’s important to maintain security and corporate governance policies while relying on remote access technology to support off-site computing devices. To do this, here are five key considerations:
Consideration No. 1: Develop a remote control strategy
A strategy is vital if you are going to mitigate your company’s remote access risks in a logical and effective manner. The ideal strategy will identify the demand for remote troubleshooting and maintenance requests, analyze the appropriate amount of money allocated to remote support services based on the level of demand, and comply with the necessary specific security regulations.
The ideal strategy will also list specific criteria to guide IT through the selection process of finding a solution designed with best-of-breed security practices. Without a strategic vision for remote control security, organizations will continue to easily fall prey to the hackers who take advantage of the growing use of remote access tools.
Consideration No. 2: Deploy an on-site solution
Selecting a solution that is deployed on-site gives you more control over security, as the solution resides at your facility under the security measures already in place. Additionally, access to the administration interface for on-site appliances will occur over an encrypted Web connection and can be restricted to the local console port and/or a specified network segment. This design protects against a remote attacker with network access to the appliance gaining unauthorized access to administration functions.
According to a recent security vendor review, this arrangement is associated with best-of-breed security practices, given that the operating system layer vulnerabilities were sufficiently mitigated by compensating controls that limited possible attack vectors. In addition, the appliance model is gaining traction, especially among large organizations and clients in regulated industries.
Another factor to consider at the architectural level is the business model of your solution provider. If you use an application service provider (ASP), you inevitably route your data and your customers’ data through a third party. Doing so expands the scope of your compliance liability. Secure use of an ASP will involve strict service-level agreements (SLAs) and regular and rigorous audits of the service provider by a third-party auditing organization. The cost of these audits should also be weighed when calculating the less apparent expense of a solution.
Consideration No. 3: Review third-party validations
While researching the security of a clientless remote support solution, you will also want to weigh third-party validation. Some providers have submitted their software to security-auditing organizations. Results of these assessments can usually be found on the provider’s Website. If you cannot find a third-party security audit of the solution, ask the company to send you one. Due diligence regarding the security of your solution cannot be taken lightly.
Consideration No. 4: Ensure audit-ability
Be sure that every detail of every remote support session is automatically logged and recorded for compliance auditing purposes. Having a record of chat transcripts and file transfer details will simplify the audit procedure tremendously.
In addition, keep an ongoing record of all specific system and IP information, as this will indicate which device was accessed and when. Ideally, the remote control solution can also record videos of each session’s activity to give a visual representation of each transaction.
This level of visibility, combined with granular, centralized logs of all session details, will create a strong measure of accountability for what happens during each and every session. This is especially important in the event of an allegation, given that the audit trail and session recording will decide the matter conclusively.
Consideration No. 5: Tier access privileges
When the number of technicians scales into the hundreds, keeping track of who has remote control privileges and who doesn’t becomes difficult to manage. In addition, the combination of the relatively high turnover rate of support technicians, the security demands of particular customers and the growing list of regulatory requirements around sensitive data complicates the challenge of strategically securing remote support even further.
Giving every support technician the same log-in info and privileges is not the answer. Instead, tiering the access privileges will ensure that only the most qualified and trusted technicians can access the most confidential information, altogether reducing exposure to risk and keeping security under control.
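The session logging from Consideration No. 4 and the tiering from Consideration No. 5 can be checked against each other. The following is an added example, not part of the original article or any vendor's product: it reads a constructed session log and flags sessions where a technician's tier is below what the target requires, and logins used from different source IPs at the same time (a sign of a shared credential). The column names, tier numbers and hosts are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a remote support session log (hypothetical format).
# target_tier is the minimum technician tier allowed to access that host.
SAMPLE_LOG = """session_id,login,tech_tier,source_ip,target_host,target_tier,start,end
s1,alice,3,10.0.5.11,hr-db01,3,2024-03-01T09:00:00,2024-03-01T09:30:00
s2,bob,1,10.0.5.12,kiosk-17,1,2024-03-01T09:05:00,2024-03-01T09:20:00
s3,bob,1,10.0.5.12,hr-db01,3,2024-03-01T10:00:00,2024-03-01T10:15:00
s4,support,2,10.0.5.13,pos-04,2,2024-03-01T11:00:00,2024-03-01T11:40:00
s5,support,2,10.0.5.14,pos-09,2,2024-03-01T11:10:00,2024-03-01T11:25:00
"""

def load_sessions(text):
    """Parse the CSV log into a list of dicts, one per session."""
    return list(csv.DictReader(io.StringIO(text)))

def tier_violations(sessions):
    """Session ids where the technician's tier is below the target's required tier."""
    return [s["session_id"] for s in sessions
            if int(s["tech_tier"]) < int(s["target_tier"])]

def shared_logins(sessions):
    """Logins seen from different source IPs in overlapping time windows."""
    by_login = defaultdict(list)
    for s in sessions:
        by_login[s["login"]].append(s)
    flagged = set()
    for login, rows in by_login.items():
        for i, a in enumerate(rows):
            for b in rows[i + 1:]:
                # Same-format ISO 8601 timestamps compare correctly as strings.
                overlap = a["start"] < b["end"] and b["start"] < a["end"]
                if overlap and a["source_ip"] != b["source_ip"]:
                    flagged.add(login)
    return sorted(flagged)

if __name__ == "__main__":
    sessions = load_sessions(SAMPLE_LOG)
    print("tier violations:", tier_violations(sessions))
    print("shared logins:", shared_logins(sessions))
```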
Nathan McNeill co-founded Bomgar Corporation in 2003. Nathan leads technology and product strategy. He monitors market trends to align the company’s solutions with critical needs, contributing regularly to Bomgar’s blog on the issues. Nathan has spoken at industry events including SSPA 2007 and Demo Conference 2006. Nathan is ITIL v3 Foundation Certified. He may be reached at nmcneill@bomgar.com.