This document outlines 1) the factors that most impact the security of remote support products
and processes and 2) how the available deployment models address those factors.
Architecture
The physical and technical architecture of a product can have a significant impact on data
security. For instance, encryption and firewall compatibility are vital to data security, but other
factors, such as how data is routed and stored, can be even more important. To evaluate the
architecture, step back from check boxes and see how the product actually works.
Access Management
Centrally controlling who has access to information and restricting access to those who require
it is an absolute must, especially for larger companies. The Verizon Business Risk Team’s 2009
Data Breach Investigations Report reveals that 32 percent of data breaches were caused at least
in part by partners, and 20 percent were caused by company insiders.3 Unmanaged access, even
from trusted parties, can weaken security.
Auditing
Keeping an audit trail of who has accessed what and when is an essential element of regulatory
compliance, protecting your company from internal attack and excess liability.
However, according to IDG, 67 percent [of CIOs] are unable “to ensure that all remote interactions
meet security and compliance requirements”.1 Support managers and CIOs have to know what is
happening on the front lines in order to ensure security.
Architecture
Point-to-Point
Point-to-point remote support tools connect technicians directly to remote computers using a local application such as RDP, VNC or pcAnywhere. Supporting users outside of the company network usually requires the configuration of port forwarding on the network firewall to establish a direct connection between the support rep and a pre-installed software client on the remote computer. Point-to-point tools also have no central repository for session data.
According to Gartner’s 2009 report, PC Remote Control Security: Risks and Recommendations, these solutions “run the risk that anyone outside the company firewall can enter, if they have obtained the user’s credentials”.4
Sidebar: “Legacy remote control tools are incapable of supporting increasingly complex environments, and companies must find new ways to provide support services to users.” (PC Remote Control Security: Risks and Recommendations, Gartner)
Hosted
Hosted services connect technicians to remote computers through applications
hosted by a 3rd party. These solutions [also known as cloud-based or software as
a service (SaaS)] typically do not require port-forwarding or other firewall changes
because connections are outbound.
Hosted services typically encrypt data and store it centrally. This, together with their firewall-friendliness, makes them more secure than point-to-point solutions.
On-Site
On-site solutions connect technicians to remote computers through an internet-
facing application hosted internally on company hardware. Like hosted services,
on-site systems typically work through firewalls, encrypt support session data, and
store it centrally, making them more secure than point-to-point tools.
In the past, on-site systems existed in software form and had to be installed on
company servers. However, today’s appliance and virtual appliance models have
implementation times comparable to that of a hosted service.
Access Management
Controlling who has access to information and systems is a key component of data
security. Secure remote support products are able to conform to how companies
already manage access authentication by connecting to internal directories.
Point-to-Point
The decentralized architecture of most legacy remote control tools severely limits
access management capabilities. With software on each system, managing which
rep has access to which end system can be difficult or impossible. With many of
these tools, control is all-or-nothing, and does not require the user’s permission
before control begins.
(Figure labels: No LDAP, AD, etc.; No client permissions)
Hosted
Hosted services usually allow administrators to manage technicians centrally. Most are permission-based and give clients means of overriding control. While integration can become costly, some hosted services are able to connect to internal directories to tie access management and authentication with methods already in place. This makes hosted services more secure than point-to-point tools.
Before integrating hosted solutions with internal directories, however, companies must weigh the consequences of giving an external 3rd party access to such sensitive information as company-wide usernames and passwords.
Sidebar: When considering a hosted support solution, find out whether “the vendor assumes liability for failure of authentication protection and for any connections that aren’t properly blocked.” (PC Remote Control Security: Risks and Recommendations, Gartner)
(Figure labels: Permission-based access; LDAP, AD, etc.)
On-Site
Like many hosted services, most on-site systems enable centralized access
management and permission-based remote control. Some can be integrated with
internal directories such as LDAP and Active Directory.
Unlike hosted services, integrating an on-site system with internal directories can
strengthen, rather than compromise, security.
(Figure labels: Permission-based access; LDAP, AD, etc.)
Auditing
Managing access to systems and ensuring data is stored or routed securely is not
enough for most companies. Most organizations must also verify how sensitive data
is handled by providing a detailed audit trail. A secure remote support product will
keep detailed records of support sessions, protect these records from tampering,
and make the records easily accessible by the administrator.
Ideally, the audit trail from remote control sessions should be integrated with that
of other support processes to avoid creating unnecessary silos of information.
Products that allow logging to be turned off by the individual technician should be
approached with caution, as this limits visibility into the support process.
Point-to-Point
Most point-to-point remote access tools do not log or record support sessions. If a particular point-to-point solution does produce a log of session data, it probably still should not be considered for business use, as the absence of a centralized data repository makes the data difficult to mine for auditing. In addition, session logs that reside on a technician’s system are able to be tampered with and changed.
Sidebar: “In approximately four of 10 hacking-related breaches, an attacker gained unauthorized access to the victim via one of the many types of remote access and management software.” (2009 Data Breach Investigations Report)
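The Auditing section asks that session records be protected from tampering and kept in a central repository rather than on the technician's machine. The following is an added illustration, not code from the paper or from any product it discusses: each audit record is hash-chained to the previous one, and the administrator keeps only the final hash, so an edited or truncated local copy is detected. The session records and field names are constructed for the example.

```python
import hashlib
import json

# Constructed sample session records: what a central repository might capture
# for each remote support session (field names are assumptions for this example).
SESSIONS = [
    {"session_id": "S-1001", "rep": "alice", "endpoint": "ws-204",
     "action": "screen_view", "ts": "2009-06-01T10:02:00Z"},
    {"session_id": "S-1001", "rep": "alice", "endpoint": "ws-204",
     "action": "control_granted_by_user", "ts": "2009-06-01T10:02:30Z"},
    {"session_id": "S-1002", "rep": "bob", "endpoint": "srv-17",
     "action": "file_transfer", "ts": "2009-06-01T11:15:00Z"},
]

GENESIS = "0" * 64  # hash "before" the first record


def _link_hash(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def build_chain(records):
    """Return [{"record": ..., "hash": ...}]; every hash commits to the one
    before it, so changing or deleting any record breaks all later links."""
    chain, prev = [], GENESIS
    for rec in records:
        h = _link_hash(prev, rec)
        chain.append({"record": rec, "hash": h})
        prev = h
    return chain


def verify_chain(chain, expected_tail):
    """Recompute every link. Returns (ok, index of first bad entry or None).
    expected_tail is the last hash the administrator retained centrally, so a
    technician who deletes trailing records is caught even if the rest is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if _link_hash(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if prev != expected_tail:
        return False, len(chain)  # chain ends early: records were removed
    return True, None


def tampered_copy(chain):
    """Simulate a log left on a technician's machine and edited afterwards."""
    copy = json.loads(json.dumps(chain))           # deep copy
    copy[2]["record"]["action"] = "screen_view"    # hides the file transfer
    return copy
```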
Hosted
Most hosted services have logging and recording capabilities, although the
extensiveness of logging detail varies by product. Also, hosted services typically
store session data in a central repository. Nonetheless, because many hosted
services use proprietary APIs and interfaces, extracting auditing data may become
expensive, even requiring yet another 3rd party.
On-Site
Like hosted services, most on-site systems also have varying levels of logging and
recording capabilities and centrally store auditing data. Some on-site systems can
be integrated with internal databases and file systems; however, companies will
want to verify that the product’s integration APIs are standards-based.
Conclusion
Ultimately support organizations can only secure the technology and data they can control. A secure
remote support product gives organizations more control over and visibility into what happens at the
service desk or help desk. This control includes not only the means of authentication, levels of access
and details of an audit trail, but also the storing and routing of sensitive data.
Consequently, the use of point-to-point remote control tools should be severely limited if not avoided in
business environments because of their high vulnerability to data breach. Hosted and on-site solutions
offer better security and features that are tailored to the needs of the help desk.
For many companies, on-site solutions satisfy security requirements more effectively than hosted
solutions because they give companies more control over data. Ultimately, companies must ensure that
remote support adheres to their specific security requirements, in addition to general best practices,
without undue cost and overhead.
1. The New Service Desk: Anywhere, Anytime Incident Response, CIO, 2009
2. Fourth Annual US Cost of Data Breach Study, Ponemon Institute, 2009
3. 2009 Data Breach Investigations Report, Verizon Business RISK Team, 2009, http://securityblog.verizonbusiness.com
4. PC Remote Control Security: Risks and Regulations, Gartner, 2009