
3 Ways to Secure Remote Support

ENTERPRISE REMOTE SUPPORT


Published May 2009

3 Ways to Secure Remote Support


According to IDG, “54 percent of [CIOs] claim that one of their top strategic initiatives for
improving customer support is associated with decreasing operational and security risks with
compliance-enabling tools for remote support”.1 Unfortunately, not all remote support tools are
“compliance-enabling”. And with the cost of a data breach averaging over six million dollars and
increasing by hundreds of thousands of dollars per year according to Ponemon Institute, security
is a concern for CFOs as well.2

This document outlines 1) the factors that most impact the security of remote support products
and processes and 2) how the available deployment models address those factors.

Factors that Influence Remote Support Security


Three of the most crucial elements of remote support security are architecture, access
management, and auditing. Neglecting one of these elements could expose your organization to
a costly attack or data breach.

Architecture
The physical and technical architecture of a product can have a significant impact on data
security. For instance, encryption and firewall compatibility are vital to data security, but other
factors, such as how data is routed and stored, can be even more important. To evaluate the
architecture, step back from check boxes and see how the product actually works.

Access Management
Centrally controlling who has access to information and restricting access to those who require
it is an absolute must, especially for larger companies. The Verizon Business Risk Team’s 2009
Data Breach Investigations Report reveals that 32 percent of data breaches were caused at least
in part by partners, and 20 percent were caused by company insiders.3 Unmanaged access, even
from trusted parties, can weaken security.

Auditing
Keeping an audit trail of who has accessed what and when is an essential element of regulatory
compliance, protecting your company from internal attack and excess liability.

However, according to IDG, 67 percent [of CIOs] are unable “to ensure that all remote interactions
meet security and compliance requirements”.1 Support managers and CIOs have to know what is
happening on the front lines in order to ensure security.

Remote Support Deployment Models


We will apply these security factors to three basic deployment models for remote support
products: Point-to-Point, Hosted and On-Site.

Point-to-Point: Technicians connect directly to remote computers using a local software client [ex. RDP, VNC, pcAnywhere]

Hosted: Technicians connect to remote computers through an application hosted on 3rd party servers [hosted, SaaS, or cloud-based]

On-Site: Technicians connect to remote computers through an application hosted on internal hardware [appliance, virtual appliance]

Contact Bomgar | www.bomgar.com | info@bomgar.com | 866.652.3177



Architecture

An initial examination of a product’s architectural security will evaluate both how it routes and stores data and how it conforms to existing security measures.

Point-to-Point
Point-to-point remote support tools connect technicians directly to remote computers using a local application such as RDP, VNC or pcAnywhere. Supporting users outside of the company network usually requires the configuration of port forwarding on the network firewall to establish a direct connection between the support rep and a pre-installed software client on the remote computer. Point-to-point tools also have no central repository for session data.

According to Gartner’s 2009 report, PC Remote Control Security: Risks and Recommendations, these solutions “run the risk that anyone outside the company firewall can enter, if they have obtained the user’s credentials”.4

In addition, many of these tools do not encrypt data, making them unsuitable for widespread corporate use. Most companies should avoid or severely limit the use of point-to-point tools.

“Legacy remote control tools are incapable of supporting increasingly complex environments, and companies must find new ways to provide support services to users.” (PC Remote Control Security: Risks and Recommendations, Gartner)

Hosted
Hosted services connect technicians to remote computers through applications
hosted by a 3rd party. These solutions [also known as cloud-based or software as
a service (SaaS)] typically do not require port-forwarding or other firewall changes
because connections are outbound.

Hosted services typically encrypt data and store it centrally. This and their firewall-friendliness make them more secure than point-to-point solutions.

However, because hosted services route and store sensitive data outside the company, they are not an option for many government, healthcare, and financial organizations.

On-Site
On-site solutions connect technicians to remote computers through an internet-
facing application hosted internally on company hardware. Like hosted services,
on-site systems typically work through firewalls, encrypt support session data, and
store it centrally, making them more secure than point-to-point tools.

Unlike hosted services, on-site remote support applications allow companies to control the routing and storage of sensitive data.

In the past, on-site systems existed in software form and had to be installed on
company servers. However, today’s appliance and virtual appliance models have
implementation times comparable to that of a hosted service.


Access Management

Controlling who has access to information and systems is a key component of data
security. Secure remote support products are able to conform to how companies
already manage access authentication by connecting to internal directories.

Additionally, secure remote support products ensure access is permission-based at every level, so that only the necessary parties have access to remote systems. It is also crucial that end-users have means of overriding control.

Point-to-Point
The decentralized architecture of most legacy remote control tools severely limits
access management capabilities. With software on each system, managing which
rep has access to which end system can be difficult or impossible. With many of
these tools, control is all-or-nothing, and does not require the user’s permission
before control begins.

[Diagram: Point-to-Point: no LDAP, AD, etc. integration; no client permissions]

Hosted
Hosted services usually allow administrators to manage technicians centrally. Most are permission-based and give clients means of overriding control. While integration can become costly, some hosted services are able to connect to internal directories to tie access management and authentication with methods already in place. This makes hosted services more secure than point-to-point tools.

Before integrating hosted solutions with internal directories, however, companies must weigh the consequences of giving an external 3rd party access to such sensitive information as company-wide usernames and passwords.

When considering a hosted support solution, find out whether “the vendor assumes liability for failure of authentication protection and for any connections that aren’t properly blocked.” (PC Remote Control Security: Risks and Recommendations, Gartner)

[Diagram: Hosted: permission-based access; LDAP, AD, etc. integration]

On-Site
Like many hosted services, most on-site systems enable centralized access
management and permission-based remote control. Some can be integrated with
internal directories such as LDAP and Active Directory.

Unlike hosted services, integrating an on-site system with internal directories can strengthen, rather than compromise, security.

[Diagram: On-Site: permission-based access; LDAP, AD, etc. integration]


Auditing

Managing access to systems and ensuring data is stored or routed securely is not
enough for most companies. Most organizations must also verify how sensitive data
is handled by providing a detailed audit trail. A secure remote support product will
keep detailed records of support sessions, protect these records from tampering,
and make the records easily accessible by the administrator.

Ideally, the audit trail from remote control sessions should be integrated with that
of other support processes to avoid creating unnecessary silos of information.
Products that allow logging to be turned off by the individual technician should be
approached with caution, as this limits visibility into the support process.
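A constructed illustration of the tamper protection described above, added here and not part of the Bomgar document: each session record is hash-chained to the one before it, and a verifier that holds the expected head hash detects both an edited record and a truncated log. The session records are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # hash of "nothing"; anchors the first entry


def _entry_hash(prev_hash, record):
    # Canonical JSON so an identical record always hashes identically
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode()).hexdigest()


def append_record(log, record):
    """Append a session record, chaining it to the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev_hash, "record": dict(record)}
    entry["hash"] = _entry_hash(prev_hash, entry["record"])
    log.append(entry)
    return entry


def verify_log(log, expected_head=None):
    """Return (True, None) if intact, else (False, index of the first bad entry).

    expected_head is the last hash the central repository recorded; comparing
    against it catches records that were deleted from the end of the chain."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev_hash or entry["hash"] != _entry_hash(prev_hash, entry["record"]):
            return False, i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(log)
    return True, None


# Constructed sample session records (hypothetical names and times)
SAMPLE_RECORDS = [
    {"session": "S-1001", "tech": "alice", "host": "ws-042", "event": "session_start", "ts": "2009-05-01T09:00:00Z"},
    {"session": "S-1001", "tech": "alice", "host": "ws-042", "event": "control_granted_by_user", "ts": "2009-05-01T09:00:12Z"},
    {"session": "S-1001", "tech": "alice", "host": "ws-042", "event": "file_transfer", "file": "patch.msi", "ts": "2009-05-01T09:05:40Z"},
    {"session": "S-1001", "tech": "alice", "host": "ws-042", "event": "session_end", "ts": "2009-05-01T09:20:03Z"},
]


def build_log(records=SAMPLE_RECORDS):
    log = []
    for r in records:
        append_record(log, r)
    return log


def tamper_demo():
    """Rewrite one record in place, as someone with write access to a local log could, and verify."""
    log = build_log()
    log[2]["record"]["file"] = "notes.txt"  # conceal which file was transferred
    return verify_log(log)  # -> (False, 2)
```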

Point-to-Point
Most point-to-point remote access tools do not log or record support sessions. If a particular point-to-point solution does produce a log of session data, it probably still should not be considered for business use, as the absence of a centralized data repository makes the data difficult to mine for auditing. In addition, session logs that reside on a technician’s system can be tampered with and changed.

“In approximately four of 10 hacking-related breaches, an attacker gained unauthorized access to the victim via one of the many types of remote access and management software.” (2009 Data Breach Investigations Report)

Hosted
Most hosted services have logging and recording capabilities, although the
extensiveness of logging detail varies by product. Also, hosted services typically
store session data in a central repository. Nonetheless, because many hosted
services use proprietary APIs and interfaces, extracting auditing data may become
expensive, even requiring yet another 3rd party.

To ensure data integrity, companies using a hosted service for remote support should regularly audit the vendor.

On-Site
Like hosted services, most on-site systems also have varying levels of logging and
recording capabilities and centrally store auditing data. Some on-site systems can
be integrated with internal databases and file systems; however, companies will
want to verify that the product’s integration APIs are standards-based.

Because they store session data internally, it is generally easier to validate the data integrity of an on-site system than a hosted service.


Conclusion
Ultimately support organizations can only secure the technology and data they can control. A secure
remote support product gives organizations more control over and visibility into what happens at the
service desk or help desk. This control includes not only the means of authentication, levels of access
and details of an audit trail, but also the storing and routing of sensitive data.

Consequently, the use of point-to-point remote control tools should be severely limited if not avoided in
business environments because of their high vulnerability to data breach. Hosted and on-site solutions
offer better security and features that are tailored to the needs of the help desk.

For many companies, on-site solutions satisfy security requirements more effectively than hosted
solutions because they give companies more control over data. Ultimately, companies must ensure that
remote support adheres to their specific security requirements, in addition to general best practices,
without undue cost and overhead.

Summary checklist by deployment model

Point-to-Point
Architecture:
• Requires firewall changes
• Typically does not encrypt data
• No centralized data repository
Access Management:
• No centralized access management
• Not permission-based
• No tiered access privileges
Auditing:
• Typically does not log activity
• Logs are local and can be modified
• Logs are decentralized and cannot be audited

Hosted
Architecture:
• Does it require firewall configuration?
• Does it encrypt data?
• Where does it route and store data?
• Are you able to audit the vendor?
Access Management:
• Can administrators define access rules?
• Is access permission-based?
• Does it integrate with internal directories?
• What are the consequences of directory integration?
• Are you able to audit the vendor?
Auditing:
• Does it log activity?
• What details are recorded?
• Can logging be disabled?
• How easily can data be extracted?
• Are you able to audit the vendor?

On-Site
Architecture:
• Does it require firewall configuration?
• Does it encrypt data?
• Are you able to install it internally?
Access Management:
• Can administrators define access rules?
• Is access permission-based?
• Does it integrate with internal directories?
Auditing:
• Does it log activity?
• What details are recorded?
• Can logging be disabled?
• How easily can data be extracted?

1. The New Service Desk: Anywhere, Anytime Incident Response, CIO, 2009
2. Fourth Annual US Cost of Data Breach Study, Ponemon Institute, 2009
3. 2009 Data Breach Investigations Report, Verizon Business RISK Team, 2009, http://securityblog.verizonbusiness.com
4. PC Remote Control Security: Risks and Regulations, Gartner, 2009
