As 90.1% of IT organisations are using remote control tools, the big question is whether the selected remote desktop control tool provides the level of security needed to prevent unwanted data breaches and theft. Is your sensitive business information exposed by remote access? Or is your network vulnerable? We look at the main security criteria to help you re-examine just how secure your remote PC access software is.
Ten years ago, only a privileged few were lucky enough to get their hands on secure remote access. The explosive growth of high-speed Internet access, coupled with the arrival of mobile devices, globalisation of businesses and constant efforts to contain support costs, accelerated the demand for remote access tools. As a result, remote support solutions have risen to the top three must-have technologies and are also described as the most important tool for a desktop support team to have.
These tools have become very sophisticated and as such enable remote desktop analysts and technicians to provide the same level of service remotely as they once provided in person. Furthermore, remote tools eliminate the need to collocate support staff at every business location. A study shows that support teams have their hands full supporting end users in multiple locations nationwide (77%) and end users in multiple countries worldwide (26%) (www.thinkhdi.com). And while most people use these tools for remote troubleshooting and support, a fast-growing and increasingly diverse population uses them for remote access to personal and office devices. In either case, it is important to ensure that your equipment and connection are secure, so that your network is not left vulnerable and your sensitive business information is not exposed. Here’s a look at the main security criteria by which you should be evaluating remote PC access tools.
Basic security features
According to GetVoIP.com, which also features ISL Online as one of the most secure remote PC access software products of 2014, the 10 most critical security features are the following:
• Data level encryption
• Multi-level authentication
• IP filtering
• Keyboard locking
• Screen blanking
• Inactivity time-out
• Lockout after unsuccessful logins
• Desktop access notification
• Complex password requirement
• Expiring or one-time passcode
As GetVoIP.com claims, these security features should be the standard for remote access software in today’s tech-saturated world, and should in turn ensure a satisfactory level of security for 95% of users.
Advanced security standards for corporations
While most businesses find the basic security mechanisms listed above more than adequate, there are always the more demanding few who require more. Through constant feature requests to software developers, these businesses contribute to setting new security standards. Let’s take a look at a detailed list of high-level security requirements, entirely met by ISL Online remote desktop software and applicable to most corporate (telecoms, banks) and government users, who leave practically no room for failure.
Remote support process
- Multiple options to start a session
More than one means of communication supported (a phone call, an email, a live chat) to start a new remote desktop control session.
- Process control
Start, stop and finish options for tasks like file transfer, audio, video communication, desktop control, application sharing.
The remote user needs to confirm all major tasks like session start, desktop view, desktop control, application sharing, file transfer and enabling unattended access.
- Session recording
Session recording enabled throughout the assistance process.
- Session details log
The system saves all records throughout the assistance process, e.g. session start, chat input and duration.
- Session ending
When the session is closed, it cannot be re-established without the remote user’s permission.
Data level security
- Standard digital certificates
Enforcing mutual identification with a standard international certificate for end-user applications.
- Strong traffic encryption
AES 256-bit end-to-end encryption.
- PKI support
Industry standard digital certificates (X.509) should be used to guarantee authenticity of transmission.
- RSA 1024 Bit Public / Private Key Exchange
- Firewall connection ports
No firewall adjustments are needed to start a remote desktop support session.
- Denial of uncontrolled connections
A system should reject all connections when it is not able to enforce access control.
- Connection time out
Connection sessions to and from a system should be limited in time and automatically closed when the time-out limit is reached.
When a system contains “Personal” data, it should also describe their intended use.
The software should protect the confidentiality of the data that it stores or it sends to other systems.
The software should protect the integrity of the “Sensitive” data it stores or sends to other systems.
Users and systems should be authenticated before each access to a system.
- Authentication time out
The validity period of authentication should be limited in time.
- Authentication security events
User-defined security events related to authentication should be recorded, e.g. successful and unsuccessful authentications and logoffs.
- Password verification mechanism
Authentication mechanisms should be designed in a way that protects the confidentiality of the password when submitted, transmitted, and stored.
- Password quality check
The quality of the password should be automatically checked by the system before it is set or changed.
- Password storage
User logon passwords must always be encrypted before being stored. Access rights to the password storage area should be strictly limited to the processes needing this access to perform authentication or to manage the passwords.
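The authentication requirements above (quality check, protected storage, authentication time-out, recorded security events), together with the lockout item from the basic list, can be exercised in a few lines. This is an added example, not code from ISL Online or GetVoIP.com; the `Account` class, the thresholds and the choice of a salted PBKDF2 hash (one-way protection rather than reversible encryption) are assumptions made for illustration.

```python
import hashlib, hmac, os, time

AUTH_TTL = 900            # assumed: an authentication stays valid for 15 minutes
MAX_FAILURES = 3          # assumed: lockout after three unsuccessful logins
PBKDF2_ROUNDS = 600_000   # assumed work factor for the password hash
events = []               # authentication security events (in memory for the demo)

def password_ok(pw):
    """Quality check, run before a password is set or changed."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= 12 and sum(classes) >= 3

def hash_password(pw, salt):
    """Derive the stored value; the clear-text password is never kept."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

class Account:
    def __init__(self, user, pw):
        if not password_ok(pw):
            raise ValueError("password fails quality check")
        self.user, self.failures, self.auth_at = user, 0, None
        self.salt = os.urandom(16)                 # per-account random salt
        self.digest = hash_password(pw, self.salt)

    def login(self, pw, now=None):
        now = time.time() if now is None else now
        if self.failures >= MAX_FAILURES:          # stays locked until an admin resets it
            events.append((now, self.user, "locked_out"))
            return False
        candidate = hash_password(pw, self.salt)
        if hmac.compare_digest(candidate, self.digest):   # constant-time comparison
            self.failures, self.auth_at = 0, now
            events.append((now, self.user, "login_success"))
            return True
        self.failures += 1
        events.append((now, self.user, "login_failure"))
        return False

    def is_authenticated(self, now=None):
        """True only while the last successful login is younger than AUTH_TTL."""
        now = time.time() if now is None else now
        return self.auth_at is not None and now - self.auth_at < AUTH_TTL
```
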
Each use of data and service should be authorised by access rights.
- Access rights of users
A system should manage the access rights in a way that allows granting access independently for each user account.
- User groups
The system should provide the capability to organise users into groups.
The software should clearly indicate for which actions on the system a user should be held accountable.
The availability rate of the hosted service should be stated.
Multiple users should be managed centrally by the admin user, e.g. creation and deletion of a user account, lock and unlock of a user account as well as reset of a password.
The system should inform the owner of the computer in real time when being accessed remotely. The system should also inform managers about defined non-compliance with information security policies.
The documentation of the configuration of a system should contain an exhaustive list of the data flows starting, ending or going through the system.
Although the list could go on and on, depending on the level of detail you are interested in, we need to draw the line somewhere. The bottom line is that today’s support teams have access to amazing levels of technology. Regardless of the size of the business, remote access tools make the work we do easier and more efficient. As technology evolves, it’s critical that our tools evolve at the same pace to cope with new challenges, whether security-related or otherwise.