Data breaches are more prevalent and more costly than ever. Smarter technologies seem to breed smarter hackers, making it difficult for IT to keep up. But sometimes IT unwittingly helps the bad guys by improperly using core tools, such as remote support mechanisms.
According to a Verizon report which examined more than 700 data breaches from 2010, a whopping 71% of all attacks were conducted through remote access and desktop services pathways.
Given the cost and efficiency benefits of fixing a system remotely versus dispatching a tech, remote support isn't likely to lose favour anytime soon. So how can companies take advantage of remote support while maintaining security and keeping data safe?
One important factor in remote support security is who is in control of the data. There are many choices of remote support technologies, but they mainly fall into two categories: software as a service (SaaS) and on-premise.
By design, any data that is accessed through a SaaS remote support tool is automatically passed through a third party server, which means the third party provider or anyone who breaches that vendor may be able to access the data.
SaaS is a great option for certain situations, and many SaaS solutions offer numerous benefits. But consider again that remote support tools generally allow access into every employee's computer and a majority of company systems, and the obvious dangers of passing data through a third party become clear. Essentially, when you put your remote support system in the cloud, you're agreeing to put all of your company's data in the cloud.
With an on-premise model all of the data, and a formal audit trail, remains behind the firewall, leaving the company in control. This is a significant benefit for companies that must, for example, conform to the requirements of the Payment Card Industry (PCI) Data Security Standard (DSS), which holds the customer responsible for payment card data even when third-party hosted solutions are used. The customer is liable for any data breach even if the breach occurs at the remote support vendor.
A named-seat licensing model, which is used by a number of popular remote support software vendors, presents an inadvertent threat to data security.
In this model each licence is associated with one set of login credentials. In order to cut costs, the named seat model encourages the use of shared credentials and generic remote control login identities such as "Tech001," "Tech002," and so on. When a support representative needs remote control/access, they simply use an available credential.
This leads to two liabilities. First, accountability is lost between the actions that occur in a support session and the specific support rep that took those actions. Second, passwords associated with the shared credentials are rarely updated, introducing an enormous vulnerability as individuals change responsibilities or leave the company.
To prevent this, organisations should employ a concurrent licensing model, in which licences are purchased based on how many help desk reps are active at a given time, and all reps use their own login credentials.
It doesn't matter how many service desk reps an organisation has, if only 100 reps log in at any one time then the customer needs to purchase only 100 licences. Beyond the additional security aspect, this approach can provide significant cost savings for support centres delivering 24/7 service. Plus, because all reps have their own login, granular access permissions can be tailored for each rep versus a one-size-fits-all access profile.
Enterprise directory authentication
The concurrent licensing model provides an even stronger bulwark against data breaches when coupled with credential authentication through an enterprise directory such as Microsoft Active Directory. Enterprise directory allows the rep to authenticate to the remote support solution using the same credentials they use when they log into their workstations, eliminating the need to remember a separate password and credential sharing between reps.
Also, with directory integration, support rep privileges within the remote support solution can be managed through the centralised enterprise directory. So, for example, if a support rep leaves the company, that person's enterprise directory credential would be disabled as part of the exit process, immediately removing access to the remote support tool.
Contrast this process with the named seat model where credentials must be managed manually, and a former employee could still access the system via a generic login. Not surprisingly, failure to remove named seat access for former employees is a major attack vector.
There are multiple ways to create a remote control connection between a support rep and an end user. For optimum security, companies should make sure the remote control connection is not maintained through an open listening port on the client computer. Open listening services that can be accessed through an Internet connection are a source of compromise because hackers can easily exploit that open pathway to access secure data.
Additionally, companies should make sure they aren't using a peer-to-peer connection that allows the support rep to establish a direct, unsupervised, unaudited connection to a remote customer.
Regardless of the preventative steps a company might take, there is no way to completely protect your organisation from data breaches. The best defence lies in identifying all of the potential risk factors and developing a strategy for mitigating those risks to the best of your ability.
Remote support offers numerous cost and efficiency advantages for organisations and, by following the tips outlined above, companies can reap all of its benefits without leaving doors open to harmful hackers.