Today's IT departments continue to be asked to do more with less, and to act more quickly and with greater impact on business success. Often this means supporting a growing number of users, many working remotely, who are using increasingly complex hardware and software. Remote control software, which allows a help-desk technician to assume control of a user's PC or an unattended server over a network, has proven to be a cost-effective way of providing support. Even so, some organizations worry that remote control software could expose their data to unauthorized use. This article looks at the continuing importance of remote control software in today's computing environment, as well as some of the security requirements this software must address in order to overcome concerns about its deployment.
How formidable are the challenges facing today's help desks and call centers? Consider: these groups must support a growing number of users across multiple remote locations (in many cases, involving multiple organizations and/or customers), which typically employ varied security policies, heterogeneous software and device platforms, no consistency or standardization across locations/environments, and varying degrees of access to the network. All of these complex environments and infrastructures impose new barriers to connectivity.
To continue to play an integral part in any IT infrastructure, a remote control solution must provide secure connectivity consistently across all of these environments. By addressing security requirements in the areas of authentication, authorization and access control, perimeter and data-transfer security, and administration, a remote control solution can provide IT departments with a secure and cost-effective help-desk tool. With such a solution, organizations have a powerful tool for helping to keep their environments up and running, no matter what. Key considerations include:
- Authentication. While no authentication technique is foolproof, requiring the use of passwords or other form of authentication before a remote session commences discourages unauthorized access. When evaluating a remote control solution, make sure it supports authentication methods that your organization is already using. Support of multiple, standard authentication methods allows IT staff to leverage existing user/password lists. RSA SecurID is a popular two-factor authentication process that presents the legitimate user with a security code that changes every 60 seconds. RSA SecurID support is of particular interest to the federal government and the financial services industry.
- Authorization and access control. Remote control software should be able to limit access to computers within a specific subnet or to specific TCP/IP addresses. Another effective way to block unauthorized access is by embedding a "serialization" code into the host and remote portions of the remote control product. A host that has been serialized will accept connections only from a remote computer with the same serialization number. If the serialization number does not exist, the connection cannot be established. In support situations, the host user should be able to confirm or deny access. Callback capabilities, in which the host disconnects the call and then calls the remote back at a specified number, also help prevent unauthorized access.
- Perimeter and data-transfer security. Remote control software should support Virtual Private Network (VPN) technology to permit secure Internet connections through a firewall as well as over a corporate intranet. Securing the data stream in transit is just as important as preventing unauthorized access. The software should support encryption services and public key encryption to prevent eavesdroppers from intercepting data during transmission.
- Administration. The software's administration tools should help IT professionals plug security holes by scanning network and telephone lines to identify unprotected remote access hosts. In addition, since thorough alerting, logging, and reporting are essential to a secure environment, the remote control software should generate an audit log of all remote control transactions, including disallowed attempts at connection. This enables administrators to monitor activity and detect unauthorized attempts to access systems. Integrity checking, meanwhile, can ensure that the host and remote objects, DLL files, executables, and registry settings have not been modified since the original installation.
In addition to these security requirements, an effective remote control solution should address the latest security developments, including:
- AES encryption algorithm. AES (or Rijndael) is one of only four symmetric key encryption algorithms approved against the National Institute of Standards and Technology's FIPS 140-2 standard. It provides encryption at the 128-bit, 192-bit, or 256-bit cipher strengths. AES is exponentially stronger than the previous DES and 3DES algorithm standards, and is considered to be faster and less resource-intensive as well. It should be set as the standard across all product components of a remote control solution.
- FIPS 140-2 Level 1 validation. Federal Information Processing Standard (FIPS) 140-2, Level 1 validation from the NIST allows products to be deployed by federal agencies and other organizations that require stringent security standards to protect sensitive information. FIPS 140-2 is also required by federal agencies in Canada, is recognized in Europe and Australia, and is being adopted by numerous financial institutions worldwide.
It should be noted here that remote control is now available as a hosted Web service, giving users access to a host PC from remote devices that have public Internet access via a third-party service. However, as Mike Baldwin, Senior Product Manager at Symantec, has observed, "the hosted service model may pose security concerns, especially for businesses faced with demonstrating compliance with industry or government regulations for information security. Hosted remote access is also usually offered as a service rather than a product, which may mean recurring subscription fee headaches for some."
Another reason for remote control software's continued importance has to do with the IT environment typically found in today's enterprise. That environment is likely to include everything from Windows desktops to Linux servers, Mac OS X-based machines, handheld computing devices, and more. And it's up to the IT department to keep this heterogeneous infrastructure functioning at all times. As a result, a growing number of organizations are turning to remote control solutions that offer true cross-platform support. By choosing a remote control solution that works across all platforms, IT administrators can manage their entire environment as seamlessly as they do on a single Windows system. What's more, a platform-independent, browser-based remote component can be used for secure remote control management from non-Windows machines.
Finally, the financial benefits of remote control software can be significant, in some cases lowering help-desk costs by six to 13 percent, according to Symantec. Cost savings can result from reducing the number of help-desk staff, solving problems faster, and fielding fewer support calls. Perhaps most important of all, an effective remote control solution frees up an IT department's time for other, more important tasks.
Remote control solutions continue to help organizations manage remote computers securely across multiple platforms to resolve issues quickly. However, as the number of remote users grows, maintaining security becomes an even more critical requirement for these solutions. An effective remote control solution, such as Symantec pcAnywhere 12.0, addresses key security requirements in the areas of authentication, authorization and access control, perimeter and data-transfer security, and administration. The result is a solution that can detect, diagnose, and resolve critical issues with minimal impact to business operations.