The Future of Remote Control and Security

March 16, 2006

Today’s IT organizations are expected to support a growing number of users, many working remotely, who are using increasingly complex hardware and software. At the same time, IT budgets are being curtailed. Therefore, IT organizations must find a way to handle the increased workload securely and effectively. Remote control software, which enables a help desk professional to assume control of a user’s PC over a network, provides a way for a help desk to handle more calls without additional resources. But in order to allay fears that it could expose data to unauthorized use, remote control software must address security requirements in the areas of authentication, authorization and access control, perimeter and data-transfer security, and administration.

How does remote control differ from remote access or remote support?

The terms remote access, remote support, remote management, and remote control are often used interchangeably to denote the process (or some subset of the process) of taking full keyboard, video and mouse control of a distant computing device. This is typically done for the purpose of supporting the hardware, the software and/or the end user. Specifically, remote management or remote support software applications are used by helpdesks or IT administrators to access and control a user’s machine in order to resolve an issue. The term remote access is typically used when there is no additional end user and no troubleshooting taking place, meaning the person gaining access is the primary owner or user of the machine being accessed and the purpose of the access may be simply to get to certain files, folders or applications. Regardless, the core technology in these cases is called remote control, and will be fairly similar in each instance regardless of what other features are included or how the software product is positioned. Often, file transfer capability will be built into the software as well.

How does remote control work?

Remote control allows a user to take full control of a machine by connecting to that machine, passing through keyboard and mouse commands, and returning video information across the connection. This means the user can see everything on the end machine desktop, and interact with it as if physically sitting directly in front of the device.

The connection itself is the first step, and there are multiple options available today. Traditional remote control programs offer a point-to-point solution, creating a direct link between two computers. This connection could be TCP/IP based over a public or private network, it could be a modem-to-modem (direct dial) session, or it could even be a local cable connection. This point-to-point type of connection model is often considered the most secure, as it enables administrators to retain the ability to control traffic as needed based on corporate IT policies.

Remote control is also now available as a hosted Web service, giving users access to a host PC from remote devices that have public Internet access via a 3rd-party discovery service. These services are typically easy to use and require minimal effort to configure. However, the hosted service model may pose security concerns, especially for businesses faced with demonstrating compliance with industry or government regulations for information security. Hosted remote access is also usually offered as a service rather than a product, which may mean recurring subscription fee headaches for some.

Why is remote control important for today’s business environment?

Remote control solutions remain vital for enterprise help desks and desktop management environments. Just as administrators can leverage remote control to help manage and support their multiplatform IT infrastructures, IT professionals can use it to provide customer support without leaving their offices. At the same time, organizations demand tools that offer the advanced security they need to protect their information assets and meet industry and government regulatory requirements. To continue to play an integral part in any IT infrastructure, remote control programs must provide a secure environment for resolving helpdesk issues, managing remote computers, and working across multiple platforms. With a secure remote control solution, organizations have a powerful tool for helping to keep their environments up and running, no matter what.

How do organizations decide whether or not to implement remote control?

As most IT organizations know, security is often the most important factor in determining whether to implement remote control technology in the corporate environment. That’s because remote control is often viewed as a backdoor to bypass security and gain access to a computer and the network. For remote control to be widely and effectively adopted within any organization, it must provide multiple levels of security to ensure that only authorized users can connect. Despite the frequently cited benefits of remote control software – such as increased productivity and reduced support costs – some IT organizations have been reluctant to install it out of concern for potential security risks. By addressing necessary security requirements in the areas of authentication, authorization and access control, perimeter and data-transfer security, and administration, a remote control solution can provide IT organizations with a secure and cost-effective helpdesk tool.

What are some features that improve security within remote control?

Integrity-checking is critical. Remote control software with integrity checking features identifies changes since the original installation. If changes are detected, indicating potential rogue installations, the program will not function. Other administrative features such as alerting and logging are also essential to a secure environment. Secure remote control programs generate alerts when a number of unsuccessful attempts to connect to a host PC are detected; this permits real-time monitoring of suspicious activity from a network management console. A secure remote control program also generates audit logs of all remote control transactions, enabling the administrator to monitor activity and detect unauthorized attempts to access systems. Some programs also enable these audit logs to be secured to prevent hackers from altering them in order to hide their tracks.
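The alerting and secured audit log described above can be sketched as follows. This is an added example, not code from the article or from any remote control product; the log line format, the threshold of 3 failures in 60 seconds, and the HMAC hash chain are assumptions chosen for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

THRESHOLD, WINDOW = 3, 60  # assumed policy (not from the article): 3 failures in 60 s
GENESIS = b"\x00" * 32

def seal(records, key):
    """Chain each audit record to the previous one with an HMAC-SHA256 tag."""
    sealed, prev = [], GENESIS
    for rec in records:
        tag = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        sealed.append((rec, tag))
        prev = tag
    return sealed

def first_tampered(sealed, key):
    """Return the index of the first record whose tag fails, or None if intact."""
    prev = GENESIS
    for i, (rec, tag) in enumerate(sealed):
        expect = hmac.new(key, prev + rec.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, tag):
            return i
        prev = tag
    return None

def failed_connect_alerts(records):
    """Return (host, time) for each burst of THRESHOLD failures within WINDOW."""
    recent, alerts = defaultdict(deque), []
    for rec in records:
        ts, host, _src, outcome = rec.split()
        if outcome != "FAIL":
            continue
        q, now = recent[host], int(ts)
        q.append(now)
        while now - q[0] >= WINDOW:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD:
            alerts.append((host, now))
            q.clear()                 # one alert per burst
    return alerts

# Constructed sample log: "<epoch-seconds> <host> <source-ip> <outcome>"
SAMPLE = [
    "1000 hostA 192.0.2.10 FAIL",
    "1010 hostA 192.0.2.10 FAIL",
    "1015 hostB 198.51.100.7 OK",
    "1020 hostA 192.0.2.11 FAIL",
    "1200 hostA 192.0.2.10 FAIL",
]
```

The chain detects edited or removed records in the middle of the log; detecting truncation of the tail additionally requires keeping the latest tag somewhere the host cannot rewrite, such as the management console.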

Authorization and access controls are also effective deterrents to security breaches. Mandatory authentication measures help thwart unauthorized access by verifying a user’s credentials against a directory or access list to determine if that user is authorized to connect to the system. Flexible remote control software can leverage either its own features or existing OS policy to further limit users’ rights to certain drives on the host, or specific application functionality.

Also, secure remote control programs will enable administrators to limit access to computers within a specific subnet or to specific TCP/IP addresses, or conversely prevent connections from specific addresses. Serialization also protects remote control sessions by allowing IT administrators to embed a security code into the host and remote components of a remote control solution. Serialization ensures that connections are only accepted between computers containing matching serial numbers. In support situations, the host user should be able to confirm or deny access.
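The connection checks in this paragraph (address restrictions, serialization, host-user confirmation) combine into a single admission decision on the host. The sketch below is an added example, not taken from the article or any product; `HostPolicy`, the serial value and the subnets are hypothetical, and comparing the serial directly is a simplification of how matching serial numbers would be verified.

```python
import hmac
import ipaddress

class HostPolicy:
    """Hypothetical host-side policy: allowed/denied networks plus an embedded serial."""

    def __init__(self, serial, allow, deny=()):
        self.serial = serial.encode()
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.deny = [ipaddress.ip_network(n) for n in deny]

    def admit(self, source_ip, remote_serial, host_user_confirms):
        """Return (accepted, reason). Every check must pass; deny wins over allow."""
        addr = ipaddress.ip_address(source_ip)
        if any(addr in net for net in self.deny):
            return False, "address denied"
        if not any(addr in net for net in self.allow):
            return False, "address not in allowed subnet"
        # Constant-time comparison so timing does not leak how much of the serial matched.
        if not hmac.compare_digest(self.serial, remote_serial.encode()):
            return False, "serial mismatch"
        # The host user is asked last, only for connections that passed policy.
        if not host_user_confirms(source_ip):
            return False, "host user declined"
        return True, "accepted"

# Constructed policy: help desk subnet allowed, one lab range inside it denied.
POLICY = HostPolicy("SN-EXAMPLE-0001", allow=["10.20.0.0/16"], deny=["10.20.99.0/24"])
```

Prompting the host user only after the address and serial checks pass keeps unauthorized sources from generating confirmation dialogs on the user's screen.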

What about encryption?

Securing the data stream in transit is just as important as preventing unauthorized access. The software should support both symmetric and asymmetric (public key) encryption services to prevent eavesdroppers from intercepting data during transmission. Remote control users should take heed of current industry and government data encryption standards, and therefore the AES encryption algorithm is something to look for in a remote control product.

AES (or Rijndael) is one of only four symmetric key encryption algorithms approved against the National Institute of Standards and Technology's Federal Information Processing Standard (FIPS) 140-2 standard. It provides encryption at the 128-bit, 192-bit, or 256-bit cipher strengths. AES is by definition exponentially stronger than the previous DES and 3DES algorithm standards, and is considered to be faster and less resource-intensive as well. It should be set as the standard across all product components of your remote control solution.

The NIST FIPS 140-2 validation allows products to be purchased by federal agencies and other organizations that require stringent security standards to protect sensitive information. FIPS 140-2 is also required by federal agencies in Canada, is recognized in Europe and Australia, and is being adopted by numerous financial institutions worldwide. It is a tremendous indicator of product encryption security. Secure remote control products will support encryption of both the data stream and authentication credentials. Remote control software should also support Virtual Private Network (VPN) technology to permit secure Internet connections over an extended corporate intranet.

What about the performance vs. security trade-off?

Of course, to be effective, even the most secure cross-platform remote control solutions must also offer high performance in an enterprise environment. To that end, features such as bandwidth auto-detection can be used to enable users to detect the actual connection speed or bandwidth of each connection and then adjust settings that impact performance in lower-bandwidth connections.

How have compliance and regulatory standards affected remote control?

Security has become a boardroom issue in organizations of all sizes and in all industries. Key business regulations and standards have brought information protection to the forefront, from the Sarbanes-Oxley Act (SOX) of 2002 to the Health Insurance Portability and Accountability Act (HIPAA) of 1996, California’s Security Breach Information Act, and more. These regulations call upon organizations to evaluate and address critical issues with respect to data reliability, integrity, and security even as government institutions face mandatory requirements for security (for example, the cryptographic module requirements outlined in FIPS 140-2 as noted above). To maintain the security of their data and network resources and meet such industry and government requirements, organizations are opting for remote control solutions that support their existing security infrastructure and provide advanced security functionality and features. Support for a variety of strong encryption helps mitigate the risk of information exposure and brings organizations closer to regulatory compliance.

What are the motivations for organizations to take a second look at their remote access tools?

Security concerns, driven in part by regulatory compliance issues, are causing some organizations to reevaluate their remote access tools. Recognizing the possibility that remote access software might inadvertently put the confidentiality of sensitive corporate data at risk, organizations are demanding more sophisticated remote control solutions that offer an expansive set of security provisions, including authentication, authorization and access control, perimeter and data transfer security, and administration tools. The incorporation of critical security functionality enables remote control solutions to adapt to the enterprise environment and become an integral component of a helpdesk or desktop management infrastructure.

How do different platforms, such as Linux or Mac OS X, affect the remote control environment?

The typical IT environment today is comprised of everything from Windows desktops to Linux servers, handheld computing devices, and more. And IT organizations are responsible for keeping this heterogeneous infrastructure functioning at all times. That’s why a growing number of organizations are turning to remote control solutions that offer true cross-platform support. After all, many enterprises have at least one machine or device that runs on Linux. They might even have a customer or vendor with a Linux environment. Many users or clients may require access to or from a Mac OS X-based device. And as more Linux or Mac machines are being found in traditional Windows environments, administrators must manage those devices without the added learning curve of mastering the additional operating systems. By choosing a remote control solution that works across all platforms, IT administrators can manage their entire environment as seamlessly as they do on a single Windows system. What’s more, a platform-independent browser-based remote component can be used for secure remote control management from non-Windows machines.

Handheld devices have also gained a foothold in the enterprise. Personal digital assistants (PDAs) and smartphones are increasingly being used to conduct business away from the office. As these mobile devices become more popular, it is important to have a remote control solution that supports these devices—one that enables remote control not just from another PC or laptop but from a handheld device as well.

Are there any financial benefits to implementing remote control?

While the security issues related to remote control software cannot be overstated, it should also be noted that the financial benefits of this software can be significant, in some cases lowering helpdesk costs by six to 13 percent, according to Symantec Corporation. Cost savings can result from reducing the size of the help desk staff, solving problems faster, and fielding fewer support calls. Forrester has found that an organization with 20,000 end users and a $2.9 million helpdesk budget could save approximately $338,000 through the use of desktop remote control software.
