Remote maintenance: Which tools should you choose? Although remote maintenance is essential to the proper operation of organizations, it has certain cyber risks related to remote accesses. These risks can be reduced or even eliminated by using the right IT tools. Several solutions are commonly used for remote maintenance, such as remote-control software, VPNs, ZTNAZero Trust Network Access. The ZTNA is a name describing products that apply a “Zero Trust”, or lesser privilege, policy in the area of external access. The objective is to… More (Zero Trust Network Access) or PAMPrivileged Access Management. PAM is a technology for managing access and authentication of authorized users, usually information system administrators, to administrative resources or applications. The main objective is to secure… More (Privileged Access Management) solutions. However, these solutions are not equal in terms of cyber security. Remote maintenance: a performance challenge but also a cyber risk The remote maintenance is intended to solve an IT issue or perform operations by taking control of a system or a network remotely. It is a guarantee of reactivity and practicality to ensure business continuity. The term, which is quite broad, can include helpdesk issues for solving isolated problems on a workstation, or even remote administration issues where a service provider will have to intervene on his customer’s information system to administer it. It is this second case that is likely to present the most risks for the security of the information system. In the context of a remote control by a service provider, there are several challenges to consider, including the traceability of accesses and actions carried out. The organization must be able to find the source of any problems that may arise. Another issue is the authentication which must be strengthened to prevent identity theft attempts, or the issue of reducing the possibility of lateral movements within the information system. Solutions to avoid Although they are perfectly suited to helpdesk actions, between the IT department and employees of the same organization, remote-control software does not have the security features required for remote access by service providers for remote maintenance of the information system. In this case, an agent allowing external access must be installed on the workstation. This agent, which can be detected by tools that analyze all ports opened from the outside, becomes a potential entry point for a hacker. Furthermore, a service provider accessing the remote workstation has all the access rights related to it, whereas his access rights should be adapted to his specific profile as an external service provider. Moreover, these tools do not offer reinforced authenticationPrimary or secondary authentication Authentication allows a user to guarantee his or her identity before accessing a resource or service. Primary authentication will give user access to the workstation (Windows… More allowing to increase the security level of the person accessing the workstation and the traceability is limited to logs information present on the workstation only. VPNs, which are also used by many companies to provide remote access to their service providers, do not meet all the security requirements either. The original role of the VPNVirtual Private Network. VPN is a technology that simulates a local area network between two trusted networks. In practice this allows two elements (workstations, servers, printers, etc.) to communicate with… More is to make two trusted networks communicate with each other, i.e. intra-organization networks. From the organization’s point of view, the provider cannot be considered as trusted since the company has no control over the provider’s network. For example, the VPN does not allow the implementation of the principle of least privilege, which is essential for the security of information systems. Moreover, like remote-control software, VPNs require the installation of agents on workstations. However, agents require regular updates to correct vulnerabilities. Knowing that it takes an average of one month for the editor to release the correction of a vulnerability and an average of one month for the company to deploy it on all its agents, the organization is then exposed to these vulnerabilities for an incompressible period. Solutions to privilege In the context of remote maintenance of the information system by external service providers, the ZTNA should be preferred because its security features are compatible with remote access that is not qualified as “trusted”. Systancia Workroom Session Service, Systancia’s “zero trust” secure remote access solution as cloud services, allows agentless access and the implementation of the principle of least privilege which, in this case, limits the rights and authorizations of these external service providers to only those applications and data that are necessary for their work. The resources accessed are “hidden” from the Internet network. The connection to the resource is made by the internal gateway, so there is no exposure of the resource on the Internet. The resource is isolated from the Internet while being accessible from the Internet via the ZTNA solution. Access to the resource is only opened when needed and used, via ephemeral and random ports. In addition, the solution offers a fine traceability (which allows to know who connected to what) and allows to check the integrity and conformity of the workstation and to authenticate the user in a strong way with a panel of supported solutions, and even offering the SSO (Single Sign-On) for the resources in backend. As for the PAM, it allows you to go even further in terms of information system security, in particular by monitoring the actions carried out by service providers via real-time or a posteriori monitoring (which allows to know who has connected to what to do what). Systancia Cleanroom Session Service, Systancia’s Privileged Access Management solution as a public cloud service, can, for example, record administration sessions in video format and automatically analyze their content to quickly find the context and the changes made. It allows to protect the access to resources by reinforcing the authentication before the connection, and by injecting the privileged accounts used on the administered resources. In addition, it also offers the ability to implement a continuous authentication feature that guarantees the identity of the connected service provider in real time.