In light of recent security issues involving remote desktop access software, we've been asked to audit the authentication capabilities of any remote access software used in our organization. What's your advice in terms of drawing conclusions on what is or isn't acceptable, especially since any application that fails would simply be banned?
This is a difficult question to answer because there are many determining factors in drawing a conclusion on whether to allow remote desktop access.
Answer by Randall Gamby, SearchSecurity.com's resident expert on identity management and access control.
Before you proceed with a remote access audit, you must first answer two questions that will shape any conclusion. First, what is the value to the organization of workers being able to connect to their desktops remotely when away from the office? Organizations have long struggled to put a number on this, but an estimate must be settled on before proceeding. It is obvious that a worker gains something from reaching files and applications while remote; what is hard to determine is whether that gain is worth the risk of exposure.
This leads to the second question: Is the risk of data exposure during remote access greater than the value of the data itself? If a worker has remote access to financial data, PHI, intellectual property or other highly sensitive information, then the risk of data loss, of severe damage to the organization's reputation, or even of lost customer confidence may outweigh the convenience or necessity of remote desktop access software.
Once it's been determined that the value of remote access is worth the risk, an organization can then evaluate the authentication capabilities and other mitigating controls along this same value curve. For example, an evaluation of an organization's remote access security should score at least these parameters:
- The level of authentication to be used -- username/password, two-factor authentication, biometrics, and the like.
- Other risk-mitigation factors -- geo-tracking of the connecting client, the configuration of the connecting workstation, whether current antivirus signatures are installed, and so on.
- Trustworthiness of the employee -- for example, whether background checks have been run on the key executives who will be given access.
- Days/times authorized for access -- the dates and times during which remote access may be executed, and whether requests fall within them.
Once these parameters have been assigned values, a conclusion can be derived by adding the risk and the data value and subtracting the mitigating controls from that sum. While this may sound like a rigorous, practical evaluation, the values and their variances will carry a degree of subjectivity that only the organization itself can assess; a small change in how one control is weighted can move a product from acceptable to banned.
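The scoring rule above, carried through as an added example (this is illustrative code, not part of the original column or of any product it mentions). It scores the four parameters from the list, applies "risk plus data value minus mitigating controls" against a threshold, and then checks how fragile a verdict is when one assessor weights a single control differently, which is the subjectivity the column warns about. Every point value, threshold, vendor name and profile below is a constructed assumption; an organization must substitute its own ratings.

```python
"""Worked example of the remote-access scoring rule: residual risk is
(exposure risk + data value) minus the points earned by mitigating controls,
and a tool is acceptable when the residual is at or below a chosen threshold.

Added example, not from the original column. All weights, thresholds and
tool profiles are constructed assumptions for illustration only.
"""
from dataclasses import dataclass

# Assumed point values for the authentication level (higher = stronger).
AUTH_POINTS = {
    "password": 1,
    "two_factor": 4,
    "biometric": 4,
    "two_factor+biometric": 6,
}

# Assumed point values for the other mitigating factors listed above.
CONTROL_POINTS = {
    "geo_tracking": 1,           # login location checked against expected regions
    "managed_workstation": 2,    # organization-configured endpoint
    "current_av_signatures": 1,  # endpoint posture verified before connecting
    "background_check": 1,       # trustworthiness of the user population
    "access_window": 1,          # access limited to authorized days/times
}


@dataclass(frozen=True)
class AccessProfile:
    """How one remote-access tool is deployed for one user population."""
    name: str
    auth: str
    controls: frozenset = frozenset()


def mitigation_points(profile, control_points=CONTROL_POINTS):
    """Points earned by the authentication level plus the other controls."""
    if profile.auth not in AUTH_POINTS:
        raise ValueError(f"unknown authentication level: {profile.auth}")
    unknown = set(profile.controls) - set(control_points)
    if unknown:
        raise ValueError(f"unknown controls: {sorted(unknown)}")
    return AUTH_POINTS[profile.auth] + sum(control_points[c] for c in profile.controls)


def residual_risk(profile, exposure_risk, data_value, control_points=CONTROL_POINTS):
    """The column's rule: add risk and data value, subtract mitigating controls."""
    return exposure_risk + data_value - mitigation_points(profile, control_points)


def is_acceptable(profile, exposure_risk, data_value, threshold,
                  control_points=CONTROL_POINTS):
    return residual_risk(profile, exposure_risk, data_value, control_points) <= threshold


def rank(profiles, exposure_risk, data_value, threshold):
    """(name, residual, verdict) for each profile, lowest residual first."""
    rows = []
    for p in profiles:
        r = residual_risk(p, exposure_risk, data_value)
        rows.append((p.name, r, "accept" if r <= threshold else "ban"))
    return sorted(rows, key=lambda row: row[1])


def verdict_is_fragile(profile, exposure_risk, data_value, threshold,
                       control, alternative_points):
    """True if the verdict flips when one control is re-weighted by one assessor."""
    before = is_acceptable(profile, exposure_risk, data_value, threshold)
    adjusted = dict(CONTROL_POINTS, **{control: alternative_points})
    after = is_acceptable(profile, exposure_risk, data_value, threshold, adjusted)
    return before != after


# Constructed scenario: PHI reachable remotely (data value 8 of 10), the
# exposure risk of an internet-facing desktop session rated 5, threshold 6.
PHI_DATA_VALUE = 8
EXPOSURE_RISK = 5
THRESHOLD = 6

# Constructed vendor profiles (hypothetical names).
PROFILES = [
    AccessProfile("vendor_a_password_only", "password"),
    AccessProfile("vendor_b_2fa", "two_factor", frozenset({"access_window"})),
    AccessProfile("vendor_c_2fa_managed", "two_factor",
                  frozenset({"managed_workstation", "current_av_signatures"})),
]

if __name__ == "__main__":
    for name, r, verdict in rank(PROFILES, EXPOSURE_RISK, PHI_DATA_VALUE, THRESHOLD):
        print(f"{name:26} residual={r:2d} {verdict}")
    fragile = verdict_is_fragile(PROFILES[2], EXPOSURE_RISK, PHI_DATA_VALUE,
                                 THRESHOLD, "managed_workstation", 1)
    print("vendor_c verdict flips if managed_workstation is worth 1 point:", fragile)
```

With these assumed numbers only the two-factor deployment on a managed, posture-checked workstation lands at the threshold (residual 6), and it does so with no margin: rating the managed workstation one point lower bans it. A fragility check of this kind is a cheap way to show auditors which verdicts rest on a single subjective weight rather than on the tool itself.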
This was first published in August 2012