Remote access services enable a company's workers to access corporate IT services and their work files anytime, anywhere. When opting to use remote access services, a company must weigh the security strengths and weaknesses of the different solutions alongside their user-friendliness and cost; otherwise its data assets will be at risk. This guideline aims to give companies some useful tips for identifying a remote access service that fulfils both their operating and security needs.
Remote Desktop Control
Remote Desktop Control is the opening of a corporate PC on the internal network to the Internet, allowing remote users to take control of it from almost anywhere. Its attractions are low cost, convenience and ease of use.
The security downside of this solution is that it bypasses the firewall's control by opening a fixed outgoing connection to the service provider's server, through which the remote user's connection is relayed back to the PC. This technology lacks the strict security controls, logging and audit functions that enterprises require. The user must fully trust the service provider's security and presume that any security compromise will have minimal impact. There are some use cases for this technology. For example, a user with only one computer in the office may be prepared to take the risk, as a security compromise will affect only his own computer. Another use case is a user opening his remote desktop control to IT support personnel and accompanying them throughout the session.
There are various remote desktop control products on the market. A company should choose software that supports two-factor or multi-factor authentication and set a strong password. It must also keep the remote desktop control software up to date and turn it off on the controlled PC when not in use, to reduce the security risk.
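The fixed outbound connection to the provider's server described above is also what a defender can look for: a PC that keeps one external endpoint open for most of the working day is either a known remote access tool or something that warrants a question. The script below is an added example, not HKCERT's or any vendor's code; the log format, the 10.0.0.0/8 internal range, the threshold and the log records are all constructed assumptions.

```python
"""Flag internal PCs that hold a long-lived outbound connection to one external
endpoint, the traffic pattern a remote desktop control tool leaves when it keeps a
fixed connection open to its provider's relay server.

Added example for this guideline; log format, field order, internal range and
threshold are assumptions, and SAMPLE_LOG is constructed data."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed internal address range; anything outside it is treated as external.
INTERNAL_NET = ip_network("10.0.0.0/8")
# Total time one PC may hold connections to one external endpoint before we flag it.
PERSISTENT_SECONDS = 4 * 3600

# Constructed firewall connection log: start,end,src,dst,dport (ISO timestamps).
SAMPLE_LOG = """\
2024-03-01T08:00:00,2024-03-01T08:00:02,10.0.5.21,203.0.113.10,443
2024-03-01T08:00:05,2024-03-01T17:30:00,10.0.5.21,198.51.100.7,443
2024-03-01T09:12:00,2024-03-01T09:12:40,10.0.5.33,203.0.113.44,443
2024-03-01T07:55:00,2024-03-01T08:25:00,10.0.5.33,198.51.100.7,443
2024-03-01T08:25:10,2024-03-01T18:01:00,10.0.5.33,198.51.100.7,443
"""

@dataclass
class Conn:
    start: datetime
    end: datetime
    src: str
    dst: str
    dport: int

def parse_log(text: str) -> list[Conn]:
    """Parse the assumed CSV connection log into Conn records, skipping blank lines."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, src, dst, dport = line.split(",")
        conns.append(Conn(datetime.fromisoformat(start), datetime.fromisoformat(end),
                          src, dst, int(dport)))
    return conns

def persistent_outbound(conns: list[Conn], threshold: float = PERSISTENT_SECONDS) -> dict[tuple[str, str], float]:
    """Return {(src, dst): total_seconds} for internal-to-external pairs whose summed
    connection time exceeds threshold. Reconnects are summed, so a tool that drops
    and redials its relay still shows up as one persistent pair."""
    totals: dict[tuple[str, str], float] = defaultdict(float)
    for c in conns:
        if ip_address(c.src) in INTERNAL_NET and ip_address(c.dst) not in INTERNAL_NET:
            totals[(c.src, c.dst)] += (c.end - c.start).total_seconds()
    return {pair: secs for pair, secs in totals.items() if secs > threshold}
```

Flagged pairs are candidates to reconcile against the list of approved remote desktop control users, and against the advice above that the software be switched off when not in use.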
Virtual Private Network (VPN)
VPN is a technology that lets users securely access corporate network services through a public network as if their computing devices were directly connected to the private network. It gives users secure access to corporate network resources such as central storage and printers. Processing, however, is still done on the client machine.
VPN requires the company to have a firewall or VPN appliance that supports SSL VPN or IPSec VPN. Users also need to install the VPN client application or set up the VPN configuration supported by their device, which may require assistance from the IT support team. If the company already has such a firewall, VPN is generally a cost-effective solution.
From a security perspective, the end user's device behaves as if it were located inside the corporate network, so it carries the same malware attack risk as an internal machine. Therefore, endpoint security software must be installed on the end user's device. Also, the VPN client should use two-factor authentication or a certificate to sign in.
Virtual Desktop Infrastructure (VDI)
VDI is the technology for providing and managing virtual desktops. VDI hosts desktop environments on a centralized server and deploys them to end clients on request. These virtualized desktops are created as virtual machines controlled by a hypervisor, and all computing activity on the virtual desktop occurs on the centralized server. VDI is costly because it requires an extra layer of software to host the system.
With a VDI solution, end users access their full desktops via a client or web browser over SSL, and the devices they are using never actually touch the desktop, so the security risk is mitigated. Many VDI solutions offer features such as antivirus and malware protection for the virtual desktop, so those security elements are not needed on the end user's device.
To further enhance security, users can enable two-factor authentication in the VDI solution to defeat password brute-force attacks. Also, IT administrators should control access to critical systems on the corporate intranet through the VDI.
Solution Type | Remote Desktop Control | Virtual Private Network (VPN) | Virtual Desktop Infrastructure (VDI)
How It Works | | |
Cost | Low | Moderate [Most existing security appliances (e.g. next generation firewalls) come with VPN functionality. Some may require an additional license to enable this function.] | High
Preparation Time | Less | Moderate | More
Pro | | |
Con | | |
Security Advice | | |
Example* | | |
*Disclaimer:
HKCERT does not endorse specific vendor products. Inclusion of products in this reference list does not indicate endorsement by HKCERT. Tools are listed with no quality rating. The tools in this list are owned by their developers or vendors and may be modified at any time. HKCERT does not verify the accuracy of these tools. If you have any question about these tools, please contact the tool developers or vendors directly.
Source Link: https://www.hkcert.org/my_url/en/guideline/20040302