The adoption of cloud computing has grown significantly in recent years, and it's really no wonder why. Cloud-based applications often offer more flexibility and lower overhead costs, and can even make complex solutions easier to set up, manage, and use. But with those pros come some serious security cons.
Recent large-scale hacks (like those on LinkedIn and Yahoo) have raised awareness about the risks of using insecure passwords. As a technology solution provider (TSP) and trusted advisor to your customers, it's more important than ever to consider the security options of cloud-based solutions– particularly when it comes to remote support tools.
Most cloud-based solutions come equipped with a variety of security features, but which ones really count when it comes to remote support? In a nutshell, you should be looking for:
A password is the first line of defense in any cloud solution. You probably know someone who uses 12345678 or the infamous password, but unlike them, you know how crucial it is to put thought into creating a strong, complex password.
Look for a remote solution with a system in place that measures the strength and complexity of passwords, and enforces their usage, in addition to other password creation safeguards. It may be an annoyance for users at first, but not allowing the use of vulnerable passwords from the start will protect their systems from attacks later–and they'll certainly appreciate that!
The solution should allow configurable password options that dictate the length of the password and the types of characters required. Requiring an eightcharacter password that incorporates special characters (e.g.: ! @, #, %,*, etc.), in addition to numbers and letters, is inherently stronger than a six-character password that uses just letters and numbers.
This feature requires users to change passwords on a schedule (every 45 or 90 days) and will limit the amount of time a compromised password can be used to gain unauthorized access to a system.
One common way hackers try to access an account is a brute-force attack. This occurs when an attacker guesses the account password. A hacker could pass millions of attempts in a very short amount of time by using special scripts and programs that are designed to expose weak passwords–all in a matter of seconds!
The solution you choose should have a feature that automatically locks an account after a set number of failed password attempts to effectively prevent this type of attack.
Two-Factor Authentication requires a user to use two different methods to authenticate into an application, thereby adding a layer of security. A one-time password is an example of a 2FA method.
After a user enters their User ID and password, a one-time password is delivered via text message, email, through devices such as YubiKey, and via mobile apps like Google Authenticator or Microsoft Authenticator.
To further protect data, controlling access by IP address ensures that technicians are connecting from known locations. Administrators can restrict access to specific IP addresses, and administrators can also block a list of IP addresses outright.
Cloud solutions transmit data which must be protected between the user's browser and the cloud servers. Protection like HTTPS/SSL (Secure Socket Layers) encrypts the data that is being passed between the user's browser and the web server.
When web applications use desktop tools to communicate to the web server, it's paramount to have vetted, strong encryption and cryptographic modules in place, such as AES-256 and Microsoft® FIPS 104-2.
To ensure accountability and to comply with privacy regulations (HIPAA and PCI), there should be logging that tracks who connected to the remote machine, what actions they performed, when they connected, and where they connected from. Do yourself a big favor in advance, and find a solution that provides video auditing that can be retrieved easily and stored for a specified amount of time.
Role-based security defines permissions according to the role that a user performs, and can also specify which machines, or group of machines, can be accessed by users. A worthwhile remote solution should be flexible enough to offer user permissions that are clearly defined and can scale within an organization.
A secure cloud-based remote solution should allow a remote party to accept or refuse incoming remote connections. Requiring consent is imperative to ensuring HIPAA compliance by giving the end-user time to clear their workspace of any sensitive data before the remote technician connects. This addition isn't just a security measure; it's also a courtesy and can boost your business' reputation for unmatched customer service.
How is the user going to know their device is currently under remote control after accepting the session invitation? Look for a solution that offers a banner notification that lets a user know a technician is currently connected to their machine. This type of notification should make it clear that the computer is being accessed and should also allow the guest user to exit the session.
Cloud-based remote solutions and resources are going to be a mainstay in our computing lives from here on out. So making sure they're secure is absolutely essential. The same goes for the tools TSPs will use to manage and support those environments.