Remote maintenance as a risk. Food for thought for decision-makers

Auditor views VISULOX Cockpit Audit Trails

Daily news, advertising flyers from large insurance companies, certification projects according to ISO 27001, NIST or PCI DSS, recommendations from data protection authorities and the annual findings of auditors: the flood of requirements and recommendations on cyber security is never-ending. At the same time, the shrug and the "it'll be fine" mentality are noticeably losing ground. And all of this for good reason.

All current recommendations give remote maintenance a special place, and not without reason. Those responsible often underestimate the risks of access via data communication lines: they are intangible, practically invisible, supposedly covered "one way or another" by SLAs and contracts with service providers, and there is no return on investment to drive the subject forward.

This page sets out what needs to be taken into account, from a risk and management perspective, for remote maintenance and for access to assets and company secrets that require protection. Often unnoticed, it is one of the biggest triggers of serious cyber security incidents.

Two supporting facts:

  1. Remote maintenance opens the door to information leakage.
  2. The actions of remote users are uncontrolled and take place out of sight.

The relevant external regulations, as well as internal information security officers, repeat exactly these points like a mantra.

Control and transparency of authorised, privileged users accessing IT and OT systems. 

Classic remote maintenance (a remote gateway with VPN and end-to-end communication) always happens out of sight. The communication path can be controlled, but not the content of the communication.

Firewalls, VPNs, jump servers and detection systems fundamentally help to prevent, or at least detect, threats from third parties and unauthorised access. They do not help to control and document authorised access.

Depending on the access granted and the user's function, he or she receives the required authorisations. These range from mere use of information through applications to administrative access at database or operating system level. In the latter case we speak of access with privileged rights; it is a necessity of IT operations.

IT security is a leadership discipline of the networked future

As part of their mandate, decision-makers need to know the answers to the following questions:

  1. What does "access with privileged rights to corporate data" mean for my organisation?
  2. What are the different strategic and operational risks?
  3. What preventive measures does the IT department take, and which compliance requirements represent the current state of the art?
  4. Are specific risks identified and realistically assessed in the company's internal risk management?

Real risks must be transferred to the logical world

Physical access to business premises naturally involves recognisable methods of control and transparency: proof of identity through ID cards, access controls, video surveillance or escort rules. These methods answer the central questions: When did who let whom into the building? When was who in which room? Who did what, in which room, and when?

It's perfectly normal for us to be video recorded at the ATM, isn't it? 

But who asks these questions for logical access? Remote maintenance access must be subject to equivalent rules and produce the same answers: Who gave access to whom? What was done, when and how? Who worked on which data, and at what time? Here too, the "who" must be a unique identity, just as in the physical world: designations such as "root" or "administrator" must not be accepted. They are role identities, like "caretaker" or "technician of company xyz", not individual identities, and so cannot be traced to a person.

For remote maintenance, a privileged user has tasks to perform. In practice the user works with a standardised set of authorisations, and these rights always allow more than the actual task requires. The system cannot prevent this "more" without also blocking parts of the task. For example, a service provider needs privileged rights to administer the e-mail server; those privileges also allow the provider to read e-mails, even though this is explicitly not part of the assignment.

Consequently, multi-dimensional high risks arise:

The strategic risk: the possibility of insight into, or leakage of, mission-critical information.

The operational risk: sabotage of the IT processes around the e-mail server.

The aim is to identify and reduce the risks. 

Measures to reduce risks from uncontrolled remote maintenance accesses

VISULOX addresses precisely this problem area and reduces or avoids risks during remote maintenance:

  • The user's identity is stored and confirmed, for example by an Active Directory server with integrated multi-factor authentication.
  • Login is only possible within allocated login windows, and the user only has access to the components necessary for his or her task.
  • Current activities are visible live in a Cockpit and can be controlled.
  • The external user can be accompanied in his or her work.
  • The user's activities with the data are fully logged as a session recording ("film").
  • File transfer is configurable inbound and outbound according to the task; the same applies to copy & paste (prevents data theft).
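To make the controls above, and the e-mail server example before them, concrete, here is an added example that is not part of the original article and not VISULOX code. It models what a remote-maintenance broker has to check for one recorded session: the session is attributed to a named person rather than a role account such as "root", multi-factor authentication was verified, every action falls inside the granted time window and on the granted asset, and every action is compared against the task's scope and written to an audit record that answers "who did what, where, when". The data model, field names, the `GENERIC_IDENTITIES` list and the sample sessions are all constructed for this illustration.

```python
"""Policy check for recorded remote-maintenance sessions (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Accounts that name a role, not a person. They may be used *on* the target
# system, but a session must never be attributed to one of them.
GENERIC_IDENTITIES = {"root", "administrator", "admin", "caretaker", "technician"}


@dataclass(frozen=True)
class Grant:
    """What the ticket allows: which person, on which asset, which operations, when."""
    person: str
    target: str
    scope: frozenset
    window_start: datetime
    window_end: datetime


@dataclass(frozen=True)
class Session:
    """What actually happened, as a broker or recording gateway sees it."""
    person: str            # identity presented at the gateway
    target_account: str    # account used on the target system (may be "root")
    target: str
    mfa_verified: bool
    actions: tuple         # (timestamp, operation) pairs, in order


def check_session(session, grant):
    """Evaluate one recorded session against its grant.

    Returns (allowed, findings, audit). `allowed` is False on any violation.
    `audit` holds one record per action, attributed to the person rather than
    to the role account used on the target.
    """
    findings = []
    if session.person in GENERIC_IDENTITIES:
        findings.append(f"identity '{session.person}' is a role, not a person")
    if session.person != grant.person:
        findings.append(f"session person '{session.person}' does not match grant for '{grant.person}'")
    if not session.mfa_verified:
        findings.append("MFA not verified")
    if session.target != grant.target:
        findings.append(f"target '{session.target}' not granted (grant: '{grant.target}')")

    audit = []
    for ts, op in session.actions:
        in_window = grant.window_start <= ts <= grant.window_end
        in_scope = op in grant.scope
        if not in_window:
            findings.append(f"{op} at {ts:%Y-%m-%d %H:%M} outside maintenance window")
        if not in_scope:
            findings.append(f"{op} not in granted scope {sorted(grant.scope)}")
        audit.append({
            "person": session.person,
            "account": session.target_account,
            "target": session.target,
            "when": ts.isoformat(),
            "operation": op,
            "permitted": in_window and in_scope,
        })
    return (not findings), findings, audit


# Constructed sample grant: a two-hour window to administer the mail server.
WINDOW = datetime(2024, 3, 12, 9, 0)
MAIL_GRANT = Grant(
    person="j.mueller@provider.example",
    target="mail-01",
    scope=frozenset({"restart_service", "edit_config", "view_queue"}),
    window_start=WINDOW,
    window_end=WINDOW + timedelta(hours=2),
)

# Constructed sample: the technician does the job and nothing else.
CLEAN = Session(
    person="j.mueller@provider.example", target_account="root", target="mail-01",
    mfa_verified=True,
    actions=((WINDOW + timedelta(minutes=5), "edit_config"),
             (WINDOW + timedelta(minutes=20), "restart_service")),
)

# Constructed sample: same person, but the privileged account also lets them
# read a mailbox, which the assignment does not cover.
OVERREACH = Session(
    person="j.mueller@provider.example", target_account="root", target="mail-01",
    mfa_verified=True,
    actions=((WINDOW + timedelta(minutes=5), "edit_config"),
             (WINDOW + timedelta(minutes=20), "restart_service"),
             (WINDOW + timedelta(minutes=25), "read_mailbox")),
)

# Constructed sample: a role account with no person behind it, no MFA, late.
ANONYMOUS = Session(
    person="technician", target_account="root", target="mail-01",
    mfa_verified=False,
    actions=((WINDOW + timedelta(hours=3), "restart_service"),),
)

if __name__ == "__main__":
    for s in (CLEAN, OVERREACH, ANONYMOUS):
        allowed, findings, _ = check_session(s, MAIL_GRANT)
        print(s.person, "OK" if allowed else findings)
```

The point of the audit record is that the "account" field may well be "root", but the "person" field never is; the recording is attributed to a natural person, which is what a later investigation or an auditor needs. The scope check is deliberately coarse: it cannot stop a privileged account from being able to read mail, it can only make the read visible and flag it, which is exactly the gap between "control of the communication path" and "control of the communication content" described above.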

Since 2003, amitego has worked on controlled, logged access to IT infrastructures, their management and their security.

VISULOX is a proven solution tailored to this attack vector. Unlike many other products on the market, it combines all requirements for audit-proof access to IT infrastructures in one solution. At the same time, VISULOX is implemented in line with the applicable rules on data protection and works constitution law.

VISULOX is used globally. On the one hand it fulfils the tasks required by day-to-day operations; on the other it provides the evidence required by laws and regulations. Transparency of activities by third parties in particular is imperative to retain control over what users actually do when accessing the IT infrastructure.

The solution is in use today at a large number of companies from a wide range of industries in many countries, from installations with 5 users up to enterprise installations with under 7,500 concurrent users, at SMEs and DAX 30 companies. All of it can be implemented without changes to clients or servers.

Our experience shows that we are good listeners. A short personal conversation can often save long detours. We would be happy to meet you for a short 15-minute appointment. Please feel free to register below and we will be in touch.
