Teleworkers
Uninterrupted access to teleworker's workstation
How IT support manages remote laptops anytime and without the risks of a VPN or RMM
Teleworking is here to stay. Employees, and more so candidates, see the ability to work from home an important factor to consider when selecting an employer. For many, it is more valued than basic salary. For an organization, it is important to embrace this shift in the work paradigm by maximizing its positive aspects but as well by minimizing it bad sides. The IT support group, in troubleshooting but as well in managing and monitoring this important work tool that computer became, plays a essential role in the employee's satisfaction at work.
The case for permanent access to the remote computer
Wouldn't it be a dream that problems are detected, analyzed and corrected even before the user take notice? Or, should the user calls for help, that an initial assessment is automatically performed even before the help expert starts working on the issue? All this, while your security tools check, test, or otherwise asses the compliance of the remote workstations. But for this to be possible, the computers must be accessible all the time from a myriad of tools, most of which were carefully selected for supporting computers located at the office. A permanent access method is thus necessary.
This permanent access must have the following attributes:
- Must be established by the remote computer anytime the computer is up and running
- Must not require the user to login into the device
- Must support operation at any location the user might bring the laptop to
- IT tools requiring access to the remote machine must be able to do so natively and without modification
Cyber security considerations
A typical, VPN based, continuously running tunnel would pose an unacceptable risk. More so if it is established by the remote device without the user having to login into the device. Login out of a compromised or hacked computer would not stop exposing central resources to a malicious software running in the computer. To eliminate all risks, the access transport mechanism shall:
- Be constructed in a way that does not enable the remote machine to access central resources
- Only allow access to select resources in the remote computer
- Not expose transported traffic to Internet based access servers
When the above characteristics are met, a secure permanent access can be setup without increasing the cybersecurity risks.
Alternatives
The first solution that comes to mind is obviously using a VPN. Another alternative is desktop sharing tools, such as logMein. All these tools are great and play essential roles but do not meet the criteria that must be met to be used as a permanent access methodology.
- VPN - By its nature, a VPN unlocks ALL communication between a site and a remote computer (or a remote site). Sure it can be cut down by using a firewall (which may be builtin the VPN solution) but failures or misconfiguration of the firewall is a permanent risk.
- Desktop sharing - In fact, this category of tool falls short on many aspects
- It is not permanent
- Does not enable IT tools to access the remote computer
- Typically exposes traffic to an Internet based access server
How do we do it
Our solution sets up a permanent Websocket based transport connection, running over HTTPS. This connection runs between the remote workstation and an access gateway, which typically runs at the IT central site. No Internet based access gateway is used or necessary.
Central tools, including command line and remote desktop tools, natively use this transport connection. The data is simply carried between these tools and the remote devices without the risks associated with a traditional networking solution, such as a VPN. Software running at the remote device can not initiate communication toward anything using this transport mechanism.