Skip to content

Digitally Enabling Workers with Secure Access to Web Applications through Zero Trust

One of Canada’s smartest cities is using the Agilicus AnyX platform to digitally enable mobile workers with secure access to web applications through a Zero Trust framework. Our customer provisioned a series of web applications to digitise analog processes, achieve compliance requirements, and deliver secure access for its diverse workforce, but faced a number of security and deployment challenges.

Read the case study and learn how Agilicus AnyX has been used to onboard over 1000 users and deliver frictionless secure access to custom web applications without the need for a VPN, new users names, passwords, or active directory licences.

Contact Us

Fill out the form to reveal the case study.

First Name
Last Name
Email
Read the Case Study below. ↓
There was an error. Please try again. Or email info@agilicus.com

Enabling the Modern Workforce with Secure Access to Web Applications through Zero Trust

Summary

Situated outside of the Greater Toronto Area, our customer is recognised as one of Canada’s smartest cities and is home to many leading technology companies and universities. With a shared mandate of workplace health and safety, leadership, compliance, and fiscal responsibility, our customer is dedicated to ensuring service excellence for its citizens and employees. Our customer’s IT organisation provides technology support to the team of elected officials, staff, and volunteers to help achieve these mandates and deliver municipal services. 

In order to deliver on these mandates, our customer commissioned several productivity and compliance applications from a third party, but faced considerable challenges in securely deploying them to the workforce.

smart-city-web-application

Application deployment challenges

  • Firewall could not handle inbound traffic as reverse proxy for multiple sites/apps
  • Needed to keep app data in existing on-site system
  • Wanted to get app in hand of users without new logins to existing system, new passwords, or active directory licences 
  • Users needed to be able to access the applications from anywhere, without a VPN

Leveraging Web Applications to Digitally Enable Mobile Workers and Improve Productivity

Our customer commissioned three business applications from a third party to improve productivity and help meet compliance requirements by digitally enabling end-user employees, contractors, and other personnel who are mobile and have no fixed workspace or location. These applications were critical for the organisation to digitise analog processes, streamline record keeping, manage costs, empower mobile users, improve productivity, and achieve various compliance requirements such as hours of service for commercial vehicle operators.

In order to achieve this objective, the IT organisation at our customer had to overcome several key implementation roadblocks and end-user challenges:

weak-vpn-server-security

Deployment

The existing firewall was not capable of handling inbound traffic as a reverse proxy for multiple sites and applications.

cyber-attack-vpn-compromise

Data Custody

Requirement to keep data and application hosting on-site at the town hall.

pam-multi-factor-authentication

User Security

There could be no new passwords, usernames, or active directory licences involved in the application deployment to avoid costs and weak credentials.

federated-identity-login

End-User Challenges

Nomadic, mobile, and deskless workforces without a fixed location where work is conducted needed to be able to connect without a company issued device or a VPN.

End-User Challenges

Many staff at the city are part of a mobile workforce that does not require a company issued device or they do not have tasks that require regular access to computers. However, the ability to leverage technology and productivity applications would significantly streamline the administrative duties that they must comply with.

Commercial Vehicle Operators

These users are off-premise and mobile. They do not have or require corporate issued devices to perform their duties and some may work as part-time contractors for the city. All commercial vehicle operators must log their driving hours for compliance with the Ministry of Transportation of Ontario. Our customer developed an application that would modernise this record keeping and better ensure compliance without burdening the end user operator.

Seasonal Workers

Seasonal workers such as the lifeguards, park workers, and city maintenance personnel for our customer are required to complete online safety training. This compliance requirement is in place to help create a safe environment for staff and citizens. It is impractical to issue corporate devices or active directory licences to seasonal workers.

Volunteers and Extended Teams

The workforce for our customer comprises part-time employees, contractors, and volunteers in addition to the full-time staff. Technology solutions ensure that organisation resources could be digitised, preserve the privacy of city personnel, and help the volunteers and extended team members be more effective in their roles. The volunteers and extended team members do not require active directory licences or company issued devices to support the city.

Taking a digital first approach was only natural for our customer, but getting their users onboarded to the various productivity web applications was met with several implementation and cybersecurity roadblocks.

Implementation Roadblocks

Stakeholders from the IT and Business Applications teams would be involved in the deployment process, each with their own unique requirements. In working with the IT organisation at the city there were several unique needs that were quickly identified, which had to date prevented the organisation from adopting web applications for productivity:  

  1. “We think to keep our data we must host it. But, that means our firewall needs to handle multiple unique systems behind it by host name, which is a type of reverse proxy. It doesn’t handle that, our team doesn’t know how to make that happen, so we are blocked.”
  2. “We don’t want/won’t allow new usernames or passwords, they get written down.”
  3. “We must hold our data.”

While the applications created by the third party were built to spec and capable of driving new efficiency and productivity for the city, there were a number of implementation roadblocks that had to be overcome in order for deployment to the end users.

data-custody

Data Custody

Like all municipalities, our customer must adhere to the Municipal Freedom of Information and Protection of Privacy Act and retain data to meet regulatory obligations. As a result, the city has chosen to be the custodian of its own data which also aligns with the internal backup strategy, need for data integrity, and self management of enterprise applications.

User Security

People are maintaining an incredible number of usernames and passwords. Having end-users manage yet another set of access credentials was viewed as both a burden and a cyber risk. The risk of weak and shared credentials being used would leave private applications open to brute force and credential stuffing attacks. Likewise, enforcing strict password policies would lead to the use of weak passwords, the credentials being written down, or stored insecurely.

user-security
user-management

User Management

The ability to manage user access and privileges was important to the IT team. Unfortunately adding licences to the active directory would be both expensive and impractical due to the transitory nature of some of the users (e.g, seasonal workers, volunteers, etc.). Considering a significant portion of the end-users would be seasonal, volunteer, or in the field, it also didn’t make sense to issue licences that came with business applications such as document editors. However, the team still needed the ability to add or remove users and manage their access privileges without adding new active directory licences.

Digital Workforce Enablement through a Zero Trust Network Architecture

Technology plays a pivotal role in the strategy and execution of municipal services at the city. The ability to extend secure access to remote and mobile workforces would only benefit the city in its mission to deliver service excellence for the citizens while fostering a safe work environment. 

The Agilicus AnyX platform offers a Zero Trust Network Access solution that quickly and easily allowed our customer to onboard users, retain custody of their data, and deliver end to end security, all without the need for new usernames, passwords, or active directory licences. 

By using the Agilicus AnyX platform, our customer would be able to scale adoption of its business and productivity applications, getting them into the hands of their remote and mobile end users.

vpn-replacement-solution

What is Agilicus AnyX

AnyX removes the complexity of extending secure access to web applications for authorised employees and non-employees. The platform puts organisations in full control with role-based access controls and granular auditing logs. 

Users can easily self-onboard as the platform federates identity and enables single sign-on. Organisations can maintain their native active directory and preferred identity providers of their partner organisations.

The AnyX platform ensures any user can securely connect to any application, resource, or desktop from any device while bolstering defences with a modern approach to cybersecurity.

No VPN – No Hardware – No Client

Data Custody

To ensure our customer could be the custodian of its data and be in control of their own fate, Agilicus introduced a hybrid cloud architecture through a three-tier approach to hosting the applications.

The web application runs in the web browser, while a database is hosted on site at our customer and serves as the ultimate data repository. A web server sits in the middle and acts as an API (application program interface), connecting the end user’s application with the hosted database.

These connections are each secured through Agilicus’ unique, identity aware web application firewall which sits between the end user and the web server. Another sits between the web server and the database backend ensuring the city could self host the databases. In this hybrid model where the backend data stays on premise, a workload firewall that uses mutual TLS and SPIFFE ensures only the specified application can access only the specified resources in the database.

User Security

The AnyX platform easily federates identity so that organisations like our customer can quickly onboard users and link an electronic identity with a given user’s privileges to specific applications and resources. Our customer was able to extend secure, convenient access via single sign-on to its users without having to add active directory licences by enabling social login.

That means, when a seasonal worker, part-time hire, or volunteer joins the organisation, they simply have to provide a Gmail or other such ID to be given access. Every user that needed to onboard was able to do so without requiring a single new password or username. This is an integral function of the Agilicus AnyX platform where by design no user names or passwords are stored.

In addition to Agilicus being able to federate identity, the AnyX platform provides administrators with the capability to enforce multi-factor authentication for any resource or application. Our customer’s users could easily be required to authenticate through a second factor to prove their identity and gain access to their business and productivity applications.

User Management

By leveraging a user’s electronic identity to provide access, our customer is able to benefit from role-based access controls and fine-grained authorisation capabilities. The result is simplified user management, where administrators can easily add or remove end-users from any application, instantly.

role-based-access-controls

Role Based Access Controls

Role-based access controls allow administrators to grant privileges to users so that they may access information and resources they need for their jobs while preventing them from accessing unrelated resources that they do not have permissions for.

least-privilege-access

Simplified User Management

Users can be added or removed from any application instantly (seasonal workers, part-time employees, contractors, or other job actions). 

Business Impact

user-onboarding

1000+ Users

The city quickly scaled the adoption of web applications onboarding over 1000 users without requiring new usernames, passwords, or active directory licences.

fast-deployment

10 Applications

The zero trust framework through Agilicus AnyX was so effective the IT organisation soon delivered secure access to 10 web applications across city workers.

seamless

$100K Savings Per Year

Our customer was able to find considerable cost savings of at least $100 per user, per year by not having to purchase additional active directory licences or adopt another identity provider.

no-network-configuration

Digitising Analog Process

Additionally, shifting analog record keeping to digital better equipped city team members for meeting compliance requirements.

friction-free-user

User Privacy

Some use cases included phone lists and directories, which when delivered via web application through AnyX enhanced individual personal privacy and data security without limiting accessibility to authorised staff and volunteers.

Our customer was able to quickly scale adoption of web applications across the city and onboard over 1000 mobile users and enable secure access to the respective business and productivity applications. That has allowed the city to accomplish compliance requirements, streamline administrative tasks, and drive productivity by leveraging technology and web applications. Most significant was the ability to achieve those objectives without compromising on cybersecurity standards and without having to purchase and issue new active directory licences.

The value of getting these mobile workforces online quickly became apparent with demonstrable business impact. The various teams at the city were suddenly able to shift from analog and in person methods of performing specific job functions to entirely digital, 24/7 accessible resources that would be available on any device. After the adoption of the initial run of applications and due to the scalable nature of the Agilicus AnyX platform, our customer quickly went from three productivity applications to 10

Agilicus AnyX allowed the IT team to introduce web applications across departments with use cases varying from administrative services (payroll, HR, training, inventory management, directories and phone lists) to more tactile use cases such as fire services and bylaw enforcement. In fact, the Agilicus AnyX platform became a marquee solution for the Bylaw Department within the city and allowed this organisation to retire legacy handheld devices in favour of modern smart devices. This significantly reduced the cost of delivering bylaw services for the city while adding increased flexibility for the bylaw officers.

Get in touch with our team to learn more about leveraging Zero Trust to adopt and deliver secure access to productivity applications and streamline the workforce.

Talk to Our Experts

Quickly Meet Cyber Security Insurance Requirements with Agilicus AnyX

Accelerate cyber readiness and reduce risk by adopting a network access and security strategy that meets compliance criteria while bolstering cyber defences organisation wide.

Learn More

Cyber Insurance Eligibility in the Modern Threat Environment

The number of cyber attacks being perpetrated on a daily basis is reaching new heights and it is no surprise that cyber security has become a top of mind priority for business leaders everywhere. Each successfully executed attack on an organisation can have a devastating impact from loss of revenue or compromised company data, to public safety risks and economic ramifications. That is where a strong commercial cyber insurance policy can help protect organisations when a security or data breach happens.

In this new era of heightened cyber risk, zero day exploits, and an uprising of sophisticated and state-sponsored malicious actors, limiting the blast radius of a cyber attack has never been more important. To combat this new threat environment, cyber security insurance providers are tightening the terms of their policies and requiring organisations adopt and apply modern security policies across their entire organisation. 

ransomware-cyber-attack

A key component of compliance for cyber insurance is adopting and enforcing security policies and tools organisation-wide, such as multi-factor authentication, detailed auditing, and role-based access controls. When organisations take a proactive approach to security they can not only comply with cyber insurance requirements, they benefit from a matured cyber posture as well as the opportunity for more comprehensive coverage and protection from cyber risks and liabilities.

About Agilicus

At Agilicus we are helping our customers transform their network access and security strategy through a Zero Trust Network Architecture to become more agile, efficient, and secure. We deliver a dependable security solution without sacrificing the end-user experience. The result, better protection against cyber threats, simply and affordably. 

The Agilicus AnyX platform equips organisations with a cloud-native, enterprise-grade Zero Trust Network Architecture that delivers simple, secure access for any authorised user, on any device, anywhere in the world. Zero Trust shifts network access from the perimeter to an identity-based access boundary and has become the new, internationally recommended network and security standard for securing organisation resources and data. 

Top Cyber Security Insurance Requirements

Cyber security insurance providers all have specific requirements for their commercial policy holders. However, there are several common requirements that every organisation could implement to help meet cyber insurance compliance requirements, become eligible, reduce risk, and significantly improve cyber resilience.

secure-access

Multi-factor Authentication – A strong Multi-Factor Authentication policy helps secure your organisation against attacks that stem from compromised credentials. That makes it a necessary component of obtaining or renewing commercial cyber insurance and could be required on everything from emails and web applications to operational technology.

identity-firewall

Data Hygiene and EncryptionAs stewards of customer data, personally identifiable information, and confidential corporate information, every organisation needs a strong data security and encryption policy. Data hygiene policies are important for limiting the blast radius and severity of an attack and are often a key consideration for cyber insurance eligibility.

role-based-access-controls

Privileged Access ManagementPrivileged Access Management, or PAM, is a common network security policy that helps organisations manage user access privileges and access rights. Access privileges, user restrictions, and user management are central to a strong cyber posture and can also affect your eligibility for cyber insurance.

granular-auditing-capability

AuditingA mechanism to perform detailed security analysis and user activity auditing has become increasingly important for cyber security insurance. Detailed auditing means in the event of a breach or an incident organisations can evaluate the extent of compromise, identify affected resources, and fix problem areas for the future.

Agilicus AnyX

A secure alternative to perimeter-based network access, the Agilicus AnyX platform provides a clear view of who is doing what, when, and for how long with an easy to access web-based portal for managing policies, roles, and access privileges. The entire platform can be deployed in a single afternoon without the need for VPNs, gateways, appliances, or end-user clients.

With the Agilicus AnyX platform, end-to-end security, multi-factor authentication, role-based access controls, and fine-grained auditing can be applied to any user and resource. Meanwhile, end-users benefit from a friction free experience while accessing only the resources they need to do their job.

cyber-security-policies

Enhanced Security Policies

Whether it’s to access remote files or a remote desktop hosting a Legacy Application or SCADA System, easily enable Multi-Factor Authentication for every user, no matter the device.

role-based-access-controls

Role-Based Access Controls

Enable secure, permission-based  access policies for any user, user groups or application with Role-Based Access Controls to manage user, resource privileges.

identity-aware-web-application-firewall

Identity Aware Web Application Firewall

Enable web application access with an Identity-Based Web Application Firewall (WAF) that enhances cybersecurity and control, offering DDOS and ransomware protection.

detailed-auditing

Detailed Auditing

Improve Risk and Security Analysis with per user, per application auditing capability. Get visibility with accurate information on who accessed what, when, and for how long.

end-to-end-encryption

Data Security and Encryption

With Agilicus there is no requirement for new passwords and credentials. All traffic that happens through Agilicus is end-to-end encrypted.

authorisation-management

Centralised Authorisation Management

An automated access request workflow means no more micromanaging access and making modifications to individual applications.

Customer Story – Secure Remote Access at a Water Treatment Facility

Summary

Our customer is the IT organization for a municipal government and is responsible for supporting key services at the city including critical infrastructure such as the SCADA system at their water treatment facilities. 

Problem

Multiple user groups needed secure online access to the SCADA systems at remote water treatment facilities. Limited by the physical locations, our customer installed a remotely accessible machine that can monitor operations, control the system, and transmit data back to the town hall. This machine can never turn off or receive security patches and updates.

Because the users who needed access to the system included external, non-employees, adding client software (VPNs) and dictating new workflows, practices and protocols was not a feasible solution. With so many different user groups needing access and the inability to implement traditional security mechanisms was creating immense cyber risk.

It was critical for our customer to solve these problems securely to maintain their cyber security insurance eligibility.

Solution

The Agilicus AnyX platform allowed our customer to deliver third party access, maintain continuous connectivity to transmit data to the town hall, and enable secure remote access to their broad user groups and third party partners.

To avoid disruption, the Agilicus AnyX platform was deployed in parallel and integrated with the municipalities native active directory and that of their partner organisations to institute single sign-on and enforce multi-factor authentication for access.

Or customer is using the AnyX platform to: 

Secure access to the SCADA system web application interface.
Block all inbound and outbound traffic to the host machine unless authorised.
Disable the use of peripheral devices on the host machine.
Enact strict, least privilege and role-based access controls.
Maintain a granular audit trail of user activity.

Outcome

Cyber insurance is mandatory for municipalities but difficult to obtain when it comes to operational technology and SCADA systems, a challenge our customer was able to overcome by implementing the AnyX platform. 

AnyX is used to allow remote access for authorised personnel to securely manage the SCADA systems, harden cyber defences at the water treatment facility, and drastically improve workflow for the end user operators.

user-onboarding

Onboarded all internal users and 14 third parties

fast-deployment

Deployed in a Single Afternoon

parallel-implementation

Parallel Implementation for Seamless Migration

seamless

No Network Changes, Appliances, or New Licences

friction-free-user

Friction-Free User Experience

Read the Full Case Study »

How AnyX Works

Agilicus AnyX is uniquely capable of federating identity to integrate with an organisation’s native active directory and that of partner organisations to enable single sign-on. Users can easily onboard while administrators and IT teams are outfitted with fine-grained authorisation management and role-based access controls. The entire Agilicus AnyX platform can be deployed at your own pace without a VPN, client, or configuration.

digital-workforce-enablement-remote-access

AnyX helps organisations provide simple, secure, access for any user, on any device, anywhere in the world without compromising on cybersecurity. The result:

Any application, any desktop, any share or other resource can be securely accessed from anywhere without being exposed to the public internet.
All authorised users must authenticate by providing a second factor in order to gain access to specified resources.
East-West connections are eliminated, reducing the possibility of lateral network traversal.
All users, resources, and privileges are micro-segmented
Access is no longer a function of network permission, but bound to a users electronic identity
Access can be securely extended to employees, non-employees, partners, third parties, contractors, and vendors.

Get in Touch

Harden your cyber posture and meet your cyber insurance compliance requirements quickly and affordably.

First Name
Last Name
Email
The form has been submitted successfully!
There has been some error while submitting the form. Please verify all form fields again.
Lateral Network Traversal

570 News Agilicus Interview

Interviewed on 570 News Tech Spotlight. listen to the interview here, I talk through some of the simple risks and how we help. And a bear joke.

White Paper

Remote Desktop Access

Managing Cyber Risk with Zero Trust Network Access

Abstract

For many businesses and organizations around the world, Remote Desktop Access has become an essential tool for both providing and maintaining services. IT personnel and other technical workers depend on the ability to remotely access certain machines to perform their job function. However, without adequate modern security systems and practices it is no longer a minor inconvenience when a cyber breach occurs on these remotely accessed devices. The damage can be immeasurable and even ruinous for people and businesses. 

It is becoming increasingly important for businesses and organizations to implement modern, cybersecurity tools that mitigate threats and turn the tables on the unmanaged cyber risk that can result from Remote Desktop Access. A future-forward approach to cybersecurity practices can help protect businesses, organizations, and public and shareholder interests.

Overview

Most organizations are still using antiquated technology solutions to enable Remote Desktop Access and are increasingly unable to contend with sophisticated malicious actors. Even more problematic is the way most conventional security solutions are unable to accommodate Remote Desktop Access in a manner that ensures only authorized and authenticated access can be gained. 

When Remote Desktop Access is performed via a corporate Virtual Private Network (VPN), the risk increases with inbound and outbound network gateways wide open. In this case, there’s nothing stopping a local attack or breach from becoming widespread. 

Implementing secure processes and protocols for Remote Desktop Access has historically increased the burden on IT resources or required increased technical capability from the end-user or operator. Adopting a modern approach to cybersecurity can help ensure only the authorized person or persons are able to gain Remote Desktop Access while balancing convenience, control, and security.

What is Remote Desktop Access

Methods and Tools for Remote Access

Remote Desktop Services and Solutions have had many iterations over the years but were first introduced to the world in the late 90s with Microsoft’s Remote Desktop Protocol (RDP) as part of the Windows NT 4.0 Server, Terminal Server Edition1. One of the original intentions of RDP was to allow less powerful machines to remote into more powerful Microsoft Servers to perform tasks. 

There are now many common tools for achieving remote access. Windows RDP is a widely adopted method of Remote Desktop Access that works on both Windows and Linux operating systems. Other tools that enable Remote Desktop Access include remote access via VPN, Desktop Sharing, and other remote control and systems management tools. TeamViewer, RemotePC, and LogMeIn are all examples of the various types of Remote Access Software and Tools (RATs) for commercial use that exist today. Each method of Remote Desktop Access brings with it a tradeoff between security and convenience. 

Today, being able to remotely access machines brings with it immense cost savings and efficiency for many organizations, especially in a 24/7, global society. However, this constant connectivity also presents numerous risks and challenges, especially in the context of cybersecurity.

How Does Remote Desktop Access Work?

Remote Desktop Access enables someone to connect to a host machine from their client machine located anywhere in the world over the internet, gaining control of the interface and access to applications and file systems. 

Whether it’s 5, 500, or 5000 miles away, connecting from a home or office device lets a user access the host machine without having to physically be there. The host machine could be a desktop, computer system, server, or virtual environment.

remote-desktop-security

Business Application of Remote Desktop Access

Remote Desktop Access is a now widely adopted concept and network functionality, especially for it’s obvious business applications (most recently being leveraged by IT organizations in response to the COVID-19 pandemic2). The network functionality is being put to work across industry verticals. Remote Desktop Access helps technicians gain access to the machines they need to perform their duties without having to physically be on-premise.

Remote Technical and Customer Support

People most commonly associate Remote Desktop Access with providing remote technical support to employees or customers. That means an IT, technical, or other support representative gains access to a customer’s host machine over the internet. From their own machine, the IT or technical support person now has control over the customer host device and can provide any necessary support or maintenance. In gaining Remote Desktop Access, the support representative also has access to the applications, file system, and data stored on the host machine.

Remote Desktop Access for Server Applications, Maintenance, and Deployment

The host device does not always have to be a PC and in fact, Remote Desktop Access is commonly used by IT technicians as a way of accessing servers or virtual desktop environments without having to physically be in the server room. These machines can be critical to corporate infrastructure, host data and applications, or they can be virtual environments used to develop, test, and deploy new applications.

Remote Desktop Access for Legacy Applications

Legacy applications are typically obsolete or outdated systems that either perform a critical function or are embedded within critical infrastructure. These applications or the systems they can run on are typically unable to stay up to date with the latest operating systems or security software. While a suitable replacement could be under development for a legacy environment, the current instance performs a specific function and may need to be securely accessed by remote technicians and employees.

Remote Access for SCADA Systems

Remote Desktop Access can be an essential tool for technicians to interact with Supervisory Control and Data Acquisition (SCADA) systems, be it in industrial, energy, manufacturing or the public sector. Remote access to a SCADA system by employees, vendors, partners, or third parties is often operationally important. These SCADA systems can be found in public utilities like energy or water treatment and provide a control system architecture that enables the supervision and control of machines and processes by technicians.

Remote Desktop Attacks

There are numerous cyber attack vectors and vulnerabilities that come with Remote Desktop Access and other Remote Access Software and Tools. One of the most prominent cybersecurity issues is the use of shared accounts and access credentials. For example, when Remote Desktop Access is achieved using a RAT, the attack is direct remote access and the shared credentials are compromised. If Windows RDP is used, it can lead an attacker to accessing an entire network, especially when the system is exposed to the internet.

No matter the type of tools used to achieve Remote Desktop Access, the variety in the type of cyber attacks that can be mounted presents a persistent threat.

credential-stuffing-attack

Credential Stuffing Attacks

When a credential stuffing cyber attack is performed, the malicious actor uses a list of stolen account credentials to try and gain access to a system. The lists can contain usernames, emails, passwords, or other login credentials, which are used to gain unauthorized access to the targeted system or account. The process of mounting this type of attack is usually automated through the use of bots. This type of attack is possible as many users tend to reuse credentials across both personal and work accounts.3

A Lack of Password Protection and Authentication

Whether a malicious actor has guessed a password, intercepted it, or retrieved it from a database or through a brute-force attack, the absence of Multi-Factor Authentication could allow free reign over a system. Weak passwords could be anything from something simplistic, common across accounts, shared with other users (technicians and employees), or previously compromised in a data breach. A strong Multi-Factor Authentication policy could be the difference between getting hacked or not.

employee-vulnerability

Employee Vulnerability

Employees can unintentionally present security risks, whether they fall victim to social engineering, introduce a small oversight, or they themselves become the victim of compromise, such as through a data breach.

man-in-the-middle-attack

Man-In-The-Middle Attacks

During a man-in-the-middle attack4 on a remote session, a malicious actor will try to intercept communication between systems. The intent could be anything from intercepting or harvesting credentials, to spreading malware or ransomware within an organization.

Denial of Service Attacks

Another Remote Desktop Access attack method used by malicious actors is to determine the IP address and open ports on a host machine where a brute-force attack5 is mounted and designed to reveal credentials for remote access. Often, the byproduct of mounting such an attack, intended or not, is a denial of service (DOS)6, which not only disrupts the function of the host machine, but can prevent authorized users from accessing it.

permissions-based-vulnerability

Software Based Permissions Vulnerabilities

Applications require permissions7 that are granted by the administrator of a machine, this includes RATs. From time to time there are bugs in these permissions that result in vulnerabilities that can be exploited by malicious actors. One of the most recent and relevant examples was a critical exploit discovered in TeamViewer’s administrator permissions8 that could have allowed malicious payloads to be persistently executed every time the service ran. Fortunately, this vulnerability in TeamViewer has since been patched.

common-vulnerability-exposure

Remote Access Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposure (CVE) is a list of publicly-known security vulnerabilities, exposures, and exploits.9 This list provides a common point of reference for IT administrators to help secure systems. The list of CVEs is constantly expanding and regularly updated as new vulnerabilities and exploits are discovered. Remote Desktop Access exploits through Windows RDP, Desktop Connection, and more are included in this list. For example a number of Denial of Service CVE’s for Windows RDP were discovered in 2020.10

There is a pressing need to mitigate threats against remotely accessed machines and the risk and consequences that go along with them.

Remote Desktop Access in a Corporate Environment

In most enterprise and business corporate network environments, Remote Desktop Access tasks are actually performed over a corporate VPN which can amplify cyber risk. Traditionally the VPN served as a way to create a secure tunnel to the host machine that needed to be accessed. However, the method of attack and risk climate has changed significantly over the years and if remote access is achieved through a VPN the client machine, host machine, or network, the risk is no longer localized and can spread across environments. 

When an attacker gains access to a client machine, remote host machine, or corporate VPN, that access may be trusted by default, which means the infiltration can go undetected. The VPN by its very nature is an all-or-nothing perimeter-based security solution. It’s either access to the entire network or none of the network, which is why lateral traversal within an organization’s network is possible.

Securing Remote Desktop Access to Manage Cyber Risk and Mitigate Threats

Remote Desktop Access has become an essential function for most organizations, however, with the frequency of cyber attacks only accelerating,11 exceptional security around Remote Desktop Access is not discretionary. Legacy applications and SCADA systems for example have come under frequent attack. The breach of the Florida water treatment plant in 202112 is an example of the security and public risk unsecured Remote Desktop Access presents.

IT Organizations need to provide Remote Desktop Access to specific host machines for specific users, even those outside the organization like contractors, vendors, and third parties. In order to secure these environments an authorization, authentication, access approach can help manage cyber risk more effectively through Zero Trust Network Architecture.  

What is Zero Trust Security

Zero Trust Network Architecture and Security means switching from outdated perimeter-based (firewall and VPN) models of access to an identity-based model of access. That means authorization, authentication, and access privileges are determined based on the identity of a person (user) and the identity of a resource (device/machine). 

Identity-based access means decoupling identity from a corporation or organization and binding it to the user, creating a single identity. This allows IT administrators to enforce entitlements and authorizations within the network, effectively segmenting access.

Segmentation of access is simple, more secure, and doesn’t inhibit the accessibility of employees to their work. It does however significantly mitigate the risk of cyber attacks like lateral-traversal within a network, malware, and ransomware. Adopting a modern cloud-native security platform empowers users to work from any device, anywhere in the world while ensuring the organization has granular auditing capabilities, Role Based Access Controls, Privilege Management, and the ability to restrict access with Multi-Factor Authentication.  

Zero Trust Network Architecture is economical, scalable, and most importantly more secure than conventional methods of network cloaking and inflexible, restrictive policy.

Remote Desktop Access Via Zero Trust

Zero Trust Network Access (ZTNA) ensures IT organizations and administrators have the granular security controls needed to manage per-user authorizations. Limiting end-user, authenticated access to the specific resource, application, or work they need protects the broader corporate network and machines from being exposed to attackers, keeping compromises localized. 

When Zero Trust is applied to Remote Desktop Access the risk profile and exposure of applications, systems, networks, and corporate resources is significantly reduced without inhibiting the productivity of the employee or technician who requires access to the host machine. In essence, Zero Trust allows the IT organization to require authentication and authorization from both the user and the designated device. That means a technician must prove their identity before being allowed to gain Remote Desktop Access.

Users are commonly identified via OpenID Connect and SAML, where resources are commonly identified by Client Certificates. Single Sign-On and Multi-Factor Authentication paired with these core tenants of Zero Trust (Authorization, Authentication, and Access) means that strong password policies and authentication methods are innate to the security equation.

Zero Trust ensures that Remote Desktop Access is available to any authorized employee using any designated device without risking the entire network. This method of secure access will also prohibit any unauthorized access to the host machine, by unauthorized users or devices.

Securing Remote Desktop Access Through Agilicus’ Any X Platform

You can set up 1-click remote access from client to host machine within minutes through Agilicus’ Any X platform. You can enable Remote Desktop Access via Zero Trust Network Architecture without configuration on-site and with no change to the host machine or firewall. A detailed step-by-step guide on setting up Agilicus’ Zero Trust platform is available here.

This means that the cyber risk and threats can be heavily mitigated for any resource that must be accessed remotely, whether it’s a server, virtual environment, or physical desktop device hosting a legacy application, or a SCADA system.

How Zero Trust Remote Desktop Access Works with Agilicus

Zero Trust Remote Desktop Access allows any user to connect from any device to the host machine they need to perform their job. The Zero Trust framework ensures access is granted on the basis of identity. Agilicus’ Any X platform features fine-grained controls and authorization for Remote Desktop Access and allows any device to remotely access machines using Windows RDP (Windows and Linux OS). Any X also features Single-Sign On, Multi-Factor Authentication, full-audit trails, and end-to-end encryption, which only enhances the security surrounding Remote Desktop Access.

zero-trust-remote-desktop-access-agilicus

Reign in Unmanaged Cyber Risk with Zero Trust Remote Desktop Access

While most applications are modern and accessible through web browsers, there is still a need for native desktop applications and therefore Remote Desktop Access to various machines and resources around the world, whether it is through civilian networks or over corporate VPNs. Remote Desktop Access is widely used by IT professionals and technicians across industry verticals to access servers, perform maintenance, access on premise machines, perform maintenance, and other operational tasks.

Without adequate security or a continuation of the status quo of legacy security practices, Remote Desktop Access creates huge unmanaged cyber risks for IT organizations. Those same remote resources can also be critically important to both private and public interests and in the event of a compromise, there could be significant consequences and very real public safety risks.

Some examples of remote resources that a technician or operator must access are: 

• SCADA systems (controlling the power grid, local water treatment facility, etc) 

• Servers or virtual machines that host or perform a business function

• Machines that run legacy applications. 

• Employee or customer machines and devices to provide support or maintenance

Implementing Zero Trust and its core tenets of authorization, authentication, and access to secure Remote Desktop Access puts the IT organization back in control of its cyber risk profile. 

Zero Trust works by trusting no user or device by default and enacts a strict policy that ensures only authorized individuals and devices can gain access to critical resources after authenticating their identity. This differs from a perimeter-based security policy (VPN) where anyone who has gained access to a network is trusted by default. 

The security landscape is rapidly evolving, but your requirements of providing convenient and secure access while managing costs aren’t. Agilicus can help you implement an identity-based secure solution that enables Remote Desktop Access for workers while empowering the IT organization with the controls to manage cyber risk for Any Desktop by implementing Authorization, Authentication, and Access.

Contact Us

Secure Remote Desktop Access at your organization and protect against cyber attacks with Agilicus and empower your workforce with secure access to the resources they need to do their work.

First Name
Last Name
Message
Thanks! Someone will contact you.
There was an error. Email web-info @ agilicus.com if you need assistance.

Works Cited

1 Deland-Han. “Understanding Remote Desktop Protocol (RDP) – Windows Server.” Microsoft Docs, Microsoft, 24 Sept. 2021, docs.microsoft.com/en-us/troubleshoot/windows-server/remote/understanding-remote-desktop-protocol.

2 Statista. “Remote Access Technology Use Increase 2020, by Region.” Statista, Statista, 15 June 2021, www.statista.com/statistics/1226084/remote-access-technology-use-by-region.

3 “Credential Stuffing Software Attack | OWASP Foundation.” The OWASP® Foundation, 2021, owasp.org/www-community/attacks/Credential_stuffing.

4 “MitM – Glossary | CSRC.” CSRC, 2020, csrc.nist.gov/glossary/term/mitm.

5 “Brute Force Password Attack – Glossary | CSRC.” CSRC, 2020, csrc.nist.gov/glossary/term/brute_force_password_attack.

6 “Denial of Service (DoS) – Glossary | CSRC.” CSRC, 2020, csrc.nist.gov/glossary/term/denial_of_service.

7 “Permissions – Glossary | CSRC.” CSRC, 2020, csrc.nist.gov/glossary/term/permissions.

8 SafeBreach Inc. “TeamViewer Windows Client (V11 to V14) – DLL Preloading and Potential Abuses (CVE-2019-18196).” Safebreach, SafeBreach Inc. 2021, 15 Nov. 2019, www.safebreach.com/blog/2019/teamviewer-windows-client.

9 “CVE – Glossary | CSRC.” CSRC, 2020, csrc.nist.gov/glossary/term/cve.

10 “Security Update Guide – Microsoft Security Response Center.” Microsoft, 2020, msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16927.

11 Quadros, Sharron. “RDP Attacks on the Rise During COVID-19 Pandemic.” Security Boulevard, Techstrong Group Inc., 6 Jan. 2021, securityboulevard.com/2021/01/rdp-attacks-on-the-rise-during-covid-19-pandemic.

12 Goodin, Dan. “Florida Water Plant Compromise Came Hours after Worker Visited Malicious Site.” Ars Technica, Condé Nast, 18 May 2021, arstechnica.com/gadgets/2021/05/florida-water-plant-compromise-came-hours-after-worker-visited-malicious-site.

Secure Product

Minimum Viable Secure Product

A simple set of controls for a Minimum Viable Secure Product. Open source for us all to use. Implement, ask in RFP, common baseline to follow

telnet

Telnet In Canada: Why?

Telnet. 40 years old, not fit for purpose. Alive and well in Canada. No amount of mitigation or multi-factor authentication makes it OK.