
Eliminate Attack Vectors and Stop Cyber Threats in Their Tracks with a Zero Trust Architecture


Reducing Cyber Risk and Protecting Against Attacks

Cyber threats come from all angles these days, yet most businesses are still ill-equipped to keep bad actors out once they become the target of an attack. The Open Web Application Security Project (OWASP) publishes a list of the top 10 risks that organisations must contend with to keep their web applications secure, but that is only the tip of the iceberg. While there are best practices that help mitigate cyber risk, some of the most dangerous attack vectors are getting harder to defend against. They range from lateral network traversal and ransomware to employee vulnerabilities and denial of service attacks.

A modern and proactive approach to access and security is a necessary shift organisations need to take in order to maintain a sufficient security posture, mitigate threats, and stop attackers in their tracks. Zero Trust Architecture offers just that. 

Zero Trust is the preferred way to introduce user resource segmentation while adopting a perimeter-less, “Never Trust, Always Verify” approach to security. That means every resource is isolated and access is only granted when a user has verified their identity and has the correct authorisation for access, effectively keeping bad actors out. 

What are the OWASP Top 10 Web Application Vulnerabilities

OWASP revises its Top 10 web application security risks every few years. The list has become a standard reference and a practical yardstick for organisations to size up the security posture of their web applications and their exposure to common vulnerability classes. The 2021 edition ranks the top web application risks that businesses face as follows:

  • Broken Access Control – Access controls enforce user privileges, preventing them from acting outside of their permissions. Failures can lead to unauthorised access, modification, release, and destruction of data or functions outside the user’s intended privileges.
  • Cryptographic Failures – Many web applications and their APIs do not apply strong cryptography to properly protect sensitive corporate and customer data, giving attackers an opportunity to intercept or modify it. Sensitive data must be protected with strong, correctly configured cryptography both at rest and in transit.
  • Injection – Attackers will leverage flaws such as SQL, NoSQL, OS, and LDAP injection to try and trick the interpreter into allowing them to access data without proper authorization or execute unintended commands.
  • Insecure Design – In the design and development lifecycle of software and applications, inadequate budget for time and security requirements can allow critical vulnerabilities to pass through into live environments, introducing attack vectors the team never anticipated or addressed.
  • Security Misconfiguration – Ad hoc or insufficient configuration of software and infrastructure can lead to issues like misconfigured HTTP headers, exposed cloud storage, default admin or root accounts left in place, and verbose error messages that leak sensitive information.
  • Vulnerable and Outdated Components – Vulnerable components such as libraries, frameworks, and other software modules often lead to severe data loss or server takeover. Failing to track and remediate known CVEs (Common Vulnerabilities and Exposures) in those components undermines application security by leaving published attack vectors open.
  • Identification and Authentication Failures – When incorrectly implemented, functions related to authentication and session management allow attackers to compromise session tokens, passwords, keys, and user credentials. Multi-Factor authentication is one of the easiest ways to prevent an attacker from assuming a user’s identity.
  • Software and Data Integrity Failures – These occur when applications rely on libraries, plugins, or updates from untrusted sources, or when insecure deployment pipelines allow such code to be introduced without an integrity check, creating the potential for unauthorised access or system compromise.
  • Security Logging and Monitoring Failures – Absent or poor logging and monitoring, paired with inadequate incident response tooling, let a breach become pervasive: attackers persist, traverse to more systems, and tamper with or extract data. The average time to detect a breach is over 200 days. Fine-grained auditing and logging can substantially shorten that.
  • Server-Side Request Forgery – Server-Side Request Forgery (SSRF) flaws occur when an application fetches a remote resource from a user-supplied URL without validating it, letting an attacker steer the server's own requests to an unexpected, often internal, destination. Because the request originates from the trusted server, this attack works even when the target is behind a conventional firewall, VPN, or network access control list (ACL).
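As an added illustration (not code from OWASP or from Agilicus), the following Python snippet shows the two most common entries on the list side by side in a single record-lookup handler: a version that interpolates a caller-supplied record ID into SQL and never checks who owns the record (A03 Injection and A01 Broken Access Control), and a hardened version that validates and binds the parameter and enforces ownership inside the query itself. The invoice table and the user names are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example: two users, each owning one invoice.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE invoices (id INTEGER PRIMARY KEY, owner TEXT, amount INTEGER)")
    db.executemany("INSERT INTO invoices VALUES (?, ?, ?)",
                   [(1, "alice", 100), (2, "bob", 250)])
    return db

def get_invoice_vulnerable(db, current_user, invoice_id):
    """Deliberately flawed: the caller-supplied id is interpolated straight into
    SQL (A03 Injection) and current_user is never consulted, so any logged-in
    user can read any invoice (A01 Broken Access Control)."""
    query = f"SELECT id, owner, amount FROM invoices WHERE id = {invoice_id}"
    return db.execute(query).fetchall()

def get_invoice_hardened(db, current_user, invoice_id):
    """Validate the id before it reaches the database, bind it as a parameter,
    and make ownership part of the query so the check cannot be skipped.
    Returns the row, or None for 'not found' and 'not yours' alike (deny by
    default, with no hint to the caller about which case it was)."""
    try:
        invoice_id = int(invoice_id)
    except (TypeError, ValueError):
        return None
    return db.execute(
        "SELECT id, owner, amount FROM invoices WHERE id = ? AND owner = ?",
        (invoice_id, current_user),
    ).fetchone()

if __name__ == "__main__":
    db = make_db()
    # alice asks for bob's invoice, then injects a tautology to dump the table
    print(get_invoice_vulnerable(db, "alice", "2"))          # [(2, 'bob', 250)]
    print(get_invoice_vulnerable(db, "alice", "1 OR 1=1"))   # both rows
    print(get_invoice_hardened(db, "alice", "2"))            # None
    print(get_invoice_hardened(db, "alice", "1 OR 1=1"))     # None
    print(get_invoice_hardened(db, "alice", "1"))            # (1, 'alice', 100)
```

The hardened version fixes both flaws with one query: the parameter binding removes the injection, and putting the owner in the WHERE clause means the authorisation check is enforced by the same statement that reads the data rather than by a check a later refactor can drop.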

Broken Access Control moved to the number one spot on the 2021 OWASP Top 10 and is one of the most common vulnerability classes today; some security researchers estimate that over half of all web applications carry at least one OWASP Top 10 weakness. This is where Zero Trust can give organisations an edge against the arsenal of tools malicious actors have at their disposal.

How Zero Trust Principles can Protect Against Web Application Vulnerabilities

Zero Trust as a principle offers enhanced protection against web application vulnerabilities by shifting access and control to a per-user, per-resource implementation. Access to, and visibility of, a given asset moves from the traditional perimeter model, a digital moat inside which every resource is reachable by default, to a micro-segmented infrastructure. Resources and users are isolated from one another, so in the event that one application, resource, or web server is compromised, the blast radius is contained to that resource.


How Does Agilicus AnyX Protect Against the OWASP Top 10 with a Zero Trust Architecture

Agilicus AnyX is a culmination of cybersecurity standards that together deliver defence in depth, helping organisations adopt a Zero Trust Architecture that delivers a robust network security framework and access strategy. A well-implemented Zero Trust Architecture can effectively protect organisations, their users, and their most valuable assets from the OWASP Top 10 Web Application Vulnerabilities.

Agilicus AnyX is designed to remove an attacker's visibility into whatever OWASP Top 10 vulnerabilities may exist in a given application, because resources are completely hidden from unauthenticated users. This is achieved with the patented Identity Aware Web Application Firewall, which acts as a reverse proxy in front of web applications and resources and only allows access on the basis of an authenticated (verified) identity. An attacker who cannot reach the application cannot probe it for injection, misconfiguration, or outdated components.

Organisations can also use this component of the Agilicus AnyX platform to enhance security on the client side by rewriting server response headers or enforcing TLS (Transport Layer Security) on all traffic. As a result, the Identity Aware Web Application Firewall ensures all traffic is encrypted and users can access designated resources from anywhere, without those resources being exposed on the public internet.
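To make the reverse-proxy idea concrete, here is an added Python sketch of an identity-aware gate in front of a backend. It is an illustration written for this page, not Agilicus's implementation; the HMAC-signed bearer token format, the in-memory backend table, and the header names are assumptions for the example. It shows the three behaviours described above: every unauthenticated request gets the same response regardless of whether the path exists, authenticated requests are forwarded, and server response headers are rewritten on the way back (the Server fingerprint is stripped and an HSTS header is added).

```python
import base64
import hashlib
import hmac
import json

HSTS = "max-age=31536000; includeSubDomains"

# Constructed stand-in for the protected application: path -> (status, headers, body).
BACKEND = {
    "/app/dashboard": (200, {"Server": "Apache/2.4.41", "Content-Type": "text/html"},
                       "<h1>dashboard</h1>"),
}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret: bytes, subject: str, lifetime_s: int, now: int) -> str:
    """Assumed token format for the example: base64(payload).base64(HMAC-SHA256(payload))."""
    payload = json.dumps({"sub": subject, "exp": now + lifetime_s},
                         separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def verify_token(secret: bytes, token: str, now: int):
    """Return the subject if the signature is valid and the token is unexpired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    try:
        claims = json.loads(payload)              # only parsed once the signature checks out
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")

def proxy(secret: bytes, path: str, headers: dict, now: int, backend=BACKEND):
    """Identity-aware gate: authenticate first, and only then touch the backend."""
    auth = headers.get("Authorization", "")
    subject = verify_token(secret, auth[len("Bearer "):], now) if auth.startswith("Bearer ") else None
    if subject is None:
        # Same answer for every path, valid or not: an unauthenticated caller
        # cannot enumerate the application, let alone probe it for flaws.
        return 401, {"WWW-Authenticate": "Bearer", "Strict-Transport-Security": HSTS}, ""
    status, resp_headers, body = backend.get(path, (404, {"Server": "Apache/2.4.41"}, "not found"))
    # Rewrite server headers on the way out: drop the version fingerprint, add HSTS.
    out = {k: v for k, v in resp_headers.items() if k.lower() != "server"}
    out["Strict-Transport-Security"] = HSTS
    return status, out, body
```

The point of the identical 401 is that the backend is never consulted for an unauthenticated caller, so neither the existence of a path nor the backend's own error pages and headers leak out. A production proxy would additionally pass the verified subject to the backend on a trusted internal header and strip any copy of that header arriving from the client.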

The Agilicus AnyX platform features that specifically protect against the OWASP Top 10 web application vulnerabilities and deliver a Zero Trust Architecture platform include:

• Role-Based Access Controls – Centralise the management of users and their roles to enact strict least-privilege access through fine-grained authorisation. Addresses (1) Broken Access Control and (7) Identification and Authentication Failures.

• Detailed Audit Trails – All users, connections, and actions are audited. No more (9) Security Logging and Monitoring Failures that leave you unsure of who did what, and for how long.

• Identity Aware Web Application Firewall – Blocks unauthenticated and malicious traffic and enforces TLS, addressing (2) Cryptographic Failures in transit and reducing exposure to (3) Injection, (4) Insecure Design, (5) Security Misconfiguration, (6) Vulnerable and Outdated Components, (8) Software and Data Integrity Failures, and (10) Server-Side Request Forgery by keeping the application unreachable to anyone who has not first proven their identity. The proxy limits who can reach these flaws; it does not remove them from the application, so they must still be fixed at the source.

• Multi-Factor Authentication – Second factor authentication requirements are built right into the login flow helping to address (7) Identification and Authentication Failures.

We recently held a webinar on this topic with Agilicus CEO and cybersecurity expert, Don Bowman. Watch the recording for a detailed look at how your organisation can adopt a defense in depth strategy through Zero trust to protect against the OWASP Top 10.

How Does Zero Trust Stand Up Against Other Attack Vectors

Defending against OWASP threats is a good start, but there is still a laundry list of attack vectors that organisations face today. Zero Trust is much more than simply enforcing multi-factor authentication on your users. It is a set of security principles that together work by leveraging an individual’s unique identity to introduce an authentication and authorisation workflow for access to a designated resource. 

By adopting a Zero Trust Architecture, organisations can take a proactive, secure-by-default approach and effectively protect critical resources from threats.

What is Lateral Network Traversal 

Lateral network traversal, or lateral movement within a network, occurs when a malicious actor gains a foothold on a network (often through a compromised VPN account or endpoint) and moves deeper into the environment in search of sensitive information, trade secrets, or high-value assets, or to stage a ransomware attack.


How Zero Trust Prevents Lateral Network Traversal

A key principle of Zero Trust is segmentation of users, resources, and networks. Agilicus AnyX limits the attack surface by isolating organisation resources and users from each other and enforcing explicit user-to-resource pairings, so a breach of one resource does not hand the attacker a route to the next. Without interfering with or encumbering the end user, resources are segmented with explicit control over permissions and privileges and a precise record of user activity in detailed audit trails: sensitive data can only be reached by designated users, and ransomware is blocked from spreading. With a proper implementation of Zero Trust there is no shared network to move east-west within, unlike a traditional perimeter-based solution (VPN) that places the connecting user on the network itself.


What is the Cyber Risk of Shared or Compromised Credentials

A compromised credential attack occurs when a malicious actor has guessed a password, intercepted it, retrieved it from a breached database, or mounted a successful brute-force or credential stuffing attack, allowing them to log in to your systems and resources as a legitimate user. Many users recycle passwords and share account credentials, increasing the likelihood of those details ending up in a database somewhere on the dark web.

How to Protect Against Compromised Credentials

Under a Zero Trust framework, any attempt to connect to a resource is treated as a potential breach until the end user proves otherwise. To offer protection against compromised credentials without adding friction, Agilicus AnyX federates identity across unrelated domains so that there is a single authentication flow. Users and organisations maintain a single set of credentials, protected by multi-factor authentication, instead of an account per resource. This login flow and layer of identity verification means a stolen password on its own is not enough to gain access. Every user or user group has assigned privileges and permissions that determine which resources they can reach and what they can do with that access (read, write, admin).

What is an Insider Threat, Rogue Employees, and Employee Vulnerability

Similar to the issue of compromised credentials, employees can themselves present security risks and attack vectors to your organisation. Generally they fall victim to social engineering or have their accounts compromised, but sometimes employees go rogue and act maliciously against their employer. This attack vector is closely tied to compromised credentials and to over-exposure of organisation resources.


Protect Against Rogue Employees with Precise Authorisation

With centralised authorisation management, multi-factor authentication, and detailed auditing, Agilicus AnyX gives organisations fine-grained control and visibility of who is accessing their resources, what they are doing with that access, and when. By design, Agilicus AnyX enacts strict least-privilege access and granular user-to-resource segmentation. In the event that an employee goes rogue, the audit trail lets you stop guessing and determine exactly which changes were made to which assets, and when. Fine-grained authorisation also acts as a guardrail, limiting the blast radius of a compromised or malicious employee account. Administrators and operators can restrict privileges or remove access through an easy-to-use web-based portal.
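An added example, not Agilicus code, of what centralised role-based authorisation with an audit trail looks like in practice, in Python. Roles map to (resource, action) permissions, users map to roles, every decision is recorded whether allowed or not, and revoking a role takes effect on the next check. The roles, users, timestamps, and resource names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]   # (resource, action), e.g. ("hr/payroll", "write")

@dataclass
class AccessControl:
    """Central policy store: roles -> permissions, users -> roles, plus an audit trail."""
    roles: Dict[str, Set[Permission]] = field(default_factory=dict)
    assignments: Dict[str, Set[str]] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def define_role(self, role: str, permissions) -> None:
        self.roles[role] = set(permissions)

    def grant(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.assignments.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        # Takes effect on the very next authorize() call: no cached sessions to chase.
        self.assignments.get(user, set()).discard(role)

    def permissions_of(self, user: str) -> Set[Permission]:
        perms: Set[Permission] = set()
        for role in self.assignments.get(user, ()):
            perms |= self.roles.get(role, set())
        return perms

    def authorize(self, user: str, resource: str, action: str, ts: str) -> bool:
        """Deny by default. Every decision, allowed or denied, is written to the audit trail."""
        allowed = (resource, action) in self.permissions_of(user)
        self.audit.append({"ts": ts, "user": user, "resource": resource,
                           "action": action, "allowed": allowed})
        return allowed

    def changes_to(self, resource: str) -> List[Tuple[str, str]]:
        """Who successfully wrote to a resource, and when: the rogue-employee question."""
        return [(e["ts"], e["user"]) for e in self.audit
                if e["resource"] == resource and e["action"] == "write" and e["allowed"]]

    def denied(self) -> List[Tuple[str, str, str, str]]:
        """Denied attempts are the early warning that someone is reaching beyond their role."""
        return [(e["ts"], e["user"], e["resource"], e["action"])
                for e in self.audit if not e["allowed"]]

def demo() -> AccessControl:
    """Constructed scenario: an operator edits a config, an auditor tries to, the operator is offboarded."""
    ac = AccessControl()
    ac.define_role("plant-operator", {("plc/pump-setpoints", "read"), ("plc/pump-setpoints", "write")})
    ac.define_role("auditor", {("plc/pump-setpoints", "read"), ("audit-log", "read")})
    ac.grant("alice", "plant-operator")
    ac.grant("bob", "auditor")
    ac.authorize("alice", "plc/pump-setpoints", "write", "2022-06-01T13:00Z")   # allowed
    ac.authorize("bob", "plc/pump-setpoints", "write", "2022-06-01T13:05Z")     # denied, logged
    ac.revoke("alice", "plant-operator")
    ac.authorize("alice", "plc/pump-setpoints", "write", "2022-06-01T14:00Z")   # denied after revoke
    return ac
```

Two design choices carry the security value here: the decision and the audit record are produced by the same function, so there is no code path that grants access without leaving a trace, and the policy is looked up fresh on every call, so an administrator's revocation is immediate rather than waiting for a session to expire.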


What is a Man in the Middle Attack

A Man in the Middle Attack (MitM) is when a malicious actor positions themselves between a user and an application, oftentimes to spy on or intercept communications. A successful MitM could even let a threat actor pretend to be the end user or the application with the goal of stealing credentials, personal information, and even financial data such as credit card numbers.

How to Protect Against Man in the Middle Attacks

An attacker trying to wedge themselves into the traffic will have a hard time both intercepting and following it under a Zero Trust Architecture deployment with Agilicus AnyX. All data in transit is encrypted with TLS (Transport Layer Security) on every hop. With the Identity Aware Web Application Firewall, two outbound-only connections (one from the user, one from the resource) meet in the middle at the proxy, so there is no inbound listener on the resource for an attacker to impersonate, and no way for an on-path attacker to insert themselves between user and proxy without breaking TLS. One caveat for practitioners: because the proxy terminates the user's TLS session, encryption is hop-by-hop rather than strictly end-to-end, so the proxy itself must be treated as a trusted, audited component. With Agilicus AnyX, resources are effectively taken off the public internet while all activity is auditable. As a result, traffic cannot easily be followed, stopping attackers in their tracks.

What is a Distributed Denial of Service (DDoS) Attack

A distributed denial-of-service (DDoS) attack is executed when a single target is attacked by multiple machines, or a botnet to flood a network with more traffic than it can handle. A successful DDoS attack will prevent legitimate users from being able to gain access by exhausting system resources, ultimately crashing the target server or the network equipment serving it. This type of attack could be used as a diversion, can lead to a loss in revenue, or even result in tangible safety risks.


How Zero Trust Mitigates DDoS Attacks

Under a Zero Trust model, all outside networks and traffic are treated as untrusted. A Zero Trust Architecture through Agilicus AnyX can help mitigate Distributed Denial of Service (DDoS) attacks by moving resources behind a secure cloud service. Agilicus AnyX keeps vital network resources off the public internet (no publicly routable IP address and no open inbound port) without limiting accessibility to authorised users. The platform uses an agent connector to create an outbound-only connection for a given resource, and likewise for the authenticated user, allowing the two to meet in the middle. Flood traffic therefore has no address on the resource to target; what remains exposed is the cloud front end, which is built to absorb it.

How Does Zero Trust Through Agilicus Work

The Agilicus AnyX platform is designed to balance enhanced security with a frictionless end user experience. Employees benefit from simple, secure access and an invisible IT security experience. Likewise administrators and operators are able to unify authentication and leverage precise authorisation with granular control of privileges and permissions all through a single pane of glass.

With Agilicus AnyX organisations can enact strict, least privilege access for their employees with the ability to centrally manage users and resources. Administrators have the ability to give users access to the applications they need with the ability to monitor and manage all activity through detailed audit logs. Behind the scenes all users and resources are segmented from each other and hidden from the public internet preventing an intruder’s ability to move east-west within a network. Without the ability to hop across resources, organisations benefit from a matured cyber posture and can very effectively limit the blast radius of any breach.

Deploying the Agilicus AnyX to Adopt Zero Trust

Agilicus AnyX is designed to ensure adopting advanced security is both easy and economical. Organisations can incrementally deploy the platform and scale adoption of Zero Trust at their own pace without requiring a VPN, appliance, or client. This incremental deployment approach means organisations can take realistic steps to mature their cyber posture within their means and overcome budget, time, and capability constraints, instead of it being an all or nothing project.

User onboarding through Agilicus AnyX is made simple with federated identity and single sign-on. Federated identity leverages existing individual user identities (Azure AD, Office 365, Google accounts, etc.) to assign access privileges. Any user, even from a non-company domain, can be given access without being issued yet another username and password. Agilicus doesn't store credentials; it uses the token generated through single sign-on to authenticate a user's identity and map it to their access privileges. Multi-factor authentication requirements are easily enforced for identity verification, requiring not just something the user knows (account credentials) but something they have (e.g. a registered device or a one-time password generator) to complete authentication.

Through a single, web-based portal, administrators are empowered with precise authorisation controls and the ability to pair users and resources. Centralised authorisation management and role-based access controls ensure granular control over user permissions and privileges. Combined with detailed auditing, Agilicus AnyX delivers control and visibility of users and resources, their privileges, and what they are doing with that access. 


Boost security organisation-wide and protect your most valuable assets from cyber attacks by taking your most important resources off the public internet.


Reduce administrative overhead and help your IT or technical teams focus on high impact projects, with less time spent on administrative tasks.


Provide a safer way to collaborate across teams, departments, and external organisations with secure access to shared resources.


Reduce cyber risk without restricting efficiency or adding friction to your employee workflows.


End users are digitally enabled through simple, secure access with a frictionless experience with no changes to login workflows.


Organisations benefit from precise control of user and resource permissions with detailed audit trails to perform enhanced security analysis.

There seems to be an endless list of cyber threats that organisations have to face. Starting with the OWASP Top 10 and a slew of others, finding the right protection can be hard. Agilicus AnyX delivers a Zero Trust Architecture that shields your traffic from the public internet with precise control of permissions and privileges. Adopting a Zero Trust Architecture approach could offer your business the best line of defence against cyber threats.

A secure replacement to legacy perimeter-based network access, Agilicus AnyX provides a clear view of who is doing what, when, and for how long with an easy to access web-based portal for managing policies, roles, and access privileges. Your authorised users can get secure, frictionless access to applications, desktops, shares, and other corporate resources and services.


White Paper

Remote Desktop Access

Managing Cyber Risk with Zero Trust Network Access

Abstract

For many businesses and organizations around the world, Remote Desktop Access has become an essential tool for both providing and maintaining services. IT personnel and other technical workers depend on the ability to remotely access certain machines to perform their job function. However, without adequate modern security systems and practices it is no longer a minor inconvenience when a cyber breach occurs on these remotely accessed devices. The damage can be immeasurable and even ruinous for people and businesses. 

It is becoming increasingly important for businesses and organizations to implement modern, cybersecurity tools that mitigate threats and turn the tables on the unmanaged cyber risk that can result from Remote Desktop Access. A future-forward approach to cybersecurity practices can help protect businesses, organizations, and public and shareholder interests.

Overview

Most organizations are still using antiquated technology solutions to enable Remote Desktop Access and are increasingly unable to contend with sophisticated malicious actors. Even more problematic is the way most conventional security solutions are unable to accommodate Remote Desktop Access in a manner that ensures only authorized and authenticated access can be gained. 

When Remote Desktop Access is performed over a corporate Virtual Private Network (VPN), the risk increases: once the tunnel is up, the client sits on the corporate network with broad inbound and outbound reachability, and there is nothing stopping a local compromise from becoming a widespread one.

Implementing secure processes and protocols for Remote Desktop Access has historically increased the burden on IT resources or required increased technical capability from the end-user or operator. Adopting a modern approach to cybersecurity can help ensure only the authorized person or persons are able to gain Remote Desktop Access while balancing convenience, control, and security.

What is Remote Desktop Access

Methods and Tools for Remote Access

Remote Desktop services and solutions have gone through many iterations over the years but were first introduced in the late 90s with Microsoft's Remote Desktop Protocol (RDP) as part of Windows NT 4.0 Server, Terminal Server Edition [1]. One of the original intentions of RDP was to allow less powerful machines to remote into more powerful Windows servers to perform tasks.

There are now many common tools for achieving remote access. Windows RDP is a widely adopted method of Remote Desktop Access, with clients available for Windows, Linux, and other operating systems. Other ways of enabling Remote Desktop Access include remote access via VPN, desktop sharing, and other remote control and systems management tools. TeamViewer, RemotePC, and LogMeIn are all examples of commercial Remote Access Software and Tools (RATs); note that in incident-response usage the same abbreviation usually means Remote Access Trojan, the malicious counterpart of these tools. Each method of Remote Desktop Access brings with it a trade-off between security and convenience.

Today, being able to remotely access machines brings with it immense cost savings and efficiency for many organizations, especially in a 24/7, global society. However, this constant connectivity also presents numerous risks and challenges, especially in the context of cybersecurity.

How Does Remote Desktop Access Work?

Remote Desktop Access enables someone to connect to a host machine from their client machine located anywhere in the world over the internet, gaining control of the interface and access to applications and file systems. 

Whether it’s 5, 500, or 5000 miles away, connecting from a home or office device lets a user access the host machine without having to physically be there. The host machine could be a desktop, computer system, server, or virtual environment.


Business Application of Remote Desktop Access

Remote Desktop Access is now a widely adopted concept and network function, especially for its obvious business applications (most recently leveraged by IT organizations in response to the COVID-19 pandemic [2]). The functionality is being put to work across industry verticals. Remote Desktop Access helps technicians reach the machines they need to perform their duties without having to be physically on-premise.

Remote Technical and Customer Support

People most commonly associate Remote Desktop Access with providing remote technical support to employees or customers. That means an IT, technical, or other support representative gains access to a customer’s host machine over the internet. From their own machine, the IT or technical support person now has control over the customer host device and can provide any necessary support or maintenance. In gaining Remote Desktop Access, the support representative also has access to the applications, file system, and data stored on the host machine.

Remote Desktop Access for Server Applications, Maintenance, and Deployment

The host device does not always have to be a PC and in fact, Remote Desktop Access is commonly used by IT technicians as a way of accessing servers or virtual desktop environments without having to physically be in the server room. These machines can be critical to corporate infrastructure, host data and applications, or they can be virtual environments used to develop, test, and deploy new applications.

Remote Desktop Access for Legacy Applications

Legacy applications are typically obsolete or outdated systems that either perform a critical function or are embedded within critical infrastructure. These applications or the systems they can run on are typically unable to stay up to date with the latest operating systems or security software. While a suitable replacement could be under development for a legacy environment, the current instance performs a specific function and may need to be securely accessed by remote technicians and employees.

Remote Access for SCADA Systems

Remote Desktop Access can be an essential tool for technicians to interact with Supervisory Control and Data Acquisition (SCADA) systems, be it in industrial, energy, manufacturing or the public sector. Remote access to a SCADA system by employees, vendors, partners, or third parties is often operationally important. These SCADA systems can be found in public utilities like energy or water treatment and provide a control system architecture that enables the supervision and control of machines and processes by technicians.

Remote Desktop Attacks

There are numerous cyber attack vectors and vulnerabilities that come with Remote Desktop Access and other remote access software and tools. One of the most prominent is the use of shared accounts and access credentials: when the shared credentials for a remote access tool leak, the attacker gets the same direct remote access the legitimate users have, with no way to tell them apart in the logs. If Windows RDP is used and the host is reachable from the internet, a single compromised login can give an attacker a foothold from which to reach the rest of the network.

No matter the type of tools used to achieve Remote Desktop Access, the variety in the type of cyber attacks that can be mounted presents a persistent threat.


Credential Stuffing Attacks

When a credential stuffing attack is performed, the malicious actor uses a list of stolen account credentials to try to gain access to a system. The lists contain usernames, email addresses, passwords, or other login credentials, which are replayed against the targeted system or account. The process is usually automated with bots. This type of attack works because many users reuse credentials across both personal and work accounts [3].
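An added example of how credential stuffing and brute forcing look in an authentication log, and how to tell them apart, written for this page in Python (not vendor code). The log lines and their format are constructed for the example. A source that fails against many distinct usernames in a short window is stuffing; many failures against one username is brute force; and a successful login from a source that was already stuffing is the finding that matters most, because it means one of the leaked credentials was valid.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log for this example (not real data): one source
# spraying many usernames, one source hammering a single account, and one
# ordinary user who mistypes a password once.
def _sample_log():
    lines = []
    for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"2021-03-01T10:00:{i * 10:02d}Z src=203.0.113.7 user={user} result=FAIL")
    lines.append("2021-03-01T10:01:30Z src=203.0.113.7 user=frank result=OK")
    for i in range(12):
        lines.append(f"2021-03-01T10:02:{i * 2:02d}Z src=198.51.100.9 user=bob result=FAIL")
    lines.append("2021-03-01T10:05:00Z src=192.0.2.1 user=alice result=FAIL")
    lines.append("2021-03-01T10:05:20Z src=192.0.2.1 user=alice result=OK")
    return lines

SAMPLE_LOG = _sample_log()

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse(lines):
    """Return (timestamp, source, user, result) tuples in time order; unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"]))
    events.sort()
    return events

def _first_breach(evs, window, key, threshold):
    """evs: time-ordered (ts, value) pairs. Return the timestamp at which the number of
    distinct values (key='distinct') or of events (key='count') inside a trailing
    window first reaches threshold, else None."""
    start = 0
    for i, (ts, _) in enumerate(evs):
        while evs[start][0] < ts - window:
            start += 1
        span = evs[start:i + 1]
        n = len({v for _, v in span}) if key == "distinct" else len(span)
        if n >= threshold:
            return ts
    return None

def detect(lines, window=timedelta(minutes=5), distinct_users=5, failures_per_user=10):
    events = parse(lines)
    fails_by_src = defaultdict(list)
    fails_by_user = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
            fails_by_user[user].append((ts, src))
    # Stuffing: one source, many different usernames failing inside the window.
    stuffing = {}
    for src, evs in fails_by_src.items():
        t = _first_breach(evs, window, "distinct", distinct_users)
        if t is not None:
            stuffing[src] = t
    # Brute force: one username, many failures inside the window (any sources).
    brute = sorted(u for u, evs in fails_by_user.items()
                   if _first_breach(evs, window, "count", failures_per_user) is not None)
    # A success from a source that was already spraying means a stuffed credential
    # worked: the highest-priority finding, and the account to lock first.
    hits = sorted({(src, user) for ts, src, user, result in events
                   if result == "OK" and src in stuffing and ts > stuffing[src]})
    return {"credential_stuffing_sources": sorted(stuffing),
            "brute_forced_users": brute,
            "successful_logins_after_stuffing": hits}
```

The thresholds are assumptions for the example and should be tuned to the real login volume; the structure is what carries over. Note that the "many users from one source" rule only catches single-source stuffing, and that distributed campaigns show up instead as a rise in failures spread across many sources, which calls for a global failure-rate baseline rather than a per-source window.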

A Lack of Password Protection and Authentication

Whether a malicious actor has guessed a password, intercepted it, retrieved it from a breached database, or recovered it through a brute-force attack, the absence of Multi-Factor Authentication gives them free rein over the system. A weak password may be simplistic, reused across accounts, shared with other users (technicians and employees), or previously exposed in a data breach. A strong Multi-Factor Authentication policy can be the difference between getting hacked or not.


Employee Vulnerability

Employees can unintentionally present security risks, whether they fall victim to social engineering, introduce a small oversight, or they themselves become the victim of compromise, such as through a data breach.


Man-In-The-Middle Attacks

During a man-in-the-middle attack [4] on a remote session, a malicious actor tries to intercept communication between systems. The intent could be anything from intercepting or harvesting credentials to spreading malware or ransomware within an organization.

Denial of Service Attacks

Another attack method against Remote Desktop Access is to determine the IP address and open ports of a host machine and mount a brute-force attack [5] designed to recover credentials for remote access. Often the by-product of such an attack, intended or not, is a denial of service (DoS) [6], which not only disrupts the host machine but also prevents authorized users from reaching it.


Software Based Permissions Vulnerabilities

Applications, RATs included, require permissions [7] that are granted by the administrator of a machine. From time to time there are bugs in how these permissions are handled that result in exploitable vulnerabilities. One recent and relevant example was a critical flaw in TeamViewer's handling of administrator permissions [8] that could have allowed a malicious payload to be executed persistently every time the service ran. This vulnerability in TeamViewer has since been patched.


Remote Access Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a catalogue of publicly disclosed security vulnerabilities, each with a unique identifier [9]. It provides a common point of reference for IT administrators and security teams when prioritising patches and securing systems. The list of CVEs is constantly expanding and regularly updated as new vulnerabilities are disclosed. Remote Desktop Access vulnerabilities in Windows RDP, Remote Desktop Connection, and similar tools are included in it; for example, a number of denial of service CVEs for Windows RDP were disclosed in 2020 [10].

There is a pressing need to mitigate threats against remotely accessed machines and the risk and consequences that go along with them.

Remote Desktop Access in a Corporate Environment

In most enterprise corporate network environments, Remote Desktop Access is actually performed over a corporate VPN, which can amplify cyber risk. Traditionally the VPN served as a way to create a secure tunnel to the host machine that needed to be accessed. However, the methods of attack and the risk climate have changed significantly over the years: when remote access is achieved through a VPN, a compromise of the client machine, the host machine, or the network is no longer localized and can spread across environments.

When an attacker gains access to a client machine, remote host machine, or corporate VPN, that access may be trusted by default, which means the infiltration can go undetected. The VPN by its very nature is an all-or-nothing perimeter-based security solution. It’s either access to the entire network or none of the network, which is why lateral traversal within an organization’s network is possible.

Securing Remote Desktop Access to Manage Cyber Risk and Mitigate Threats

Remote Desktop Access has become an essential function for most organizations. However, with the frequency of cyber attacks only accelerating, [11] exceptional security around Remote Desktop Access is not discretionary. Legacy applications and SCADA systems, for example, have come under frequent attack. The breach of the Florida water treatment plant in 2021 [12] is an example of the security and public risk that unsecured Remote Desktop Access presents.

IT organizations need to provide Remote Desktop Access to specific host machines for specific users, including those outside the organization such as contractors, vendors, and third parties. In order to secure these environments, an approach built on authorization, authentication, and access, delivered through a Zero Trust Architecture, can manage cyber risk more effectively.

What is Zero Trust Security

Zero Trust Network Access and Security means switching from outdated perimeter-based (firewall and VPN) models of access to an identity-based model of access. That means authorization, authentication, and access privileges are determined based on the identity of a person (user) and the identity of a resource (device/machine). 

Identity-based access means decoupling identity from a corporation or organization and binding it to the user, creating a single identity. This allows IT administrators to enforce entitlements and authorizations within the network, effectively segmenting access.

Segmentation of access is simple, more secure, and does not inhibit employees’ access to their work. It does, however, significantly mitigate the risk of cyber attacks like lateral traversal within a network, malware, and ransomware. Adopting a modern cloud-native security platform empowers users to work from any device, anywhere in the world, while ensuring the organization has granular auditing capabilities, Role Based Access Controls, Privilege Management, and the ability to restrict access with Multi-Factor Authentication.

A Zero Trust Architecture is economical, scalable, and most importantly more secure than conventional methods of network cloaking and inflexible, restrictive policy.

Remote Desktop Access Via Zero Trust

Zero Trust Network Access (ZTNA) ensures IT organizations and administrators have the granular security controls needed to manage per-user authorizations. Limiting end-user, authenticated access to the specific resource, application, or work they need protects the broader corporate network and machines from being exposed to attackers, keeping compromises localized. 

When Zero Trust is applied to Remote Desktop Access the risk profile and exposure of applications, systems, networks, and corporate resources is significantly reduced without inhibiting the productivity of the employee or technician who requires access to the host machine. In essence, Zero Trust allows the IT organization to require authentication and authorization from both the user and the designated device. That means a technician must prove their identity before being allowed to gain Remote Desktop Access.

Users are commonly identified via OpenID Connect and SAML, while resources are commonly identified by Client Certificates. Single Sign-On and Multi-Factor Authentication paired with these core tenets of Zero Trust (Authorization, Authentication, and Access) mean that strong password policies and authentication methods are innate to the security equation.

Zero Trust ensures that Remote Desktop Access is available to any authorized employee using any designated device without risking the entire network. This method of secure access will also prohibit any unauthorized access to the host machine, by unauthorized users or devices.
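The decision described in the last few paragraphs, and its contrast with the all-or-nothing VPN model described earlier, as an added illustration in Python (not Agilicus code). The user identity stands in for already-verified OpenID Connect claims, the device identity for an already-validated client certificate, and the entitlement and device tables are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class UserIdentity:
    """Claims from an already-verified OpenID Connect ID token (sample data)."""
    subject: str
    amr: tuple = ()          # authentication methods used, e.g. ("pwd", "mfa")

@dataclass
class DeviceIdentity:
    """Fields from an already-validated client certificate (sample data)."""
    common_name: str
    valid: bool = True

# Per-user, per-host entitlements set by the administrator (constructed).
ENTITLEMENTS = {
    ("alice@example.com", "scada-hmi-01"): "operator",
    ("bob@example.com", "file-srv-02"): "admin",
}
# Devices the administrator has designated for each user (constructed).
DESIGNATED_DEVICES = {
    "alice@example.com": {"alice-laptop"},
    "bob@example.com": {"bob-desktop"},
}
AUDIT_LOG = []   # every decision is recorded, whether allowed or denied

def zero_trust_decision(user, device, host, require_mfa=True):
    """Default deny: user, device and entitlement must all check out."""
    allowed, reason = False, ""
    if not device.valid:
        reason = "device certificate invalid"
    elif device.common_name not in DESIGNATED_DEVICES.get(user.subject, set()):
        reason = "device not designated for this user"
    elif require_mfa and "mfa" not in user.amr:
        reason = "multi-factor authentication not satisfied"
    elif (user.subject, host) not in ENTITLEMENTS:
        reason = "no entitlement for this host"   # other hosts stay unreachable
    else:
        allowed = True
        reason = "authorized as " + ENTITLEMENTS[(user.subject, host)]
    AUDIT_LOG.append((user.subject, device.common_name, host, allowed, reason))
    return allowed, reason

def perimeter_vpn_decision(on_corporate_network, host):
    """The legacy all-or-nothing model: anyone inside the VPN reaches every host."""
    if on_corporate_network:
        return True, "inside perimeter: " + host + " reachable"
    return False, "outside perimeter"
```

Note that a denied request for a host the user is not entitled to is indistinguishable from the host not existing, which is what keeps a compromise localized to the one resource the user could reach.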

Securing Remote Desktop Access Through Agilicus’ Any X Platform

You can set up 1-click remote access from client to host machine within minutes through Agilicus’ Any X platform. You can enable Remote Desktop Access via a Zero Trust Architecture without configuration on-site and with no change to the host machine or firewall. A detailed step-by-step guide on setting up Agilicus’ Zero Trust platform is available here.

This means that the cyber risk and threats can be heavily mitigated for any resource that must be accessed remotely, whether it’s a server, virtual environment, or physical desktop device hosting a legacy application, or a SCADA system.

How Zero Trust Remote Desktop Access Works with Agilicus

Zero Trust Remote Desktop Access allows any user to connect from any device to the host machine they need to perform their job. The Zero Trust framework ensures access is granted on the basis of identity. Agilicus’ Any X platform features fine-grained controls and authorization for Remote Desktop Access and allows any device to remotely access machines using Windows RDP (Windows and Linux OS). Any X also features Single Sign-On, Multi-Factor Authentication, full audit trails, and end-to-end encryption, which further enhances the security surrounding Remote Desktop Access.


Rein in Unmanaged Cyber Risk with Zero Trust Remote Desktop Access

While most applications are modern and accessible through web browsers, there is still a need for native desktop applications and therefore for Remote Desktop Access to various machines and resources around the world, whether over civilian networks or over corporate VPNs. Remote Desktop Access is widely used by IT professionals and technicians across industry verticals to access servers, access on-premise machines, perform maintenance, and carry out other operational tasks.

Without adequate security or a continuation of the status quo of legacy security practices, Remote Desktop Access creates huge unmanaged cyber risks for IT organizations. Those same remote resources can also be critically important to both private and public interests and in the event of a compromise, there could be significant consequences and very real public safety risks.

Some examples of remote resources that a technician or operator must access are: 

• SCADA systems (controlling the power grid, local water treatment facility, etc.)

• Servers or virtual machines that host or perform a business function

• Machines that run legacy applications

• Employee or customer machines and devices to provide support or maintenance

Implementing Zero Trust and its core tenets of authorization, authentication, and access to secure Remote Desktop Access puts the IT organization back in control of its cyber risk profile. 

Zero Trust works by trusting no user or device by default and enacts a strict policy that ensures only authorized individuals and devices can gain access to critical resources after authenticating their identity. This differs from a perimeter-based security policy (VPN) where anyone who has gained access to a network is trusted by default. 

The security landscape is rapidly evolving, but your requirements of providing convenient and secure access while managing costs aren’t. Agilicus can help you implement an identity-based secure solution that enables Remote Desktop Access for workers while empowering the IT organization with the controls to manage cyber risk for Any Desktop by implementing Authorization, Authentication, and Access.

Contact Us

Secure Remote Desktop Access at your organization and protect against cyber attacks with Agilicus and empower your workforce with secure access to the resources they need to do their work.


Works Cited

1 Deland-Han. “Understanding Remote Desktop Protocol (RDP) – Windows Server.” Microsoft Docs, Microsoft, 24 Sept. 2021, docs.microsoft.com/en-us/troubleshoot/windows-server/remote/understanding-remote-desktop-protocol.

2 Statista. “Remote Access Technology Use Increase 2020, by Region.” Statista, Statista, 15 June 2021, www.statista.com/statistics/1226084/remote-access-technology-use-by-region.

3 “Credential Stuffing Software Attack | OWASP Foundation.” The OWASP® Foundation, 2021, owasp.org/www-community/attacks/Credential_stuffing.

4 “MitM – Glossary | CSRC.” CSRC, 2020, csrc.nist.gov/glossary/term/mitm.

5 “Brute Force Password Attack – Glossary | CSRC.” CSRC, 2020, csrc.nist.gov/glossary/term/brute_force_password_attack.

6 “Denial of Service (DoS) – Glossary | CSRC.” CSRC, 2020, csrc.nist.gov/glossary/term/denial_of_service.

7 “Permissions – Glossary | CSRC.” CSRC, 2020, csrc.nist.gov/glossary/term/permissions.

8 SafeBreach Inc. “TeamViewer Windows Client (V11 to V14) – DLL Preloading and Potential Abuses (CVE-2019-18196).” SafeBreach, SafeBreach Inc., 15 Nov. 2019, www.safebreach.com/blog/2019/teamviewer-windows-client.

9 “CVE – Glossary | CSRC.” CSRC, 2020, csrc.nist.gov/glossary/term/cve.

10 “Security Update Guide – Microsoft Security Response Center.” Microsoft, 2020, msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-16927.

11 Quadros, Sharron. “RDP Attacks on the Rise During COVID-19 Pandemic.” Security Boulevard, Techstrong Group Inc., 6 Jan. 2021, securityboulevard.com/2021/01/rdp-attacks-on-the-rise-during-covid-19-pandemic.

12 Goodin, Dan. “Florida Water Plant Compromise Came Hours after Worker Visited Malicious Site.” Ars Technica, Condé Nast, 18 May 2021, arstechnica.com/gadgets/2021/05/florida-water-plant-compromise-came-hours-after-worker-visited-malicious-site.