Remote Support Security

Uncompromising Security for Remote Access & Support Sessions

Link copied

With BeyondTrust Remote Support, you can focus on solving user problems, not security concerns. Businesses today must not only meet increasingly stringent company security policies, but many are also subject to industry compliance mandates such as HIPAA or PCI. BeyondTrust Remote Support is designed and built on the principles of a Zero Trust Architecture, along with numerous features that promote secure practices and prevent breaches on a day-to-day basis.

Authentication & Permissions

Link copied

Most remote support solutions require you to create support rep accounts manually or with a convoluted semi-automated process. BeyondTrust seamlessly integrates with external user directories, such as LDAP, for simple and secure user management.

• Active Directory, LDAPS, Kerberos, RADIUS: With BeyondTrust, you can leverage your existing directories (LDAPS, Kerberos, Smart Card, RADIUS) so that if you change a support rep’s account in Active Directory, it is automatically reflected in BeyondTrust Remote Support. BeyondTrust lets you associate group policies in BeyondTrust with groups in your directory, so that if you move a rep from one group to another in LDAPS, their permissions in BeyondTrust are automatically updated to reflect their new role.
• Native Two Factor Authentication: Two factor authentication increases the security of remote access by requiring a second factor (one time passcode) to login, in addition to the password. It’s available for every BeyondTrust Remote Support user at no additional cost. If you are already using a 2FA solution, you can use it with BeyondTrust too.
• Device and Network Authentication: You can enforce the networks and devices on which your support technicians can use BeyondTrust Remote Support.
• Native Password Vault: Store, share, and track the use of privileged credentials by the IT service desk. BeyondTrust Vault for Remote Support fits seamlessly with your service desk workflow and mitigates the threats in your service desk related to stolen credentials and passwords.
• Physical Smart Card Authentication: Within environments where security implementations require smart card use for authentication, Remote Support enables the representative to share a local smart card within a support session so that it can be used as an authentication source on the customer system.

Auditing & Reporting

Link copied

Session logging allows for the review of all customer and support representative interactions, and all the events of an individual support session are logged as a text-based log. This log includes representatives involved, permissions granted by the customer, chat transcripts, system information, and any other actions taken by the BeyondTrust representative.

BeyondTrust also allows enabling video session recordings. This records the visible user interface of the customer screen for the entire screen sharing session. Session logging data is available on the appliance in an un-editable format for up to 90 days, but it can be moved to an external database using the BeyondTrust API or the BeyondTrust Integration Client.

Remote Connection Security

Link copied

Grant access with even more granularity so that just the right levels of access are granted to those who need it, enforcing the concept of "least privilege" in your service desk. BeyondTrust includes a large number of granular permissions that can be granted to manage which features in BeyondTrust a representative has access to and can require end-user prompting so that the user receiving support must approve representative actions.

Policies can be set for users, groups, or sessions, giving administrators significant flexibility and control. Group policies integrate easily with external directory stores to assign permissions based on your existing structures. Session permission policies enable building a security model for each specific support scenario. You can also restrict BeyondTrust use logins to certain times of day.

Robust Security Architecture

Link copied

With BeyondTrust, each customer gets a segmented, single-tenant environment. Your data is never co-mingled with data from any other customer.

• Unique Configuration by Customer: The BeyondTrust software itself is uniquely built for each customer, and each organization has its own unique URL and customer client. To generate further trust, add your logo, a customer watermark, and rep profile photos.
• VPN-less Remote Access: BeyondTrust works through firewalls without VPN tunneling, so your perimeter security can remain intact. Outbound-only session traffic uses TCP Port 443. BeyondTrust's infrastructure has very minimal port exposure, which drastically reduces the potential exposed attack surface of your support site.
• Military-Grade Data Encryption: BeyondTrust can be configured such that it enforces the use of SSL for every connection made to the site. BeyondTrust encrypts all data in-transit using TLSv1.2, and data at rest encryption can be enabled with your organization’s key management solution. Available cipher suites can be enabled or disabled and reordered as needed to meet the needs of your organization.

Credential Injection

Link copied

BeyondTrust Remote Support includes password vault, allowing users to directly inject credentials into end servers and systems. Injecting credentials directly into sessions obfuscates them from end users, providing another layer of password security. Remote Support also integrates with other password management products, such as BeyondTrust Password Safe, a full-featured privileged credential management solution.