Privileged Remote Access Security

Secure Architecture

BeyondTrust offers the greatest number of deployment options, so you can select the choice that corresponds with the security requirements of your business. From on-premises and virtual appliances to SaaS, get the best deployment option for your business.

We provide each customer a segmented, single-tenant environment for all deployment types. Your data is never shared with data from any other customer.

No VPN

BeyondTrust works with firewalls without VPN tunneling, keeping your perimeter security intact. Outbound only session traffic uses TCP Port 443 protecting your users and endpoints from external threats. BeyondTrust's infrastructure has very minimal port exposure, which drastically reduces the potential attack surface.

Seamless Integrations

BeyondTrust seamlessly integrates with external user directories, such as Active Directory, for simple and secure privileged user management.

With our solutions, you can leverage your existing directories (LDAPS, Kerberos, Smart Card, RADIUS) so that changes to a user’s account in Active Directory are automatically reflected.

BeyondTrust lets you associate group policies with existing user groups in your directory, so that if you move a user from one group to another in LDAPS or Azure AD, their permissions are automatically updated to reflect their new role.

And you can leverage existing security investments such as password solutions, information and event management (SIEM) tools, and Change Management solutions to increase productivity.

Granular Access Controls and Permissions

Grant access with even more granularity so that just the right levels of access are granted to those who need it, enforcing the concept of “least privilege” in your organization. BeyondTrust enables administrators to control which specific functions a privileged insider or vendor can access.

Policies can be set for vendors, users, groups, or sessions, giving administrators significant flexibility and control. Group policies integrate easily with external directory stores to assign permissions based on your existing structures. Session permission policies enable building a security model for each specific session type. Further control access by utilizing approval workflows defining not just who, but when an endpoint is accessed.

• Restrict remote access to defined endpoints
• Schedule when endpoints can be accessed
• Require access notification and authorization
• Prevent unauthorized programs from being viewed with application whitelisting
• Manage your access control policy with group policies

Native Two-Factor Authentication

Two factor authentication increases the security of remote access by requiring a second factor (one-time passcode) to login, in addition to the password. It’s available for every BeyondTrust user at no additional cost, and is simple for the administrator to enable for all users. If you are already using a 2FA solution, you can use it with BeyondTrust too.

Since we allow privileged users to connect from mobile devices, you can create a list of authenticated devices and determine the network locations from which they can connect.

Data Encryption

BeyondTrust enforces the use of SSL for every connection made to the site. We encrypt all data in transit using TLSv1.2, and data at rest encryption can be enabled with your organization’s key management solution. Available cipher suites can be enabled or disabled and reordered as needed to meet the needs of your organization.

Session Audit and Monitoring

Session logging allows for the review of all end system and network interactions. This log includes users involved, which endpoints they connected to, and system information. In addition to log reports, BeyondTrust also records videos of each session. These video recordings capture every action taken in each remote desktop, SSH, or Telnet session.

Session logging data is available on the appliance in an un-editable format for up to 90 days, but it can be moved to an external database using the BeyondTrust API or the BeyondTrust Integration Client for longer term retention. Or you can track session data and configuration changes with your existing SIEM solutions.