Remote Desktop Access for the Mobile Workforce



Similar documents
High Performance Remote Desktop Access for Mobile Users Without the Pain and Complexity of VPN/RDP

FileCloud Security FAQ

Security Architecture Whitepaper

Copyright 2013, 3CX Ltd.

Ensuring the security of your mobile business intelligence

When enterprise mobility strategies are discussed, security is usually one of the first topics

Mobile Device Management Version 8. Last updated:

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Remote Desktop Gateway. Accessing a Campus Managed Device (Windows Only) from home.

Ensuring the security of your mobile business intelligence

White Paper. BD Assurity Linc Software Security. Overview

Develop HIPAA-Compliant Mobile Apps with Verivo Akula

NetSupport Manager v11

Copyright Telerad Tech RADSpa. HIPAA Compliance

Security Overview Enterprise-Class Secure Mobile File Sharing

CHIS, Inc. Privacy General Guidelines

Dell World Software User Forum 2013

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Sync Security and Privacy Brief

White Paper. Anywhere, Any Device File Access with IT in Control. Enterprise File Serving 2.0

LogMeIn HIPAA Considerations

Securing Patient Data in Today s Mobilized Healthcare Industry. A Good Technology Whitepaper

Secure remote access to your applications and data. Secure Application Access

Systems Manager Cloud Based Mobile Device Management

Advanced Configuration Steps

Proof of Concept Guide

How Managed File Transfer Addresses HIPAA Requirements for ephi

Data Loss Prevention Whitepaper. When Mobile Device Management Isn t Enough. Your Device Here. Good supports hundreds of devices.

GoToAssist Remote Support HIPAA compliance guide

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

Egnyte Cloud File Server. White Paper

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

Ensuring Enterprise Data Security with Secure Mobile File Sharing.

Secure any data, anywhere. The Vera security architecture

Propalms TSE Deployment Guide

Enterprise Mobility as a Service

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

Enterprise Mobility Management Migration Migrating from Legacy EMM to an epo Managed EMM Environment. Paul Luetje Enterprise Solutions Architect

The Security Behind Sticky Password

Symantec Mobile Management 7.1

HotSpot Enterprise Mobile Printing Solution. Security Whitepaper

NCSU SSO. Case Study

Secret Server Qualys Integration Guide

Deploying iphone and ipad Security Overview

Cortado Corporate Server

WICKSoft Mobile Documents for the BlackBerry Security white paper mobile document access for the Enterprise

Research Information Security Guideline

Ti m b u k t up ro. Timbuktu Pro Enterprise Security White Paper. Contents. A secure approach to deployment of remote control technology

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

MaaS360 Mobile Enterprise Gateway

HIPAA. considerations with LogMeIn

The Challenge. The Solution. Achieve Greater Employee Productivity & Collaboration...while Protecting Critical Business Data

Complying with PCI Data Security

Novell Filr 1.0.x Mobile App Quick Start

SECURELINK.COM REMOTE SUPPORT NETWORK

SOOKASA WHITEPAPER SECURITY SOOKASA.COM

Product Manual. MDM On Premise Installation Version 8.1. Last Updated: 06/07/15

Mobile Device Strategy

PULSE SECURE FOR GOOGLE ANDROID

VMware vcloud Air HIPAA Matrix

company policies are adhered to and all parties (traders,

SECURE YOUR DATA EXCHANGE WITH SAFE-T BOX

MaaS360 Mobile Enterprise Gateway

An Enterprise Approach to Mobile File Access and Sharing

Healthcare Security and HIPAA Compliance with A10

Security White Paper The Goverlan Solution

Did you know your security solution can help with PCI compliance too?

HIPAA Compliance and Wireless Networks

Access Your Cisco Smart Storage Remotely Via WebDAV

Securing Corporate on Personal Mobile Devices

Kaspersky Lab Mobile Device Management Deployment Guide

Salesforce1 Mobile Security Guide

Google Identity Services for work

Architecture and Data Flow Overview. BlackBerry Enterprise Service Version: Quick Reference

itrust Medical Records System: Requirements for Technical Safeguards

ReadyNAS Remote. User Manual. June East Plumeria Drive San Jose, CA USA

HIPAA Compliance and Wireless Networks Cranite Systems, Inc. All Rights Reserved.

Lenovo Secure Cloud Access Access your files, applications and reports from any device.

WHITE PAPER NEXSAN TRANSPORTER PRODUCT SECURITY AN IN-DEPTH REVIEW

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

Dropbox for Business. Secure file sharing, collaboration and cloud storage. G-Cloud Service Description

Policy Title: HIPAA Access Control

Mobile Admin Architecture

Phone: Fax: Box: 230

The Benefits of SSL Content Inspection ABSTRACT

The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency

FileMaker Security Guide The Key to Securing Your Apps

Symantec App Center. Mobile Application Management and Protection. Data Sheet: Mobile Security and Management

BYOD How-To Guide. How do I securely deliver my company s applications and data to BYOD?

Workday Mobile Security FAQ

Transcription:

Remote Desktop Access for the Mobile Workforce Security White Paper March 2015 Splashtop Inc. 1/12

Table of Contents Table of Contents... 2 1. Situation Analysis... 3 2. Architecture... 4 2.1. Splashtop Enterprise App... 4 2.2. Splashtop Streamer... 4 2.3. Splashtop Center... 5 3. IT Security Controls... 6 3.1. End-to-End-Data-Security... 6 3.2. Firewall Configurations... 6 3.3. User Authentication... 7 3.4. Digitally signed Applications... 7 3.5. Encryption... 7 3.6. Device Authentication... 7 3.7. SSL Security Certificate Administration... 8 3.8. Additional Features... 8 4. Conclusion... 9 4.1. Contact Information: Office Locations, Telephone Numbers... 9 5. Appendix... 10 5.1. HIPAA Compliance... 10 Splashtop Inc. 2/12

1. Situation Analysis The Mobile/BYOD revolution is here to stay. Each day, as new devices are released to the market, they are brought into your company and onto the corporate network by employees who use them to access everything from corporate email to line of business applications locked inside customized IE browsers. But if you are like most CIOs, CSOs and IT managers responsible for network security, you re spending countless nights worrying about the security ramifications. One of the biggest challenges most companies face is how to allow mobile devices to access applications and desktops in a secure manner that doesn t impact the user experience such that they simply bypass the network and security measures in place. Splashtop Enterprise solves this challenge. Based on the popular Splashtop Remote Desktop app that has been downloaded by more than 18 million users and one of the Apple AppStore s top 25 best-selling ipad apps of all time, Splashtop Enterprise is used by professionals at 60% of Fortune 100 companies. By replacing poor performing and cumbersome legacy VDI, VPN and RDP solutions, users can now access their applications and data that reside on physical or virtual desktops within the corporate network from their own mobile devices quickly, easily, and securely. This white paper provides server, desktop, network and security personnel with an architectural overview and description of the specific security controls implemented by Splashtop Enterprise. The Appendix addresses how Splashtop can help organizations to meet HIPAA guidelines for the privacy and security of healthcare information. Splashtop Inc. 3/12

2. Architecture Before describing the specific security mechanisms implemented in the Splashtop Enterprise solution, it is important to understand the underlying architecture as seen in Figure 1. The solution is comprised of three components, each residing on different systems within an enterprise network. Together, they provide a secure, end-to-end remote desktop experience. Figure 1: Splashtop Enterprise High Level Architecture 2.1. Splashtop Enterprise App The Splashtop Enterprise App is a lightweight remote client that is downloaded and installed from the appstore available from the user s mobile device. Supported devices include Apple ipad or iphone and Google Android phone or tablet. Macs and Windows-based PCs download the software directly from Splashtop. Users initiate secure remote access requests from their mobile device to their desktop (running Splashtop Streamer software) by entering their credentials into the Splashtop Enterprise App. 2.2. Splashtop Streamer The Splashtop Streamer software must be installed on each Windows PC or Mac desktop that the user will want to access from their mobile device. IT administrators can either install the software onto the employee s desktop computer directly using the management tools already in place, or allow users to download the streamer from the Splashtop Center server. IT can use the email templates provided in the Splashtop Center to distribute activation instructions with links to automate the download process. To enable mobile users to access more than one specific desktop computer, streamers must be installed onto those other systems as well. The streamer software can automatically login using the users AD credentials and enable people to optionally join a group (or groups) as defined by the IT admin in Splashtop Center. Splashtop Inc. 4/12

2.3. Splashtop Center Splashtop Center is service installed behind the enterprise firewall (or in the DMZ) on an existing Windows server. Its primary role is to authenticate, securely broker connections between the user s mobile device (running the Splashtop Enterprise app) and the user s desktop (running Splashtop Streamer software), and log connections. It also offers a walk up management console providing IT administrators with: Active Directory (AD) integration Support existing AD for authentication by importing users Centralized policy-based control - Set user and device access policies, activate/deactivate users and devices, MAC address filtering, create or import SSL certificates, set maximum frame rate per user connection, set idle timeout Reporting - View real-time connections and audit trails Grouping - Allow access to shared pool of physical or virtual desktops Seamless integration with existing Active Directory (AD) domains helps to simplify the process of user authentication to ensure that only authorized users can establish remote sessions. Figure 2: Splashtop Center Console When the mobile device is outside the local network, the Splashtop Center software provides secure relay services to enable cross-firewall connections between the mobile device and the desktop. All cross-firewall connections are encrypted using Transport Layer Security (TLS) with AES-256 encryption eliminating the headache of setting up VPNs, creating per-user firewall policies, configuring mobile VPN clients or supporting multiple RDP apps. For more information please read the whitepaper High Performance Remote Desktop Access for Mobile Users Without the Pain and Complexity of VPN/RDP. Splashtop Center s security controls ensure the protection of sensitive data and so helps improve regulatory compliance. For organizations specifically concerned with HIPAA compliance, please see the Appendix. Splashtop Inc. 5/12

3. IT Security Controls 3.1. End-to-End-Data-Security All communications within the Splashtop Enterprise solution from the app through Splashtop Center and to the Splashtop Streamer and back again are secured over Splashtop s patent-pending streaming technology using the IETF-standard TLS protocol, ensuring the confidentiality and integrity of data. Splashtop Enterprise also prevents eavesdropping on and modification or replay of communications by restricting the cipher suite to 2048 bit ECDHE-RSA with 256-bit AES-CBC and SHA1. In addition to the secured end-to-end session, Splashtop Enterprise leaves the data on the desktop, locked behind the corporate firewall. By streaming only the desktop display and sound, Splashtop Enterprise allows the user to access sensitive data remotely without actually transferring the source data to the mobile device where it may be easily stolen or copied. This not only prevents data from being stolen in flight outside the organization but also secures the data from being stolen when accessed internally. Figure 3: Splashtop Center Deployment in DMZ 3.2. Firewall Configurations Based on the usage patterns and the location of desktops within the enterprise, changes to the firewall configuration file may be necessary in order to enable Splashtop Enterprise to function appropriately: For Intranet-only use of Splashtop Enterprise (e.g., both the mobile device and the desktop are behind the corporate firewall), no changes to the firewall are required. If the Splashtop Center is located in the DMZ and the mobile devices are behind the DMZ, then Splashtop Inc. 6/12

port 443 needs to be opened in each firewall. For internet usage where the external mobile device access and the Splashtop Center is located behind the corporate firewall, port 443 must be opened and port forwarding for Splashtop Center must be configured on the firewall. If port 443 is being used by another service, it can be changed to another port. 3.3. User Authentication Seamless integration with existing Active Directory domains helps IT administrators simplify the process of user authentication and ensure that only authorized users can establish remote sessions. Authorized Splashtop administrators can enable user access either manually, by entering the user s email address, or automatically, through seamless integration with Active Directory. In the latter option, Splashtop Center checks the user s username and password used during windows login against the Active Directory domain for each remote access session initiated by the user. Because Splashtop Center accesses the corporate Active Directory using read-only permissions, the data in the Active Directory remains safe from any rogue attempts to change its contents. Gateway Users (local Splashtop Center users) passwords are stored in a salted hash. Domain User (AD users) passwords are never stored in Splashtop Center (and optionally never stored on the mobile device). 3.4. Digitally signed Applications All software shipped by Splashtop is digitally signed so nothing can be altered or updated by any individual without the private key, ensuring the integrity of the Splashtop software and preventing security risks. 3.5. Encryption Splashtop Enterprise encrypts all data end-to-end using 256-bit Advanced Encryption Standard (AES). AES is the NIST-approved (National Institute of Standards and Technology) successor to DES. 3.6. Device Authentication Only approved devices that have been specifically added by the Splashtop administrator can access the Splashtop solution. Within Splashtop Center, administrators can allow/deny remote access by mobile devices individually using MAC addresses, lock or disable access by device, disable auto-logon (forcing users to enter passwords to connect), and de-activate a mobile device entirely. Splashtop Inc. 7/12

3.7. SSL Security Certificate Administration For additional security, both the Splashtop administrator and Splashtop mobile users themselves can import existing SSL certificates signed by a Certificate Authority (CA) or generate new, self-signed certificates. This additional layer of protection ensures that only the authorized user can initiate Splashtop remote access sessions, even if his/her password is compromised. Only PFX format certificates are supported. On local LAN connections, Splashtop will attempt to connect peer-to-peer to improve performance. The Splashtop administrator can optionally force additional security by prompting users to add an existing, or to generate a new, self-signed SSL certificate. 3.8. Additional Features Blank screen: Automatically blank the screen while a remote session is active, ensuring that an individual near the PC being accessed cannot see the remote user s actions. The admin can optionally force the blank screen for each session. Screen auto-lock: Automatically lock PC after the remote session ends to ensure the PC is not left logged in after a remote session terminates. OS-level Access Control: Splashtop Enterprise can optionally enforce controls already in place on the corporate LAN. In order to select this option, the user must supply his computer credentials in addition to his Splashtop credentials, thereby making it impossible for anyone other than the owner of the system to get access to that computer. Session idle timeout: Logout users when session has no activity for a specified time. Remote connection notification: Notify users on the desktop systems when a remote user connects to the PC with an on-screen message, eliminating stealth connections. Copy/paste prohibited: Prohibit user from copying / pasting from the desktop system to the mobile device. File transfer prohibited: Prohibit user from transferring files from the desktop system to the mobile device. Disable remote auto-login: Force password re-entry for every remote connection. Hide streamer configuration: Non-admin users are unable to view/change configuration options. Invalid SSL certificate warning: Warning displayed to the Splashtop Enterprise app mobile user if the SSL certificate on Splashtop Center is invalid. Proxy Server authentication: The Splashtop streamer supports Basic and NTLM authentication with a proxy server using HTTPS to help prevent password capture, replay attacks and spoofing. MDM/MAM integration: Integration with MDM / MAM partners adds additional on-device security and control. Splashtop Inc. 8/12

4. Conclusion Splashtop Enterprise was designed and created by a team of security and networking experts, leveraging cutting-edge encryption and authentication technologies. This on-premise product is specifically built to give IT teams full control over securing the data while, at the same time, giving employees the flexibility to access it from anywhere. It is particularly applicable to organizations operating in industries with stringent legislative and compliance regulations where controls for data privacy and systems security are mandated. For further details and to start a free trial, visit www.splashtop.com/enterprise Splashtop Inc. delivers the best-in-class, cross-screen productivity and collaboration experience, bridging smartphones, tablets, computers, TVs, and clouds. Splashtop remote desktop services enable people to access and control their favorite apps, files, and data via their mobile devices. More than 18 million people have downloaded Splashtop products from app stores. Prior to Splashtop Enterprise, the team at Splashtop developed the Splashtop Operating System (OS), an Instant ON OS that is pre-installed on more than 100 million desktops and laptops manufactured by HP, Lenovo, Dell, Acer, Sony, Asus, Toshiba, Intel and others. Splashtop Inc s headquarters are in San Jose, California. 4.1. Contact Information: Office Locations, Telephone Numbers Silicon Valley Headquarters Taipei Office Tokyo Office 1054 S. De Anza Blvd, Suite 200 San Jose, CA 95129 U.S.A +1.408.861.1088 5F., No.152, Sec. 1, Zhongxiao E. Rd., Zhongzheng Dist., Taipei City 100, Taiwan, 10049 +886.2.2351.3030 Level 20 Marunouchi Trust Tower - Main 1-8-3 Marunouchi, Chiyoda-Ku Tokyo 100-0005 Japan Splashtop Inc. 9/12

5. Appendix 5.1. HIPAA Compliance Every business that is part of the U.S. healthcare industry must comply with Federal standards regulating sensitive and private patient information. In addition to protecting worker health insurance coverage, HIPAA sets forth standards for protecting the integrity, confidentiality and availability of electronic health information. While no single product or solution can make an organization HIPAA-compliant, Splashtop Enterprise is a solution that can help organizations meet HIPAA guidelines for the privacy and security of remote access to healthcare information and can be used within a larger system to support HIPAA compliance. Although HIPAA compliance per se is applicable only to entities covered by HIPAA regulations (e.g., healthcare organizations), the technical security controls employed in the Splashtop Enterprise solution and associated host and client software meet HIPAA technical standards. Furthermore, the administrative configuration and control features provided by Splashtop Enterprise support healthcare organization compliance with the Administrative and Physical Safeguards sections of the final HIPAA Security Rules. The following table is based upon the HIPAA Security Standards rule published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162 and 164 Health Insurance Reform: Security Standards; Final Rule). All implementation standards or specifications marked with a capital (R) are required, while those marked with a capital (A) are considered addressable, essentially meaning that the entity is allowed some flexibility in taking reasonable steps to comply with the standard or specification to which it refers. Splashtop Inc. 10/12

NIST Special Publication 800-66[1]. Descriptions. HIPAA Safeguard R=Required / A=Addressable Security Requirements Splashtop Enterprise Security Features Unique User Identification (R): Assign a unique name and/or number for Identifying and tracking user identity. [ 164.312(a)(2)(i) ] Allows the administrator to assign a unique user id/password (ID) to individual users. IDs can be retrieved from Active Directory. Access Control (R): Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). [ 164.312(a)(1) ] IDs can be edited or de-activated/deleted. The Splashtop Center Server authenticates and verifies IDs against Active Directory. Grouping allows users access to groups of physical or virtual desktops on a per user and group basis. Person or Entity Authentication (R): Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. [ 164.312(d) ] Device authentication enables authentication of devices to ensure compromised ID credentials cannot be used from non-authenticated devices. Restrict access from remote locations by limiting access to the local network only. Force password entry for every session by removing automatic login option from remote device. Audit Controls (R): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronically protected health information. [ 164.312(b) ] Maintains an audit trail of all connections including the devices connecting from/to, session duration, date and time of session. A real-time view of sessions is also displayed. Splashtop Inc. 11/12

Encryption and Decryption (A): Implement a mechanism to encrypt and decrypt electronic protected health information. [ 164.312(a)(2)(iv) ] Transmission Security (R): Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. [ 164.312(e)(1) ] Uses TLS with AES-256 bit encryption for the end to end communication so customer health information is protected during transmission. Code signed components of the software eliminate the possibility of tampering. Option to upload company SSL certificates for additional security. Encryption (A): Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. [ 164.312(e)(2)(ii) ] Splashtop Inc. 12/12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information