Remote Support Security For The Modern Enterprise


White Paper: Corporate Remote Support Security for the Modern Enterprise

GoToAssist Corporate provides robust end-to-end data security measures that address both passive and active attacks against confidentiality, integrity and availability.

gotoassist.com

Data Security Measures

GoToAssist Corporate is a hosted service that provides a way to deliver remote support to Windows-based and Mac computers. GoToAssist Corporate allows a user to request support from a support representative and then allows that representative to view and optionally control the end user’s computer remotely.

This document focuses on the information security features of GoToAssist Corporate. The reader is assumed to have a basic understanding of the product and its features. Additional materials on GoToAssist Corporate may be found online at www.gotoassist.com or by contacting a representative.

GoToAssist Corporate service delivery architecture

The diagram below provides a schematic overview of all major GoToAssist Corporate service delivery components and communication paths.

Definitions

HelpAlert: Win32 executable that resides on the service representative’s computer and enables the representative to receive and reply to incoming customer queries.

ChatLink: Endpoint application that facilitates text-based communication between a customer and a service representative.

Browser: Standard Internet web browser, such as Chrome, Firefox, Internet Explorer, etc.

Replay Viewer: Endpoint application that allows company managers, team managers and representative managers to replay recorded GoToAssist Corporate sessions. Replay viewer can replay remote screen sharing, local screen sharing, chat and remote diagnostics.

GoToAssist Website: Web application that provides access to the GoToAssist website and web-based internal and external administration portals.

GoToAssist Service Broker: Web application that realizes GoToAssist Corporate account and service management, persistent storage and reporting functions.

Multicast Communication Server: One of a fleet of globally distributed servers used to realize a variety of high-availability unicast and multicast communication services.

Endpoint Gateway: A special-purpose gateway used by various endpoint applications to securely access the GoToAssist Service Broker for a variety of purposes using remote procedure calls.

Passphrase Changer: Endpoint application that facilitates the changing of the passphrase used to protect cryptographically enforced access to session recordings.

Application security

GoToAssist Corporate provides access to a variety of resources and services using a role-based access control system that is enforced by the various service delivery components. The roles and related terms are defined in the table below:

Roles

Administrator (or admin): The employee who creates Groups and Portals in a company’s GoToAssist Corporate Management Center. Admins can create, modify and delete GoToAssist Corporate accounts, portals, company managers and team managers; modify subscription and pricing data; and perform other administrative functions.

Company: GoToAssist Corporate customer for whom portals are set up.

Company Manager: A client company’s employee that has access to its GoToAssist Corporate Management Center. Allowed to modify accounts, portals, teams and representatives associated with his account.

Customer: The person requesting support from the client company via GoToAssist Corporate.

Group/Team: Collection of representatives that are assigned to a specific portal. Every representative belongs to exactly one group or team; every group or team is assigned to exactly one portal. Groups/teams contain some default settings for representatives.

Group Manager/Team Manager: A client employee authorized by a company manager to modify certain aspects of a team, and that team’s associated portal and representatives.

Representative: The support person who answers customer queries via HelpAlert.

Authentication

GoToAssist Corporate administrators, managers and representatives are authenticated using an account name and a strong password. Passwords are governed by the following policies:

Strong passwords: A strong password is 8-32 characters in length and must contain at least three of the following four: upper-case alphabet [A-Z], lower-case alphabet [a-z], numbers [0-9], and special symbols [ !@# % &*() - {}[] \:;”’ ,.?/]. Strong passwords must not be the same as the login name or the actual first name or last name on the account. Passwords are checked for strength when initialized or changed.

Password expiration period: Expiration period of the password is configurable (min: 10 days, max: 120 days, default: 90 days). If the account holder logs in and the password has expired, the account holder is forced to change his or her password.

Password history: A history of passwords is maintained. A password cannot be changed to a password that exists in the password history. Password history depth is configurable (min: 1, max: 5, default: 3).

Account lockout: After 3 consecutive failed login attempts, the account is put into a mandatory soft-lockout state. This means that the account holder will not be able to log in for a configurable amount of time (min: 5 minutes, max: 30 minutes, default: 5 minutes). After the lockout period expires, the account holder will be able to attempt to log in to his or her account again.

Hard-lockout enforcement is an additional configurable option. After a configurable number of failed login attempts, the account is put in the hard-lockout state. This means that the account holder cannot log in until his or her account password is reset by another privileged account holder. A hard lockout is enabled after a configurable number of attempts (min: 10, max: 50, default: 10).

Protection of customer computer and data

An essential part of GoToAssist Corporate security is its permission-based access control model for protecting access to the customer’s computer and the data contained therein.

First, all GoToAssist Corporate sessions must be initiated by the remote customer. GoToAssist Corporate is not designed for unattended support scenarios.

Second, the customer is always prompted for permission before any screen sharing, remote control, or transfer of diagnostic data, files or other information is initiated.

If remote control and screen sharing have been authorized, the customer can watch what the representative does at all times. Further, the customer can easily take control back or terminate the session at any time.

Local security controls on the customer’s PC or Mac are never overridden; the customer or the representative must still provide any Windows or application authentication credentials.

Finally, all connection activities are logged, and the screen-sharing and chat session can be optionally recorded and played back for review at any time.
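
The password-strength rule and the soft/hard lockout behaviour described under Authentication above, as an added Python example (not GoToAssist code). The case-insensitive name comparison and the choice to carry the failure count across soft lockouts are assumptions; the page does not state either.

```python
import string
from dataclasses import dataclass

# Symbols from the page's list; straight quotes stand in for its typographic ones.
SPECIALS = set("!@#%&*()-{}[]\\:;\"',.?/")

def is_strong(password, login, first_name, last_name):
    """8-32 characters, at least three of four classes, not an account name."""
    if not 8 <= len(password) <= 32:
        return False
    classes = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIALS for c in password),
    )
    if sum(classes) < 3:
        return False
    # Assumption: the comparison with account names ignores case.
    names = {login.lower(), first_name.lower(), last_name.lower()}
    return password.lower() not in names

@dataclass
class LockoutPolicy:
    soft_after: int = 3      # fixed at 3 consecutive failures on the page
    soft_minutes: int = 5    # configurable 5-30, default 5
    hard_after: int = 10     # configurable 10-50, default 10 (optional feature)

class Account:
    def __init__(self, policy):
        self.policy = policy
        self.failures = 0        # consecutive failures since the last success
        self.locked_until = 0.0  # end of the current soft lockout, in seconds
        self.hard_locked = False

    def attempt(self, password_ok, now):
        """Return 'ok', 'denied', 'soft-locked' or 'hard-locked'."""
        if self.hard_locked:
            return "hard-locked"
        if now < self.locked_until:
            return "soft-locked"  # refused without checking or counting
        if password_ok:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.policy.hard_after:
            self.hard_locked = True
            return "hard-locked"
        # Assumption: the count carries across soft lockouts, so every
        # third consecutive failure starts a new soft lockout.
        if self.failures % self.policy.soft_after == 0:
            self.locked_until = now + self.policy.soft_minutes * 60
            return "soft-locked"
        return "denied"

    def reset_by_privileged_user(self):
        """Hard lockout ends only when another privileged holder resets it."""
        self.failures, self.locked_until, self.hard_locked = 0, 0.0, False
```

With the default policy, an account that keeps failing is soft-locked on the 3rd, 6th and 9th consecutive failure and hard-locked on the 10th.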

Communications security features

Communication between participants in a GoToAssist Corporate session occurs via an overlay multicast networking stack that logically sits on top of the conventional TCP/IP stack within each user’s computer. This network is realized by a collection of Multicast Communication Servers (MCS). The communications architecture is summarized in the figure below.

GoToAssist Corporate session participants (“endpoints”) communicate with infrastructure communication servers and gateways using outbound TCP/IP connections on ports 8200, 443 and 80. Because GoToAssist Corporate is a hosted web-based service, participants can be located anywhere on the Internet — at a remote office, at home, at a business center or connected to another company’s network.

Anytime/anywhere access to the GoToAssist Corporate service provides maximum flexibility and connectivity. However, to preserve the confidentiality and integrity of private business communication, GoToAssist Corporate also incorporates robust communication security features.

Communications confidentiality and integrity

GoToAssist Corporate provides true “end-to-end” data security measures that address both passive and active attacks against confidentiality, integrity and availability. All GoToAssist Corporate connections are “end-to-end” encrypted and accessible only by authorized support session participants.

Screen-sharing data, keyboard/mouse control data and text chat information are never exposed in unencrypted form while temporarily resident within communication servers or during transmission across public or private networks.

When recording is disabled, the GoToAssist Corporate session key is not kept on the servers in any form. Thus, breaking into a server cannot reveal the key for any encrypted stream that the intruder may have captured.

When recording is enabled, chat, screen-sharing and screen-viewing data is stored in encrypted form. The session key is also stored, but it is protected with 1024-bit RSA public/private key encryption. A portal-specific public key is used to encrypt the session key before storage. For replay, three items are needed: the session recording, the encrypted session key and the portal’s private key.

Communications security controls based on strong cryptography are implemented at two layers: the “TCP layer” and the “Multicast Packet Security Layer” (MPSL).

TCP layer security

IETF-standard Secure Sockets Layer (SSL) and Transport Layer Security (TLS 1.2) protocols are used to protect all communication between endpoints. To provide maximum protection against eavesdropping, modification or replay attacks, the only SSL cipher suite supported for non-website TCP connections is 1024-bit RSA with 128-bit AES-CBC and HMAC-SHA1.

However, for maximum compatibility with nearly any web browser on any user’s desktop, the GoToAssist website supports in-bound connections using most supported SSL cipher suites. For the customers’ own protection, we recommend that they configure their browsers to use strong cryptography by default whenever possible and to always install the latest operating system and browser security patches.

When SSL/TLS connections are established to the GoToAssist website and between GoToAssist Corporate components, our servers authenticate themselves to clients using VeriSign/Thawte public key certificates.
For added protection against infrastructure attacks, mutual certificate-based authentication is used on all server-to-server links (e.g., MCS-to-MCS, MCS-to-Broker). These strong authentication measures prevent would-be attackers from masquerading as infrastructure servers or inserting themselves into the middle of support session communications.

Multicast packet security layer

Additional features provide complete “end-to-end” security for multicast packet data, independent of those provided by SSL/TLS. Specifically, all multicast session data is protected by “end-to-end” encryption and integrity mechanisms that prevent anyone with access to our communications servers (whether friendly or hostile) from eavesdropping on a session or manipulating data without detection.

The multicast packet security layer (MPSL) provides an added level of communication confidentiality and integrity and is unique to our products. Company communications are never visible to any third party, including both users who are not invited to a given session.

MPSL key establishment is accomplished by using a randomly generated 128-bit seed value selected by the service broker that is distributed to all endpoints over TLS 1.2 and used as the input to a NIST-approved HMAC-SHA1-based key derivation function. The seed value is erased from the service broker’s memory when the session ends.

MPSL further protects multicast packet data from eavesdropping using 128-bit AES encryption in Counter Mode. Plain-text data is compressed before encryption using proprietary, high performance techniques to optimize bandwidth. Data integrity protection is accomplished by including an integrity check value generated with the HMAC-SHA-1 algorithm. Because GoToAssist Corporate uses very strong, industry-standard cryptographic measures, customers can have a high degree of confidence that multicast support session data is protected against unauthorized disclosure or undetected modification.

Furthermore, there is no additional cost, performance degradation or usability burden associated with these essential communication security features. High performance and standards-based data security is a built-in feature of every GoToAssist Corporate session.

Key Points

- 128-bit AES encryption is used for session confidentiality
- Initial session key is chosen randomly by Broker then passed to endpoints over authenticated and encrypted channels
- Endpoints then negotiate a final session key just among themselves
- Final session key is not known to Broker
- Communication servers only route encrypted packets and do not have the session encryption key
- The GoToAssist Corporate architecture minimizes session data exposure risk while maximizing its ability to link agents to those requesting help

Firewall and proxy compatibility

Like other GoTo products, GoToAssist Corporate includes built-in proxy detection and connection management logic that helps automate software installation, avoid the need for complex network (re)configuration and maximize user productivity. Firewalls and proxies already present in your network generally do not need any special configuration to enable use of GoToAssist Corporate.

When GoToAssist Corporate endpoint software is started, it attempts to contact the GoToAssist service broker via the Endpoint Gateway (EGW) by initiating one or more outbound SSL-protected TCP connections on ports 8200, 443 and/or 80.
Whichever connection responds first will be used and the others will be dropped. This connection provides the foundation for participating in all future support sessions by enabling communication between hosted servers and the user’s desktop.

When the user attempts to join a support session, GoToAssist Corporate endpoint software establishes one or more additional connections to communication servers, again using SSL-protected TCP connections on ports 8200, 443 and/or 80. These connections carry support session data during an active session.

In addition, for connectivity optimization tasks, the endpoint software initiates one or more short-lived TCP connections on ports 8200, 443 and/or 80 that are not SSL protected. These network “probes” do not contain any sensitive or exploitable information and present no risk of sensitive information disclosure.

By automatically adjusting to the local network conditions using only outbound connections and choosing a port that is already open in most firewalls and proxies, GoToAssist Corporate provides a high degree of compatibility with existing network security measures. Unlike some other products, GoToAssist Corporate does not require companies to disable existing network perimeter security controls to allow online support session communication. These features maximize both compatibility and overall network security.

Endpoint system security features

Online support session software must be compatible with a wide variety of desktop environments, yet create a secure endpoint on each user’s desktop. GoToAssist Corporate accomplishes this using web-downloadable executables that employ strong cryptographic measures.

Signed endpoint software

All our executables are digitally signed for integrity protection. Strict quality control and configuration management procedures are followed during development and deployment to ensure software safety. The endpoint software exposes no externally available network interfaces and cannot be used by malware or viruses to exploit or infect remote systems. This protects other desktops participating in a session from being infected by a compromised host used by another attendee.

Cryptographic subsystem implementation

All cryptographic functions and security protocols employed by GoToAssist Corporate client endpoint software are implemented using open source OpenSSL cryptographic libraries. Use of the cryptographic libraries is restricted to the GoToAssist Corporate endpoint application; no external APIs are exposed for access by other software running on that desktop. All encryption and integrity algorithms, key size, and other cryptographic policy parameters are statically encoded when the application is compiled. Because there are no end-user-configurable cryptographic settings, it is impossible for users to weaken GoToAssist Corporate session security through accidental or intentional misconfiguration.
A company that uses GoToAssist Corporate can be certain that the same level of online support session security is present on all participating endpoints, regardless of who owns or operates each desktop.

Hosted infrastructure security features

We deliver GoToAssist Corporate using an application service provider (ASP) model designed expressly to ensure robust and secure operation while integrating seamlessly with a company’s existing network and security infrastructure.

Scalable and reliable infrastructure

The GoTo global service architecture has been designed for maximum performance, reliability and scalability. The GoToAssist Corporate service is driven by industry-standard, high-capacity servers and network equipment with the latest security patches in place. Redundant switches and routers are built into the architecture to ensure that there is never one single point of failure. Clustered servers and backup systems help guarantee a seamless flow of application processes — even in the event of heavy load or system failure. For optimal performance, the GoToAssist broker load balances the client/server sessions across geographically distributed communication servers.

Physical security

All GoToAssist Corporate web, application, communication and database servers are housed in secure co-location datacenters. Physical access to servers is tightly restricted and continuously monitored. All facilities have redundant power and environmental controls.

Network security

We employ firewall, router and VPN-based access controls to secure our private-service networks and backend servers. Infrastructure security is continuously monitored, and vulnerability testing is conducted regularly by internal security staff and outside third-party auditors.
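
The MPSL key derivation and integrity check value described under "Multicast packet security layer" above, as an added Python example (not GoToAssist code). The SP 800-108-style counter construction, the labels, the 8-byte sequence number and the packet layout are assumptions, since the page names only the primitives; AES-128 Counter Mode is left out because the standard library has no AES, so the payload bytes stand in for ciphertext.

```python
import hashlib
import hmac
import struct

TAG_LEN = 20  # HMAC-SHA1 output size in bytes

def kdf_hmac_sha1(seed, label, length):
    """Counter-mode KDF in the style of NIST SP 800-108, HMAC-SHA1 as PRF."""
    out = b""
    counter = 1
    while len(out) < length:
        msg = (struct.pack(">I", counter) + label + b"\x00"
               + struct.pack(">I", length * 8))
        out += hmac.new(seed, msg, hashlib.sha1).digest()
        counter += 1
    return out[:length]

def session_keys(seed):
    """Every endpoint holding the broker's seed derives the same key pair."""
    if len(seed) != 16:
        raise ValueError("the MPSL seed is 128 bits")
    # Separate encryption and integrity keys; the labels are hypothetical.
    enc_key = kdf_hmac_sha1(seed, b"mpsl-enc", 16)
    mac_key = kdf_hmac_sha1(seed, b"mpsl-mac", 20)
    return enc_key, mac_key

def seal(mac_key, seq, ciphertext):
    """Append the integrity check value over sequence number and payload."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha1).digest()
    return header + ciphertext + tag

def open_packet(mac_key, packet, last_seq):
    """Return (seq, ciphertext) if authentic and fresh, otherwise None."""
    if len(packet) < 8 + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None  # modified in transit, or sealed under another key
    seq = struct.unpack(">Q", body[:8])[0]
    if seq <= last_seq:
        return None  # replayed or stale packet
    return seq, body[8:]
```

A communication server that relays the packet without the seed cannot produce a valid check value, so any change it makes is rejected by `open_packet`.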

Customer privacy

Because maintaining the trust of our users is a priority for us, we are committed to respecting your privacy. A link to a copy of the current GoToAssist Corporate privacy policy can be found on the service website at www.gotoassist.com.

Compliance in regulated environments

Because of its comprehensive set of application and communications security controls, including its customer-authorized, permission-based security model, GoToAssist Corporate may be confidently used to support computers and applications in environments subject to HIPAA, Gramm-Leach-Bliley Act or Sarbanes-Oxley regulations, where robust data confidentiality and integrity controls must be employed.

We recommend that organizations carefully review all standard and configurable security features of GoToAssist Corporate in the context of their specific environments, user populations and policy requirements to determine which features should be enabled and how best to configure them. In some cases, communicating additional usage guidelines to users may be ad

interface and feature set make it the most effective solution for conducting online support sessions. Using GoToAssist Corporate, support, consulting and IT professionals can quickly and easily deliver technical help to customers across the globe.

Behind the scenes, our hosted service architecture transparently supports multi-point collaboration by providing a secure, reliable environment. As this paper shows, GoToAssist Corporate promotes ease of use and flexibility without compromising the integrity, privacy or administrative control of business communications or IT assets.
