Archive for the ‘Security’ Category

Beware of freeware says the SSPA

September 11, 2009

“Beware of freeware” writes John Ragsdale, VP of Technology Research at the SSPA, in his recent report called Market Overview: Web Collaboration. Ten Distinct Modules Comprise this Popular Support Technology.

The following is a quote from John’s report, which defines how collaboration works in remote support tools:

Beware of freeware. Basic Web chat and desktop sharing can be had for free and is often bundled into e-commerce servers and other IT and support tools. But keep in mind, you get what you pay for. Lower-end and freeware products offer less security, little or no audit trail, and integration to an incident management or knowledgebase system may be nearly impossible.

You can read more from John in his blog: http://jragsdale.wordpress.com/

If you are a member of the SSPA you can access the report as a part of your membership. Otherwise, you can contact them to purchase it.

Unattended Support: Security and Best Practices — Part 3

December 19, 2008

This is a 3 part series. Part 1 explained Unattended Support, Part 2 gave you step-by-step instructions for how to set up Unattended Support on a client computer. Now, in Part 3, I will discuss the security issues and best practices to follow when using GoToAssist Express Unattended Support.

As I sat down to type out this post, I realized it would be much better if you could hear directly from the Citrix Online security team, as they are the ones who develop and enforce our remote support security policies. To put it a bit more directly, they are the ones who ensure your data, and your customer’s data is encrypted, uncompromised, and secure. And they are awesome at it!

So I called up Citrix Online Security Architect, Tony Spataro. Tony is the security lead for GoToAssist Express and part of the Citrix Online Security Group. He performs security analysis and design, working closely with other engineers to ensure that all changes are implemented in accordance with the product’s security architecture. Tony designs and implements the security-relevant features of GoToAssist Express and other Citrix Online products.
Below is the transcript from our interview.

Brenda: How many hours a day are you thinking about security issues?
Tony: Hmm… If we assume that I never have security dreams or nightmares, then I’d say I spend about 16 hours per day thinking about security – which is to say, every waking moment! Of course, it’s not always computer security that I think about. Security guys are always looking for threats in the environment and finding ways to reduce risk. It’s just the way our minds work.

Believe it or not, I spend a fair amount of time at work thinking about ways to provide less security. One of my guiding philosophies is that availability and security are generally at odds with one another. We’ve all used software before that was so secure it hurt! A large part of my job is to identify the important risks, mitigate risk in the least obtrusive way possible, and find ways to accommodate the very wide range of security needs that our customers exhibit.

Brenda: Is GoToAssist Express Unattended Support secure?
Tony: Absolutely. Since the word “secure” can mean different things to different people and it is not a very precise word, I want to define what I mean when I say “secure” at Citrix Online. I mean that the confidentiality and integrity of all customer and session data is completely protected using 128-bit AES encryption, SSL and strong passwords.

GoToAssist Express customers know their clients entrust them with access to the client computer and its data; our goal is to ensure that their remote-support experience is just as secure as being at their computer and supporting them in person. If you were sitting at your customer’s machine, you would know if someone was monitoring your keystrokes or mouse commands, or looking over your shoulder at the screen. And you could fight them off with a baseball bat or whatever you have nearby for intruders. GoToAssist Express uses encryption and authentication to prevent unknown intruders and security threats, so you never have to use a baseball bat or ever really worry about intruders or threats – we do that for you. The level of security built into GoToAssist Express makes it just like being there, sitting next to your customer at their computer, only you aren’t physically present at the computer, and you don’t have to have a baseball bat.

Brenda: Nice metaphor, OK, but can I still have a baseball bat (or in my case, a hockey stick) near my desk just for fun?
Tony: Yes, of course.

Brenda: What security measures are in place to notify the end-user customer that someone has set up Unattended Support on their machine?
Tony: First of all, enabling Unattended Support on a machine requires the explicit consent of someone who is physically at that machine – in other words – it is 100% permission-based. When you set up Unattended Support during a session, you will notice that screen sharing pauses momentarily. During this pause, we are showing a dialog box to the customer explaining what Unattended Support is and asking their permission to continue. Once Unattended Support is set up, the GoToAssist Express icon remains in the system tray at all times as a reminder to the customer. They can get more information or disable Unattended Support at any time by right-clicking the system tray icon.

Brenda: How do we guarantee the confidentiality and integrity of the end-user customer’s data and machine?
Tony: It’s all about the access code. As part of the setup process for Unattended Support, we ask you to choose an access code for the machine. Your access code is a secret that you share with the customer’s machine, and it lets the two of you authenticate each other at the beginning of a session and agree on secret cryptographic keys that are guaranteed to be known only to the two of you. Not even Citrix Online knows these keys; as long as you choose a sufficiently long and complex access code and keep it safe, it is computationally infeasible for anyone to spy on your unattended sessions.

Brenda: What if the end-user customer doesn’t want their support rep to access their machine anymore? What controls do they have?
Tony: Customers can choose to revoke the support rep’s unattended privileges at any time using the system tray icon’s context menu. The customer has the option to permanently revoke access or to temporarily block access for a limited time. Blocking access is useful if the end-user customer knows a late night unattended session is planned but they want to cancel so they can finish up a project for a deadline. Revoking access or uninstalling the software will also keep the support rep away! Support reps can also delete the Unattended Support Computer from their list at the request of their client.

Brenda: What are some best practices that all GoToAssist customers should follow when setting up Unattended Support on their clients’ machines?
Tony:

  • Never set up Unattended Support without first explaining to your customer what you are doing and how it will provide access to their computer. GoToAssist Express software shows them an informative dialog and asks their permission to continue, but at the end of the day, your customer places their trust in you – the person with whom they have a business relationship – and not in any piece of software. It’s important that you build on their trust in you by talking them through the process and explaining the concept of Unattended Support to them. 
  • Always choose the longest, most complex access code you can tolerate. It’s better to choose a real doozy, write it down and put it in your wallet, than to choose something easy to guess. Bear in mind that the access code is the cornerstone of the security guarantees that GoToAssist provides. 
  • Choose a different access code for every unattended host you set up. If someone manages to learn one of your access codes, they won’t be able to leap-frog into every computer that you manage. 
  • Once you’ve set up Unattended Support, give your customer a tour of the system tray. Show them how to block or revoke access.
  • It’s a good idea to call or email your customer ahead of time when you’ll be accessing their computer. Even though your customer is giving you permission, it can be very disorienting to have someone jump into your computer while you’re using it.
  • Remember to check the computer status in the Unattended Support dialog before you connect. Computers that show up as “in use” are being actively used by someone who is physically at the machine, and you should think twice (or maybe call them) before connecting.
  • At the time you set up Unattended Support, agree with your customer on the times of day you are likely to access their computer. Find a schedule that works for them and honor it. 
  • Use the software’s session notes feature to keep a log of what you do during every Unattended Support session. Email or call your customer after every session and notify them of what you did. You can even generate a weekly or monthly report of session notes and send it to your customer to demonstrate the value you’ve provided as a vendor. 

Brenda: I know you are taking a few weeks off for the holiday, are you going on a trip?
Tony: Not only am I going on a trip, it’s a very unusual trip. I have a reputation around the office for sprinting off to exotic locales such as Japan, Iceland, Costa Rica and Belgium. As an amateur linguist I find it supremely enjoyable to be immersed in another culture, soaking up their language and customs.

This year I’m doing something different, taking advantage of affordable gas and going on a road trip! My exotic destinations include Utah, Arizona, Oklahoma, New Mexico and Texas. I am assured that the locals are friendly, that the food is quite palatable, and that the language will be no problem for me. I’ll fill you in when I get back!

Brenda: Thanks Tony! Have a great holiday and a fabulous trip!
Tony: As always, it was a pleasure. Have a happy holiday yourself!

If you would like to comment on this post, please log in to your account on the beta Web site and click the link for the forum to log in to the Beta Forum.
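Tony describes the access code as a secret shared only between the support rep and the unattended host: the two use it to authenticate each other at the start of a session and to agree on keys that not even the relaying service knows. The following is an added illustration of that idea, not GoToAssist’s own protocol or code (the page does not say which construction Citrix Online uses). It assumes a constructed host identifier, a three-message exchange with fresh nonces, HMAC-based proofs, and PBKDF2 to stretch the access code; the relay log models what the service in the middle can observe.

```python
# Added example, not GoToAssist's own protocol: a shared-secret handshake in
# which the access code is the only long-term secret. Both sides prove knowledge
# of it to each other, then derive a fresh session key that the relay in the
# middle (playing the role of the service provider) never learns.
import hashlib
import hmac
import secrets

HOST_ID = "unattended-host-0001"  # constructed identifier for this host


def derive_host_key(access_code: str, host_id: str) -> bytes:
    """Stretch the access code into a per-host long-term key with PBKDF2.
    Salting with the host id means the same code yields different keys on
    different hosts, but a distinct access code per host is still the
    right practice: a learned code opens every host it was used on."""
    return hashlib.pbkdf2_hmac("sha256", access_code.encode(), host_id.encode(), 100_000)


def tagged_mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC over length-prefixed parts so fields cannot slide into each other."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


class Party:
    """One endpoint (support rep or unattended host) holding the access code."""

    def __init__(self, name: str, access_code: str, host_id: str = HOST_ID):
        self.name = name
        self.key = derive_host_key(access_code, host_id)
        self.nonce = secrets.token_bytes(16)  # fresh per session: blocks replay
        self.peer_nonce = None
        self.session_key = None


def handshake(rep: Party, host: Party, relay_log: list) -> bool:
    """Three-message mutual authentication. relay_log receives every message
    exactly as the relay forwards it; returns True only if both proofs verify."""
    # 1. rep -> host: rep's nonce (no secret material)
    relay_log.append(("rep->host", rep.nonce))
    host.peer_nonce = rep.nonce
    # 2. host -> rep: host's nonce plus a proof bound to both nonces
    host_proof = tagged_mac(host.key, b"host-proof", host.peer_nonce, host.nonce)
    relay_log.append(("host->rep", host.nonce, host_proof))
    rep.peer_nonce = host.nonce
    expected = tagged_mac(rep.key, b"host-proof", rep.nonce, rep.peer_nonce)
    if not hmac.compare_digest(expected, host_proof):
        return False  # host does not know the access code; rep aborts
    # 3. rep -> host: rep's proof, sent only after the host checked out
    rep_proof = tagged_mac(rep.key, b"rep-proof", rep.nonce, rep.peer_nonce)
    relay_log.append(("rep->host", rep_proof))
    expected = tagged_mac(host.key, b"rep-proof", host.peer_nonce, host.nonce)
    if not hmac.compare_digest(expected, rep_proof):
        return False  # rep does not know the access code; host refuses the session
    # Both sides derive the same session key from the shared key and both nonces
    rep.session_key = tagged_mac(rep.key, b"session-key", rep.nonce, rep.peer_nonce)
    host.session_key = tagged_mac(host.key, b"session-key", host.peer_nonce, host.nonce)
    return True


def run_session(rep_code: str, host_code: str):
    """Run one handshake and return (authenticated, rep, host, relay_log)."""
    rep, host = Party("rep", rep_code), Party("host", host_code)
    relay_log = []
    ok = handshake(rep, host, relay_log)
    return ok, rep, host, relay_log


def relay_saw_session_key(relay_log: list, session_key: bytes) -> bool:
    """Check whether the session key appears as any field the relay forwarded."""
    return any(session_key == field for message in relay_log for field in message[1:])


if __name__ == "__main__":
    code = "7Qk-vp2-Lm9-xR4!"  # constructed access code
    ok, rep, host, log = run_session(code, code)
    print("authenticated:", ok, "| keys match:", rep.session_key == host.session_key)
    print("relay learned session key:", relay_saw_session_key(log, rep.session_key))
    print("wrong code authenticated:", run_session(code, "guess")[0])
```

The relay forwards only nonces and proofs, so it cannot compute the session key without the access code, and a fresh pair of nonces gives every session its own key. The design choice worth noting is that the strength of this scheme rests entirely on the access code: anyone holding the relay log can test candidate codes offline against the recorded proofs, which is exactly why the interview stresses choosing the longest, most complex code you can tolerate and a different one per host. Password-authenticated key exchange protocols are built to remove that dependence on code entropy; the page does not say which construction GoToAssist uses.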

Is GoToAssist Express Secure?

October 9, 2007

Definitely! You and your clients can trust GoToAssist Express because it has the same security architecture as GoToAssist: Secure Sockets Layer (SSL) and 128-bit Advanced Encryption Standard (AES) encryption. It’s the same level of security that online banks use. No unencrypted information is ever stored on our system, and consultants using GoToAssist Express can only access their clients’ computers if they’re given permission.  

Plus, Citrix Online has achieved SiteSecure certification from Cybertrust.

If you would like to comment on this post, please log in to the Beta Forum at forums.gotoassist.com.