sunhux

asked on

Best practices for remote access support for vendors to sensitive systems

In some places (e.g. defense sites and possibly banking), it's forbidden for vendors
(MS, storage vendors, VMware etc.) to use Webex for troubleshooting/support.

If the expertise is not available locally and it requires experts overseas to look
further into it, what are the acceptable/secure ways to do this so that vendors
don't take screenshots of sensitive screens?

a) I've heard of callback: is this just to identify that the remote party is a
    legitimate party? Is this still applicable with internet access today, or was it
    only for the dial-up modem days?

b) Or get the vendor company to sign a non-disclosure and official
    secrecy agreement only?
sunhux (ASKER):
Is it a practice to do 2FA (sending a changing secure code to the vendor's mobile phone) for such remote access?
SOLUTION
McKnife (Germany)
SOLUTION
Ascertain the exposure and make sure the remote session does not go direct if possible, as getting the rules opened up (at least when I tried) is a surmountable task compared to an onsite visit. The vendor is able to suggest means. Avoid sharing any internal logs or equivalents to cloud shares, which the vendor may suggest since dumps can be very huge. Data confidentiality outweighs the aftermath of such "intentional" leakage for the convenience of sharing.
ASKER CERTIFIED SOLUTION
Agreement signed; watch over onsite or even remote sessions with your staff and the vendor always both present; keep audit trails of activities from the beginning till the end of the session; and do not hold long sessions. Never expose a production backend server directly to the internet.
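The controls in the accepted answer (signed agreement on file, an internal escort present, an audit trail from start to end, no long sessions) can be enforced by the broker in front of the jump host instead of being left to procedure. The block below is an added example, not code from the thread or from any vendor product: it refuses to open a session without an agreement reference and a named escort, logs every action, auto-closes the session once a time box is exceeded, and hash-chains the audit entries so that editing, dropping or reordering an entry after the fact is detectable when the trail is later reviewed. `VendorSession`, `MAX_SESSION_SECONDS` (a two-hour cap) and the sample vendor, escort and agreement strings are assumptions for the example.

```python
"""Time-boxed, escorted vendor session with a tamper-evident audit trail.

Added example, not code from the thread. VendorSession, MAX_SESSION_SECONDS and the
sample vendor/escort/agreement strings are assumptions made for this illustration.
"""
import hashlib
import json
from dataclasses import dataclass

MAX_SESSION_SECONDS = 2 * 60 * 60   # assumed policy cap: a vendor session never runs past two hours
GENESIS = "0" * 64                  # prev_hash of the first audit entry


class PolicyViolation(Exception):
    """Raised when a session would break the access policy."""


@dataclass
class AuditEntry:
    seq: int
    ts: int          # epoch seconds
    actor: str
    action: str
    prev_hash: str   # digest of the preceding entry; links the chain
    digest: str      # sha256 over this entry's fields plus prev_hash


def _entry_digest(seq, ts, actor, action, prev_hash):
    payload = json.dumps([seq, ts, actor, action, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def verify_chain(log):
    """Recompute every digest; False if any entry was edited, dropped or reordered."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e.seq != i or e.prev_hash != prev:
            return False
        if e.digest != _entry_digest(e.seq, e.ts, e.actor, e.action, e.prev_hash):
            return False
        prev = e.digest
    return True


class VendorSession:
    def __init__(self, vendor, escort, agreement_ref, opened_at, max_seconds=MAX_SESSION_SECONDS):
        if not agreement_ref:
            raise PolicyViolation("no signed agreement on file for this vendor")
        if not escort:
            raise PolicyViolation("an internal escort must be present for the whole session")
        self.vendor, self.escort = vendor, escort
        self.opened_at, self.max_seconds = opened_at, max_seconds
        self.closed = False
        self.log = []
        self._append(opened_at, escort, f"opened session for {vendor} under {agreement_ref}")

    def _append(self, ts, actor, action):
        prev = self.log[-1].digest if self.log else GENESIS
        seq = len(self.log)
        self.log.append(AuditEntry(seq, ts, actor, action, prev,
                                   _entry_digest(seq, ts, actor, action, prev)))

    def record(self, ts, actor, action):
        """Log one vendor/escort action; auto-close and refuse once the time box is exceeded."""
        if self.closed:
            raise PolicyViolation("session already closed")
        if actor not in (self.vendor, self.escort):
            raise PolicyViolation(f"{actor} is not a party to this session")
        if ts - self.opened_at > self.max_seconds:
            self._append(ts, "broker", "auto-closed: time limit exceeded")
            self.closed = True
            raise PolicyViolation("session exceeded its time limit; re-approval required")
        self._append(ts, actor, action)

    def close(self, ts, actor):
        if actor != self.escort:
            raise PolicyViolation("only the internal escort can close the session")
        self._append(ts, actor, "session closed")
        self.closed = True


def demo():
    """Run a sample session (constructed data); returns (chain ok before, chain ok after tamper)."""
    s = VendorSession("vendor-eng", "staff-escort", "NDA-2014-007", opened_at=1_000_000)
    s.record(1_000_060, "vendor-eng", "ran storage diagnostics on array-01")
    s.record(1_000_120, "staff-escort", "approved export of sanitised support bundle")
    s.close(1_000_300, "staff-escort")
    before = verify_chain(s.log)
    s.log[1].action = "no commands run"        # after-the-fact edit of the trail
    return before, verify_chain(s.log)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

In a real deployment the entries are written to a separate append-only store (or forwarded to the SIEM) as they are created, so the vendor's own host never holds the only copy; the broker itself is the single exposed point, and the backend servers stay unreachable from the internet, as the answer says.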