sunhux
asked on
Best practices for remote access support for vendors to sensitive systems
In some places (eg: Defense sites & possibly banking), it's forbidden for vendors
(MS, storage vendors, VMWare etc) to do Webex to do troubleshooting/support.
If the expertise is not available locally & it requires experts overseas to further
look into it, what are the acceptable/secure ways to do this so that vendors
don't take screen shots of sensitive screens?
a) I've heard of callback : is this just to identify that the remote party is a
legitimate party? Is this still applicable in internet access today or is it
in the dial-up modem days?
b) or get the vendor company to sign a non-disclosure & official
secrecy agreement only?
Ascertain the exposure and make sure the remote does not go direct if possible, as getting the rules opened up, at least when I tried, is a surmountable task compared to an onsite visit. The vendor is able to suggest means. Avoid sharing any internal logs or equivalents to cloud shares, which the vendor may suggest as the dump can be very huge. Data confidentiality outweighs the aftermath of such "intentional" leakage for convenience of sharing.
Agreement signed; watch over, onsite or even remote, should always have your staff and the vendor present; audit trails of activities from beginning till end of session; and do not hold long sessions. Never expose a production backend server directly to the internet.