Remote access and execution (or IT automation) are high-value targets for malicious actors. Yet until now, zero trust has never been applied to remote access control in SaaS RMM solutions. GoTo Resolve is the first in the industry to do so—and it’s perfect timing as businesses fully adopt remote and hybrid work.
Former President Ronald Reagan once said about negotiating nuclear disarmament treaties with the former Soviet Union: “Trust, but verify.”
Zero trust says, “Never trust, always verify.” Trust always involves risk, especially when you don’t know people and what they might do. Verification (the process of establishing the truth, accuracy, or validity of something) is about risk mitigation in a context where people can’t always be “known” and/or trusted.
So, what is zero trust security?
Zero trust is a strict security protocol that takes a “trust nothing, verify everything” approach within software or an IT environment. It assumes that there are multiple entry points into a piece of software or an IT infrastructure. That could be not only through a traditional user login, but also through software backdoors, APIs (Application Program Interfaces), and more. With zero trust security, any sensitive actions or information invokes an additional verification point, with the intention of countering malicious/unwanted actors.
Until now, true zero trust has never been applied to access control in a SaaS (Software as a Service) RMM (remote monitoring and management) solution. GoTo is leading the way with the launch of GoTo Resolve, a new all-in-one IT management solution. Here’s why that matters.
Why zero trust access control is 100% important today
1. Access to remote endpoints and data is mission-critical for businesses, making remote access an attractive target.
Actions related to remote access and execution (or IT automation) are high-value targets for malicious actors, especially given the level of “silent" access they provide to a company’s endpoints. Zero trust applied to access control is a valuable tool to counter such threats.
2. Hybrid work means organizations are flexible-first, not office-centric.
Remote work has changed how and where work happens. IT teams must now support and secure a highly fluid workforce using multiple devices both on and off network. All of this IT complexity (and inconsistency) can open new vulnerabilities that malicious actors are increasingly seeking to exploit. In today's flexible work landscape, traditional, on-premises security measures no longer offer the best protection.
3. Cyberattacks are increasing in volume and sophistication.
Malicious actors have been busy. They are highly adaptive in their cyberattacks and are eagerly taking advantage of opportunities presented by evolving gaps in security. Cyberattacks like phishing and ransomware, both accelerating since the pandemic began, put personal and business data at risk. If that weren’t bad enough, supply chain attacks can cause catastrophic results for many companies, disrupt business continuity, and result in significant financial impact.
With the risk landscape expanding, the best and perhaps only response is to tighten security with tools like zero trust.
How GoTo Resolve’s approach to zero trust is unique
As a first for SaaS solutions, GoTo is applying zero trust architecture to remote monitoring & management (RMM) access control. This secures remote access and remote execution across deployed hosts to counter malicious actors.
What is zero trust architecture and how does it work?
Where there are deployed hosts, zero trust assumes that even if a user is behind the login wall, the system should not automatically trust that they should be there. Instead of automatically trusting access and giving a user (or piece of code) the ability to take actions (such as running IT automations) on hosts, zero trust requires that anyone and everything trying to connect to its systems verify identity before granting a sensitive level of access.
- The applet on a remote device accepts commands from authorized agents only.
- Agents must create and use a unique, individual signature key to reauthenticate sensitive tasks.
- This key is only known to the agent, not to GoTo, and cannot be compromised online.
- Even if a malicious actor hacks into the backend or phishes login credentials, the attacker cannot change or create new automations for endpoints without the signature key.
- Endpoints obey only their signed commands.