Secure Application Access

Security-First Design

The security and integrity of organizational and customer data is vitally important to every organization. While many employees continue to work from home post-pandemic, remote application access solutions can be an easy access point for attackers, making them subject to intense scrutiny by IT security teams. Post-pandemic, as organizations become more distributed, those security concerns and that scrutiny will remain.

GO-Global® leverages the best available security technologies to provide organizations with a multi-layered security system that ensures data security and customer privacy. Applications deployed through GO-Global are typically more secure than when they are installed directly on an endpoint device.

Proprietary Connection Protocol

From its beginning, GO-Global was designed to be secure. GO-Global was developed using GraphOn’s proprietary, closed-source RapidX Protocol (RXP). Compared to open-source protocols like Microsoft® Remote Desktop Protocol, RXP offers additional defense against attackers simply because it is closed-source. Additional GO-Global built-in security measures include disabling all configuration options that enable sharing of server or client resources and control over exactly which applications can be accessed remotely.

Operating System Security and User Authentication

GO-Global inherits and honors all user and data security boundaries from the Windows® operating system, including Group Policies, Access Control Lists, etc. GO-Global also maintains security settings controlling access at the user and application level that are enforced during the logon process. Additionally, GO-Global respects Windows file, folder, share, printer, and registry permissions, which are central to Windows system security.

To reduce potential security threats, IT admins using GO-Global should adhere to Microsoft’s recommended best practices, especially avoiding Administrator privileges for end users. To ensure consistency across multiple hosts, GraphOn® recommends using Windows Group Policies for all global security settings.

Additional security recommendations when using GO-Global include the use of Integrated Windows Authentication to eliminate the need to cache passwords for connections between Windows clients and GO-Global Hosts.

Two-Factor Authentication

GO-Global provides a vital extra layer of connection security with Two-Factor Authentication (2FA) for remote app access, which requires users to enter a 6-digit code from an authenticator app on a smartphone in addition to their username and password. 2FA ensures that, even if a user’s password is compromised, the attacker will not be able to access the host system without access to the user’s unlocked phone. This renders brute-force and dictionary password searches useless – which is especially critical now, with many end users working remotely, driving increases in brute-force attacks. 2FA also reduces the burden of enforcing a complex password policy.
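How a server can check the 6-digit authenticator code described above, including clock drift and code reuse. This is an added example, not GO-Global code: it assumes the code is a standard TOTP value (RFC 6238, HMAC-SHA1, 30-second step), which this page does not state, and the names `totp` and `Verifier` are hypothetical.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30    # seconds per code (assumed RFC 6238 default, not stated on the page)
DIGITS = 6   # code length stated on the page


def totp(secret: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """Return the code for the time step containing `at` (RFC 6238 over RFC 4226)."""
    counter = int(at) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble picks a 4-byte window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Verifier:
    """Checks a submitted code, tolerating clock drift and refusing reuse."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_counter = -1  # highest time step already accepted

    def verify(self, code: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        current = int(now) // STEP
        for counter in range(current - self.drift_steps,
                             current + self.drift_steps + 1):
            if counter <= self.last_counter:
                continue  # this step (or an older one) was already used: replay
            expected = totp(self.secret, counter * STEP)
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False
```

A deployment would also rate-limit failed attempts per account, since a 6-digit code has only one million possible values.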

Single Sign-On

Single Sign-On (SSO) is an access control method that enables end users to securely authenticate with multiple cloud applications and websites by using just a single set of credentials, like a username and password. SSO saves end users from having to remember multiple sets of credentials—and saves helpdesks thousands of hours annually recovering and changing passwords when end users do forget.

Historically, SSO has not allowed users to authenticate to Windows applications. Instead, Windows uses Winlogon, its proprietary authentication module, to enable end users to log in to Windows with a username and password. Windows does not support logons without a password and as such does not support strong authentication through SSO.

GO-Global rectifies this situation by providing support for OpenID® Connect (a simple identity layer on top of the OAuth 2.0 protocol) to enable single sign-on to Windows applications published using GO-Global. OpenID Connect support allows end users to sign in once to their identity provider using the authentication policies and credentials defined by that provider, and then access Windows applications with just one click.

Client Session Encryption

By default, GO-Global accomplishes session encryption using DES (Data Encryption Standard) with 56-bit key strength for all client session connections to protect against basic packet sniffers and clients intercepting raw data communications. It is fast, reliable, and offers an immediate level of security for LAN-based connections via GO-Global.

For internet communications and security-conscious environments, GO-Global offers TLS-based transport with the following encryption algorithms: 128-bit RC4, 168-bit 3DES and 256-bit AES. These stronger encryption algorithms require that the administrator apply a signed TLS certificate on the host, which can be obtained from any standard Certificate Authority. Administrators can also generate trusted TLS certificates for GO-Global Hosts through the Security tab of the Host Options dialog in the Admin Console, provided the GO-Global Host has a publicly registered DNS address. This allows administrators to enable strong encryption and TLS security without purchasing a certificate from a third-party Certificate Authority.
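A client-side check of which of the three TLS algorithms listed above a host actually negotiates. This is an added example, not GO-Global code: the host and port passed to it are whatever the administrator's deployment uses, and the verdicts reflect general TLS guidance (RFC 7465 prohibits RC4 in TLS; 3DES has a 64-bit block) rather than anything stated on this page.

```python
import socket
import ssl


def negotiated_cipher(host: str, port: int, timeout: float = 5.0):
    """Connect and return (suite_name, protocol, secret_bits) as reported by ssl."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and host name
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.cipher()


def assess(cipher):
    """Map a cipher() tuple to (verdict, reason)."""
    name, protocol, bits = cipher
    upper = name.upper()
    if "RC4" in upper:
        return "reject", "RC4 is prohibited in TLS by RFC 7465"
    if "3DES" in upper or "DES-CBC3" in upper or "DES_EDE" in upper:
        return "reject", "3DES has a 64-bit block and is deprecated"
    if protocol in ("SSLv3", "TLSv1", "TLSv1.1"):
        return "reject", f"{protocol} is deprecated"
    if "AES" in upper and bits >= 256:
        return "ok", "256-bit AES"
    if "AES" in upper:
        return "warn", f"AES with a {bits}-bit key, below the 256-bit option"
    return "warn", "suite is not one of those listed on the page"


def check_host(host: str, port: int):
    """Assess a live host; a failed handshake is itself a finding."""
    try:
        return assess(negotiated_cipher(host, port))
    except ssl.SSLError as exc:
        # Current OpenSSL clients do not offer RC4 or 3DES by default, so a host
        # limited to those suites fails here instead of negotiating one.
        return "reject", f"TLS handshake failed: {exc.reason}"


# Constructed sample tuples in the shape ssl.SSLSocket.cipher() returns.
SAMPLES = [
    ("RC4-SHA", "TLSv1.2", 128),
    ("DES-CBC3-SHA", "TLSv1.2", 112),
    ("AES256-GCM-SHA384", "TLSv1.2", 256),
    ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128),
]
```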

Additional Security Measures

Many organizations use a VPN solution for remote access to applications. Most GraphOn® customers opt to extend their existing VPN environment to support GO-Global session traffic from remote end users. To get an additional security layer, IT can use TLS to encrypt GO-Global sessions running within a VPN data stream. GO-Global also supports Proxy Server Tunneling, also known as HTTP Connect, which allows a user who accesses the internet via a web proxy server to connect to GO-Global Hosts on the internet.