
Cloud security

What is security for Secure Remote Access Cloud?

Security for Secure Remote Access Cloud ensures the protection of remote access sessions through advanced security measures designed specifically for cloud environments. It helps maintain compliance with industry and organizational standards while enabling secure and reliable support operations.

How is it useful to my organization?

Security for Secure Remote Access Cloud protects your organization by preventing unauthorized access, safeguarding sensitive data, and ensuring secure remote support activities. This enhances your overall security posture, streamlines operations, and delivers a reliable and secure end-user support experience.

Get to know BeyondTrust Secure Remote Access: an overview

BeyondTrust connects and protects people and technology with leading secure access solutions that strengthen security while increasing productivity. Secure Remote Access lets you control access to critical systems without hindering the work privileged users need to perform. You can define how users connect, monitor sessions in real time, and record every session for a detailed audit trail.

Secure Remote Access can connect to external user directories, such as LDAP, for secure user management, and natively integrates with leading systems management and identity management solutions. An API is provided for use with automation tools and external applications.

Secure Remote Access is compatible with multiple operating systems, including Windows, Mac, various Linux distributions, and mobile operating systems. Supported system types include laptops, desktops, servers, kiosks, point-of-sale systems, smartphones, and network devices.

Secure Remote Access mediates connections between users and remote systems, allowing file uploads and downloads, remote control of desktops, and access to system information and diagnostics, the command line, and the registry editor.

Architecture

Infrastructure

The BeyondTrust Secure Remote Access Cloud infrastructure is spread across six Tier 3 or higher data centers. Secure Remote Access customers can designate a regional data center to host their Secure Remote Access solution so that performance is not hindered by geographic distance between users of the solution. All data centers leverage advanced electrical and cooling systems and N+1 redundancy with uninterruptible power solutions and generator backup. The data centers have advanced networking capabilities such as 10Gb+ connectivity and a 40Gb+ core network.

Compliance

Data centers hosting Secure Remote Access Cloud have achieved ISO/IEC 27001 certification of their information security management systems. Additionally, all data centers have completed the following examinations:

  • SOC II Type 1
  • SSAE 16
    • SOC 1 Type II
    • SOC 2 Type II

They are also Data Privacy Framework-compliant to meet European Data Privacy compliance regulations.

Physical security

All Secure Remote Access Cloud servers are housed in data centers that employ a high standard of physical protection. The measures include multiple levels of physical security, such as:

  • Man traps / air lock
  • Badged access
  • Securely locked cages
  • Biometric access
  • Securely isolated storage area
  • 24/7 security personnel on duty

Network security

The network architecture is built to protect all entry points assigned to customers. Highly available edge gateways and segmented network components are dedicated and configured in Secure Remote Access. The infrastructure is continuously monitored, and vulnerability testing is conducted regularly by internal security staff.

Customer data

All customer data is confined to a dedicated instance of Secure Remote Access allocated to your organization. The data physically and logically resides in a siloed Secure Remote Access instance and is not shared between customers. This unique approach to the segregation of customers keeps your data safe.

Authentication

Secure Remote Access can be provisioned for locally defined user Secure Remote Access accounts or can be integrated into existing authentication sources. For instance, a commonly integrated authentication source is Microsoft Active Directory. When using a directory such as this, all authentication follows the existing controls and processes in place for safeguarding user accounts.

Additional security providers are available that allow for user authentication using Kerberos or SAML (for single sign-on) or using RADIUS (for multi-factor authentication). Each of these providers can be configured to use LDAP groups to set the permissions for the user, allowing you to map existing LDAP groups to teams in Secure Remote Access.

There are a large number of granular permissions that can be granted to users. These permissions determine which features in Secure Remote Access a user has access to.

Credential management

BeyondTrust Secure Remote Access can be integrated with an Endpoint Credential Manager (ECM) to improve password security for privileged users and vendors.

An ECM functions as the middleware for communication, and the ECM can be used to integrate Secure Remote Access with password vaults.

Credential injection is a built-in feature of Secure Remote Access. It allows administrators and privileged users to seamlessly inject credentials into systems without exposing plain text passwords, and this feature can also be used with third-party vault tools.

Encryption and ports

BeyondTrust Secure Remote Access can be configured such that it enforces the use of SSL for every connection made to the site. Secure Remote Access requires that the SSL certificate being used to encrypt the transport is valid.

Secure Remote Access can natively generate certificate signing requests. Configuration options also are available to disable the use of TLSv1 and/or TLSv1.1. Secure Remote Access always has TLSv1.2 enabled to ensure proper operation of the software. Available cipher suites can be enabled or disabled and reordered as needed to meet the needs of your organization.

The Secure Remote Access software itself is uniquely built for each customer. As part of the build, an encrypted license file is generated that contains the site Domain Name System (DNS) name and the SSL certificate, which is used by the respective Secure Remote Access client to validate the connection that is made to the Cloud site.

The chart below lists the required and optional ports. The Secure Remote Access Cloud infrastructure exposes very few ports, which drastically reduces the site's potential attack surface.

Below are example firewall rules for use with Secure Remote Access Cloud, including port numbers, descriptions, and required rules.

Firewall rules

Internal network to the Secure Remote Access Cloud instance

  • TCP Port 80 (optional): Used to host the portal page without the user having to type HTTPS. The traffic can be automatically redirected to port 443.
  • TCP Port 443 (required): Used for all session traffic.

Secure Remote Access Cloud instance to the internal network

  • TCP Port 25, 465, or 587 (optional): Allows the B Series Appliance to send admin mail alerts. The port is set in SMTP configuration.
  • TCP Port 443 (optional): B Series Appliance to web services (e.g., HP Service Manager, BMC Remedy) for outbound events.
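
The following is an added example, not BeyondTrust code: it audits a firewall rule export against the port table above, flagging rules that open anything beyond the documented ports (including over-wide ranges) and reporting a missing required rule. The CSV layout, the direction labels `to_cloud` / `from_cloud`, and the sample rules are assumptions constructed for illustration.

```python
import csv
import io

# Port table from the firewall rules above: (direction, port) -> status.
# The direction labels are names chosen for this example.
DOCUMENTED = {
    ("to_cloud", 443): "required",
    ("to_cloud", 80): "optional",
    ("from_cloud", 25): "optional",
    ("from_cloud", 465): "optional",
    ("from_cloud", 587): "optional",
    ("from_cloud", 443): "optional",
}

# Constructed sample export; the CSV layout is an assumption, not a vendor format.
SAMPLE_RULES = """direction,proto,ports,comment
to_cloud,tcp,443,session traffic
to_cloud,tcp,80,portal redirect
to_cloud,tcp,8000-8100,legacy rule
from_cloud,tcp,587,admin mail alerts
from_cloud,udp,443,copied by mistake
"""

def parse_ports(spec):
    """Expand '443' or '8000-8100' into an inclusive range of port numbers."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return range(low, high + 1)

def audit(rules_csv):
    """Return (unexpected rules, missing required entries) against DOCUMENTED."""
    unexpected, seen = [], set()
    for row in csv.DictReader(io.StringIO(rules_csv)):
        direction, ports = row["direction"], parse_ports(row["ports"])
        if row["proto"].lower() != "tcp":  # every documented rule is TCP
            unexpected.append((direction, row["proto"], row["ports"]))
            continue
        covered = {p for (d, p) in DOCUMENTED if d == direction and p in ports}
        seen |= {(direction, p) for p in covered}
        # A range wider than the documented ports it covers exposes extra ports.
        if len(covered) != len(ports):
            unexpected.append((direction, row["proto"], row["ports"]))
    missing = [k for k, v in DOCUMENTED.items() if v == "required" and k not in seen]
    return unexpected, missing

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

A rule such as `to_cloud,tcp,1-65535` satisfies the required port 443 but is still reported as unexpected, because it opens far more than the documented set.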

Auditing

Logging and storage

BeyondTrust Secure Remote Access provides two types of session logging. All the events of an individual session are logged as a text-based log. This log includes users involved, session tools used, chat transcripts, system information, and any other actions taken by the SRA user. This data is available on the B Series Appliance in an uneditable format for up to 90 days, but it can be moved to an external database using the Secure Remote Access API or the integration client. All sessions are assigned a unique session ID referred to as an LSID. The session LSID is a 32-character string that is a unique GUID for each session. The LSID is stored as part of each session log for every session conducted.

Secure Remote Access also allows enabling video session recordings. This records the visible user interface of the endpoint screen for the entire screen sharing session. The recording also contains metadata to identify who is in control of the mouse and keyboard at any given time during the playback of the recorded session. The period of time these recordings remain available depends on the amount of session activity and the available storage, up to 90 days maximum. As with the session logging, these recordings can be moved to an external file store using the API or the integration client.

BeyondTrust integration client

The integration client can be used to export data from the site and store it if needed to comply with security policies. Secure Remote Access can also be configured to store data for a shorter period of time to help comply with security policies.

The integration client is a Windows application that uses the API to export session logs, recordings, and backups from the Secure Remote Access Cloud site according to a defined periodic schedule. The integration client uses plug-in modules to determine the repository for the exported data.

Secure Remote Access provides two integration client plug-in modules. One handles export of reports and video recordings to a file system destination. The second exports select report information (a subset of the entire data collection) to a Microsoft SQL Server database. Setup of the integration client for SQL Server includes all of the procedures needed to automatically define the necessary database, tables, and fields.

In practice, the integration client is used to export session data that must be retained for legal and compliance reasons. The reports and recordings are archived in a file system, indexed by session IDs. Data stored in the SQL Server tables may be queried to locate the Secure Remote Access session ID corresponding to given search criteria such as date, user, or IP address.

All authentication events, such as when a user logs in to the console or accesses the /login interface, generate a syslog event which can be logged on a syslog server. Additionally, any configuration change that is made to the Secure Remote Access Cloud instance also generates a syslog event showing the change that was made and by which user.

Validation

To ensure the security and value of our product, BeyondTrust incorporates vulnerability scanning in our software testing process. We track the results of vulnerability scans performed prior to a software release and prioritize resolution based on severity and criticality of any issues uncovered. Should a critical or high-risk vulnerability surface after a software release, a subsequent maintenance release addresses the vulnerability. Updated maintenance versions are distributed to our customers via the update manager interface within the Secure Remote Access administrative interface. When necessary, BeyondTrust Technical Support contacts customers directly, describing special procedures to follow to obtain an updated maintenance version. Additionally, Secure Remote Access Cloud instances might be automatically updated based on the update interval chosen by the customer at the time of purchase.

In addition to internal scanning procedures, BeyondTrust contracts with third parties for a source code level review as well as penetration testing. The source code review conducted essentially provides validation from a third party that coding best practices are followed and that proper controls are in place to protect against known vulnerabilities. A penetration test is conducted to confirm the findings.


©2003-2025 BeyondTrust Corporation. All Rights Reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.