Enhanced Security

Know where your equipment is at all times

In today's interconnected digital landscape, security remains a paramount concern for individuals and businesses alike. With the increasing demand for remote access to applications and data, the debate between Remote Desktop Services (RDS) and web access with Secure Sockets Layer (SSL) encryption has gained prominence. While both methods strive to ensure data protection, this article delves into why Remote Desktop Services stand out as a more secure option compared to web access with SSL.

Understanding the Basics

Before delving into the security aspects, let's briefly outline the two approaches:

  1. Remote Desktop Services (RDS): RDS allows users to remotely access a computer's desktop environment and applications. It establishes a direct connection between the user's local device and the remote server, enabling them to interact with the host system as if they were physically present.
  2. Web Access with SSL: Secure Sockets Layer (SSL) encryption, now succeeded by Transport Layer Security (TLS), secures data transmitted over the internet between a user's browser and a web server. SSL/TLS certificates encrypt data in transit, ensuring confidentiality and integrity.

1 Reduced Attack Surface

Remote Desktop Services typically operate over a Virtual Private Network (VPN) or a dedicated connection, which inherently reduces the attack surface. By establishing a direct connection, RDS minimizes the exposure to potential threats that could exploit vulnerabilities in web applications.

2 Centralized Control

RDS offers centralized control over user access and permissions. Administrators can manage who can access specific resources, applications, or data, reducing the risk of unauthorized access or data leakage. In contrast, web access through SSL can be more challenging to manage, especially with multiple web applications spread across different servers.

3 Limited Web Application Attack Vectors

Web applications accessible through SSL face a range of vulnerabilities, including SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). While SSL encryption protects data during transmission, it does not inherently shield against these application-level threats. RDS, on the other hand, provides a more isolated environment, reducing the chances of exploitation through web application vulnerabilities.

4 Stronger Identity Verification

RDS can be configured to require multi-factor authentication (MFA) before granting access. This adds an additional layer of security by verifying the user's identity through multiple means, such as something they know (password), something they have (security token), or something they are (biometric verification). While SSL/TLS also supports client certificates for authentication, implementing MFA with RDS offers a more robust defence against unauthorized access.

5 Protection Against Keyloggers and Malware

One of the significant advantages of RDS is that it operates on the host system, not on the user's local device. This means that even if the local device is infected with keyloggers or malware, the remote session remains relatively secure. In a web access scenario, if a user's device is compromised, the encrypted data sent via SSL can still be intercepted and decrypted by the malware.

6 Encrypted Data Transmission and Storage

While both RDS and web access with SSL offer encryption, RDS extends this encryption to data storage on the remote server as well. This ensures that sensitive information remains protected even when stored on the host system, adding an extra layer of security beyond data transmission.

In conclusion, while both Remote Desktop Services and web access with SSL encryption are designed to enhance security, the former provides a more comprehensive and inherently secure approach. By minimizing attack surfaces, centralizing control, and offering stronger identity verification, RDS mitigates many of the vulnerabilities associated with web applications accessible through SSL. As organizations continue to prioritize data protection and secure remote access, choosing the right approach can make all the difference in maintaining a robust and resilient cybersecurity posture.

we elevate your security

Comprehensive Security

Software applications are integral components of an organization’s success. Unfortunately, while applications are built to support faster growth and enhanced user experience, these are also prone to security incidents in the absence of appropriate security mechanisms. Knowing the basics of application security had never been so relevant.

Therefore, over the years UBS has adopted Secure SDLC model to adopt the proper practices and tools to ensure attack vectors do not exploit inherent application vulnerabilities. Below are few examples of security initiatives taken by UBS over the years.

TLS security image

TLS 1.2

Transport Layer Security (TLS), like Secure Sockets Layer (SSL), is an encryption protocol intended to keep data secure when being transferred over a network. TLS 1.2 is more secure than the previous cryptographic protocols such as SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1. Essentially, TLS 1.2 keeps data being transferred across the network more secure.

HSTS

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) informs browsers that the site should only be accessed using HTTPS, and that any future attempts to access it using HTTP should automatically be converted to HTTPS. If a website accepts a connection through HTTP and redirects to HTTPS, visitors may initially communicate with the non-encrypted version of the site before being redirected. This creates an opportunity for a man-in-the-middle attack. The redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site. The HTTP Strict Transport Security header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

HSTS logo
CS image

Crowdstrike

CrowdStrike has redefined security with the world’s most advanced cloud-native platform that protects and enables the people, processes and technologies that drive modern enterprise. CrowdStrike secures the most critical areas of enterprise risk – endpoints and cloud workloads, identity, and data – to keep customers ahead of today’s adversaries and stop breaches. Powered by the CrowdStrike Security Cloud, the CrowdStrike Falcon Platform leverages real-time indicators of attack, threat intelligence on evolving adversary tradecraft and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection and remediation, elite threat hunting and prioritized observability of vulnerabilities – all through a single, lightweight agent. With CrowdStrike, customers benefit from superior protection, better performance, reduced complexity and immediate time-to-value.

Disaster Recovery

Organizations of all sizes generate and manage massive amounts of data, much of it mission critical. The impact of corruption or data loss from human error, hardware failure, malware, or hacking can be substantial. Therefore, it is essential to create a disaster recovery plan for the restoration of business data from a data backup image. RPO (Recovery Point Objective) and RTO (Recovery Time Objective) are two important aspects of IT resilience planning. A Recovery Point Objective (RPO) is the maximum targeted period during which transactional data is lost from an IT service due to a major incident. The Recovery Time Objective (RTO)[9][10] is the targeted duration of time and a service level within which a business process must be restored after a disaster (or disruption). UBS periodically performs DR drills with two fold objectives; to test the backup are in good-to-recover state and reassessing the RPO and RTO parameters.

Recovery of Data
Updates image

Latest software versions (Java & .Net)

Data breaches, hacks, cyber attacks and identity theft have all been in the news. While threat actors continue to come up with new methods to steal information and gain access to systems, there are some simple, preventative measures to help stop them. Keeping your software on latest version is one such layer of protection. Here are some reasons to consider software updates as soon as possible.

  • Patch security flaws – Security is the No. 1 reason to update software immediately.
  • Get new features – Installing updates may add new features and remove old ones that are no longer necessary. Technology is constantly changing, and updates offer the latest features and improvements.
  • Improve performance – Not all patches are security related. Software vendors may find bugs in a program or need to make necessary enhancements to a program. These patches help improve the performance of the software.
  • Ensure compatibility – Software manufacturers send updates to ensure their software is compatible with the latest technology. Without updates, older software may not be able to work with newer technology.

Netsparker scans

Netsparker is an industry-leading web application security solution that automatically scans custom web applications for Cross-Site Scripting (XSS), SQL Injection, and other types of vulnerabilities. It features unique Proof-Based Scanning technology that automatically and safely exploits vulnerabilities and generates a proof of exploit to prove that they are not false positives.

Security image
CVE image

CVE Remediations

Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. UBS has been quick in response and very proactive in remediating CVEs like; log4j & WSO2

Deprecating older features

With ongoing improvements to the R2 platform, sometimes that means retiring outdated functionality or that provides low value to a limited number of customers. There are several motivations for why we deprecate features:

  • UBS’s Product and Engineering team continuously investigates and implements better ways of doing things. With a focus on innovation and our customers' evolving needs, some technologies and applications on our platform may no longer serve customers in the most effective way possible. Additionally, third-party software leveraged by the R2 platform may no longer support specific functionality.
  • UBS may be required to deprecate or retire functionality that does not meet the industry standards.
  • UBS deprecates features only when absolutely necessary. Usually, UBS upgrades features to provide enhanced functionality. However, it is sometimes necessary to deprecate and retire a feature completely.