Andrew Woodhouse is CIO at RealVNC, a remote access solution that enables businesses to monitor and secure user access to desktop applications, no matter where or when they’re connecting. Woodhouse has over 25 years of experience in the technology and cybersecurity space, specifically in product design, development and delivery.
Hot off the heels of InfoSecurity Europe 22, we spoke to Woodhouse to discuss the benefits of a modern remote access solution over legacy VPNs, how organizations should go about choosing a remote access solution, and why businesses shouldn’t trust vendors when they say they’re secure.
Can you give us an overview of RealVNC and what differentiates you from other providers in the remote access space?
Absolutely. Let’s start by going back in time to the late 90s. AT&T had a research lab in Cambridge where they were working on a project called Video Tile, which was a very early, effectively thin remote access client. The program allowed users to display something from somewhere else onto a small portable device. This was way before smartphones and iPads.
And, as part of that project, they developed a protocol called “Remote Frame Buffer,” or “RFB.” And then a solution called “Virtual Network Computing,” or “VNC.”
Then AT&T decided that they were going to close down that research lab in Cambridge, which meant the project and remote access protocol—the first one to do graphical remote access—were going to die. Some big industry players—the likes of Intel—were not very happy that these technologies were going to disappear. They could see a future in this graphical, remote screen sharing technology. So, they effectively gave the founders of the company seed money to start a new company and continue the development of the remote access protocol.
Fast forward to 2002, and that’s when RealVNC was founded with the goal of continuing the development of the screen sharing technology called VNC. Back then, the AT&T-produced protocol called RFB was all open source. The last version of that open source protocol is 3.8, and it has a number of problems. Because of this, one of the misconceptions in the industry is that VNC as a whole is an insecure protocol—people mistakenly think it’s not encrypted, and so on. But that only applies to the last open source version of the protocol (3.8).
Since RealVNC was founded and started developing the closed source protocol, that hasn’t been the case—we’re currently at RFB V6. We’ve added a whole lot of performance enhancements, a ton of security—including encryption—and it’s now massively different from the open source protocol that a lot of your readers might be familiar with.
RealVNC were the original inventors of remote access technology. We invented the category, and we have continued to develop the technology.
What challenges are you helping your customers solve today?
There are many use cases of VNC technology, but the most common is remote IT support. If you’ve got a user who has a problem, our technology allows somebody to connect to their machine, see what they’re seeing and, if necessary, control their computer to show them how to do something or fix a problem. We have clients who use the software in space, on deep sea oil rigs, and other interesting use cases.
We have two deployment models: attended access, which is more for that support use case where the support agent wants to connect while somebody is using the machine; and unattended access, which is typically used to connect to servers—for example, if I want to connect to my server to do some administration.
Those are the main use cases we used to see, but interestingly, they have changed since COVID. During the pandemic, a lot of organizations had employees work from home with company laptops. But companies that were processing sensitive data started realizing they had a problem—they did not want that data on a home network. They wanted the data to stay in a secure environment: in the office or in the data center.
Installing applications locally on a laptop that your staff has taken home wasn’t seen as a secure solution. A lot of organizations adopted our technology and installed VNC Viewer onto their staff laptops, which enables the staff to log into a central system in a secure environment, where they’re running the applications remotely. Since COVID hit, that work from home use case has become increasingly popular.
What are some of the benefits of using a modern remote access solution over more traditional technologies, like a VPN?
We’re currently helping one of the biggest pharmaceutical companies in the world move from an all-in-office Active Directory environment to Intune, which will allow staff to work from home. They needed a solution that would let their staff securely access the systems in the office that contained clinical, medical, or sensitive company data that could be managed with Intune. And, most importantly, be easy to use.
Whatever you do as an organization needs to be secure, and it also needs to be easy to use. Because if it’s not, users are going to try and circumvent the security controls you have in place. Very often, things like VPN clients can be quite difficult to use. Users might forget to connect to the VPN, or they might deliberately bypass the VPN so they can access certain categories of websites that are blocked by a DNS filter when connected to the VPN. So, there’s a risk that malware, for example, could be installed onto a work machine by people not having the same network controls on their home network as they do in the office.
With our solution, there is a simple view app, you double click on it, you double click on a computer, it comes up, and that’s it—you’re connected. It’s as if you’re working locally, but all the data is staying where it needs to stay. So, it’s all secure, and it’s very difficult for staff to circumvent. All we have on the machine on the unsecured network is a viewer app. And their staff are connecting to a locked down network where they can’t change anything, so malware can’t affect that network.
What should organizations consider when choosing a remote access solution? What are the key features they should look for, and are there any they should try to avoid?
There are some things which are obvious: it must be secure, connections must be encrypted end-to-end. It must be easy to use, it must perform well, and you must be able to deploy the service and manage it centrally. That piece is really important; IT teams don’t want to be managing hundreds of different proprietary systems. So, things like your AD integration and single sign-on are key. It must also be able to scale to manage as many endpoints as you need it to, using your existing tooling.
If it isn’t those things, you shouldn’t use it.
Touching more on the security piece, one of the things that every organization says is that they take their customer security seriously. But one thing we tell our customers—and it’s not just sales BS—is, you don’t need to trust us to trust our product. And what we really mean by that is, the VNC server component that’s installed onto all the devices that you want to connect to, ultimately decides who can connect to it.
Why is that important? Because if we as a company got compromised and we weren’t doing that—if it wasn’t authenticating using your Active Directory or your system credentials—a compromise of the vendor could mean a compromise of the customer systems. We saw that with SolarWinds, we saw that with Kaseya, and we don’t want to be in that game.
So, ultimately, when you connect to a server, the username and password with which you’re prompted to connect are the same credentials as if you’re just signing into your machine. If you’re using Active Directory, they’ll be your Active Directory credentials.
A lot of our competitors have this concept of a remote access password. And the problem with a remote access password is A, it’s another password that your users need to remember and B, a single password can be shared and therefore leaked out. So, with our service, the users just log in as if they’re sitting at the machine in their place of work.
Another way we differentiate ourselves from our competitors is that they often use something called an ID. So, an endpoint would have a Partner ID. But if you can find out the cloud ID of their machine, you can start hammering at their credentials. With our solution, when an endpoint is joined to a team—a group of all your users and all your computers—there is no way to even discover that machine, unless the account you log into at the cloud services level has access to that endpoint.
That means admins can do role-based access control, and we can guarantee that there is no way that anyone who shouldn’t have access to a machine can get access. And that’s surprisingly different from a lot of our competitors.
Our solution is designed from the ground up to be secure at every level. Security is the absolute bedrock of our service. The world is littered with the corpses of easy-to-use solutions that compromise on security for ease of use. We refuse to do that.
What is your final advice to organizations struggling to secure themselves against some of the sophisticated cyberthreats we’re seeing today?
We were at InfoSec Europe last week, and our key message there was, don’t trust a vendor when they say they’re secure. Make them prove it. Because we invented remote access, we’re now trying to hold the industry to a new standard; we’re trying to set a new bar. As an industry, we’re not good enough at security. So, at the beginning of this year, RealVNC went out and commissioned a full audit of all of our code. Clients, servers, website, cloud services—an independent security consultancy reviewed all of our code, and those results are available to anyone to download—we’re not hiding anything.
The only way to know that something is secure is to have experts going through the code and giving it their seal of approval. Far too often—and this is kind of a bugbear of mine—we see terms like “military grade security”, “defence grade security”, and “bank grade security”. It means absolutely nothing because you don’t know where the encryption stops. Is the data encrypted in transit and at rest? How do you know there aren’t massive security holes or backdoors in the code?
We want to move the industry forward and set a new bar, and actually be able to back up our claim that our solution is secure.
We used a company called Cure53 that has audited a lot of VPN solutions, a number of password managers, and various open source software. For our audit, they had access to everything we do.
So, my one piece of advice for anyone rolling out any software in their organization is, don’t just trust their word that they’re secure. Far too many times, suppliers say they’re secure, and the next thing you hear, “Oh, there’s a vulnerability in it.” And yes, vulnerabilities are going to happen. But if the architecture of the code is solid and the design is solid, and it’s had a respected third party go through all the code and fix any issues, the vendor is in a better place.
In addition to making sure your vendor can back up their claims of security, get your own house in order. Train your staff on security, have a password policy, help your staff by using systems like single sign-on so they’re not having to remember 5000 passwords. Audit your systems, know what software is installed on your endpoints. It’s amazing how many organizations don’t do that.
As an industry, we’re not learning, we are making the same mistakes. In fact, with the rise of internet connected devices, it seems to be getting worse.
At the end of the day, the most vulnerable part of security is the people—it’s your staff. Unless you’re running some really awful software, your staff are the people that are going to set bad passwords, share their passwords, and bypass your security tools. So, no matter how secure your solution is, educate your staff, train your staff, make sure that your IT systems are helping your staff stay safe.
Thank you to Andrew Woodhouse for taking part in this interview. You can find out more about RealVNC’s secure remote access solution via their website.