Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Remote-control software for telework: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: Remote-control software designed for supervised maintenance is being used to reach office workstations from home, even though that model breaks the security assumptions behind telework access, according to Systancia. The real issue is not convenience but governance, because session control, accountability, and identity boundaries shift when access is mediated by a tool built for hands-on support rather than remote work.

NHIMG editorial — based on content published by Systancia: Logiciels de prise de contrôle à distance, une pratique dangereuse en situation de télétravail

By the numbers:

Questions worth separating out

Q: How should organisations handle remote-control tools in telework environments?

A: Organisations should treat remote-control software as a supervised support control, not a standard telework method.

Q: Why do remote-control tools create identity governance risk for remote work?

A: They create risk because the tool’s design assumes an operator is present to initiate and monitor the session.

Q: What do security teams get wrong about temporary access exceptions?

A: They often treat temporary exceptions as harmless because they were created for a narrow use case.

Practitioner guidance

  • Retire support-only remote-control tools from standard telework paths Limit these tools to supervised maintenance scenarios where a human operator initiates and observes the session.
  • Classify every remote-control exception as a governed access waiver Assign an owner, an expiry date, and a documented business justification to each exception.
  • Require provable session attribution before any access is approved Ensure logs show who started the session, why it was started, and what systems were reachable.

What's in the full article

Systancia's full blog covers the operational detail this post intentionally leaves for the source:

  • The article explains why telemaintenance tools are a poor fit for everyday remote work and how that design assumption affects access control.
  • It outlines the difference between supervised session use and standard employee access, which matters when you are deciding whether to permit the tool at all.
  • It provides the broader security rationale behind the warning, useful if you need to justify policy changes to stakeholders.
  • The post frames the remote-control risk in the context of telework behaviour and access habits, not just technical features.

👉 Read Systancia's analysis of remote-control software and telework access risk →

Remote-control software for telework: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Remote-control software used for telework is an access-governance mismatch, not just a user-experience compromise. The tool model assumes a supervised session, while telework assumes ordinary business access under standard identity policy. When organisations collapse those two models, they weaken the boundary between helpdesk control and end-user access. Practitioners should treat the mismatch as a governance defect, not a convenience trade-off.

A few things that frame the scale:

  • 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to The 2024 Non-Human Identity Security Report.
  • Another finding from the same research shows that 23.7% of organisations share secrets through insecure methods such as email or messaging applications, which is a useful reminder that convenience frequently outruns governance.

A question worth separating out:

Q: Who is accountable when a remote-control access path fails governance review?

A: Accountability usually sits with the access owner, the system owner, and the control owner who approved the exception. If the organisation cannot show who authorised the path, what purpose it served, and how long it remained active, then the governance failure is systemic rather than individual.

👉 Read our full editorial: Remote-control software and the telework access control gap



   
ReplyQuote
Share: