Secure Remote Access

Remote Access Security

Making remote maintenance access secure, controlled, and fully auditable – for internal teams and external service providers.

The Problem with Insecure Remote Maintenance

VPN accounts for external service providers that are never revoked, uncontrolled remote access tools such as TeamViewer or AnyDesk, and missing logging of administrative activities are security risks still found in many companies. Attackers systematically use compromised remote maintenance access as an entry point, because such access usually already carries administrative privileges and reaches the internal network.

Secure Remote Maintenance Architecture

A modern remote maintenance architecture is based on zero trust principles: no implicit trust, minimal permissions, complete logging. We implement and configure solutions that make remote maintenance secure, controlled, and auditable — without compromising usability.

Remote Maintenance and VPN Compatibility: Interplay, Limits, and Architecture Decisions

In many companies, VPN is the first answer to the question of secure remote access, and for many use cases it is a solid foundation. For remote maintenance scenarios, however, purely VPN-based architectures quickly reach their limits. The key difference: a VPN grants network access, but no granular control over what an external service provider actually does after connecting. There is no session recording, no just-in-time access, and no automatic deactivation at the end of a maintenance window; a VPN account that nobody explicitly disables stays usable. This is insufficient for compliance audits under ISO 27001, NIS2, or DORA.

There is also a frequently underestimated compatibility problem: many common remote maintenance tools use cloud relay architectures in which the session is brokered through the tool vendor's servers, so the traffic partially bypasses the VPN or conflicts with a full-tunnel VPN. Split-tunnel configurations can open security gaps when remote maintenance traffic leaves directly over the internet while company data runs through the VPN tunnel: the remote session then sits outside the controls and logging applied to the tunnel. These interactions are a common cause of inexplicable connection drops and inconsistent behavior during remote maintenance sessions.

The optimal architecture depends on the requirements profile. In many cases, VPN as a network layer makes sense — supplemented by a dedicated Privileged Remote Access solution that builds on the VPN tunnel and adds the missing controls (session recording, access governance, approval workflows). In other scenarios — particularly with high service provider density or dominant compliance evidence obligations — replacing VPN with Zero Trust Network Access (ZTNA) with an integrated PAM layer is the superior solution. Blackfort analyzes your existing VPN infrastructure and develops a compatible or replacing remote maintenance architecture.

Service Provider Management

External service providers need access to your systems — but only on a time-limited basis, with minimal permissions and complete monitoring. We implement processes and technologies for secure vendor access management.

Remote Maintenance Compliance: Requirements from ISO 27001, NIS2, and DORA

ISO 27001 treats remote maintenance access as privileged access with elevated requirements. The relevant Annex A controls of ISO/IEC 27001:2022 are A.8.2 (Privileged access rights), A.8.3 (Information access restriction), A.8.15 (Logging), and A.8.18 (Use of privileged utility programs). The Statement of Applicability must explicitly address controls for external remote access. Auditors check whether accesses are approved, logged, and regularly reviewed; missing or incomplete session logs are a classic non-conformity finding.

NIS2 (Art. 21) lists access control and identity management among its minimum cybersecurity risk-management measures. For essential and important entities this means that remote maintenance access by external service providers must be verifiably controlled and logged. Uncontrolled remote access tools, such as shared or never-expiring VPN accounts or consumer remote maintenance software without access logs, will be assessed as a failure to implement these measures. The same applies to BSI KRITIS operators, where unauthorized remote access to control components is assessed as particularly critical.

DORA explicitly anchors Privileged Access Management in the ICT risk management framework for financial companies. Session recording and access logging for critical systems are mandatory, not optional. DORA third-party management additionally requires that external ICT service providers only receive controlled, time-limited access and access rights are regularly reviewed. For ICT third-party providers themselves serving financial institutions, the same evidence obligations apply on the service provider side.

Compliance Evidence: What Auditors Check for Remote Maintenance

Session recording is the central compliance requirement for privileged remote maintenance access. Auditors expect complete, tamper-proof recordings of all remote sessions: who connected when, which systems were accessed, which actions were performed? These recordings must be protected against subsequent modification — ideally on infrastructure separate from the target system and write-protected. Without these records, certification or a declaration of conformity is practically impossible.

Access governance comprises three core elements: just-in-time access (access rights are granted only after approval and only for the duration of a maintenance measure), time-limited credentials (no permanent access for external service providers), and regular access reviews (quarterly review of all active access rights of external parties). For particularly critical systems, a four-eyes principle is required: a second authorized employee must monitor or approve the session.
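As an added example (not Blackfort's code or a component of its product), the following Python sketch models the three governance elements above together with the tamper-proof recording from the previous section: an access grant that becomes active only after two distinct approvers have signed off (the requester cannot be one of them), that expires hard at the end of the maintenance window, and a hash-chained, append-only session log whose integrity check fails if a recorded action is edited afterwards. The vendor identity, target name, approver names, timestamps and commands are all constructed for the walk-through.

```python
"""Added example (not Blackfort's code): just-in-time vendor access with
four-eyes approval, hard expiry, and a hash-chained session log.
All identities, timestamps and commands below are constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class AccessGrant:
    vendor: str
    target: str
    requested_by: str
    approvers: list[str] = field(default_factory=list)
    valid_from: datetime | None = None
    valid_until: datetime | None = None

    def approve(self, approver: str, window: timedelta, now: datetime) -> None:
        # Four-eyes: the requester cannot approve their own request and
        # the same person cannot count twice.
        if approver == self.requested_by or approver in self.approvers:
            raise PermissionError(f"{approver} may not approve this request")
        self.approvers.append(approver)
        if len(self.approvers) == 2:  # the second approval opens the window
            self.valid_from = now
            self.valid_until = now + window

    def is_active(self, now: datetime) -> bool:
        # No implicit trust: without two approvals, or outside the window,
        # the grant is inactive regardless of any VPN tunnel state.
        return (len(self.approvers) >= 2
                and self.valid_from is not None
                and self.valid_from <= now < self.valid_until)


class SessionLog:
    """Append-only log; every entry commits to the hash of its predecessor."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self) -> bool:
        # Recompute the chain from genesis; any edited or reordered entry breaks it.
        prev = self.GENESIS
        for entry in self.entries:
            body = json.dumps(entry["event"], sort_keys=True)
            if entry["prev"] != prev:
                return False
            if hashlib.sha256((prev + body).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def run_maintenance_window() -> dict:
    """Constructed walk-through: request, approvals, commands during the
    window, an attempt after expiry, then a tamper check on the log."""
    t0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    window = timedelta(hours=2)
    log = SessionLog()
    grant = AccessGrant(vendor="vendor-ops@example.net",  # constructed
                        target="plc-gateway-01", requested_by="alice")
    out = {}
    try:
        grant.approve("alice", window, t0)          # self-approval must fail
        out["self_approval_refused"] = False
    except PermissionError:
        out["self_approval_refused"] = True
    grant.approve("bob", window, t0)
    out["active_after_one"] = grant.is_active(t0)    # one approval is not enough
    grant.approve("carol", window, t0)
    out["active_after_two"] = grant.is_active(t0)    # four-eyes satisfied
    for offset, cmd in ((5, "systemctl status gateway"), (30, "journalctl -u gateway")):
        ts = t0 + timedelta(minutes=offset)
        if grant.is_active(ts):                      # every action tied to a live grant
            log.append({"ts": ts.isoformat(), "vendor": grant.vendor,
                        "target": grant.target, "cmd": cmd})
    out["active_after_expiry"] = grant.is_active(t0 + timedelta(hours=3))
    out["entries"] = len(log.entries)
    out["log_intact"] = log.verify()
    # Simulate a later edit of a recorded command, as an auditor would test.
    log.entries[0]["event"]["cmd"] = "rm -rf /var/log"
    out["log_after_tamper"] = log.verify()
    return out


if __name__ == "__main__":
    print(run_maintenance_window())
```

In a production deployment the log would live on infrastructure separate from the target system, with the chain head periodically countersigned or written to write-once storage, so that neither the vendor nor the target host administrator can rewrite history; the in-memory list here only demonstrates why a chained hash makes such edits detectable.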

Blackfort delivers the complete compliance documentation: security concept for remote maintenance, process documentation for vendor access management, technical evidence of implemented controls, and audit reports that withstand ISO 27001, NIS2, and DORA reviews. We know the specific audit questions from numerous audits and build remote maintenance architectures so that evidence is structurally anchored in the process — not as a retrospective paper document.

Service Scope

  • Remote maintenance security concept
  • Zero trust remote access
  • Session recording and auditing
  • Just-in-time access
  • Vendor access management
  • MFA for remote access
  • VPN replacement
  • Compliance evidence

Matching Solution

Blackfort Privileged Access Bridge

Compliance-compliant remote maintenance architecture with session recording, just-in-time access, and complete auditability.

Frequently Asked Questions on Remote Maintenance Compliance

Which compliance requirements apply to remote maintenance access?

Remote maintenance access is classified as privileged access with elevated requirements. ISO 27001 requires logging, approval processes, and regular review of all privileged access. NIS2 demands verifiable access control and identity management for external service providers. DORA mandates session recording and access logging for critical systems in the financial sector. KRITIS operators are also subject to specific OT remote access requirements under BSI IT-Grundschutz.

Are TeamViewer or AnyDesk permitted for compliance-obligated companies?

Consumer remote maintenance tools like TeamViewer or AnyDesk in their standard configuration typically do not meet the compliance requirements of regulated companies: out of the box there is no complete session recording, no just-in-time access provisioning, no integration into approval workflows, and no tamper-proof logging. For ISO 27001, NIS2, or DORA-compliant remote maintenance, specialized Privileged Remote Access solutions are required.

What must be demonstrated in an audit for remote maintenance compliance?

Auditors check: complete, tamper-proof session recordings, documented approval processes for each remote access, time-limited credentials without permanent access for external service providers, regular access reviews (at least quarterly), a written remote maintenance security concept, and for critical systems evidence of a four-eyes principle.

How does Blackfort implement a compliance-compliant remote maintenance architecture?

We start with an analysis of your current remote maintenance processes and existing compliance requirements. Based on this, we implement a zero-trust-based Privileged Remote Access solution with session recording, just-in-time access, and integration into your ITSM processes. We deliver the complete compliance documentation package: security concept, process documentation, and technical evidence for auditors.

Does remote maintenance compliance also apply to external IT service providers serving clients?

Yes. IT service providers serving clients in regulated sectors (financial services, KRITIS, NIS2-obligated companies) must demonstrate that their own remote maintenance processes meet their clients' compliance requirements. DORA directly obligates ICT third-party providers. Many framework agreements and tenders today contain explicit requirements for secure, auditable remote maintenance access from the service provider.

Is my existing VPN sufficient for secure remote maintenance?

VPN alone is not sufficient for secure remote maintenance in most compliance contexts: it lacks session recording, just-in-time access, and granular access control at the application level. Two architectural approaches make sense: augmenting VPN with a Privileged Remote Access solution (PAM on top of VPN) or replacing VPN with Zero Trust Network Access (ZTNA) with an integrated PAM layer. The appropriate approach depends on existing infrastructure, service provider density, and regulatory requirements.

Secure Remote Access — Auditable

We implement modern remote maintenance solutions that combine security requirements with usability.