US-20260129446-A1 - SYSTEM AND METHOD FOR MANAGING REMOTE ACCESS TO A COMPUTER

Abstract

A system and computer-implemented method to manage remote access to an enterprise device are disclosed. A secrets manager operates on an access manager device and a gateway application operates a gateway device remote from the access manager device. The gateway application receives a request to access the enterprise device. The request is generated by a client application operating on an end-user device that is remote from the access manager device and the gateway device. The gateway application further receives access credentials for the end-user device from the secrets manager, uses the access credentials to open a network connection to the end-user device, and establishes a secure peer-to-peer network connection with the client application. In addition, the gateway application receives an encrypted end-user payload from the client application via the secure peer-to-peer network connection, decrypts the encrypted end-user payload to generate a decrypted end-user payload, and transmits the decrypted end-user payload to the enterprise device.

Inventors

  • Craig B. Lurey
  • Darren S. Guccione
  • Maksim Ustinov
  • Sergey Aldoukhov
  • Micah Roberts

Assignees

  • KEEPER SECURITY, INC.

Dates

Publication Date
20260507
Application Date
20250519

Claims (20)

  1. A system to manage remote access to an enterprise device, comprising: a secrets manager operating on an access manager device; and a gateway application operating on a gateway device remote from the access manager device, wherein the gateway application is adapted to: receive a request to access an enterprise device, wherein the request is generated by a client application operating on an end-user device and the end-user device is remote from the access manager device and the gateway device; receive access credentials for the enterprise device from the secrets manager; use the access credentials to open a network connection to the enterprise device; establish a secure peer-to-peer network connection with the client application; receive an encrypted end-user payload from the client application via the secure peer-to-peer network connection; decrypt the encrypted end-user payload to generate a decrypted end-user payload; and transmit the decrypted end-user payload to the enterprise device.
  2. The system of claim 1, wherein the access credentials are not available to the client application.
  3. The system of claim 1, wherein the secure peer-to-peer network connection is in accordance with a WebRTC protocol.
  4. The system of claim 1, wherein the gateway application is further adapted to receive an unencrypted enterprise device payload associated with the enterprise device, encrypt the unencrypted enterprise device payload, and transmit the encrypted enterprise device payload to the client application via the secure peer-to-peer network connection.
  5. The system of claim 4, wherein the decrypted end-user payload comprises one or more user input commands and the gateway application is further adapted to open a network connection to a device gateway application in order to open the network connection with the enterprise device and transmit the decrypted end-user payload to the device gateway application to forward the user input commands to the enterprise device.
  6. The system of claim 5, wherein the unencrypted enterprise device payload comprises commands to render a graphical user interface generated by the enterprise device and the gateway application is adapted to receive the unencrypted enterprise device payload via the network connection to the device gateway application.
  7. The system of claim 6, wherein the encrypted enterprise device payload and decrypted end-user payload are encoded in accordance with a WebRTC protocol and the device gateway application forwards the user input commands to the enterprise device in accordance with a Remote Desktop protocol, a Virtual Network Computing protocol, or a Secure Shell protocol.
  8. The system of claim 4, wherein the gateway application is adapted to open a network port associated with the enterprise device in order to open the network connection to the enterprise device, and to transmit the decrypted end-user payload to the end-user device and receive the unencrypted enterprise device payload via the network port.
  9. The system of claim 1, further including a router application operating on the access manager device, wherein the client application and the gateway application each authenticate with the router application in order to establish the peer-to-peer network connection.
  10. The system of claim 1, wherein the gateway application communicates with the secrets manager and the client application over a public network.
  11. A device-implemented method to manage remote access to an enterprise device operating in a network, comprising: receiving, by a gateway application operating on a gateway device, a request to access an enterprise device, wherein the request is generated by a client application operating on an end-user device and the end-user device is remote from the gateway device; receiving access credentials for the enterprise device from a secrets manager operating on an access manager device remote from the end-user device and the gateway device; using the access credentials to open a network connection to the enterprise device; establishing a secure peer-to-peer network connection with the client application; receiving an encrypted end-user payload from the client application via the secure peer-to-peer network connection; decrypting the encrypted end-user payload to generate a decrypted end-user payload; and transmitting the decrypted end-user payload to the enterprise device.
  12. The device-implemented method of claim 11, wherein the access credentials are not available to the client application.
  13. The device-implemented method of claim 11, wherein the secure peer-to-peer network connection is in accordance with a WebRTC protocol.
  14. The device-implemented method of claim 11, further including receiving an unencrypted enterprise device payload associated with the enterprise device, encrypting the unencrypted enterprise device payload, and transmitting the encrypted enterprise device payload to the client application via the secure peer-to-peer network connection.
  15. The computer-implemented method of claim 14, wherein the decrypted end-user payload comprises one or more user input commands and wherein opening a network connection with the enterprise device includes opening a network connection to a device gateway application, and further including transmitting the decrypted end-user payload to the device gateway application to forward the user input commands to the enterprise device.
  16. The computer-implemented method of claim 15, wherein the unencrypted enterprise device payload comprises a rendering of a graphical user interface generated by the enterprise device, and further including receiving, by the gateway application, the unencrypted enterprise device payload via the network connection to the device gateway application.
  17. The computer-implemented method of claim 16, further including encoding the encrypted enterprise device payload and decrypted end-user payload in accordance with a WebRTC protocol and forwarding the user input commands to the enterprise device in accordance with a Remote Desktop protocol, a Virtual Network Computing protocol, or a Secure Shell protocol.
  18. The computer-implemented method of claim 14, wherein opening the network connection to the enterprise device comprises opening a network port associated with the enterprise device, and transmitting the decrypted end-user payload to the end-user device and receiving the unencrypted enterprise device payload via the network port.
  19. The computer-implemented method of claim 11, further including authenticating the client application and the gateway application with a router application operating on the access manager device in order to establish the peer-to-peer network connection.
  20. The computer-implemented method of claim 12, wherein the gateway application communicates with the client application and the secrets manager over a public network.
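The property the abstract and claims 1, 2 and 4 describe is that the gateway, not the client, holds the device credentials: the gateway fetches them from the secrets manager, logs in to the enterprise device, and then relays only encrypted end-user payloads in one direction and encrypted device payloads in the other. The following simulation is an added example written for this page, not code from the patent or from Keeper Security. All class names, the gateway token, the device id `db-01`, the sample credential and the command are constructed; the `SecureChannel` class is a toy HMAC-SHA256 counter-mode cipher with encrypt-then-MAC standing in for the WebRTC/DTLS channel, and the shared key is handed to both peers directly where a real deployment would derive it from the DTLS handshake.

```python
"""Added simulation of gateway-mediated remote access (constructed; not the patent's code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class SecretsManager:
    """Stand-in for the secrets manager on the access manager device.
    Credentials are released only to a caller presenting the gateway's token."""

    def __init__(self, gateway_token: bytes) -> None:
        self._gateway_token = gateway_token
        self._vault: Dict[str, Dict[str, str]] = {}

    def store(self, device_id: str, username: str, password: str) -> None:
        self._vault[device_id] = {"username": username, "password": password}

    def fetch(self, device_id: str, token: bytes) -> Dict[str, str]:
        if not hmac.compare_digest(token, self._gateway_token):
            raise PermissionError("only the gateway may read device credentials")
        return dict(self._vault[device_id])


class EnterpriseDevice:
    """Stand-in for the enterprise device (e.g. an SSH host behind the gateway)."""

    def __init__(self, device_id: str, username: str, password: str) -> None:
        self.device_id, self._username, self._password = device_id, username, password
        self.session_open = False

    def login(self, username: str, password: str) -> bool:
        self.session_open = username == self._username and hmac.compare_digest(password, self._password)
        return self.session_open

    def execute(self, command: str) -> str:
        if not self.session_open:
            raise RuntimeError("no authenticated session")
        return f"{self.device_id}$ {command}\nok"  # constructed "rendered" device output


class SecureChannel:
    """Toy authenticated encryption modelling the WebRTC (DTLS) peer-to-peer channel:
    HMAC-SHA256 keystream in counter mode, encrypt-then-MAC. Illustrative only."""

    def __init__(self, key: bytes) -> None:
        self._enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
        self._mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hmac.new(self._enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def seal(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        return nonce + ct + hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest()

    def open(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(hmac.new(self._mac_key, nonce + ct, hashlib.sha256).digest(), tag):
            raise ValueError("payload failed authentication")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


@dataclass
class Client:
    """Client application on the end-user device: holds the channel key and ciphertext only."""
    channel: Optional[SecureChannel] = None
    received: List[bytes] = field(default_factory=list)  # every blob seen over the network

    def send_command(self, command: str) -> bytes:
        return self.channel.seal(command.encode())  # encrypted end-user payload

    def receive(self, blob: bytes) -> str:
        self.received.append(blob)
        return self.channel.open(blob).decode()  # decrypt the enterprise device payload


class Gateway:
    """Gateway application: fetches credentials, logs in, relays payloads in both directions."""

    def __init__(self, secrets: SecretsManager, token: bytes, devices: Dict[str, EnterpriseDevice]) -> None:
        self._secrets, self._token, self._devices = secrets, token, devices
        self._sessions: Dict[int, Tuple[EnterpriseDevice, SecureChannel]] = {}

    def connect(self, client: Client, device_id: str) -> None:
        creds = self._secrets.fetch(device_id, self._token)  # credentials never leave the gateway
        device = self._devices[device_id]
        if not device.login(creds["username"], creds["password"]):
            raise RuntimeError("device login failed")
        key = os.urandom(32)  # stand-in for the key the DTLS handshake would establish
        self._sessions[id(client)] = (device, SecureChannel(key))
        client.channel = SecureChannel(key)

    def relay(self, client: Client, encrypted_payload: bytes) -> bytes:
        device, channel = self._sessions[id(client)]
        command = channel.open(encrypted_payload).decode()  # decrypted end-user payload
        return channel.seal(device.execute(command).encode())  # encrypted enterprise device payload


def client_can_fetch_credentials(secrets: SecretsManager, device_id: str) -> bool:
    try:
        secrets.fetch(device_id, b"not-the-gateway-token")
        return True
    except PermissionError:
        return False


def tamper_detected(channel: SecureChannel, blob: bytes) -> bool:
    flipped = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]  # corrupt one ciphertext byte
    try:
        channel.open(flipped)
        return False
    except ValueError:
        return True


def run_session(command: str = "hostname") -> dict:
    token = os.urandom(16)
    secrets = SecretsManager(token)
    secrets.store("db-01", "svc-admin", "constructed-sample-password")  # constructed credential
    devices = {"db-01": EnterpriseDevice("db-01", "svc-admin", "constructed-sample-password")}
    gateway, client = Gateway(secrets, token, devices), Client()
    gateway.connect(client, "db-01")
    blob = client.send_command(command)
    reply = client.receive(gateway.relay(client, blob))
    leaked = any(b"constructed-sample-password" in seen for seen in client.received)
    return {"reply": reply, "credential_leaked": leaked, "client": client, "secrets": secrets, "blob": blob}


if __name__ == "__main__":
    print(run_session()["reply"])
```

The two helper checks make the claim-2 property testable: the client cannot pull the credential from the secrets manager with its own identity, and the credential string never appears in anything the client handled, because the gateway performs the device login and only ciphertext crosses the peer-to-peer channel. The tamper check shows why the channel must authenticate as well as encrypt: without the MAC, a modified end-user payload would be forwarded to the enterprise device as a command.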

Description

CROSS-REFERENCE TO RELATED APPLICATION

The present application claims the benefit of priority to Lurey et al., U.S. Provisional Patent Application Ser. No. 63/716,356, entitled “ESTABLISHING CONNECTIONS AND TUNNELS TO WORKLOADS FROM A CLOUD-BASED VAULT WITH ZERO KNOWLEDGE ENCRYPTION,” filed Nov. 5, 2024, the entire contents of which are incorporated herein by reference.

FIELD OF DISCLOSURE

The present subject matter relates to systems and methods for managing access to infrastructure devices and, more particularly, to a system and method that manages access to an infrastructure device from a remote end-user device.

BACKGROUND

An enterprise may have one or more infrastructure or enterprise devices (e.g., computer systems) that are installed on-premises at a facility associated with the enterprise or that operate on a cloud computing platform such as, e.g., Amazon AWS, Microsoft Azure, etc. Such enterprise devices may be used to manage the operation of the enterprise and store data associated with such operations. End users, e.g., employees, contracted staff, and other authorized users, may be provided access to such enterprise devices to monitor and control the operation thereof, access data stored thereon, and the like. Further, IT administrators and development teams may need access to computers of the enterprise used by other end users, such as desktop computers, laptop computers, workstations and the like, to support such other end users. Connection management products, such as the Guacamole gateway developed by the Apache Software Foundation, and the like may be installed on the enterprise devices to allow end users to access such enterprise devices from a location remote from an enterprise facility.

As would be understood by one having ordinary skill in the art, an end user who may use an end user computer on the same network (i.e., either on the same local area network, via a virtual private network, a zero trust network access service, and the like) may open a browser window on the end user computer that may connect to the connection management product to open a remote desktop session, a secure shell, a virtual network computing viewer, and the like to access and control the infrastructure compute system. Typically, use of the connection management product requires the end user to have authentication credentials such as login passwords, SSH keys, database credentials, cloud access keys, and the like associated with the infrastructure computer systems. Such authentication credentials may be provided to the end user or may be shared among a team of end users to allow such users to access the infrastructure computer system. However, controlling which end users have access to such authentication credentials may become complex as the enterprise scales, end users move to different organizations within the enterprise, and/or end users leave the enterprise. Poor credential management in such situations may pose a significant security risk to the enterprise.

SUMMARY

According to one aspect, a system to manage remote access to an enterprise device includes a secrets manager operating on an access manager device and a gateway application operating on a gateway device remote from the access manager device. The gateway application is adapted to receive a request to access an enterprise device. The request is generated by a client application operating on an end-user device, and the end-user device is remote from the access manager device and the gateway device.

The gateway application is further adapted to receive access credentials for the enterprise device from the secrets manager, use the access credentials to open a network connection to the enterprise device, and establish a secure peer-to-peer network connection with the client application. In addition, the gateway application is adapted to receive an encrypted end-user payload from the client application via the secure peer-to-peer network connection, decrypt the encrypted end-user payload to generate a decrypted end-user payload, and transmit the decrypted end-user payload to the enterprise device.

According to another aspect, a computer-implemented method to manage remote access to an enterprise device operating in a network includes receiving, by a gateway application operating on a gateway device, a request to access an enterprise device, wherein the request is generated by a client application operating on an end-user device and the end-user device is remote from the gateway device. The method also includes receiving access credentials for the end-user device from a secrets manager operating on an access manager device remote from the end-user device and the gateway device, using the access credentials to open a network connection to the end-user device, and establishing a secure peer-to-peer network connection with the client application. In addition, the method includes receiving an encrypted end-user payload from the client application via the secure peer-to-peer ne