ExpertCity tries to change its image

Company’s GoToMyPC Corporate 4.0 is slowly winning acceptance from cautious enterprise security pros.

Everybody knows ExpertCity’s GoToMyPC. Download a client to your office computer, and then access the machine and all its resources remotely from any Web browser. So easy to use, employees signed up for the service by the tens of thousands – often without the knowledge or consent of network managers. Even after IT departments started blocking the GoToMyPC site, users could ping it to gain access. Blocking Internet Control Messaging Protocol traffic was the only way to shut users down.

What you might not know is that Expert City’s intent has always been to win over big corporations. But when the start-up launched GoToMyPC five years ago, it didn’t have the resources to sell to them. So instead it relied on individual employees to push the product into their firms directly. ExpertCity launched GoToMyPC Corporate just months after the Personal version, which provides user management features as well as the ability to block access to the personal version.

Today, GoToMyPC Corporate 4.0 uses Advanced Encryption Standard and integrates with two-factor authentication schemes such as SecurID. While it’s slowly winning acceptance – mainly in small companies with limited IT support or in workgroups with specialized remote access needs – it’s far from becoming IT’s product of choice. ExpertCity’s biggest GoToMyPC Corporate account is for 2,000 users with the Texas Department of Protective and Regulatory Services.

“Historically GoToMyPC’s value has been to bypass the security guy. That damaged ExpertCity’s reputation with corporate clients,” says Zeus Kerravala, vice president of enterprise infrastructure at The Yankee Group. “I don’t think it’s warranted anymore. But people take a long time to forget, and when making buying decisions, emotion is as much of a criteria as ROI.”

ExpertCity’s “reverse demand” strategy paid off at firms like Jennison and Associates, a financial services company in New York. When a portfolio manager signed up for the personal version 18 months ago, Vincent D’Amico, the firm’s technical services supervisor, denied the user access because the encryption level was too low.

“But the guy kept busting my chops about getting it, so when Version 2.0 came out with higher encryption, we deployed it,” D’Amico says. “We started with 20 portfolio managers, then word spread and the next thing we knew we had 100.”

Cart driving the horse

“Personal remote-control products are good for diagnostics, but they’re expensive to scale. For large numbers of people, you have to start asking if these applications should be on servers,” says John Girard, vice president and research director at Gartner.

Jennison and Associates also offers users VPN and dial-up remote access, but most prefer the ability to access their own desktops with GoToMyPC. “They like having all their desktop icons like they’re used to. The portfolio managers here wield a lot of power. Denying them a product they can make a business case for would create a conflict between IT and the financial people,” he says.

For Ross McKenzie, director of IS for Johns Hopkins Bloomberg School of Public Health in Baltimore, knowledge that his users were downloading GoToMyPC came when one asked him if an ExpertCity support technician could take control of his desktop to troubleshoot a problem. McKenzie set up the product internally and watched the traffic. “We realized there wasn’t a good way to stop it even if we wanted to. Our firewall’s not that restrictive,” he says. “We’re big on academic freedom.”

McKenzie’s team manages 5,000 users, a mix of graduate students, faculty and support staff. Most access e-mail and server applications via the school’s intranet, but about 150 use GoToMyPC to access large e-mail stores, large data sets or statistical software that home systems can’t handle.

“It’s not something we’d use on 5,000 desktops, but some folks use it every day,” McKenzie says. “During a snowstorm last year those who had it worked from home and were happy. More signed up after that.”

Gartner’s Girard points to problems with using personal remote-control products for remote access, such as the need to keep host systems running continuously. “I get calls every week from companies that are having their internal corporate networks shut down by old Trojans coming in from remote users. If you keep all those machines running all the time and they’re not protected, they’re vectors for internal attack,” he says.

Even though GoToMyPC’s datastream is encrypted, and IT can monitor who accessed which machines and when, there’s no ability to log everything the user does. “If I want audit-level responsibility and accountability of my systems, I’m going to have to control the product myself, or the company I work with will need to be a certificate authority,” Girard says. He adds that Funk Software’s Proxy offers premises-based remote-control capability with an optional audit server.

ExpertCity says it might add audit capability by integrating the product with third-party network security appliances and services. Lightweight Directory Access Protocol is planned for the next release.