7 minute read
Remote Access Best Practices
An important consideration for organizations developing a business continuity plan is the organization may not be capable of sustaining normal operations onsite. The ability to support employees working remotely is essential to ensuring both business continuity and security.
The following best-practices should serve as a framework and reference for organizations needing to provide secure remote access to employees as broken down into 3 categories: General User, Power User and Super User.
*Note this framework is not comprehensive but rather a starting point for businesses to expand upon based on individual requirements.
1. Create a Policy
The remote access policy should complement existing policies such as, but not limited to: • Acceptable Use Policy • Data Use and Transfer Policy • Device/Endpoint Security Policy • Password Policy • Approved Software Policy • BYOD policy (All of which should be in place prior to allowing remote access) This policy should clearly state the purpose, scope and procedures to be used in the implementation and enforcement of the organization’s remote access / teleworker program.
The policy should be reviewed and updated regularly (at least annually), and all changes should be tracked. (Reference Documents: ISO 27002 6.2.2 & 9.1.2 | NIST Cybersecurity Framework PR.AC-3)
2. Select a Remote Access Solution(s)
3. Manage Identity and Access
Select a remote access solution(s) that best fits an organization’s needs, meets security requirements and adequately scales to meet current and future demand. Remote access solutions come in multiple forms with the most common being; VPN, 3rd-party Tools and Direct Application Access. It is not uncommon for organizations to maintain a hybrid remote access strategy.
VPN
Virtual Private Networks can provide enterprise-level secure remote access by encrypting traffic from source to destination inside the VPN tunnel.
• IPSEC - Gateway to Gateway | Full Encryption • SSL/TLS - Client to Gateway | Requires Agent | Full Encryption
SOURCE
Encryption
VPN TUNNEL
Decryption
DIRECT APPLICATION ACCESS (DAA)
3RD PARTY REMOTE ACCESS TOOLS
DESTINATION
USER ACCOUNT MANAGEMENT
• Integrate remote users with existing authentication servers (LDAP, RADIUS, etc) • Multi-factor Authentication should be enforced
• Least privilege methodology should be enforced ensuring access is only granted on a need to know / need to have basis. • Zero-Trust Network Access (ZTNA) should be considered to establish secure boundaries and evolve from the “Trust But Verify” methodology.
DEVICE MANAGEMENT
• Whether corporate assets, BYOD, or both are used in the environment, device identification, classification and management should be used to help ensure authorized devices meet company standards and reduce the risk of unauthorized device access.
• Network Access Control should be considered to identify, classify and control all endpoints in the environment including BYOD
4. Securing Your Remote Access Solution
DEPLOY A SECURE VPN GATEWAY
• A VPN provides high-encryption for data transmission and support for advanced authentication algorithms.
• IPsec - Use AES-256 with SHA2-512 or highest available encryption and authentication available
• SSL(TLS) VPN - Use tunnel mode with support protocols below SSL v3 and TLS 1.2 disabled. Use encryption such as AES-256 or highest available
• *Note split-tunneling can be used to route only designated traffic through the VPN gateway. This provides less inherent security and control unless the proper controls/ policies are in place.
• Direct Application Access / 3rd Party Remote Access
• These solutions may be used by organizations to provide users direct access to internal applications and services however generally lack the features, support, security and integrations of IPsec and SSL(TLS) VPN. Refer to individual provider for capabilities, support and best practices when implementing one of these platforms.
INSPECT > CONNECT > PROTECT
Inspect - Perform a Forward Posture Assessment (FPA) to ensure the remote devices meets the security requirements for connection to the protected network. The FPA may include:
Endpoint Protection
• When connecting to a corporate environment/protected network, the security posture of remote devices cannot be assumed therefore endpoint protection should be installed and updated with current signatures and/or engine. For corporate devices, this should be validated via the endpoint protection management platform.
• Some VPN gateways allow for a host check prior to connection verifying the proper installation and version of AV products. If this feature is not available, organizations should refer to their policies regarding endpoint protection, approved software and
BYOD
TRAINING
Training is an important aspect in the proper usage and security of remote access. Users should be required to take part in at least year training on remote access and certify adherence to the remote access policy. Training concepts should include, but are not limited to;
• Understanding of different remote access solutions • Understanding secure connectivity (ie hotel, coffee shop, home connections) • Understand HTTPS and man-in-the-middle attacks • Approved software and/or applications • Review of file sharing best practices and guidelines • Security stewardship: “Security is Everyone’s Responsibility”
5. Customer Data Management
In the wake of new and evolving data privacy regulations such as CCPA and GDPR, remote access policy must put a greater focus on data transfer and storage. In general, it is always best practice to limit the transfer and storage of data wherever possible. When data storage and transfer is required adhering to the following best practices is important:
• Any and all data communication / transmission should be done over connections with end-to-end encryption. Example; over IPsec VPN
• Collection and storage of logs, configurations, user preferences, etc. should be in accordance with internal business requirements and/or security requirements. If you don’t need it don’t collect it / store it.
• Users should be instructed no to save any files or work-related documents on their local device instead utilizing company approved secure data repositories
• Users should be educated on the use of secure file transfer when sharing sensitive data • Secure file transfer mechanisms should require authentication to view shared information and and should allow for logging and auditing of file access/sharing
• Wherever possible, implement Data Loss Prevention capabilities and ensure policies are updated regularly
• Wherever possible, devices (or applicable data repository on devices) should support the ability to be wiped remotely
6. Logging, Auditing, Alerting and Reporting
One of the most critical requirements of a remote access solution is ensuring comprehensive logging capabilities are available.
Event logging is vital for ensuring secure connectivity and, in many cases, required in order to satisfy regulatory requirements such as PCI.
Robust security logging is vital for giving context of what is occurring on the network, aiding in the identification of non-legitimate access or breach, and organizations quickly decipher whether an event was legitimate or a false alarm.
While a number of compliance regulations exist, PCI DSS is most applicable for retailers. PCI DSS requirement describes the following that standards to adhere to in order to remain compliant:
• Access to audit trails • Logging of users and devices with particular focus on privileged users and sensitive systems • Date and Time of events and access attempts • Success or failure of events • Origination of the event (IP, MAC, etc) • List of affected systems
In general, storage of logs must be maintained for one year; however, other requirements may exist for specific businesses and according to new and evolving compliance regulations.
7. Business Continuity and Capacity Planning
Operational Capacity refers to what organizations are able to produce in a given amount of time. Many variables affect operation capacity, namely being resources, efficiency, infrastructure and staffing. Under ideal conditions, operational capacity is in balance and work product output is at optimal efficiency. During a major business disruption, such as a natural disaster or pandemic, organizations must ensure they have a solid Business Continuity plan as it will enable them to serve customers even in the midst of challenging circumstances.
OPERATIONAL CAPACITY AND BUSINESS CONTINUITY BEST PRACTICES
• Consult with an expert or trusted partner • Determine a baseline • What are the lows and highs of your b • Can your infrastructure scale to meet demand • Identify critical processes and applications • Build in security from the beginning • Ensure network resiliency • Cross-train users • Document everything
