With the increasing mobility of the workforce, and an equal boost in the type and number of personal and company-owned devices used for work outside the offices, companies and organizations would do well to pay heed to securing and monitoring what access they permit outside the firewall. Ultimately, this boils down to a well-defined and universally-applied set of rules and tools to govern who gets remote access, how it’s established, and what’s made accessible for remote access and use.
If You Know Your Friends, You Also Know the Enemy
The cardinal rule of remote access is to know who’s allowed to use it. This means requiring anyone who seeks remote access to first request it, and then to grant only those requests that meet all entrance criteria that apply. This approach basically denies all requests by default, and makes exceptions only for those who meet all (or the minimum acceptable subset) of the entrance criteria needed for a request to be granted.
What should such entrance criteria include? Here’s a representative set of elements:
- All users must provide positive proof of identity to request remote access, preferably using multi-factor authentication. Security tokens or similar devices make excellent second factors, but these days, cellphone-based token delivery and response is quick and easy for most users.
- For personally owned devices (a BYOD scenario), users must register their devices with the company before they may be granted access. This includes keying on unique device identifiers (such as MAC address for computing devices or IMEI for mobile devices), checking device health and security status, and installing software for monitoring and secure communications purposes.
- For company-owned devices, the necessary information will already be in hand, and necessary software installed and in use. The same basic checks apply to such devices as well before access is granted: confirmation of device identity, health and security status checks, and presence of required software elements and components.
- Use of secure protocols and communications. All devices must be able to communicate securely for remote access to occur. Generally, this means all access occurs using some kind of secure VPN connection, with encryption strong enough to comply with prevailing security policy.
- Once a remote access session is established, all access requests are subject to authentication and access controls based on user identity. This includes requests for access to applications, data, services, and other network resources. Additional security policy considerations may apply—for example, extra authentication and access control hurdles for reaching sensitive or confidential material, together with content filters that block remote copy or print, or other data protection measures, as discussed in the following section.
- Any device, whether company or personally owned, should be covered with the organization’s endpoint security software as and when it’s used for remote access to the organization’s systems, networks, and data.
- Users should be made aware that all remote access will be monitored, and that the company or organization Acceptable Use Policy applies equally to remote access to in-house resources and networks as it does to internal access to such resources and networks.
- Any device that fails to meet the entrance requirements is not granted normal access: it may be shunted off to a DMZ network for quarantine and remediation, or denied access outright.
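The entrance criteria above amount to a deny-by-default decision: access is granted only when every check passes. The following is an added example, not code from the original article, sketching that gate in Python. The device registry, the minimum cipher strength, and the choice of which failures are remediable in a DMZ (health and missing agent) versus refused outright are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    QUARANTINE = "quarantine"  # shunt to DMZ for remediation
    DENY = "deny"


@dataclass
class AccessRequest:
    user_id: str
    mfa_verified: bool      # second factor completed (token, phone)
    device_id: str          # MAC address or IMEI used as device identity
    device_healthy: bool    # patch level / AV status checks passed
    endpoint_agent: bool    # required monitoring/security software present
    transport: str          # "vpn" or anything else
    cipher_bits: int = 0    # negotiated VPN key strength


# Constructed policy values; the article sets no specific numbers.
MIN_CIPHER_BITS = 128
REGISTERED_DEVICES = {"aa:bb:cc:dd:ee:01", "356938035643809"}  # constructed sample

# Failures the device itself can fix inside a quarantine network (assumption).
REMEDIABLE = {"device health checks failed", "endpoint agent missing"}


def evaluate(req: AccessRequest) -> tuple[Decision, list[str]]:
    """Deny by default: ALLOW only when every entrance criterion holds."""
    failures = []
    if not req.mfa_verified:
        failures.append("identity not proven with MFA")
    if req.device_id not in REGISTERED_DEVICES:
        failures.append("device not registered")
    if not req.device_healthy:
        failures.append("device health checks failed")
    if not req.endpoint_agent:
        failures.append("endpoint agent missing")
    if req.transport != "vpn" or req.cipher_bits < MIN_CIPHER_BITS:
        failures.append("no VPN or cipher below policy minimum")
    if not failures:
        return Decision.ALLOW, []
    # Only an MFA-verified user on a registered device over a compliant tunnel
    # is shunted to the DMZ for remediation; anything else is refused outright.
    if set(failures) <= REMEDIABLE:
        return Decision.QUARANTINE, failures
    return Decision.DENY, failures
```

The returned failure list is what the monitoring and audit trail should record for every refused or quarantined session.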
Security Policy Trumps Everything Else
Above all, remote access should be a specific and well-delineated part of any company’s or organization’s security policy. This policy should spell out all requirements mentioned in the previous section in sufficient detail for remote access to be implemented, monitored and audited. The security policy should include requirements for monitoring remote access, and should state clearly which kinds of applications and data may be accessed and used remotely and which may not. It’s especially important for employees to understand that sensitive or proprietary data may not be downloaded, copied, printed, or otherwise exfiltrated outside company boundaries and control. Security policy should also mandate use of data protection tools and technologies to assure absolute compliance. It should also be possible to remotely wipe a company-owned device, or to remotely delete and wipe all company data and apps from a personally owned one, in the event that the device is stolen or missing, or its user is summarily terminated from employment.
The general idea is to make sure that nothing that shouldn’t be disclosed or made public falls into unauthorized or unwanted hands. Thus, remote devices need to be secured to protect their communications with the organization and to protect the data and/or applications that belong to the organization. Ongoing monitoring, regular audits, and remediation as needed will make sure that these goals are met.