Today, every organization, big or small, is looking for a way to increase the productivity of its employees. They offer employees various kinds of flexibility options to help them achieve the much sought-after work-life balance. One such option is providing remote access to the corporate network. Through this functionality employees can access their office resources from anywhere in the world. Due to the ease and benefits of providing remote connectivity, many companies have shifted to a virtual office, wherein employees can work from their home.
Though a useful technology, remote access comes with its own set of risks. For example, organizations have no control over the network their employees are connecting from, which exposes the corporate network to the risk of malware infection, data theft, etc. In order to make life simpler, most organizations implement a Remote Access Policy (RAP) and associated standards and procedures which ensure the security of their corporate network. It is essential that the RAP is comprehensive and defines adequate controls to address the risks associated with this technology. Below we mention a few elements which every RAP should have, at minimum.
Remote access should be treated as a superpower. Not everybody gets it, only the chosen few. A RAP should clearly define the criteria to provide remote access to an employee. For example, an organization may decide to give remote access to employees who are at a particular designation / grade or above it.
Remote access is a potential weapon in the hands of a disgruntled ex-employee. Therefore, it is essential that organizations conduct a periodic review of active accounts with remote access capabilities. The review should check for accounts of employees who have left the organization or have been terminated, dormant accounts, etc. The frequency of this review should be defined in the RAP.
Since a connection could originate from any corner of the world, organizations must ensure that proper authentication mechanisms have been employed. Most remote access solutions support two-factor authentication. A RAP should state the baseline authentication requirements.
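The account review described above can be turned into a repeatable check rather than a manual spreadsheet exercise. The following is an added example, not code from the original post: it reconciles an export of remote-access accounts against an HR roster and flags leavers, accounts with no HR record, never-used accounts and dormant ones. The field names, the 90-day dormancy threshold and the sample data are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (assumed field names): remote-access accounts as a
# VPN gateway might export them, with the last successful login as an ISO date.
REMOTE_ACCESS_ACCOUNTS = [
    {"user": "alice", "last_login": "2024-05-20"},
    {"user": "bob",   "last_login": "2024-01-03"},   # no login for months
    {"user": "carol", "last_login": "2024-05-28"},
    {"user": "dave",  "last_login": None},           # never used
    {"user": "erin",  "last_login": "2024-05-30"},
]

# Constructed HR roster: employee -> employment status.
HR_ROSTER = {
    "alice": "active",
    "bob": "active",
    "carol": "terminated",   # left the organization, account still enabled
    "dave": "active",
    # "erin" has no HR record at all
}


def review_accounts(accounts, roster, today, dormant_days=90):
    """Return (user, reason) findings for accounts that should be revoked or
    investigated. `today` is an ISO date string; dormancy threshold in days."""
    today = date.fromisoformat(today)
    cutoff = today - timedelta(days=dormant_days)
    findings = []
    for acct in accounts:
        user = acct["user"]
        status = roster.get(user)
        # Leavers and unknown identities: the account outlived its owner.
        if status is None:
            findings.append((user, "no HR record"))
        elif status != "active":
            findings.append((user, f"HR status {status}"))
        # Dormancy: unused capability is pure risk, so flag it too.
        last = acct["last_login"]
        if last is None:
            findings.append((user, "never logged in"))
        elif date.fromisoformat(last) < cutoff:
            findings.append((user, f"dormant since {last}"))
    return findings


def accounts_to_revoke(findings):
    """Distinct users that appear in the findings, for the revocation ticket."""
    return sorted({user for user, _ in findings})


if __name__ == "__main__":
    for user, reason in review_accounts(REMOTE_ACCESS_ACCOUNTS, HR_ROSTER, "2024-06-01"):
        print(f"{user}: {reason}")
```

The review deliberately produces one finding per problem rather than one per account, so an account that is both terminated and dormant is visible for both reasons in the audit trail.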
Role-based user classification
It is a good practice to define roles and associated access before providing remote access to employees. It helps organizations implement the principle of least privilege on remote access. For example, an employee in the marketing department wouldn't require access to finance applications. A remote access profile based on the requirements defined by the marketing department would ensure that employees in this department get access to marketing-related applications only.
Most remote access clients have the capability to assess an endpoint’s security posture before granting access. Clients can check for outdated anti-virus signatures, missing patches, account privileges etc. This feature makes sure that unsecured endpoints stay away from the network.
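The two preceding sections, role-based profiles and endpoint posture assessment, are usually enforced at the same point: the gateway decides whether a connection may proceed and what it may reach. The following is an added example, not code from the original post or any vendor's product, showing that decision logic for a single request. The role profiles, the posture baseline (signature age, missing critical patches, local administrator rights) and the sample posture reports are constructed assumptions.

```python
import ipaddress
from datetime import date

# Constructed role profiles: destination networks and ports each role may reach.
# Addresses and role names are assumptions for illustration.
ROLE_PROFILES = {
    "marketing": [("10.10.0.0/24", {443})],          # marketing web apps only
    "finance":   [("10.20.0.0/24", {443, 1433})],    # finance apps and database
    "it-admin":  [("10.0.0.0/8", {22, 443, 3389})],  # broad, for administrators
}

# Assumed posture baseline the gateway enforces.
MAX_SIGNATURE_AGE_DAYS = 3
MAX_MISSING_CRITICAL_PATCHES = 0


def posture_failures(report, today):
    """List the reasons an endpoint report fails the baseline (empty = healthy).
    Dates are ISO strings; the report fields are assumed names."""
    today = date.fromisoformat(today)
    reasons = []
    sig_age = (today - date.fromisoformat(report["av_signature_date"])).days
    if sig_age > MAX_SIGNATURE_AGE_DAYS:
        reasons.append(f"anti-virus signatures {sig_age} days old")
    if report["missing_critical_patches"] > MAX_MISSING_CRITICAL_PATCHES:
        reasons.append(f"{report['missing_critical_patches']} critical patches missing")
    if report["user_is_local_admin"]:
        reasons.append("user runs with local administrator rights")
    return reasons


def role_permits(role, dest_ip, dest_port):
    """Least privilege: allow only destinations listed in the role's profile."""
    addr = ipaddress.ip_address(dest_ip)
    for cidr, ports in ROLE_PROFILES.get(role, []):
        if addr in ipaddress.ip_network(cidr) and dest_port in ports:
            return True
    return False


def decide(role, report, dest_ip, dest_port, today):
    """Gateway decision: posture is checked first, then the role profile.
    Returns ("allow", []) or ("deny", [reasons...])."""
    reasons = posture_failures(report, today)
    if reasons:
        return ("deny", reasons)
    if not role_permits(role, dest_ip, dest_port):
        return ("deny", [f"role {role} has no access to {dest_ip}:{dest_port}"])
    return ("allow", [])


# Constructed posture reports for two endpoints.
HEALTHY_ENDPOINT = {"av_signature_date": "2024-05-31", "missing_critical_patches": 0,
                    "user_is_local_admin": False}
STALE_ENDPOINT = {"av_signature_date": "2024-05-20", "missing_critical_patches": 2,
                  "user_is_local_admin": True}

if __name__ == "__main__":
    print(decide("marketing", HEALTHY_ENDPOINT, "10.10.0.15", 443, "2024-06-01"))
    print(decide("marketing", HEALTHY_ENDPOINT, "10.20.0.7", 443, "2024-06-01"))
    print(decide("marketing", STALE_ENDPOINT, "10.10.0.15", 443, "2024-06-01"))
```

Posture is evaluated before the role profile on purpose: an unhealthy endpoint is denied outright, so it never learns which destinations its user's role would otherwise have been granted.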
A RAP should also define the encryption standards that need to be followed when implementing and granting remote access. It should be kept in mind that the best encryption standard might not necessarily be the most feasible option. Depending on the volume of remote connections and the scalability of the solution, organizations might have to make a trade-off between the best and the most feasible.
Monitoring and logging
As I said before, remote access is a superpower. This superpower can easily turn into an organization's biggest nightmare if they let their employees loose with it. Monitoring ensures that the organization knows what employees are doing with this power. It helps them maintain compliance with the information security policy. A logfile makes sure that all footsteps are recorded and can be traced back to an employee, if required.
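Tracing a footstep back to an employee only works if the log records enough to pair the tunnel address seen on the internal network with the session that held it at that moment. The following is an added example, not code from the original post: it parses constructed VPN gateway log lines (the line format and field names are assumptions), pairs session start and end events, and answers the incident-response question "who was behind this tunnel address at this time?". The sample deliberately reuses one tunnel address for two employees in turn, which is why the lookup must honour timestamps and not just the address.

```python
import re
from datetime import datetime

# Constructed VPN gateway log lines; the format is an assumption for this example.
LOG_LINES = """\
2024-06-03T08:01:12Z vpn-gw session=start user=alice src=203.0.113.5 tunnel_ip=10.200.0.11
2024-06-03T08:05:40Z vpn-gw session=start user=bob src=198.51.100.9 tunnel_ip=10.200.0.12
2024-06-03T09:30:02Z vpn-gw session=end user=alice tunnel_ip=10.200.0.11 bytes=48211
2024-06-03T09:31:10Z vpn-gw session=start user=carol src=203.0.113.77 tunnel_ip=10.200.0.11
2024-06-03T11:02:55Z vpn-gw session=end user=bob tunnel_ip=10.200.0.12 bytes=901233
2024-06-03T12:00:00Z vpn-gw session=end user=carol tunnel_ip=10.200.0.11 bytes=1200
2024-06-03T13:15:00Z vpn-gw session=start user=dave src=198.51.100.20 tunnel_ip=10.200.0.13
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn-gw session=(?P<event>start|end) (?P<kv>.*)$")
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_sessions(text):
    """Pair start/end events into session records keyed by (user, tunnel_ip).
    Sessions without an end event are returned with end=None (still open)."""
    open_sessions = {}
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line; a real parser would count these
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
        kv = dict(field.split("=", 1) for field in m.group("kv").split())
        key = (kv["user"], kv["tunnel_ip"])
        if m.group("event") == "start":
            open_sessions[key] = {"user": kv["user"], "tunnel_ip": kv["tunnel_ip"],
                                  "src": kv["src"], "start": ts, "end": None}
        else:
            session = open_sessions.pop(key, None)
            if session is not None:
                session["end"] = ts
                session["bytes"] = int(kv.get("bytes", 0))
                sessions.append(session)
    sessions.extend(open_sessions.values())
    return sessions


def who_had(tunnel_ip, at, sessions):
    """Attribute a tunnel address at ISO time `at` to the employee whose session
    held it then; None if nobody did. Open sessions count as still active."""
    at = datetime.strptime(at, TS_FORMAT)
    for s in sessions:
        if s["tunnel_ip"] != tunnel_ip:
            continue
        if s["start"] <= at and (s["end"] is None or at < s["end"]):
            return s["user"]
    return None


def sessions_per_user(sessions):
    """Count of sessions per employee, a simple input for a periodic review."""
    counts = {}
    for s in sessions:
        counts[s["user"]] = counts.get(s["user"], 0) + 1
    return counts


if __name__ == "__main__":
    sessions = parse_sessions(LOG_LINES)
    print(who_had("10.200.0.11", "2024-06-03T09:00:00Z", sessions))  # alice
    print(who_had("10.200.0.11", "2024-06-03T10:00:00Z", sessions))  # carol
```

The same session table feeds both halves of this section: the lookup supports monitoring and incident response, and the per-user counts are a cheap input to the compliance review the policy calls for.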
Uday Mittal (OSCP, Associate CISSP, DCPP) is the founder of Yaksas CSC. He has over 4 years of experience in dealing with various issues related to cyber security. He is actively working towards educating people on cyber security risks and steps to mitigate them. He’s also a member of (ISC)2, ISACA and DSCI.