Remote working, or teleworking, is one of the answers to get ahead of the coronavirus outbreak. While certain organizations have prepared for this, others are scrambling to enable this. To implement a remote working capability the right way, it needs to be done in a secure fashion.
The National Institute of Standards and Technology, or NIST, published in July 2016 a “Guide to Telework”, that was part of its special publication 800-46, revision 2. This article provides you with a synopsis of securely setting up teleworking for your organization. Use it as a checklist.
Telework and Remote Access Security
To stand up a teleworking capability securely, all the components of telework and remote access solutions, including client devices, remote access servers, and internal servers accessed through remote access, should be secured against a variety of threats. The most common threats are related to:
- Lack of physical security
- For example, the users’ homes, coffee shops, hotels and conference facilities lack the stringent access restrictions that your organization has in place
- Unsecured networks
- Broadband networks such as cable, wireless and cellular networks are susceptible to eavesdropping
- Infected devices on internal networks
- When allowing your employees to use their personal devices (Bring Your Own Device or BYOD) when accessing your internal network, e.g. personal mobile phones and personal laptops, these can already be infected by malware
Organizations should carefully consider the balance between the benefits of providing remote access to its systems which often contain confidential data and the potential impact of a compromise of this confidentiality data. Organizations should ensure that any confidential data it chooses to make available through remote access is hardened appropriately against external threats and that access is limited to the minimum necessary through firewalling and other access control mechanisms such as user authentication, encryption, client data security.
Remote Access Security Solutions
This section lists recommendations for securing remote access solutions.
- Remote Access Server Security
- The security of remote access servers, such as VPN gateways and portal servers, is particularly important because they provide a way for external hosts to gain access to internal resources, as well as a secured, isolated telework environment for organization-issued, third-party-controlled, and BYOD client devices.
- VPN gateways and portals can run many services and applications, such as firewalls, antimalware software, and intrusion detection software.
- The security of stored data is another important consideration for remote access server security. For portal servers that may temporarily store sensitive user data, wiping such data from the server as soon as it is no longer needed can reduce the potential impact of a compromise of the server.
- Remote Access Server Placement
- Organizations should carefully consider the placement of their remote access servers. Some remote access servers, such as VPN gateways, generally act as intermediaries between telework devices and the organization’s internal computing resources. Other hosts providing remote access services, such as direct application access and remote desktop access solutions, are true endpoints for remote access communications.
- Remote Access Authentication, Authorization and Access Control
- Most of the computing resources used through remote access are available only to an organization’s users, and often only a subset of those users. To ensure that access is restricted properly, remote access servers should authenticate each teleworker before granting any access to the organization’s resources, and then use authorization technologies to ensure that only the necessary resources can be used. Authentication can also be used to confirm the legitimacy of telework client devices and remote access servers. Access control technologies are also needed to restrict access to network communications and applications.
- Access Control for Applications
- Different types of remote access architectures offer different levels of granularity for application access control. Tunnels, portals, and direct application access are a few examples. Putting limits on which applications teleworkers can access does not necessarily prevent teleworkers from affecting other resources, because the applications being run may have access to other network resources.
Telework Client Device Security
Telework client devices can be divided into two general categories:
- Personal computers (PC), which are desktop and laptop computers
- Mobile devices, which are small mobile computers such as smartphones and tablets
One of the most important security measures for a telework PC is having a properly configured personal firewall installed and enabled. Another important consideration for telework PCs is applying OS and application security updates.
Other security measures for a telework PC that are particularly important include the following:
- Have a separate user account with limited privileges for each person that will use the telework PC.
- Enforce session locking, which prevents access to the PC after it has been idle for a period (such as 15 minutes) or permits the user to lock a session upon demand.
- Physically secure telework PCs by using cable locks or other deterrents to theft.
Many telework mobile devices can have their security managed centrally through enterprise mobile device management software. However, many devices will need to be secured manually. Examples to safeguard teleworking through mobile devices are:
- Limit the networking capabilities of mobile devices.
- For devices that face significant malware threats, run antimalware programs.
- Determine if the device manufacturer provides updates and patches; if so, ensure that they are applied promptly to protect the device from attacks against known vulnerabilities.
- Strongly encrypt stored data on both built-in storage and removable media.
- Require a password/passcode and/or other authentication before accessing the organization’s resources.
- Restrict which applications may be installed through whitelisting or blacklisting.
Telework often involves creating and editing work-related information such as email, word processing documents, and spreadsheets. Because that data is important, it should be treated like other important assets of the organization. Two things an organization can do to protect data on telework devices are to
- Secure it on the telework device
- Periodically back it up to a location controlled by the organization.
Sensitive information, as certain types of personally identifiable information (PII) (e.g., personnel records, medical records, financial records), that is stored on or sent to or from telework devices should be protected so that malicious parties cannot access or alter it.
All telework devices, regardless of their size or location, can be stolen. Some thieves may want to read the contents of the data on the device, and quite possibly use that data for criminal purposes. To prevent this, an organization should have a policy of encrypting all sensitive data when it is at rest on the device and on removable media used by the device.
The organization’s backup policy should cover data on telework PCs and mobile devices.
Telework and Remote Access Implementation Life Cycle
- Phase 1: Initiation. This phase includes the tasks that an organization should perform before it starts to design a telework or remote access solution. These include identifying needs for telework and remote access (including possible support for BYOD devices and/or third-party-controlled devices), providing an overall vision for how telework and remote access solutions would support the mission of the organization, creating a high-level strategy for implementing telework and remote access solutions, developing a telework security policy, and specifying business and functional requirements for the solution.
- Phase 2: Development. In this phase, personnel specify the technical characteristics of the telework or remote access solution and related components. These include the authentication methods; the cryptographic mechanisms used to protect communications; and firewalls and other mechanisms used to control access to networks and resources on those networks. The types of telework clients to be used should also be considered, since they can affect the desired policies. Care should be taken to ensure that the telework security policy can be employed and enforced by all clients. At the end of this phase, solution components are procured.
- Phase 3: Implementation. In this phase, equipment is configured to meet operational and security requirements, including the telework security policy documented in the system security plan, installed and tested as a prototype, and then activated on a production network. Implementation includes altering the configuration of other security controls and technologies, such as security event logging, network management, and authentication server integration.
- Phase 4: Operations and Maintenance. This phase includes security-related tasks that an organization should perform on an ongoing basis once the telework or remote access solution is operational, including log review, attack detection, and incident response and recovery. These tasks should be documented in the configuration management policy.
- Phase 5: Disposal. This phase encompasses tasks that occur when a remote access solution or its components are being retired, including preserving information to meet legal requirements, sanitizing media, and disposing of equipment properly.
Summary of Key Recommendations
The following list presents some of the key recommendations.
- To support confidentiality, integrity, and availability, all the components of telework and remote access solutions, including client devices, remote access servers, and internal servers accessed through remote access, should be secured against a variety of threats.
- Before designing and deploying telework and remote access solutions, organizations should develop system threat models for the remote access servers and the resources that are accessed through remote access.
- When planning telework security policies and controls, organizations should assume that client devices will be acquired by malicious parties who will either attempt to recover sensitive data from the devices or leverage the devices to gain access to the enterprise network.
- Organizations should plan their remote access security on the assumption that the networks between the telework client device and the organization cannot be trusted.
- Organizations should assume that client devices will become infected with malware and plan their security controls accordingly.
- Organizations should carefully consider the balance between the benefits of providing remote access to additional resources and the potential impact of a compromise of those resources. Organizations should ensure that any internal resources they choose to make available through remote access are hardened appropriately against external threats and that access to the resources is limited to the minimum necessary through firewalling and other access control mechanisms.
- When planning a remote access solution, organizations should carefully consider the security implications of the available remote access methods in addition to how well each method may meet operational requirements.
- Organizations considering permitting BYOD devices within the enterprise should strongly consider establishing a separate, external, dedicated network for BYOD use within enterprise facilities. Such a network may also be used for third-party-controlled client devices if desired.
Call to Action for CISOs
- Download a free copy of the NIST Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security.
- Participate in one of INTERPROM’s NIST Cybersecurity Framework certification training courses. The exam is administered by APMG.
- Conduct a self-assessment to raise awareness and/or identify information security gaps in your teleworking capabilities. Contact us for guidance on how you can do this relatively easy. Or have INTERPROM conduct it for you.
- Allow us to coach your key players of the ISMS such as your risk owners and your control owners. Or, even have us coach your Chief Information Security Officer (CISO) and/or his or her direct reports during the journey of standing up your secure teleworking capability.
Good luck with helping navigate your organization during its journey towards establishing a secure teleworking capability!