In the age of hybrid and remote work, remote access is a powerful enabler for organizations, allowing employees, contractors, business partners, vendors and other trusted parties to access company resources. Yet remote access also increases cybersecurity risk. It inadvertently provides relatively easy-to-compromise entry points into internal networks and systems, entry points that attackers know to seek out and exploit.
The following are 10 important secure remote access best practices, how to implement them and how they improve an organization's cybersecurity posture and reduce risk.
Have a remote access policy
The foundation of any remote access implementation is a comprehensive remote access policy. The policy should define the high-level requirements governing secure remote access, including acceptable use, and specify the potential consequences of violating any of those requirements. The policy should address the following topics, at a minimum:
The forms of remote access that the organization permits, such as VPNs.
The types of devices that can use each remote access form, for example, organization-issued laptops versus personally owned smartphones, and any other requirements those devices must meet.
The types of resources that can be used through remote access, with any limitations for particular remote access forms or device types.
Any requirements for acceptable use of remote access technologies that aren't already addressed in the organization's acceptable use policy.
Provide organization-issued devices for remote users whenever feasible
For years, BYOD, where users brought their own computers and mobile devices to access the organization's resources, was a huge trend. BYOD enabled telework for many users, but endpoint security suffered as a result. The organization could strictly control the security posture of its own devices, but had limited ability to control or even monitor the security of personally owned devices and other forms of BYOD.
To avoid this gap in security, equip remote users with company devices whenever feasible. This should include contractors and, in some cases, business partners and vendors. Eliminate BYOD, or strictly limit it to users who need access only to low-risk, publicly accessible resources.
Require use of a remote access server for internal resources
VPNs have anchored remote access servers for decades. A VPN provides a single, well-secured and monitored point of entry that enforces security policies on the users and devices attempting to use it.
Most VPN technologies provide a range of cybersecurity features, from authenticating users and devices to assessing device security posture before permitting access to internal resources. This is highly convenient for both users and administrators. The alternative would be for users to access each internal resource directly and individually, with administrators having to manage and monitor every step in the process.
In recent years, VPN alternatives have emerged, including secure access service edge (SASE) and zero-trust network access (ZTNA). Most organizations need at least one of these remote access technologies implemented to safeguard access to internal resources. Using a single VPN, SASE or ZTNA instance to access all resources can be complicated because many resources are cloud-based and publicly accessible. A common example is using SaaS to host email services. If an employee only needs to access email remotely, forcing them to connect through an appliance at headquarters would be cumbersome and inefficient. Alternatives are to allow direct access to low-risk cloud-based resources or to use cloud-based remote access services in addition to, or instead of, on-premises remote access appliances and software.
Perform cyber health checks on user endpoints
One of the biggest risks posed by remote access is compromised user devices. Once exploited, these devices provide attackers with direct access to and control over the organization's internal networks and systems.
To combat this, check users' endpoints for any compromises before they're permitted to use internal resources. VPN, SASE and ZTNA automatically perform cyber health checks on organization-issued devices and, to a lesser extent, on some BYOD devices.
Cyber health checks should assess the following, depending on the endpoint's OS:
If the endpoint is managed by the organization or is approved for BYOD use.
If the OS is up to date.
If antimalware software is running and is up to date.
If any other required security tools or configurations, such as host-based firewall rules, are enabled and properly configured.
That there are no signs of malware, exploit kits or other attack tools on the endpoint.
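The checklist above is what a VPN, SASE or ZTNA agent evaluates before it lets an endpoint reach internal resources. The following Python posture evaluator is an added example written for this article, not code from any product or from the author. The attribute names, the per-OS version baselines and the three-day signature-age limit are all assumptions chosen for illustration; a real agent reports its own attributes, and the baselines would come from the organization's patch policy. It records every failing check rather than stopping at the first, which is what a help desk needs in order to tell the user what must be fixed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed example of an endpoint posture evaluator. The field names,
# baseline versions and signature-age limit are assumptions chosen for
# illustration; a real VPN, SASE or ZTNA agent reports its own attributes.

@dataclass
class EndpointPosture:
    device_id: str
    managed: bool                 # enrolled in the organization's device management
    byod_approved: bool           # personally owned but explicitly approved for BYOD
    os_family: str                # "windows" or "macos" in this example
    os_version: str               # dotted version string reported by the agent
    antimalware_running: bool
    signature_age_days: int       # age of the antimalware signature set
    host_firewall_enabled: bool
    indicators_found: List[str] = field(default_factory=list)  # IoC hits from the agent's scan

# Minimum acceptable OS version per family (constructed baseline, not a vendor recommendation).
MIN_OS_VERSION: Dict[str, str] = {"windows": "10.0.19045", "macos": "14.4"}

def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '10.0.19045' into (10, 0, 19045) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def evaluate_posture(p: EndpointPosture, max_signature_age_days: int = 3) -> Tuple[bool, List[str]]:
    """Apply the health checks listed above and return (allowed, reasons).
    Every failing check is recorded, not just the first, so the user and the
    help desk can see everything that must be fixed before access is granted."""
    reasons: List[str] = []
    if not (p.managed or p.byod_approved):
        reasons.append("device is neither organization-managed nor approved for BYOD")
    baseline = MIN_OS_VERSION.get(p.os_family)
    if baseline is None:
        reasons.append(f"unsupported OS family: {p.os_family}")
    elif version_tuple(p.os_version) < version_tuple(baseline):
        reasons.append(f"OS version {p.os_version} is below required {baseline}")
    if not p.antimalware_running:
        reasons.append("antimalware software is not running")
    elif p.signature_age_days > max_signature_age_days:
        reasons.append(f"antimalware signatures are {p.signature_age_days} days old")
    if not p.host_firewall_enabled:
        reasons.append("host-based firewall is disabled")
    if p.indicators_found:
        reasons.append("indicators of compromise present: " + ", ".join(p.indicators_found))
    return (not reasons, reasons)

if __name__ == "__main__":
    # Constructed devices: one healthy managed laptop, one unmanaged and stale laptop.
    healthy = EndpointPosture("lap-0001", True, False, "macos", "14.5", True, 1, True)
    stale = EndpointPosture("lap-0002", False, False, "windows", "10.0.19044", False, 0, False,
                            ["unexpected-scheduled-task"])
    for device in (healthy, stale):
        allowed, why = evaluate_posture(device)
        print(device.device_id, "ALLOW" if allowed else "DENY", why)
```

The decision is deny-by-default: an unknown OS family is a failure rather than a pass, and the signature-age check only runs once antimalware is confirmed running, so a device never gets credit for fresh signatures on a product that is not active.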
Require MFA
Passwords alone are highly risky. An attacker can acquire a password through social engineering, phishing, guessing, performing brute-force attacks or reusing a compromised password from another account of the same user. Without verifying a second authentication factor that's not also "something you know," attackers who know any user's password could easily jump into the organization's internal network.
Require MFA for remote access to internal resources and, if feasible, require it for remote access to public-facing resources. MFA, especially when linked to single sign-on, simplifies the authentication process for users while also providing a much higher level of assurance that the user is who they claim to be. MFA doesn't have to include a password, and most users would be thrilled to reduce or minimize their use and management of passwords.
Encrypt all network communications from end to end
All remote access network traffic should be encrypted from end to end. VPN, SASE and ZTNA remote access technologies safeguard the confidentiality and integrity of network traffic transmitted between their platforms and user endpoints. Yet these platforms don't necessarily protect the network traffic as it passes between the remote access technologies and the systems and networks behind them.
Review network traffic flows associated with remote access, identify any communications passing unencrypted and determine which of those communications need protection. Ensure the necessary protection is put into place. This is most applicable to VPNs, which rarely extend protection past the VPN server itself. There are many options, including using proxy servers to encrypt traffic between the VPN and internal resources, and encrypting internal network segments at a low level to perhaps eliminate the need for higher-level encryption.
Consider implementing a zero-trust architecture
Zero-trust architecture is the principle of limiting access as tightly as possible. As the name implies, zero trust verifies that people and devices are trustworthy instead of assuming they are.
Zero-trust architecture involves numerous technologies working closely together to enforce zero trust throughout the entire enterprise. ZTNA, although not required for a zero-trust architecture, is a helpful component, but many other pieces are also needed, and they must be integrated and configured properly.
Transitioning to a zero-trust architecture often takes years of planning and phased rollouts before the entire architecture can be fully integrated and all policies enforced. Organizations considering using a zero-trust architecture to secure their remote access need to use other means to secure the remote access until the zero-trust architecture is fully deployed and operating in production.
Train all remote access users on secure remote access practices
Educate all remote access users about the importance of remote access security to reduce the risk of actions that could compromise the organization. Retrain users as remote access technologies and practices change. Offer periodic refreshers even when practices haven't changed significantly.
User training is not just for employees; it's also vital for contractors, business partners, vendors and anyone else who uses the organization's remote access technologies. Training should cover both physical and technical security practices. For example, advise users to never leave unlocked devices unattended in public areas, to deactivate personal assistants like Alexa and Siri during sensitive meetings and calls, and to never permit any family member to use the organization-issued computer or mobile device.
Restrict who can use remote access
It's often not prudent to automatically give everyone in the organization remote access. Unless remote access is truly needed, making it available to additional people increases the risk without providing a benefit.
Only provide remote access to those users who need it to perform their duties, and only do so after they've been trained on secure remote access practices and have read and signed the organization's remote access policy.
If possible, assign a separate user account to each person instead of permitting shared remote access accounts. This could be particularly challenging for vendors and other third parties that need remote access but don't have a specific person or small group performing those duties. Having a separate account for each person increases accountability.
Revoke remote access once it's no longer needed, especially if someone is leaving the organization under unfavorable circumstances, such as termination for cause. Remote access is sometimes misused by disgruntled users after they leave the organization to exfiltrate data, damage resources and cause outages, among other consequences.
Continuously monitor all remote access activity
It doesn't matter whether an organization adopts these secure remote access best practices if it doesn't also continuously monitor all remote access servers and all the activity involving those servers. Because these servers are key entry points into the organization, they're obvious targets for attackers. Their security is paramount.
Always monitor all remote access servers using security technologies and ensure human analysts are available to intervene immediately in the event of a potential attack or suspicious activity. Carefully monitor and analyze the remote access activity itself to identify anomalies and other indicators of compromise. For example, if a particular user attempts to connect from a far-flung corner of the world just a few hours after she was present at headquarters, this is a strong indication that the account might have been compromised. Or if a user begins downloading large volumes of data from internal servers onto his laptop, this could indicate an insider threat exfiltrating data or an attacker using a compromised laptop to harvest sensitive information from internal systems. Either way, unexpected activity requires further investigation so it can be stopped as soon as possible, especially if it's malicious.
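The two anomalies described above, a login from a distant location too soon after a login at headquarters and a burst of large downloads, are both detectable from remote access logs with simple arithmetic. The Python below is an added example written for this article, not the author's code or any SIEM product's rules. The event layout is an assumption (a real VPN log would be enriched with GeoIP coordinates first), the sample events are constructed, and the thresholds (roughly airliner speed for travel, 5 GiB in an hour for transfers) are illustrative starting points to be tuned per organization.

```python
import math
from datetime import datetime

# Constructed sample events. The field layout is an assumption for this example,
# not any VPN or SIEM product's log schema; coordinates would normally come
# from GeoIP enrichment of the client address.
LOGIN_EVENTS = [
    {"user": "alice", "ts": "2024-05-06T08:00:00Z", "lat": 38.90, "lon": -77.04, "src": "hq-wifi"},
    {"user": "bob",   "ts": "2024-05-06T08:10:00Z", "lat": 38.90, "lon": -77.04, "src": "hq-wifi"},
    {"user": "alice", "ts": "2024-05-06T11:30:00Z", "lat": 55.75, "lon": 37.62,  "src": "vpn"},
    {"user": "bob",   "ts": "2024-05-07T09:00:00Z", "lat": 40.71, "lon": -74.01, "src": "vpn"},
]
TRANSFER_EVENTS = [
    {"user": "alice", "ts": "2024-05-06T09:15:00Z", "bytes": 500 * 1024**2},
    {"user": "bob",   "ts": "2024-05-06T13:00:00Z", "bytes": 2 * 1024**3},
    {"user": "bob",   "ts": "2024-05-06T13:10:00Z", "bytes": 2 * 1024**3},
    {"user": "bob",   "ts": "2024-05-06T13:20:00Z", "bytes": 2 * 1024**3},
]

def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp; the trailing 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def group_by_user(events):
    """Bucket events per user, each bucket in chronological order."""
    by_user = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(e["user"], []).append(e)
    return by_user

def impossible_travel(events, max_speed_kmh: float = 1000.0):
    """Flag consecutive logins by one user that would require travelling faster
    than max_speed_kmh. Returns (user, speed_kmh, earlier_ts, later_ts) tuples."""
    alerts = []
    for user, evs in group_by_user(events).items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km == 0:
                continue                                   # same place, nothing to explain
            speed = km / hours if hours > 0 else math.inf  # same instant, different place
            if speed > max_speed_kmh:
                alerts.append((user, round(speed), prev["ts"], cur["ts"]))
    return alerts

def bulk_downloads(events, window_minutes: int = 60, threshold_bytes: int = 5 * 1024**3):
    """Flag a user whose transfers within any sliding window exceed threshold_bytes.
    Returns (user, bytes_in_window, window_start_ts, window_end_ts), one alert per user."""
    alerts = []
    for user, evs in group_by_user(events).items():
        start, total = 0, 0
        for e in evs:
            total += e["bytes"]
            # Slide the window forward until it spans at most window_minutes.
            while (parse_ts(e["ts"]) - parse_ts(evs[start]["ts"])).total_seconds() > window_minutes * 60:
                total -= evs[start]["bytes"]
                start += 1
            if total > threshold_bytes:
                alerts.append((user, total, evs[start]["ts"], e["ts"]))
                break  # one alert per user is enough to open an investigation
    return alerts

if __name__ == "__main__":
    for a in impossible_travel(LOGIN_EVENTS):
        print("impossible travel:", a)
    for a in bulk_downloads(TRANSFER_EVENTS):
        print("bulk download:", a)
```

In the sample data, alice's headquarters login followed three and a half hours later by a VPN login from roughly 7,800 km away implies a speed over 2,000 km/h and is flagged, while bob's next-day login from a nearby city is not; bob's three 2 GiB transfers inside twenty minutes trip the volume rule. Both detections are only as good as their inputs: GeoIP placement of VPN egress points and corporate proxies is a common source of false positives, so the alerts should feed an analyst queue rather than an automatic block.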
Karen Kent is the co-founder of Trusted Cyber Annex. She provides cybersecurity research and publication services to organizations and was formerly a senior computer scientist for NIST.