In the era of hybrid and remote work, remote access is an important factor for enterprises. Secure remote access to enterprise resources is critical for employees, suppliers, business partners, contractors, and other trusted parties. However, remote access capabilities also come with security risks: they can create access points to internal networks and systems that are relatively easy to compromise, and attackers deliberately look for and exploit such access points. Below you will find ten important best practices for secure remote access, information on their implementation, and explanations of how they improve an enterprise’s cybersecurity and mitigate risks.
Establish Remote Access Policies
The foundation of any remote access solution is a comprehensive remote access policy. This policy should establish general requirements for secure remote access, including acceptable use, and outline the possible consequences of violating these requirements. The policy should address at least the following topics:
The forms of remote access that the enterprise permits, such as VPNs.
The types of devices that can use the respective form of remote access—for example, company-provided laptops compared to personal smartphones—as well as any additional requirements that these devices must meet.
The types of resources that can be accessed via remote access, including any restrictions for specific forms of remote access or device types.
All requirements for acceptable use of remote access technologies not already addressed in the organization’s acceptable use policy.
Use Enterprise-Provided Devices
For years, BYOD was considered a major trend, allowing employees to use their own devices to connect to company IT. BYOD enables many users to work from home offices, but endpoint security suffers as a result. Enterprises can exercise fairly strict control over the security of their own devices. With personal devices, the scope of policies and controls is more limited.
To minimize this risk, remote users should primarily be equipped with company-owned devices. Depending on the implementation, this can also include contractors and partners. Therefore, it may be prudent to restrict BYOD to a very limited group.
Regulate Remote Access to Internal Resources
VPNs have been a mainstay of remote access for decades. A VPN provides a single, well-secured and monitored access point that enforces security policies for the users and devices attempting to connect through it.
Most VPN technologies offer a range of cybersecurity features. These range from authenticating users and devices to verifying the security status of devices before granting access to internal resources. This is extremely convenient for both users and administrators. The alternative would be for users to access each individual internal resource directly and separately, with administrators managing and monitoring every step of the process.
In recent years, VPN alternatives such as Secure Access Service Edge (SASE) and Zero-Trust Network Access (ZTNA) have emerged. Most enterprises need to implement at least one of these remote access technologies to secure access to internal resources. Accessing all resources through a single VPN, SASE, or ZTNA instance can prove complicated, as many resources are cloud-based and publicly accessible. A common example is the use of SaaS to host email services. If an employee only needs remote access to emails, forcing them to connect through an appliance at headquarters can be cumbersome and inefficient. Alternatives include allowing direct access to low-risk cloud-based resources or using cloud-based remote access services in conjunction with or instead of on-premises remote access appliances and software.
Scrutinize Endpoint Security
One of the biggest risks of remote access is compromised user devices. Once these devices are compromised, they give attackers direct access to and control over the enterprise’s internal networks and systems.
To counter this, user endpoints should be checked for compromise before they are permitted to use internal resources. VPN, SASE, and ZTNA automatically perform security checks on enterprise-provided devices and, to a lesser extent, on BYOD devices.
Depending on the operating system of the endpoint, security checks should verify the following:
Whether the endpoint is managed by the organization or is approved for BYOD use.
Whether the operating system is up to date.
Whether antimalware software is running and up to date.
Whether other required security tools or configurations, such as host-based firewall rules, are enabled and properly configured.
That the endpoint shows no signs of malware, exploit kits, or other attack tools.
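The five checks above can be turned into a posture gate that an access broker evaluates before a session is admitted. The following Python is an added illustration, not code from the article or from any VPN, SASE or ZTNA product: it assumes an endpoint agent submits a JSON posture report with the fields shown, and the patch-age threshold, signature-age threshold and resource tiers ("internal", "low_risk_saas") are invented policy values. It goes slightly beyond the list by tying the managed-versus-BYOD check to the sensitivity of the resource being requested, which is how the device-type restrictions from the remote access policy are usually enforced in practice.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy thresholds (assumed values for this example; tune to your own policy).
MAX_OS_PATCH_AGE = timedelta(days=30)
MAX_SIGNATURE_AGE = timedelta(hours=48)

# Which resource tiers demand an organization-managed device (assumed scheme).
# Approved BYOD devices only reach low-risk cloud resources; unknown tiers fail closed.
TIER_REQUIRES_MANAGED = {"internal": True, "low_risk_saas": False}


@dataclass
class Decision:
    allow: bool
    failures: list = field(default_factory=list)


def evaluate_posture(report: dict, resource_tier: str, now: datetime) -> Decision:
    """Return allow/deny plus every failed check, so the user can be told what to fix."""
    failures = []
    managed = report.get("managed_by_org") is True
    byod_ok = report.get("byod_approved") is True

    # 1. Managed by the organization, or approved for BYOD use?
    if not (managed or byod_ok):
        failures.append("device is neither organization-managed nor an approved BYOD device")
    if TIER_REQUIRES_MANAGED.get(resource_tier, True) and not managed:
        failures.append(f"resource tier '{resource_tier}' requires an organization-managed device")

    # 2. Operating system up to date?
    patched = datetime.fromisoformat(report["os_last_patched"])
    if now - patched > MAX_OS_PATCH_AGE:
        failures.append("operating system patches are older than policy allows")

    # 3. Antimalware running and up to date?
    av = report.get("antimalware") or {}
    if not av.get("running"):
        failures.append("antimalware is not running")
    else:
        signatures = datetime.fromisoformat(av["signatures_updated"])
        if now - signatures > MAX_SIGNATURE_AGE:
            failures.append("antimalware signatures are out of date")

    # 4. Other required security tooling, here the host-based firewall.
    if not report.get("host_firewall_enabled"):
        failures.append("host-based firewall is disabled")

    # 5. Signs of malware, exploit kits or attack tools reported by the agent.
    indicators = report.get("threat_indicators") or []
    if indicators:
        failures.append("active threat indicators: " + ", ".join(indicators))

    return Decision(allow=not failures, failures=failures)


# Constructed sample posture reports, shaped as an endpoint agent might submit them.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

HEALTHY_MANAGED = json.loads("""{
  "managed_by_org": true, "byod_approved": false,
  "os_last_patched": "2024-05-20T08:00:00+00:00",
  "antimalware": {"running": true, "signatures_updated": "2024-06-01T02:00:00+00:00"},
  "host_firewall_enabled": true, "threat_indicators": []
}""")

STALE_BYOD = json.loads("""{
  "managed_by_org": false, "byod_approved": true,
  "os_last_patched": "2024-03-01T08:00:00+00:00",
  "antimalware": {"running": true, "signatures_updated": "2024-05-25T02:00:00+00:00"},
  "host_firewall_enabled": false, "threat_indicators": []
}""")

if __name__ == "__main__":
    for name, report in (("managed laptop", HEALTHY_MANAGED), ("personal laptop", STALE_BYOD)):
        for tier in ("internal", "low_risk_saas"):
            d = evaluate_posture(report, tier, NOW)
            print(f"{name} -> {tier}: {'ALLOW' if d.allow else 'DENY'} {d.failures}")
```

The decision deliberately collects every failure rather than stopping at the first one: a user who is denied because of an old OS and a disabled firewall should be told both, or the help desk will see the same device bounce twice.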
Implement Multi-Factor Authentication
Traditional login with username and password poses a high security risk. An attacker can obtain a password through social engineering, phishing, guessing, brute-force attacks, or reusing a compromised password from another account of the same user. Without verification of a second authentication factor that is not also something you know, attackers who know any user’s password could easily penetrate the enterprise’s internal network.
Establish two-factor authentication or multi-factor authentication (MFA) for remote access to internal resources, and if possible, also for remote access to publicly accessible resources. MFA simplifies the authentication process for users, particularly when combined with single sign-on, while providing a significantly higher level of security that the user is actually who they claim to be.
Today’s MFA logins can be implemented in a user-friendly way and need not involve a password at all. Employees will appreciate being able to reduce or minimize the use and management of passwords.
Encrypt All End-to-End Network Communication
All network traffic for remote access should be continuously encrypted. Remote access technologies such as VPN, SASE, and ZTNA ensure the confidentiality and integrity of network traffic transmitted between their platforms and user endpoints. However, these platforms do not necessarily protect network traffic when it is transmitted between the remote access technologies and the systems and networks behind these frameworks.
Review the network data flows associated with remote access, identify which data is transmitted unencrypted, and determine which of this data must be protected. Ensure that the necessary protective measures are taken. This is particularly important for VPNs, whose scope of protection rarely extends beyond the VPN server itself. There are numerous options, including using proxy servers to encrypt traffic between the VPN and internal resources and enc
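The review described here, walking each remote-access data flow hop by hop and flagging the segments that neither the tunnel nor the application protocol protects, can be scripted against a flow inventory. The Python below is an added example, not from the article: the flow records, host names and the three-level classification scheme are constructed for illustration, and a real run would load the inventory from the enterprise's own network documentation or flow telemetry.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    src: str
    dst: str
    protocol: str
    encrypted: bool        # the hop's own protocol provides confidentiality (TLS, SSH, IPsec ...)
    inside_tunnel: bool    # the hop is carried inside the VPN/SASE/ZTNA tunnel


@dataclass
class Flow:
    name: str
    classification: str    # "public", "internal" or "confidential" (assumed scheme)
    hops: list


# Severity of an exposed segment follows the data classification (assumed mapping).
SEVERITY = {"confidential": "high", "internal": "medium", "public": "low"}


def exposed_segments(flow: Flow) -> list:
    """Segments that are protected neither by the tunnel nor by their own encryption."""
    return [h for h in flow.hops if not (h.inside_tunnel or h.encrypted)]


def audit(flows: list) -> list:
    """Produce findings ordered by severity, one per unprotected segment."""
    findings = []
    for flow in flows:
        for hop in exposed_segments(flow):
            findings.append({
                "flow": flow.name,
                "segment": f"{hop.src} -> {hop.dst}",
                "protocol": hop.protocol,
                "severity": SEVERITY.get(flow.classification, "medium"),
            })
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


# Constructed inventory: the VPN tunnel ends at the gateway, so everything
# behind it must carry its own encryption.
FLOWS = [
    Flow("HR portal", "confidential", [
        Hop("remote-laptop", "vpn-gateway", "IPsec", True, True),
        Hop("vpn-gateway", "hr-web", "HTTP", False, False),
        Hop("hr-web", "hr-db", "PostgreSQL without TLS", False, False),
    ]),
    Flow("Wiki", "internal", [
        Hop("remote-laptop", "vpn-gateway", "IPsec", True, True),
        Hop("vpn-gateway", "wiki", "HTTPS", True, False),
    ]),
    Flow("Email (SaaS, direct)", "confidential", [
        Hop("remote-laptop", "mail.example-saas.test", "HTTPS", True, False),
    ]),
    Flow("Public status page", "public", [
        Hop("remote-laptop", "vpn-gateway", "IPsec", True, True),
        Hop("vpn-gateway", "status-web", "HTTP", False, False),
    ]),
]

if __name__ == "__main__":
    for f in audit(FLOWS):
        print(f"[{f['severity']:6}] {f['flow']}: {f['segment']} ({f['protocol']})")
```

In the constructed inventory the HR portal produces two high-severity findings (both segments behind the gateway are plaintext), the wiki and the direct SaaS email flow produce none, and the public status page produces one low-severity finding that may be accepted as is.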