Secure Remote Access Best Practices

The COVID-19 virus outbreak, also known as the coronavirus, has caused major supply-chain disruptions for a wide range of industries around the world. Aerospace companies Airbus and Boeing, and automakers Tesla and G.M. both have closed production facilities while Apple announced that it may miss its quarterly revenue numbers, all due to the coronavirus.

COVID-19 has also resulted in major global employers, including technology companies Amazon, Google, Microsoft, Facebook and Twitter, requiring their employees and third-party contractors to work from home.

Request Trial Learn More

Secure Remote Access

Today, 43% of all U.S. employees work off-site at least part-time, according to Gallup’s State of the American Workplace report. Research also shows that employees believe working remotely is not a productivity hindrance while the majority of Americans feel that remote workers are just as productive as those who work in an on-site office.

With companies now adopting remote work en masse due to the coronavirus threat, online security has become a critical issue as organizations must protect their employees, third-parties and contractors, digital assets and customer data against not only the biological virus but also cyber criminals.

Business Continuity, Disaster Recovery, and the Coronavirus

In response to crises such as the coronavirus, organizations should have IT disaster recovery plans in place that have been developed simultaneously with business continuity plans. This includes business priorities and recovery time objectives for IT resources along with a business impact analysis. Technology recovery strategies should also be developed to restore hardware, applications and data in time to meet the needs of the business recovery in the event of an outage.

Secure remote access also plays a critical role when considering disaster recovery and business continuity as organizations must be flexible enough to enable remote work for a majority of all of their employees while still achieving normal workforce productivity despite external disruptions.

The coronavirus, a disruptive biological event, has forced organizations to shift their employees and IT resources so that they can function with work at home scenarios or in secure locations.

Banks and financial institutions have installed screens in securities traders’ homes to help slow and stop new coronavirus infections through employee isolation. And while investment bankers, engineers, IT staff, human resources, and senior management can work from home, workers such as traders or salespeople that must meet regulatory requirements are faced with technological limitations that must be solved.

Goldman Sachs, JPMorgan Chase, Morgan Stanley and Barclays’ business continuity planning all called for isolating and protecting employees in Asian countries at the coronavirus outbreak epicenter.

“We’re practicing,” said a senior executive at one large US bank. “You don’t want to wake up and find that the US has half a million cases and someone tells you to send everybody home.”

Now, to prevent banking employees from being quarantined globally over coronavirus, financial institutions are looking at spreading workers out between head offices and disaster recovery sites that have the same technical capabilities as their main sites, according to the Financial Times.

How to Implement Secure Remote Access

Many organizations let their employees, contractors, business partners, and vendors use enterprise remote access technologies to perform work remotely using organization-owned and bring your own device (BYOD) client devices that must be secured against data breaches and theft. Security concerns include the lack of physical security controls, the use of unsecured networks, connection of infected devices to internal networks, and the availability of internal resources to external hosts.

In addition, security policies and agreements with third-parties regarding device security cannot always be enforced, potentially leaving unsecured, malware-infected, and compromised devices connected to sensitive organizational resources.

Therefore, to secure organizations using remote access technologies and mitigate BYOD and third-party-controlled access risks to network resources, the National Institute of Standards and Technology (NIST) recommends that organizations implement the following controls:

Plan remote work-related security policies and controls based on the assumption that external environments contain hostile threats.

  • Organizations must assume those client devices used at external locations by employees and third-parties are susceptible to loss or theft and could be used by malicious actors to access data or use the devices to gain organizational network access.
  • Mitigating client device loss or theft includes encrypting device storage and sensitive data stored, and not storing sensitive data on client devices altogether. For mitigating device reuse threats, use strong and multi-factor authentication.

Develop a remote work security policy that defines telework, remote access, and BYOD requirements.

  • Remote work security policies should define remote access types, devices, and the type and access policies for remote workers.
  • The policies should also cover how remote access servers are administered and how their policies are updated.
  • Organizations should make risk-based decisions about what levels of remote access should be permitted from which types of client devices.

Ensure that remote access servers are secured effectively and are configured to enforce remote work security policies.

  • The security of remote access servers is particularly important because they provide a way for external hosts to gain access to internal resources, as well as a secured, isolated telework environment for organization-issued, third-party-controlled, and BYOD client devices.
  • In addition to permitting unauthorized access to enterprise resources and telework client devices, a compromised server could be used to eavesdrop on communications and manipulate them, as well as to provide a “jumping off” point for attacking other hosts within the organization.

Secure organization-controlled remote work client devices against common threats and maintain their security regularly.

  • Remote work client devices should include all local security controls used in an organization’s secure configuration baseline for its non-telework client devices.

If external device use (e.g., BYOD, third-party controlled) is permitted within the organization’s facilities, strongly consider establishing a separate, external, dedicated network for this use with remote access policies.

  • Allowing BYOD and third-party-controlled client devices to be directly connected to internal enterprise networks adds risk as these devices do not have the same security safeguards as the organization’s own devices.

NIST also recommends placing remote access servers at the network perimeter and defines four types of remote access methods:

  • Tunneling servers provide administrators control over the internal resources for remote worker access at the network perimeter.
  • Portal servers that run the application client software on the servers themselves. Placing them at the network perimeter because the remote access user is only running applications on the portal server, not on servers inside the network.
  • Remote desktop access does not involve remote access servers, so there is no issue with the placement of the remote access server.
  • Direct application access servers run the application server software on the servers themselves. Placing them at the network perimeter has a similar effect as the remote access user is only running applications on the direct application access server, not on servers inside the network.

Check Point’s Secure Remote Access Solution

Check Point enables organizations to meet NIST remote access security standards and more while easily managing least privilege access to internal resources with real-time, intelligent trust decisions based on defined policies and contextual data. Check Point’s zero trust architecture also restricts user access to authorized resources so that the right people have access to the right resources at the right time, without the need for a VPN.

With granular access control over and within each resource, based on the dynamic and contextual assessment of user attributes and device state, the zero trust solution provides a rich set of rules that can be enforced across all users, servers and enterprise data stores, including user commands and database queries.

The security of remote access servers, such as gateways and portal servers, is also important as they let external hosts access internal resources, as well as provide a secure, isolated remote work environment for organization-issued, third-party-controlled, and BYOD client devices.

Check Point provides several secure remote access options for remote workers including VPN Replacement, Third-party Access, Developer Access and Privileged Access Management (PAM) as well as application. database and remote desktop access that meets or exceeds NIST security controls.

VPN Replacement:

Companies no longer have corporate data centers serving a contained network of systems but instead, typically have some applications on-premises and some in the cloud with employees accessing these applications from a range of devices and multiple locations – including their living room, airport lounges, hotel conference rooms, and their local cafe.

This poses security challenges that were not an issue only a decade ago. Companies can no longer rely on perimeter-based security models that focus on letting good guys in and keeping bad guys out.

The zero-trust access solution is designed for the complexities of the modern digital environment. Privileged access to private company web applications is granted only once the user and device are fully authenticated and authorized at the application layer, eliminating implicit trust from the network.

Third-Party Access:

Freelancers and contractors are an integral part of today’s workforce. Managing their access to sensitive data at scale is a nearly impossible task, exposing companies to potential security risk. Perimeter-based solutions provide no visibility into user activity. Only 34% of companies know the number of individual log-ins that can be attributed to third-party vendors.

With Check Point, role-based controls allow administrators to easily provision and deprovision access to (and within) internal applications and limit access in both time and scope. Moreover, administrators receive full activity logs that provide visibility on all third party activity. Security teams no longer have to waste valuable time trying to set up and manage complex workflows.

Developer Access:

Today’s rapid pace of development and deployment increases the need for accessibility, which increases the risk of simple human error which can corrupt, delete, or drop valuable data from your database. But, traditional perimeter-based security methods often restrict the agility of development. As a result, developers are often given administrator privileges, which attackers can exploit to move laterally around your network.

Check Point eliminates the need to give developers such board access rights. Check Point integrates natively with database protocols, providing developers with a quick and secure connection to any database through their terminal. Any underlying security measures are indetectable. At the same time, Check Point’s role-based access controls allow administrators to easily provision and deprovision access to (and within) any database and limit a developer’s role down to “view only” completely blocking their ability to write, drop or alter the database.

Privileged Access Management (PAM):

Securing privileged access to servers has traditionally focused on key management. But managing, tracking, and rotating keys at scale is a nearly impossible task. Credential theft is still one of the most efficient and effective attack vectors with three out of four enterprises vulnerable to root-level attacks due to SSH mismanagement.

Check Point’s zero trust architecture secures privileged access to servers via a built-in PAM solution designed to eliminate the need for users to hold static credentials. Instead, users authenticate to a server using either a short-lived token or a public-private key pair, both of which are issued and managed through Check Point. The keys are rotated periodically and can be manually revoked at any time, instantly cutting off all access.

Additional benefits:

  • Agentless architecture for deployment in under three minutes with optional security certificates.
  • Granular access controls over and within each resource based on the dynamic and contextual assessment of user attributes and device state.
  • Policies can be enforced for all users, servers and enterprise data stores, including user commands and database queries.
  • Control over third-party access to and within any application, server, database or environment with monitoring, logging and alerting functions.
  • SSO for SSH keys are maintained in a central and secure location, eliminating manual management of static credentials and reducing the risk of lost or compromised keys.
  • Management and monitoring of database access with granular control over permissions.
  • Audit trails of user activity including server access executed commands and queried data, as well as fully recorded sessions.
×
  Feedback
This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.
OK