With the COVID-19 outbreak upon us, people are being advised to work from home. In this month's ITL Bulletin, the focus is on telework, remote access and BYOD (bring your own device) solutions.
Telework, or telecommuting, is the ability of employees or other providers to perform work from locations other than an Organization's facility. Teleworkers use remote access to reach the Organization's non-public computing resources from outside its facilities.
Remote access methods commonly used by teleworkers include:
Tunneling – Using a VPN (virtual private network) gateway. Communication between the client device and the gateway is encrypted, so email clients, web browsers and other applications on the client can communicate securely with Organization servers. The most common types of VPN used for teleworking are IPsec (internet protocol security) and SSL (secure sockets layer) VPNs; SSL VPNs today actually run over TLS, the successor to SSL.
Portal – Most portals are web based and most portal clients are regular web browsers. The portal encrypts communication between the client devices and the portal itself. Most portals today are SSL VPNs.
Direct application access – A teleworker accesses an application directly, with the application providing its own security, such as its own authentication and encryption. Direct application access can be used from almost any client device.
Remote desktop access – A teleworker controls a desktop at the Organization remotely from a telework client device, typically using RDP (Microsoft Remote Desktop Protocol) or VNC (virtual network computing). The other remote access solutions described above offer superior security to remote desktop access; in particular, RDP and VNC services should not be exposed directly to the Internet but reached through one of those solutions, such as a VPN tunnel.
Security concerns include:
Lack of physical security controls – Telework client devices are used in many locations outside the Organization, which makes them more likely to be lost or stolen and places the data stored on them at risk of compromise.
Unsecured networks – Teleworkers commonly use networks the Organization does not control for remote access. Broadband and cellular networks are susceptible to eavesdropping and man-in-the-middle attacks.
Providing external access to internal-only resources – Exposes sensitive internal servers to external threats and to the risk of being compromised.
Recommendations for improving the security of telework and remote access solutions:
Plan telework-related security policies and controls on the assumption that external environments contain hostile threats: encrypt sensitive data stored on client devices, and use a separate network at the Organization for telework client devices so that a compromised client cannot reach the rest of the internal network directly.
Develop a telework security policy that defines telework, remote access and BYOD requirements. The telework security policy should define:
- Which forms of remote access the Organization permits
- Which types of telework devices are permitted to be used and
- The type of access each teleworker is granted
Ensure that remote access servers are secured effectively and configured to enforce the telework security policy. Remote access servers should be kept fully patched and managed only from trusted hosts by authorized administrators.
Secure organization-controlled telework client devices against common threats and maintain their security regularly: keep operating system updates applied and encrypt sensitive data stored on the devices.
In conclusion, ensure that internal resources accessed remotely are hardened against external threats and that access to them is kept to the minimum necessary.
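As an added example (not code from the NIST bulletin or from this post), the following Python script audits firewall connection logs for two of the conditions discussed above: remote desktop services (RDP, VNC) accepted from sources that did not arrive through the VPN's separate telework client network, and management ports on the remote access server reached from outside the administrators' network. The log format, the sample log lines and all addresses and network ranges are constructed assumptions for illustration.

```python
"""Audit firewall connection logs for remote access exposure.

Added example for this post; not code from the NIST bulletin.
Assumed log format (one connection per line):
    <timestamp> <src_ip> <dst_ip> <dst_port> <proto> <ACCEPT|DENY>
All addresses and network ranges below are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed network layout:
#  - teleworkers reach internal resources only through the VPN gateway, which
#    places them on a dedicated telework client network, separate from the
#    rest of the internal network
#  - the remote access server is managed on its internal address, and only
#    from the administrators' network
TELEWORK_CLIENT_NET = ipaddress.ip_network("172.20.0.0/16")
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
ADMIN_NET = ipaddress.ip_network("10.10.5.0/24")
RAS_MGMT_ADDR = ipaddress.ip_address("10.10.0.10")

REMOTE_DESKTOP_PORTS = {3389: "RDP", 5900: "VNC", 5901: "VNC"}
RAS_MGMT_PORTS = {22: "SSH", 8443: "admin web UI"}


@dataclass
class Finding:
    line_no: int
    kind: str
    src: str
    dst: str
    port: int
    detail: str


def parse_line(line):
    """Split one log line into typed fields; raises ValueError on malformed input."""
    ts, src, dst, port, proto, action = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto, action


def came_through_vpn(src):
    """True if the source is a VPN-assigned telework client or an internal host."""
    return src in TELEWORK_CLIENT_NET or src in INTERNAL_NET


def audit(lines):
    """Return a Finding for every accepted connection that violates the assumed policy."""
    findings = []
    for line_no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto, action = parse_line(line)
        if action != "ACCEPT":
            continue  # blocked attempts are not exposure
        if port in REMOTE_DESKTOP_PORTS and not came_through_vpn(src):
            findings.append(Finding(
                line_no, "remote-desktop-exposed", str(src), str(dst), port,
                f"{REMOTE_DESKTOP_PORTS[port]} reached from outside the VPN client and internal networks"))
        if dst == RAS_MGMT_ADDR and port in RAS_MGMT_PORTS and src not in ADMIN_NET:
            findings.append(Finding(
                line_no, "untrusted-admin-access", str(src), str(dst), port,
                f"{RAS_MGMT_PORTS[port]} on the remote access server reached from outside the admin network"))
    return findings


# Constructed sample log. 198.51.100.0/24 stands in for the Internet and
# 203.0.113.0/24 for the Organization's externally reachable hosts.
SAMPLE_LOG = """\
# constructed sample log
2020-03-16T09:01:12Z 198.51.100.7 203.0.113.20 3389 tcp ACCEPT
2020-03-16T09:02:40Z 172.20.3.14 10.20.0.55 3389 tcp ACCEPT
2020-03-16T09:03:05Z 198.51.100.9 203.0.113.20 5900 tcp DENY
2020-03-16T09:04:11Z 10.10.5.2 10.10.0.10 22 tcp ACCEPT
2020-03-16T09:05:22Z 172.20.7.3 10.10.0.10 22 tcp ACCEPT
2020-03-16T09:06:00Z 198.51.100.7 203.0.113.10 443 tcp ACCEPT
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.kind} {f.src} -> {f.dst}:{f.port} ({f.detail})")
```

Run against the sample, the script reports the RDP session accepted straight from the Internet (line 2) and the SSH session to the remote access server's management address from a telework client rather than an administrator host (line 6); the RDP session from the VPN client network, the denied VNC attempt and the HTTPS connection to the VPN gateway itself are all expected and produce no finding.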
A copy of the NIST bulletin can be found at the following location:
RRit Security can provide greater guidance on this topic: https://www.rritconsultants.com/