During the COVID-19 pandemic, many companies have been required to set up their employees to work remotely. This includes not only employees but also contractors, business partners, vendors, and other users performing work from locations other than the organization's facilities. Remote workers use a variety of client devices, such as desktop and laptop computers, smartphones, and tablets, to read and send email, access websites, review and edit documents, and perform many other tasks. Most teleworkers use remote access, which is the ability of an organization's users to reach its non-public computing resources from locations outside the organization's facilities.
To ensure your security posture remains strong while supporting remote workers, some key actions include:
- Create a telework policy
  - Create, or review and update, a telework security policy that defines the forms of remote access the organization permits, the types of telework devices permitted for company work under each form of remote access, and how user account provisioning should be handled.
  - Periodically reassess the policy's accepted devices and consider updating the permitted client devices and the levels of access they may be granted.
  - Regularly perform the operational processes needed to maintain telework and remote access security, such as deploying updates, verifying clock synchronization, reconfiguring access control features as needed, and detecting and documenting anomalies within the remote access infrastructure.
- Encrypt sensitive information and manage sensitive data securely
  - Sensitive information, such as certain types of PII (e.g., personnel records, medical records, financial records), that is stored on or sent to or from telework devices should be protected so that malicious parties cannot access or alter it.
  - Create or review a policy of encrypting all sensitive data when it is at rest on the device and on any removable media the device uses. The creation and use of cryptographic keys for encrypting remote data at rest should follow the same policies the organization applies to other keys that protect data at rest.
- Designate and secure specific remote work devices
  - Give each person who will use the telework PC a separate user account with limited privileges. Remote workers should use their limited-privilege account for regular work and a separate administrative account only for tasks that require administrator-level access, such as some software updates. This reduces the likelihood of an attacker gaining administrator-level access to the PC.
  - Enforce session locking, which blocks access to the PC after it has been idle for a set period (such as 15 minutes) and also lets the user lock the session on demand. Once a session is locked, access to the PC can be restored only by authenticating again.
- Employ user authentication
  - Whenever feasible, organizations should implement two-factor authentication for remote access, so that a stolen or guessed password alone does not grant access.
- Set up a VPN
  - Carefully consider the security of any remote access solution that runs a remote access server on the same host as other services and applications.
  - Review existing, or carefully plan new, remote access client software to ensure that optimal security can be maintained and managed.
  - Plan or evaluate how the telework client devices provided to teleworkers will be managed and supported. Organizations should ensure that remote management is properly secured, in particular by encrypting network communications and performing mutual authentication of the endpoints.
  - To restrict access properly, remote access servers should authenticate each teleworker before approving any access to the organization's resources, and then use authorization technologies to ensure that only the necessary resources can be used.
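The last three points above (two-factor authentication, authenticate-then-authorize on the remote access server, and idle-session locking) fit together in one piece of gateway logic. The following is an added example, not code from the original page or from any product it describes: a minimal remote-access gateway that checks a salted PBKDF2 password hash and an RFC 6238 TOTP code, and only then answers per-resource authorization requests, locking the session after 15 idle minutes. The user table, the resource names, the salt and the TOTP secret (the RFC 6238 test-vector key) are all constructed for illustration.

```python
"""Added example: authenticate (password + TOTP), then authorize each request,
with an idle-session lock. All users, secrets and resource names are constructed."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass

TOTP_STEP = 30              # RFC 6238 time step in seconds
TOTP_DIGITS = 6
IDLE_LOCK_SECONDS = 15 * 60   # lock the session after 15 minutes without activity


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256); passwords are never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // TOTP_STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** TOTP_DIGITS).zfill(TOTP_DIGITS)


def totp_matches(secret: bytes, code: str, unix_time: int) -> bool:
    """Accept the current step plus one step either side to tolerate small clock skew."""
    return any(hmac.compare_digest(totp(secret, unix_time + skew * TOTP_STEP), code)
               for skew in (-1, 0, 1))


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    allowed: frozenset   # resources this user is authorized to reach


@dataclass
class Session:
    username: str
    last_activity: int


class Gateway:
    """Authenticate first, then authorize every resource request against that identity."""

    def __init__(self, users: dict, clock=time.time):
        self.users = users
        self.clock = clock   # injectable so tests can control time

    def authenticate(self, username: str, password: str, code: str):
        now = int(self.clock())
        user = self.users.get(username)
        # Run the KDF even for unknown users so timing does not reveal valid usernames.
        salt = user.salt if user else b"\x00" * 16
        candidate = hash_password(password, salt)
        pw_ok = user is not None and hmac.compare_digest(candidate, user.pw_hash)
        mfa_ok = user is not None and totp_matches(user.totp_secret, code, now)
        if not (pw_ok and mfa_ok):
            return None          # both factors must succeed; do not say which failed
        return Session(username, now)

    def authorize(self, session: Session, resource: str) -> str:
        """Return 'locked', 'denied' or 'allowed' for a resource request on a session."""
        now = int(self.clock())
        if now - session.last_activity > IDLE_LOCK_SECONDS:
            return "locked"      # idle too long: the caller must re-authenticate
        session.last_activity = now
        if resource not in self.users[session.username].allowed:
            return "denied"
        return "allowed"


# Constructed sample user; the TOTP secret is the RFC 6238 test-vector key.
_SALT = b"constructed-salt"
USERS = {
    "alice": User(salt=_SALT,
                  pw_hash=hash_password("correct horse battery staple", _SALT),
                  totp_secret=b"12345678901234567890",
                  allowed=frozenset({"fileshare", "mail"})),
}

if __name__ == "__main__":
    fake_clock = [59]   # RFC 6238 vector: t=59 gives code 287082 for this secret
    gw = Gateway(USERS, clock=lambda: fake_clock[0])
    session = gw.authenticate("alice", "correct horse battery staple", "287082")
    print("authenticated:", session is not None)
    print("fileshare:", gw.authorize(session, "fileshare"))
    print("hr-db:", gw.authorize(session, "hr-db"))
    fake_clock[0] += 16 * 60
    print("after 16 idle minutes:", gw.authorize(session, "fileshare"))
```

The clock is injected rather than read from `time.time()` directly so the idle-lock path can be exercised deterministically; a real gateway would also bind the session to the client device and record the denied and locked outcomes for the anomaly detection the policy section calls for.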