Original Release Date: 3/17/2020
For many organizations, telework programs have been in practice for years – whether as part of the organization’s everyday work program or as a component of their business continuity plans. For those organizations, policies, educational programs, technologies, and support services for the remote workforce are well established. For organizations engaging in telework for the first time, defining expectations is a good starting point. First, create a telework policy that addresses the following: the scope of the telework program, roles and responsibilities, eligibility to telework (not all jobs can be performed remotely), work hours and paid time-off, the suitability of the alternate workplace and its related safety requirements, responsibility for equipment and supplies, operating costs and expenses, and requirements for physical and information security.
In a traditional virtual private network (VPN), individuals use VPN client software to establish a secure connection to the organization’s internal network. VPNs are still widely used, but many remote users only require access to a set of web applications hosted within the organization’s network, not the entire internal network. IT departments should consider providing access to internal web applications via a portal where remote users authenticate. Similarly, software-as-a-service (SaaS) applications hosted in the cloud and virtualized applications hosted on premises are often good options for limiting remote access to only what is necessary for that user. Where VPN access is still required, organizations should scope it (for example, by restricting which internal networks and services each user group can reach) so that the principle of least privilege is maintained. Regardless of which remote access method you offer, multi-factor authentication (MFA) should be mandatory. Additionally, if remote devices are allowed to connect to your internal network, consider implementing a Network Access Control (NAC) solution to ensure only authorized devices are permitted to connect.
Many SaaS and virtualized applications may be securely accessed by remote users from their personal devices if certain security controls are implemented. To reiterate, MFA should be mandatory for remote access to any application, network, or service your organization provides to teleworkers. In addition, organizations must implement controls to ensure sensitive files and information are not downloaded to or stored on personal devices or personal cloud storage services. Sensitive data should be stored only on organizationally controlled devices or authorized cloud storage services. Cloud service providers often offer conditional access controls that prevent the download of data to unauthorized devices, and IT departments are advised to enforce these controls. For cloud services that do not provide the option to restrict the download of sensitive data, organizations are advised to implement a Cloud Access Security Broker (CASB) solution that provides these security controls.
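The two paragraphs above describe four controls that a remote-access decision has to combine: mandatory MFA, least-privilege scoping of which applications each user can reach, a NAC-style check that only managed devices join the internal network, and a conditional access rule that blocks downloads of sensitive data to unmanaged devices. The following is an added example, not code from the original advisory or from any product it mentions; it shows how those rules compose into a single decision, in evaluation order. The roles, application names, sensitive-app list and sample requests are all hypothetical.

```python
"""Added example: evaluate a remote-access request against the controls
described above (MFA, least-privilege app scope, NAC, conditional access).
All roles, application names and requests below are hypothetical."""
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical least-privilege scopes: each role sees only the apps it needs.
# "internal-network" stands for full VPN access to the internal network.
ROLE_APPS = {
    "finance": {"erp-web", "expense-portal"},
    "engineering": {"git-web", "ci-dashboard", "internal-network"},
    "sales": {"crm-saas"},
}

# Hypothetical set of apps holding sensitive data: downloads from these
# are permitted only to organizationally controlled (managed) devices.
SENSITIVE_APPS = {"erp-web", "expense-portal", "crm-saas", "git-web"}


@dataclass
class Device:
    managed: bool  # enrolled / organization-controlled, as a NAC check would verify


@dataclass
class Request:
    user: str
    role: str
    app: str
    action: str  # "view", "download" or "connect"
    mfa_verified: bool
    device: Device


def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Controls are checked in order and the first
    failing control denies the request, so MFA is never bypassed by a later rule."""
    if not req.mfa_verified:
        return False, "MFA required for all remote access"
    if req.app not in ROLE_APPS.get(req.role, set()):
        return False, f"{req.app!r} is outside the least-privilege scope of role {req.role!r}"
    if req.app == "internal-network" and not req.device.managed:
        return False, "NAC: only managed devices may connect to the internal network"
    if req.action == "download" and req.app in SENSITIVE_APPS and not req.device.managed:
        return False, "conditional access: sensitive data may not be downloaded to unmanaged devices"
    return True, "allowed"


# Constructed sample requests exercising each control once.
SAMPLE_REQUESTS = [
    Request("alice", "finance", "erp-web", "view", True, Device(managed=True)),
    Request("bob", "finance", "erp-web", "download", True, Device(managed=False)),
    Request("carol", "engineering", "internal-network", "connect", True, Device(managed=False)),
    Request("dave", "sales", "erp-web", "view", True, Device(managed=True)),
    Request("erin", "sales", "crm-saas", "view", False, Device(managed=True)),
    Request("frank", "engineering", "git-web", "view", True, Device(managed=False)),
]


def evaluate_all(requests: List[Request] = SAMPLE_REQUESTS) -> List[Tuple[str, str, str, bool, str]]:
    """Evaluate every request and return (user, app, action, allowed, reason)."""
    return [(r.user, r.app, r.action, *decide(r)) for r in requests]


if __name__ == "__main__":
    for user, app, action, allowed, reason in evaluate_all():
        print(f"{user:6} {action:8} {app:17} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Note that viewing a sensitive application from a personal device (frank) is still allowed while downloading from it (bob) is not, which is exactly the distinction the conditional access or CASB control in the text is meant to enforce.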
Whether a device is personally owned or organizationally owned, it is exposed to numerous risks when connecting to networks the organization does not control. Therefore, implementing strong security controls is paramount. This includes strong authentication, hardening the operating system, and applying the principle of least functionality to limit services, ports, and protocols to only those that are necessary. Protective technologies and measures should be implemented, including anti-virus/anti-malware software, endpoint detection and response software, web content filtering software, host-based firewalls, device and file encryption, and timely application of security patches. With a remote workforce, IT departments face a myriad of challenges in providing support, pushing security updates, and providing continuous monitoring and incident reporting and response services for remote devices and users.
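The least-functionality principle above is easiest to verify by comparing what a device actually listens on against a baseline. The following is an added example, not code from the original advisory: it parses output in the format of the Linux `ss -tuln` command and reports listening sockets that are not on an allowlist. The sample output and the allowlist are constructed for illustration; a real baseline would come from the organization’s hardening standard.

```python
"""Added example: least-functionality audit of listening sockets.
Parses text in the shape of `ss -tuln` (Linux) and flags listeners that
are not on a hypothetical allowlist. Sample data is constructed."""
from typing import List, Set, Tuple

# Constructed sample in the format of `ss -tuln`: Netid, State, Recv-Q,
# Send-Q, Local Address:Port, Peer Address:Port.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    [::]:22             [::]:*
tcp   LISTEN 0      511    127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:445         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*
"""

# Hypothetical baseline for a hardened remote laptop: SSH for remote
# support and the DHCP client port, nothing else reachable from the network.
ALLOWED: Set[Tuple[str, int]] = {("tcp", 22), ("udp", 68)}

LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_ss(output: str) -> List[Tuple[str, str, int]]:
    """Return (protocol, local_address, port) for each socket line.
    Splits on the last ':' so bracketed IPv6 addresses like [::]:22 parse correctly."""
    sockets = []
    for line in output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)
        sockets.append((proto, addr, int(port)))
    return sockets


def unexpected_listeners(output: str,
                         allowed: Set[Tuple[str, int]] = ALLOWED,
                         ignore_loopback: bool = True) -> List[Tuple[str, str, int]]:
    """Return listeners not covered by the allowlist. Sockets bound only to
    loopback are skipped by default, since they are not exposed to the
    untrusted network the device is connected to."""
    findings = []
    for proto, addr, port in parse_ss(output):
        if ignore_loopback and addr in LOOPBACK:
            continue
        if (proto, port) not in allowed:
            findings.append((proto, addr, port))
    return findings


if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

On the constructed sample this flags SMB (445), RDP (3389) and mDNS (5353) as exposed services that the baseline does not permit, while the CUPS listener bound to 127.0.0.1 is ignored; pass `ignore_loopback=False` to review loopback services as well.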
Additional best practices for cybersecurity can be found on the NJCCIC website at cyber.nj.gov.