The Information Technology Laboratory (ITL) has issued a bulletin reiterating a National Institute of Standards and Technology's publication SP 800-46 revision 2, first issued in 2016, that set guidelines for securing enterprise telework, remote access and bring-your-own-device (BYOD).
Given that companies have turned to telework in light of the coronavirus pandemic, the alert, which summarizes key concepts and recommendations from SP 800-46 and is entitled Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions, is particularly relevant. It covers the following security measures:
- Developing and enforcing a telework security policy.
- Requiring multi-factor authentication for enterprise access.
- Using validated encryption technologies to protect stored communications and data.
- Ensuring that remote access servers are secured effectively and kept fully patched.
- Securing all types of telework client devices against common threats.
Here are 10 NIST recommendations to secure telework and remote access solutions:
- All the components of telework and remote access solutions, including client devices, remote access servers, and internal resources accessed through remote access, should be secured against expected threats.
- Plan telework-related security policies and controls based on the assumption that external environments contain hostile threats.
- Assume that external facilities, networks, and devices contain hostile threats that will attempt to gain access to the organization’s data and resources.
- Assume that malicious parties will gain control of telework client devices and attempt to recover sensitive data from them or leverage the devices to gain access to the enterprise network.
- A telework security policy should define which forms of remote access the organization permits, which types of telework devices are permitted to use each form of remote access, and the type of access each type of teleworker is granted.
- Organization should make their own risk-based decisions about what levels of remote access should be permitted from which types of telework client devices.
- Ensure that remote access servers are secured effectively and configured to enforce telework security policies.
- Ensure that remote access servers are kept fully patched and that they can only be managed from trusted hosts by authorized administrators.
- If possible, a server should be placed at an organization’s network perimeter so that it acts as a single point of entry to the network and enforces the telework security policy.
- Telework client devices should include all of the local security controls, such as applying operating system and application updates promptly, disabling unneeded services, and using anti-malware software and a personal firewall.
Conclusions
- Making an organization’s resources remotely accessible increases security risk.
- Organizations should carefully consider the balance between the benefits of providing remote access to additional resources and the potential impact of a compromise of those resources.
- Organizations should ensure that any internal resources they choose to make available through remote access for telework purposes are hardened against external threats and that access to the resources is limited to the minimum necessary.