Remote Access Security: Risks & Best Practices

Yuki Arbel
April 16, 2020

Remote access has helped businesses function for decades. It makes it possible for mobile and dispersed workforces, including employees, contractors, partners, and vendors, to access corporate IT systems and data from anywhere, anytime. 

The rise of telework — 52% of global workers are said to work from home at least once a week — has had a big impact on remote access adoption, turning it into a staple for many companies. And now that COVID-19 is requiring almost anyone who can work from home to do so, the reliance on remote access is skyrocketing. And so are its inherent cybersecurity risks. 

The more people who use an internet connection or public Wi-Fi to access corporate information, the more mobile devices (PCs, tablets and phones) there are for cyber criminals to target. And you can bet that the vast majority of those devices aren’t as secure as their users think. 

Thanks to attack techniques such as phishing that are used to trick end-users into downloading malware, cybercriminals can easily infiltrate endpoint devices and wreak havoc on corporate systems and information. So it’s not surprising that Cisco’s 2020 CISO Benchmark Report found 52% of IT decision-makers believe it’s “very” or “extremely” challenging to defend mobile devices, and 41% say the same thing about securing network infrastructure.

Securing Remote Access: How Popular Best Practices Measure Up

Organizations that maintain their assets and systems within the corporate network (as opposed to cloud-based systems that can be accessed directly from the internet) need to get their employees to use VPNs for remote access. VPNs extend a private (corporate) network across a public network (the internet). They enable users to send and receive data as if their devices were directly connected to the corporate network, and they create a secure tunnel by encrypting data during the connection.

Most organizations that use VPNs implement a multi-layer line of defense to protect their corporate network and privileged assets. They implement network access controls through a combination of endpoint security measures, user authentication, and network security policy enforcement. Often, these include two-factor or multi-factor authentication, client certificates, least privilege policies, and operating system isolation. 

  • Two-Factor Authentication typically pairs something a user knows with something they have. For instance, end-users first enter their user name and password, and then enter a second temporary code, which is sent to their smartphone, before they can gain access. 
  • Multi-Factor Authentication adds extra steps in order to access areas of the network that contain sensitive information. This could include requiring users to answer a question like “what is your mother’s maiden name?” and using fingerprint technology on the user’s device. 
  • Least Privilege Security Policy limits users’ access rights to the resources absolutely necessary to do their jobs. This can help contain damage that results from human errors or unauthorized use. One of the challenges here is choosing who gets what access rights. It can be extremely difficult, even if you have a policy that specifies access by job function or role. 
  • Client Certificates installed on user devices use cryptography to attest to the identity of the device. This allows organizations to verify that access to systems and assets comes only from devices approved by the organization.
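
The temporary-code step from the two-factor bullet above, shown from the server's side as an added example (it is not code from Hysolate or from any VPN product). The function names, the five-minute lifetime, the five-guess limit and the in-memory store are assumptions made for illustration; delivery of the code to the smartphone is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window for the temporary code
MAX_ATTEMPTS = 5        # assumed number of guesses allowed per code
_pending = {}           # username -> digest, expiry, attempts (in-memory for the example)


def _digest(code):
    # Fixed-length bytes so compare_digest accepts any submitted string.
    return hashlib.sha256(code.encode("utf-8")).digest()


def issue_code(username, now=None):
    """Call only after the password check passed; returns the code to deliver
    to the user's smartphone. A new code replaces any earlier one."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, never the random module
    _pending[username] = {"digest": _digest(code),
                          "expires": now + CODE_TTL_SECONDS,
                          "attempts": 0}
    return code


def verify_code(username, submitted, now=None):
    """True only for the current, unexpired, unused code within the guess limit."""
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False  # nothing issued, or already used
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        del _pending[username]  # expired or guessed too often: force a re-issue
        return False
    entry["attempts"] += 1
    if hmac.compare_digest(entry["digest"], _digest(submitted)):
        del _pending[username]  # single use: a replayed code fails
        return True
    return False


if __name__ == "__main__":
    code = issue_code("alice")           # constructed user name
    print(verify_code("alice", code))    # first use
    print(verify_code("alice", code))    # replay of the same code
```

The three failure paths (expiry, replay, too many guesses) are what keep a six-digit code from being guessed or reused during a remote login.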

Even if your VPN is secured with the measures described above, an infected end-user device can grant a hacker access to your private network, as well as open the door to viruses and malware. VPNs also allow end-users to save sensitive corporate data to their device. 

Keep in mind that these end-users can include third-party vendors – recall the lessons of data breaches like Target’s, where bad actors stole a Target partner’s VPN credentials and 40 million of Target’s customer debit and credit card accounts were exposed. To limit what vendors can access, you might want to segment your networks with VLANs. 

So how do you ensure that using remote access doesn’t expose your corporate network to malware, and doesn’t allow sensitive data to leave the corporate network? More and more companies are turning to operating system isolation.

Operating System Isolation for Secure Remote Access

Operating system isolation platforms, like Hysolate’s, split a single physical endpoint into multiple, completely separate operating system environments. To secure remote access, dedicate one OS as the privileged environment that can only be used for accessing sensitive data and systems. Reserve a second OS for general corporate work. Allow it to be open to internet browsing and used for email and non-privileged information. 

If end-users try to use the wrong virtual OS for a particular task, Hysolate automatically redirects them to the correct one. You can also set policies in Hysolate specifying what users can and cannot cut and paste between the two operating systems. This ensures sensitive information doesn’t make its way onto the open VM. 

Any cyber criminals that breach the corporate OS are completely contained within it. They cannot reach the privileged OS or even see that it exists. You can also configure that corporate zone to be non-persistent so that it’s wiped clean at specified intervals for added protection.

Want to future-proof your attack mitigation? Learn how Hysolate makes privileged access workstations a reality without restricting user experience. Start your free trial here.

 

Yuki Arbel

An industry veteran with 20 years of IT, networking and cloud experience, Yuki serves as Hysolate's VP of Product Management. Yuki started his career at P-Cube, a networking startup that was later acquired by Cisco. After his position as system architect at Cisco, Yuki became CEO of Comsleep, an energy saving startup. Most recently, Yuki served as Head of Product for Nokia’s NFV infrastructure, driving telecom networks towards virtualization.