Secure Remote Access: Risks, Auditing, and Best Practices
What is Secure Remote Access?
Remote access is the ability of authorized personnel to access a computer or network from a geographical distance, through a network connection. This is especially important for branch office workers, business travelers and employees working from home.
With remote access, users can access files and other system resources from any connected device (as long as it is supported by the remote access system), increasing employee productivity and allowing them to more easily collaborate with colleagues.
Remote access must be secured to prevent unauthorized access to company resources. This involves securing the remote access protocol itself, ensuring that users do not share credentials or use weak passwords, and securing the devices used to connect remotely, including bring your own device (BYOD). Remote access security was always important, but as more and more employees work remotely, it is becoming a primary concern for most organizations.
The Importance of Secure Remote Access
When employees work remotely, the nature and scope of cybersecurity threats change. New types of risks are emerging, including:
- Workers relying on home computers (very often infected with malware, even if not explicitly targeted by attackers), home routers, personal mobile devices, and insecure Wi-Fi networks, all of which can be easily compromised by attackers, yet are difficult for corporate IT staff to manage and protect.
- When employees connect to a corporate system or storage resource, the data must be transferred through a public Internet connection. If the transfer protocol is not properly protected, third parties can eavesdrop on the connection and steal sensitive information.
- Working from home requires employees to adopt a broader set of tools, such as remote desktop protocol (RDP) and virtual private network (VPN) clients, increasing the attack surface and creating new potential security vulnerabilities.
- Phishing attacks, while not unique to remote workers, can be more effective when employees are working remotely. Employees may be distracted, using the device during off hours, or sharing their devices with family members, including children, making it easier for attacks to succeed. It is also much more difficult to apply security measures like email security solutions.
Remote Access Security Risks
Here are some of the most common security risks affecting remote access.
Permissive Remote Access Policies
When an attacker compromises a VPN (virtual private network), they can easily gain access to the rest of the network. Historically, many companies deployed VPNs primarily for technical roles, enabling them to access key IT systems. Today, all users, including non-technical roles, might access systems remotely using VPN. The problem is that many old firewall rules allow access for VPN clients to almost anything on the network.
A new approach to remote access known as Zero Trust Network Access (ZTNA) ensures that every user and device connecting to the network only receives access to the specific services it needs to access.
Following the COVID-19 pandemic and the huge number of employees working from home, many organizations were forced to purchase computing equipment and provide it to remote employees, or have employees purchase equipment on their own, leading to potential “supply chain” vulnerabilities, like the Superfish vulnerability that affected Lenovo laptops.
Other organizations use the bring your own device (BYOD) model, letting employees perform work activity with their personal or home equipment.
The proliferation of new equipment presents challenges for security teams. They need to make sure that devices are protected from malware and viruses. Whether it is a BYOD device, or a corporate device used remotely by an employee, the organization needs to ensure security tools can be installed, managed and supported remotely.
A main challenge with BYOD is that organizations may not always be able to manage the device or install security software, because users can object. It is also difficult to verify the initial state of a BYOD device and to determine whether it was previously infected or tampered with by attackers.
Limited Visibility Into Remote Activity
In a remote work environment, security teams need to monitor endpoint devices to prevent the spread of malware, fileless attacks, and other threats to remote users.
However, many security teams do not have visibility over remote user activity, and cannot monitor east-west traffic on their local networks, making it difficult to detect advanced threats. This raises the possibility of attackers compromising a remote device, using it to connect to corporate assets, and then moving laterally to compromise other systems.
Security analysts are now also working from home, like other employees, making it even more difficult to investigate threats and manage endpoint detection and response. The combination of these problems makes it easier for attackers to evade detection.
Users Mixing Home and Business Passwords
Users have a bad habit of reusing passwords—unaware of the risk that any website they used a password on could be hacked, and the passwords shared on the dark web. Reuse of passwords makes it possible for attackers to easily obtain credentials and use them to access all of the user’s accounts, including corporate systems.
Secure Remote Access Concepts and Technologies
Remote access technology has made great progress. There are many new ways for users to access computing resources remotely, from a variety of endpoint devices. Here are some of the technologies enabling secure remote access at organizations today.
Remote Access with Full Network Access: Virtual Private Networks (VPN)
VPNs allow employees working remotely to connect to a corporate network by routing their activity through a secure server. VPN systems encrypt data transmitted over the network, so that data is unusable to an attacker eavesdropping on the connection.
While VPNs are widely used and still considered secure, there are growing security concerns. VPN, by default, allows access to the entire corporate network. This means that a compromised end-user device, or an attacker with stolen credentials, can use VPN connections to gain broad access. Organizations are switching from VPN to zero trust network access (ZTNA), described below.
Remote Access with Credentials
Virtual Network Computing (VNC)
VNC is a technology that enables screen sharing, allowing a remote user to view and control the desktop of another computer. This is achieved over a network connection using the Remote Framebuffer (RFB) protocol. The VNC viewer is installed on the client and connects to a VNC server on the remote workstation. VNC usually uses VPN as a transport.
RDP (Remote Desktop Protocol)
RDP is a protocol originally developed by Microsoft, which enables remote connection to a computer system. RDP clients are also available for macOS, Linux and other operating systems. The RDP server listens on TCP port 3389 and UDP port 3389, and accepts connections from RDP clients.
VDI (Virtual Desktop Infrastructure)
Many large organizations set up dedicated infrastructure, usually based on solutions like Citrix or VMware Horizon, which allow them to run large numbers of virtualized desktops and serve them to end users, who connect to the desktops remotely. VDI solutions provide dedicated gateway solutions to enable secure remote access.
Desktop as a Service (DaaS) is an evolution of virtual desktop infrastructure (VDI), where virtualized desktops are hosted by a cloud provider, and organizations pay a fee per desktop or per hour used.
Zero Trust and Modern Approaches to Remote Access
Zero Trust Network Access (ZTNA)
In the zero trust security model, users only have the rights they need to perform their role. No user account or device on the network is trusted by default. This is very different from traditional security solutions that allow users full access to the target network.
Zero Trust Network Access (ZTNA), also known as Software Defined Perimeter (SDP), is a set of technologies that can implement the zero trust strategy on a corporate network. Users who want to connect to an organization’s network can connect only to the specific applications or systems they need to perform their tasks, when they need them. This greatly reduces the cyber threats that organizations face when granting remote access to networks.
Multi-Factor Authentication
Multi-factor authentication (MFA) is a secure access control process that combines multiple credentials to verify the identity of a user. It is especially important, and is commonly used, for secure remote access.
An MFA portfolio of access methods should include at least two of the following: something the user knows (such as a password), an object the user possesses (such as a smart card or mobile phone), and something that is essential to the user’s identity (for example, a voiceprint or fingerprint).
Because there are additional layers of validation in MFA, even if one of the authentication factors is compromised, unauthorized access is hindered by the other factors. For example, if a password has been compromised, the account will not be compromised, because the attacker will probably not possess the physical token, or will not be able to pass the biometric scan.
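The two-factor check described above, as an added example that is not part of the original article: a knowledge factor (salted PBKDF2 password hash) combined with a possession factor (an RFC 6238 time-based one-time code from an enrolled authenticator). The user record, password and TOTP secret are constructed for the demo; the secret is the well-known RFC 4226/6238 test key, so the codes can be checked against the published vectors.

```python
import hashlib, hmac, struct, time

# Constructed demo secret: the RFC 4226/6238 test key (20 ASCII bytes).
TOTP_SECRET = b"12345678901234567890"
STEP = 30  # seconds per TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP, digits)


def make_user(password: str, secret: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the enrolled TOTP secret."""
    salt = b"demo-salt-16byte"  # constructed; use os.urandom(16) per user in practice
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": secret}


USERS = {"alice": make_user("correct horse battery staple", TOTP_SECRET)}


def verify_login(username: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass: the password (something known) and a current TOTP code
    (something possessed). One time step of clock skew in either direction is tolerated."""
    user = USERS.get(username)
    if user is None:
        return False
    expected = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    password_ok = hmac.compare_digest(expected, user["pw_hash"])
    counter = now // STEP
    code_ok = any(hmac.compare_digest(hotp(user["totp_secret"], counter + skew), code)
                  for skew in (-1, 0, 1) if counter + skew >= 0)
    return password_ok and code_ok


if __name__ == "__main__":
    now = int(time.time())
    pw = "correct horse battery staple"
    print("password only:", verify_login("alice", pw, "000000", now))   # False
    print("both factors: ", verify_login("alice", pw, totp(TOTP_SECRET, now), now))  # True
```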
Privileged Access Management (PAM)
PAM provides a way to manage identities using systems like Active Directory. Identity management is crucial for privileged or administrator accounts, which are used for enterprise-level support tasks.
PAM is a set of technologies that can secure, control, and monitor access to organizational resources through privileged accounts. PAM solutions provide capabilities like certificate management, system and data access control, user activity monitoring and credential masking. This reduces the threat of unauthorized network access, and makes it easier to detect and mitigate suspicious activity on privileged accounts.
Vendor Privileged Access Management (VPAM)
Many organizations need to provide privileged accounts for two types of users: employees and external users, such as technicians and contractors. However, organizations using external vendors or contractors must protect themselves from potential threats from these sources.
External users pose unique threats, because the organization has no control over the security best practices of their companies.
Vendor Privileged Access Management (VPAM) is a solution that addresses the risks inherent in third-party remote access. VPAM is related to PAM, but there are important differences:
- Traditional PAM solutions are designed to manage internal privileged accounts, based on the assumption that administrators know the identity and usage status of the users.
- Because this is not always true for third-party users, the VPAM solution uses multi-factor authentication to provide an additional layer of protection.
VPAM allows network administrators to identify and authenticate external users through advanced methods, to ensure they are linked to an active employee account. A VPAM solution continuously monitors the activity of external users, and provides protection against abuse.
Secure Access Service Edge (SASE)
SASE is a new security model, leveraging software-defined networking (SDN), that helps users connect securely to remote data centers. It includes technologies like cloud access security broker (CASB), secure web gateway (SWG), firewall as a service (FWaaS), and ZTNA (ZTNA, described above, can be a component within a SASE solution).
SASE takes complete ownership of remote access in an organization, eliminating VPN, physical equipment, and backhauling solutions, and managing remote access using virtualized appliances. It can not only facilitate remote access and authenticate users, but also filter content being transferred on the network, detect and prevent malware and a host of other security threats.
What to Include in a Remote Access Audit
An important first step to evaluating remote access security is to conduct an audit. Here are the key elements you should include in a remote access security audit.
- Penetration testing—connect to the network like a user does and attempt to gain access to internal systems like databases or backend applications. Users should never have access to these types of systems. Also, scan for vulnerabilities on systems that users can legitimately access, to ensure they cannot be exploited by attackers.
- Remote device testing—test samples of remote user devices (whether BYOD or company owned) to see what security measures they are running, whether they are infected by malware or have other security issues.
- Check protocols and authentication—identify how users connect to the corporate network and how authentication is performed. Ensure protocols are secure and encrypted, authentication is strong and cannot be easily bypassed. Evaluate the entire remote access system in light of company policies and compliance requirements.
- Governance—how are company policies enforced across remote users and devices? Are governance policies applied automatically, or set manually by administrators or supervisors, which can lead to human error and security gaps?
- Logging and reporting—ensure that any activity by remote devices is properly logged and the organization is able to generate reports and audits required by its compliance obligations.
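As an added example (not part of the original article) of the kind of detection the logging and reporting item above makes possible, the script below runs two checks over constructed remote access gateway log lines: a burst of failed logins followed by a success from one source (the trace left by guessing with leaked or reused passwords), and successful logins for one user from two countries closer together than a plausible travel time. The log format, user names and addresses are all constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up gateway format (not from any real product):
# <ISO time> <OK|FAIL> user=<name> src=<ip> geo=<country> proto=<vpn|rdp>
SAMPLE_LOG = """\
2024-03-04T08:00:01Z FAIL user=alice src=203.0.113.7 geo=RO proto=vpn
2024-03-04T08:00:02Z FAIL user=alice src=203.0.113.7 geo=RO proto=vpn
2024-03-04T08:00:03Z FAIL user=alice src=203.0.113.7 geo=RO proto=vpn
2024-03-04T08:00:09Z OK   user=alice src=203.0.113.7 geo=RO proto=vpn
2024-03-04T08:30:00Z OK   user=alice src=198.51.100.20 geo=US proto=rdp
2024-03-04T09:00:00Z OK   user=bob   src=192.0.2.44 geo=US proto=vpn
2024-03-04T17:15:00Z OK   user=bob   src=192.0.2.44 geo=US proto=vpn
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)\s+geo=(\S+)\s+proto=(\S+)$")


def parse(text: str) -> list:
    """Parse gateway lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, result, user, src, geo, proto = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "ok": result == "OK",
                       "user": user, "src": src, "geo": geo, "proto": proto})
    return events


def detect(events: list, fail_threshold: int = 3, fail_window: timedelta = timedelta(minutes=5),
           travel_window: timedelta = timedelta(hours=1)) -> list:
    """Return (rule, user, detail) alerts for failures-then-success per source and for
    successful logins of one user from two countries within travel_window."""
    alerts, fails_by_src, ok_by_user = [], defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        recent = [t for t in fails_by_src[e["src"]] if e["ts"] - t <= fail_window]
        if not e["ok"]:
            fails_by_src[e["src"]] = recent + [e["ts"]]
            continue
        if len(recent) >= fail_threshold:
            alerts.append(("failures-then-success", e["user"], e["src"]))
        fails_by_src[e["src"]] = []  # reset so one burst yields one alert
        for prev in ok_by_user[e["user"]]:
            if prev["geo"] != e["geo"] and e["ts"] - prev["ts"] <= travel_window:
                alerts.append(("geo-impossible", e["user"], f"{prev['geo']}->{e['geo']}"))
        ok_by_user[e["user"]].append(e)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```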
Secure Remote Access Best Practices
Here are a few best practices you can use to improve security for a remote workforce.
- Develop a security policy for remote access—the policy should specify which protocols must be used for remote access, which devices are allowed to connect (company owned or BYOD), permitted use of those devices, and policy for wiping lost or stolen devices.
- Protect and manage endpoints—many enterprise companies are looking for more than just a proxy service in the cloud, as they add zero trust network access (ZTNA), remote browser isolation (RBI), sandbox, firewall as a service (FWaaS), data loss prevention (DLP) and other cloud-based security services.
- Use encryption—ensure all data is encrypted, both during transmission, and at rest on an employee’s local device. Encryption is another layer of protection, in addition to antivirus and secure authentication mechanisms, which ensures that even if attackers compromise the devices, they cannot make use of sensitive data.
- Invest in security awareness—conduct ongoing training on security practices. Every employee must be aware of security policies, consequences for violating them, common social engineering attacks and how to identify and prevent them.
Secure Remote Access with Hysolate
Securing privileged access to sensitive resources is a critical step for organizations to establish security assurances for business assets in a modern workspace. The security of most or all business assets in an organization depends on the integrity of the privileged accounts that administer and manage IT systems. Cyber attackers are targeting these accounts and other elements of privileged access to rapidly gain access to targeted data and systems using credential theft attacks.
With Hysolate, remote employees can work in a clean, managed environment, without IT administrators worrying about potential malware.
Hysolate Isolated Workspace is a local hyper-isolated virtual environment that provides users with a superior user experience. It is built to spin up instantly on any Windows 10 operating system and managed, at scale, from the cloud. This reduces the risks associated with privileged users by providing them with isolated operating systems that run locally on their end-user device.