Allowing access to an organization’s resources from outside the corporate network may be necessary for some businesses. Logically, when this kind of remote access is allowed, your organization takes on additional risks, and the access should be handled as securely as possible by:
- Ensuring the remote access is encrypted in transit (TLS/SSL, IPsec, etc.)
- Ensuring there is strong authentication for remote access (multi-factor authentication, or MFA)
- Ensuring that strong passwords are required for remote access
- If possible, requiring remote users to use company-provided hardware that has been secured to your company standards. Otherwise, ensure that employees understand the minimum standards their own devices must meet (e.g., current antivirus, strong passwords, etc.)
Examples of remote access technologies:
- Virtual Private Networks (VPN) (Note: We recommend all other remote access technologies be placed behind a VPN)
- Citrix
- SSL/TLS VPN
- IPsec VPN
There are common remote access protocols (especially Remote Desktop Protocol, or RDP) that pose a great risk to organizations of all sizes. Do not leave these services enabled unless they are required, and never leave RDP or RDWeb exposed directly to the internet. If RDP or RDWeb are business-critical, MFA alone isn't enough: they must also be reachable only through a VPN.
Remote technologies to use with extreme caution:
- Remote Desktop Protocol (never expose directly to the internet)
- RDWeb (Remote Desktop over the web)
Limit and review who has access
- Do not allow widely scoped authorization for remote access. Limit authorization to only those with a business need.
- Review remote access authorizations regularly to ensure that only current personnel with a business need retain access, and remove access for departed employees and changed roles.
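The two checks above (is RDP reachable from anywhere, and who is allowed to use it) can be scripted on a Windows host. The following is an added example written for this page, not Coalition's code: it reports whether RDP is enabled, whether Network Level Authentication is required, which inbound firewall rules allow TCP/3389 and from which addresses, and who is in the local Remote Desktop Users group. The VPN subnet and the `$Remediate` switch are assumptions for illustration; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original page): audit a Windows host's RDP exposure
# and, optionally, scope the RDP firewall rules to a VPN subnet.
# Run as Administrator. Requires the NetSecurity and LocalAccounts modules
# (Windows 10 / Server 2016 and later).

$VpnSubnet = '10.20.0.0/16'   # ASSUMPTION: the address range your VPN assigns to clients
$Remediate = $false           # set to $true to restrict the allow rules to $VpnSubnet

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means RDP is disabled.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpEnabled = ($ts.fDenyTSConnections -eq 0)
Write-Host "RDP enabled: $rdpEnabled"

# 2. Is Network Level Authentication required? UserAuthentication = 1 means yes.
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nlaRequired = ($rdpTcp.UserAuthentication -eq 1)
Write-Host "NLA required: $nlaRequired"

# 3. Which enabled inbound rules allow TCP/3389, and from which remote addresses?
$rules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '3389' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }

foreach ($rule in $rules) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        Write-Warning "Rule '$($rule.DisplayName)' allows RDP from ANY address; on a host with a public interface this is internet-exposed RDP."
        if ($Remediate) {
            # Scope the rule so RDP is reachable only from VPN clients.
            $rule | Set-NetFirewallRule -RemoteAddress $VpnSubnet
            Write-Host "  -> scoped '$($rule.DisplayName)' to $VpnSubnet"
        }
    } else {
        Write-Host "Rule '$($rule.DisplayName)' allows RDP from: $($remote -join ', ')"
    }
}

# 4. Who can log on over RDP? Review this list regularly and remove anyone
#    without a current business need. Note that members of the local
#    Administrators group can also connect over RDP and should be reviewed too.
Write-Host "`nMembers of 'Remote Desktop Users':"
Get-LocalGroupMember -Group 'Remote Desktop Users' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

Run it first with `$Remediate = $false` to see what would change. In a domain, RDP and firewall settings may be enforced by Group Policy, in which case the registry and firewall values shown here reflect policy and the scoping should be applied in the GPO rather than on the host; scoping the firewall rule is also no substitute for keeping the host off a public interface entirely when RDP is not business-critical.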
As always, Coalition is here to help you on your way. Please reach out to us for additional information!