Given the proliferation of mobile devices and the “Anytime, Anywhere” mindset regarding company information, every company should at least be having a discussion about remote access. The purpose of defining a policy is to:
- Define standards for connecting to the network from any host
- Minimize potential exposure to damage resulting from unauthorized use of company resources
- Set employee expectations for how and what they can connect
- Discover what is available for remote access
One of the first steps in determining a remote access policy is defining what needs to be made available remotely and through what method. Review firewall rules, NAT policies and client VPN or SSL-VPN settings to determine what is currently available. For each exposed network or application, determine why it is available, what its authentication level is and how sensitive the information it contains is.
When investigating what is available, keep in mind things like security cameras or applications that don’t necessarily contain company information, but may provide enough information to identify the company. There is a website devoted entirely to security cameras that are publicly reachable with the default passwords still set. Nobody wants the view from their own cameras available for everyone to see.
When looking at our own infrastructure, our conversation about authentication levels revolved around two-factor authentication. If an application didn’t support two-factor authentication, regardless of the sensitivity of the information, did we want access available directly from the Internet, or did we want access to go through a device that supports two-factor authentication? Security comes at the expense of convenience, so keep employee productivity in mind when determining access methods.
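The inventory and authentication review described above can be turned into a repeatable check. The following is an added example, not code from the original post: it parses a constructed export of NAT/port-forward rules in a hypothetical comma-separated layout, identifies which rules expose a service to the Internet, and applies the decision rule from the paragraph above (no two-factor support means access goes through a two-factor-capable gateway rather than directly from the Internet). The rule names, hosts and the `authentication` column values are all assumptions for the sample.

```python
from dataclasses import dataclass

# Constructed sample NAT/port-forward export (hypothetical CSV layout):
# rule_name,source,external_port,internal_host,service,authentication
SAMPLE_RULES = """\
owa-https,any,443,10.0.1.10,Outlook Web Access,password
rdp-direct,any,3389,10.0.1.20,RDP,password
sslvpn,any,443,10.0.0.1,SSL-VPN,2fa
cam-lobby,any,8080,10.0.5.5,IP camera,default
git-int,10.0.0.0/8,22,10.0.2.30,Git,key
"""

# Source values that mean "reachable from anywhere on the Internet".
INTERNET_SOURCES = {"any", "0.0.0.0/0", "*"}


@dataclass
class Rule:
    name: str
    source: str
    port: int
    host: str
    service: str
    auth: str  # lower-cased authentication level from the export


def parse_rules(text: str) -> list[Rule]:
    """Parse the export, skipping blank lines and '#' comments."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, src, port, host, service, auth = [f.strip() for f in line.split(",")]
        rules.append(Rule(name, src, int(port), host, service, auth.lower()))
    return rules


def decide(rule: Rule) -> str:
    """Apply the policy decision for one rule."""
    if rule.source not in INTERNET_SOURCES:
        return "internal only: no change"
    if rule.auth == "default":
        return "remove exposure: default credentials"
    if rule.auth == "2fa":
        return "direct exposure acceptable: 2FA enforced"
    return "route through 2FA-capable gateway"


def inventory(text: str) -> dict[str, str]:
    """Map each rule name to its policy decision."""
    return {r.name: decide(r) for r in parse_rules(text)}


if __name__ == "__main__":
    for name, verdict in inventory(SAMPLE_RULES).items():
        print(f"{name:12s} {verdict}")
```

The `authentication` column is something you would have to fill in yourself from the application review, since a firewall export only tells you what is reachable, not how it authenticates.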
Sensitivity of information can be defined many different ways. Usually one thinks only of the leaking of confidential data or intellectual property, or damage to critical internal systems. Public image isn’t always considered. With the use of social media and how quickly information can spread, public image needs to be given a higher priority.
After looking at what services to publish, define how employees can connect and the requirements for connecting.
- Are only company assets going to be allowed to connect?
- Are employee owned assets (BYOD) going to be allowed to connect?
- Are all device types going to have the same access?
- Are requirements like antivirus software going to be enforced on employee-owned assets?
- Are site-to-site VPN tunnels going to be allowed from home offices?
Each company has different requirements regarding remote access, so there is no one-size-fits-all policy that can be applied to everyone. With careful planning, discussions with all affected stakeholders and an understanding of requirements, a remote access policy can be crafted that helps keep the company secure while allowing employees to complete their job responsibilities.