Remote Access Control Policy Management
A significant number of external security incidents and data breaches begin with an attacker gaining unauthorized remote access to an organization's infrastructure or systems.
A remote access control policy needs to be implemented to protect remote access to networks, systems, and applications. These controls exist to minimize the window of exposure an organization faces from unauthorized access or intrusion through remote access channels. Remote access management is the focus of pitfall #36 in my eBook, Security Program Pitfalls and Prescription to Avoid Them.
Your organization should ensure that usage restrictions, configuration requirements, connection requirements, and implementation guidance are documented for all remote access activities. Remote access should be securely configured, monitored, logged, and controlled. All remote access should be authorized before a remote connection to your organization’s network is permitted. These remote access requirements should be communicated to all appropriate personnel.
Creating a user group, or groups, within Active Directory or an alternative Lightweight Directory Access Protocol (LDAP) directory for users that require remote access supports a more granular remote access control policy for authorized users. For example, a “remote access” group within Active Directory can be used so that only users who have been added to that group are allowed to connect to your organization’s networks remotely.
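A gating group only enforces the policy if its membership is kept in step with the access requests that authorized it, so a periodic audit of the group belongs alongside the control. The following PowerShell is an added example, not from the eBook; it assumes the ActiveDirectory module is available, that the gating group is named "Remote Access", and that $Approved is populated from your access request records (the two names shown are constructed).

```powershell
# Added example: audit the Active Directory group that gates remote access and
# report members who should not be able to connect. Reporting only; nothing is removed.
Import-Module ActiveDirectory

$GroupName = 'Remote Access'        # assumed name of the gating group
$Approved  = @('alice', 'bob')      # constructed sample: sAMAccountNames with an approved request
$StaleDays = 90                     # assumed policy: no logon in this many days is a finding

# Without -Recursive, nested groups show up as members and can be flagged:
# a nested group silently widens who is allowed to connect remotely.
$members = Get-ADGroupMember -Identity $GroupName

$findings = foreach ($m in $members) {
    if ($m.objectClass -ne 'user') {
        [pscustomobject]@{ Account = $m.SamAccountName; Issue = "Non-user member ($($m.objectClass))" }
        continue
    }
    $u = Get-ADUser -Identity $m.DistinguishedName -Properties Enabled, LastLogonDate, PasswordNeverExpires
    if (-not $u.Enabled) {
        [pscustomobject]@{ Account = $u.SamAccountName; Issue = 'Disabled account still in group' }
    }
    if ($u.SamAccountName -notin $Approved) {
        [pscustomobject]@{ Account = $u.SamAccountName; Issue = 'No approved remote access request on file' }
    }
    if ($u.PasswordNeverExpires) {
        [pscustomobject]@{ Account = $u.SamAccountName; Issue = 'Password never expires' }
    }
    if ($u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) {
        [pscustomobject]@{ Account = $u.SamAccountName; Issue = "No logon in $StaleDays days" }
    }
}

# Accounts on the approved list that are missing from the group point to a provisioning gap.
$present = $members | Where-Object objectClass -eq 'user' | Select-Object -ExpandProperty SamAccountName
foreach ($a in $Approved | Where-Object { $_ -notin $present }) {
    $findings += [pscustomobject]@{ Account = $a; Issue = 'Approved but not a group member' }
}

if ($findings) { $findings | Sort-Object Account | Format-Table -AutoSize }
else { "No findings for group '$GroupName'." }
```

Run it on a schedule and feed the output into the same review process that approves new remote access requests, so the group reflects current authorization rather than historical grants.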
Cryptographic mechanisms should be implemented and maintained for as long as remote access is offered, to protect the confidentiality and integrity of remote access sessions. All remote access should be routed through managed network access control points. Additionally, the execution of privileged commands and access to security-relevant information over remote access should be authorized only for defined needs. The rationale for such access should be documented in the cryptography, key management, or other remote access procedures.