Secure Remote Access: The Next Generation

What is Secure Remote Access?

Secure remote access refers to the processes and solutions designed to prevent unauthorized access to an organization’s IT systems and digital assets. Common methods for secure remote access include multi-factor authentication and encrypted communication channels such as IPsec.

As the number of remote workers increases and organizations transition to cloud computing infrastructure, secure remote access has become a critical element of most IT environments. Ensuring secure remote access requires more than just technological solutions—it also relies on user education, cybersecurity policies, and security hygiene best practices which can reduce the chance of misconfigurations and accidental exposure.

This article introduces the challenge of secure remote access in modern IT environments and surveys the next generation of secure access technologies and platforms, including ZTNA, SASE, and cloud-based IAM.

Why Is Secure Remote Access Important?

Threats that exist in traditional work environments can be exploited in new ways or on a larger scale in remote work environments. The transition to remote work presents new security challenges for organizations: 

  • Employees access corporate environments through personal devices, routers, and networks which are all outside the control of corporate IT. Any of these components could be infected by malware or compromised by an attacker.
  • Employees connecting to corporate systems remotely must do so over a public Internet connection. If the connection is not properly secured, third parties can eavesdrop on the connection and easily gain access to sensitive data.

Remote access is an important business need in a modern IT environment, but also creates significant risks. Companies can manage this risk by following best practices for keeping systems and data safe, even when employees access corporate systems remotely.

Remote Access Security Challenges

New Devices to Protect

With a large percentage of the workforce switching to work from home, some organizations purchased new devices and shipped them to remote workers, while others allowed users to work on their personal devices, a policy known as bring your own device (BYOD).

These new devices, both managed and unmanaged, are creating new security challenges. Because they operate outside the corporate network and outside the control of corporate IT, it is difficult to keep them safe from malware and other threats. It is also a challenge to ensure that these devices have the necessary security updates and are not exposed to vulnerabilities.

Lack of Visibility Into Remote User Activity

Security teams have the new challenge of monitoring endpoint devices for malware, fileless attacks, and threats targeting remote users. However, many security teams do not have visibility over remote user activity. It is often impossible to identify that a remote endpoint was compromised, and that attackers are using it to access the network. 

Bring Your Own Device (BYOD)

Bring Your Own Device (BYOD) refers to an employee using a personal device to connect to an organization’s corporate networks or cloud services. BYOD devices are used to access work-related systems and, in many cases, sensitive data. These devices can include laptops, smartphones, and other mobile devices.

Companies adopting BYOD can reduce hardware and software costs and improve productivity, but also expose themselves to security risks. IT and security teams must manage access from BYOD devices, and monitor them to ensure they have a minimal level of security hygiene and don’t pose a threat to corporate networks and data.

Remote Access Without VPN: The Rise of ZTNA

Until recently, almost all remote access to corporate environments occurred over virtual private networks (VPN). However, today it is widely recognized that VPN alone is not sufficiently secure.

VPNs do not provide granular access controls—by default, they grant access to an entire network. Attackers can easily compromise user credentials using social engineering or other techniques, and obtain unlimited access to the network.

The emerging alternative to VPN is zero trust network access (ZTNA). ZTNA is a modern approach to securing remote access to applications and services. ZTNA denies everyone and everything access to a resource unless explicitly allowed. This approach enables tighter network security and data security via micro-segmentation. Even if users are authenticated, they can only “see” the specific applications and resources explicitly permitted by their company’s security policy.

ZTNA solutions can prevent lateral movement because they grant users granular permissions, allowing them to access only the applications and data they actually need. ZTNA solutions also provide improved visibility into what users are doing on the network, enabling analysis of, detection of, and response to suspicious activity.

According to Gartner, by 2023, 60% of enterprises will phase out VPNs as remote access methods and replace them with ZTNA solutions.

What Is a Remote Access Policy?

A remote access policy provides guidelines for remote users connecting to a corporate network. It has three aspects: 

  1. Extending the rules governing the use of networks and computers in the office, such as password policies and network access control, to remote workers. 
  2. Granting restricted access to remote users, ensuring they can only access the applications and data they actually need for their role or task.
  3. Ensuring that devices accessing the network comply with the organization’s rules and do not represent a risk.

Remote access policies are an important mechanism for protecting the network from potential security risks. They clarify how a company can enforce network security for remote access, including:

  • Which users can access which applications and data
  • How secure connections are established
  • Whether policy exceptions are allowed
  • Disciplinary actions or penalties as a result of violations

Essential Features of Modern Secure Remote Access Solutions

Secure remote access refers to a network connection between geographically distant end users and centralized resources. A strong and secure remote access solution is based on identity and access management (IAM) controls, but includes additional elements that can help regulate and protect remote access.

At a minimum, a secure remote access solution should include or integrate with:

  • Identity repository—an identity store or directory is a trusted, centralized database of user information. It determines who can access which resources and under what conditions.
  • Multi-factor authentication (MFA)—authenticates users through multiple authentication methods, creating multiple layers of defense. Gartner recommends implementing MFA as a mandatory security measure in all remote access use cases.
  • Session management—when a user is authenticated with MFA, session management ensures that the IAM tool remembers the user’s authentication and allows them to continue accessing enterprise applications, without additional authentication, until the session expires.
  • Single sign on (SSO)—improves security and the user experience by allowing users to access multiple enterprise applications with one set of login credentials. According to Gartner, organizations should only use SSO tools supporting modern identity protocols such as OAuth, OpenID, and SAML.

When choosing a remote access solution, you must consider your existing technology ecosystem and the architecture you plan to implement. In today’s environment, it is strongly recommended to select solutions compatible with the zero trust approach. 

Solutions must be able to:

  • Provide granular remote access following the least-privilege principle
  • Detect and automatically block suspicious access attempts
  • Enable centralized security policies regardless of the location of the user or the accessed service
  • Address the risks of personal and non-managed devices

Secure Remote Access Components and Technologies

Zero Trust

It is widely understood that the network perimeter, protected by a firewall, is an outdated concept which is largely irrelevant in a modern IT environment. Perimeters are collapsing and remote access to corporate resources is becoming the norm.

Standards bodies, governments, and technology giants like Google, Amazon, and Microsoft are all adopting a security paradigm known as zero trust. The zero trust model is based on the idea of “never trust, always verify”. 

Zero trust solutions enable strong authentication and continuous validation of remote workers, with granular access policies based on the current security context of each connection.

SASE

Secure Access Service Edge (SASE) is a new type of networking solution that converges SD-WAN and network security point solutions, including firewall as a service (FWaaS), cloud access security broker (CASB), secure web gateway (SWG), and ZTNA, into a unified, cloud-native service.

The SASE framework allows organizations to connect remote users from any location or device to any resource (whether on-premise or cloud-based) while maintaining edge-to-edge security, ensuring connectivity, and improving performance.

IAM

Identity and access management (IAM) enables enterprises to define specific access and privileges for users in one central platform rather than over multiple products and consoles. It can be purchased as a cloud IAM service, a software product, a hardware appliance, or some combination.

IT admins can use IAM to define which access and privileges a specific digital identity is allowed, effectively controlling who can use which IT assets and what actions the identity can perform on those assets.

Identity Providers (IdP)

An identity provider (IdP) helps you store and manage digital identities, including human users and service accounts used by machines, in one central platform rather than over multiple products and consoles. It can help authenticate various entities connected to a system or network. It is commonly used for authentication in cloud applications.

Each stored entity is referred to as a principal rather than a user. The IdP can verify identities using various factors, such as username-password combinations, biometrics, one-time passwords (OTPs), and more. It often also serves as an authentication authority for other service providers, enabling a unified and consistent single sign on (SSO).

Cloud Security

The cloud helps manage remote workers and gives users access to resources wherever they are. Cloud access can improve productivity, collaboration, and employee satisfaction, but the cloud also presents security challenges. 

The first step is to apply best practices and configure appropriate security controls for the organization’s cloud systems. Beyond that, organizations can leverage cloud security solutions to secure remote access. The following security solutions are not designed specifically to secure remote access, but many of the risks and misconfigurations they mitigate are related to unauthorized access to cloud systems:

  • Cloud Access Security Broker (CASB)—provides a security policy enforcement gateway to ensure that user actions are approved and comply with security policies. CASB can identify all cloud services used by an organization, including unapproved or unmanaged SaaS and PaaS products, log their activity, and alert if they are responsible for policy violations.
  • Cloud Workload Protection Platform (CWPP)—provides a workload-centric security solution for all types of cloud workloads, including physical servers, virtual machines (VMs), containers, and serverless workloads. CWPP provides a single pane of glass for visibility and protection across on-premises and cloud environments.
  • Cloud Security Posture Management (CSPM)—evaluates the security and compliance configuration of the cloud platform control plane and publicly accessible aspects of cloud services. CSPM provides a set of tools to support compliance monitoring, incident response, risk assessment, and risk visualization. CSPM solutions identify risks in an organization’s cloud assets, including cloud services such as compute, storage, and IAM, recommends remediations, and prevents configuration drift.
  • Cloud Native Application Protection Platform (CNAPP)—combines the capabilities of CWPP and CSPM into a single platform to scan and protect workloads and configurations, both during development and at runtime. CNAPP protects cloud-native applications from threats, and provides automation to remediate vulnerabilities and misconfigurations on an ongoing basis. 

Tips for Implementing Secure Remote Access

Develop a Cybersecurity Policy for Remote Workers

The best way to prevent data misuse is to educate your employees. Human error and carelessness are among the biggest risks organizations face, making it critical to turn your employees into partners in your security strategy.

Create a remote access security policy, review it with your employees, and listen to their feedback to create a policy that balances security needs with productivity constraints. 

Don’t stop at employees—create a remote work policy for vendors and contractors, train them on security policies and demand contractual guarantees that their security measures are adequate. 

Use Encryption

All forms of remote access must use encryption of data at rest and in transit. This means any remote access should be performed over encrypted channels, and all data retrieved by remote users should be encrypted on their local device. In addition, data should be encrypted at rest in the cloud and within the local data center. This means that even if a remote connection is compromised, attackers cannot make use of sensitive data they gain access to.

Encryption provides an additional layer of protection both for the enterprise and remote workers. For example, if a remote employee’s computer is lost or misplaced and an attacker gains access to it, encryption will prevent them from accessing sensitive data on the computer. If a cloud storage bucket is accidentally exposed, encryption will prevent attackers from making use of the data.

Employ the Principle of Least Privilege

An effective way to mitigate security risks is to limit operator privileges across all systems and datasets. Security privileges are usually divided into four categories: superuser, administrator, normal user, and guest user:

  • Superusers and admins are users with full access to system privileges. They can change network definitions, define permissions for other users, and alter configuration for key systems. Abuse of superuser accounts is the biggest risk of remote access. This means that remote access for superusers should be severely limited and carefully monitored.
  • Normal users are users with a limited set of privileges. This type of user should be a named account belonging to a known individual, and their permissions should closely reflect their tasks and job responsibilities. Ensure that all system access occurs via carefully controlled, least-privilege user accounts.
  • Guest users should not be ignored in the remote access discussion. It is often necessary to allow guest or unauthenticated access to computer systems, and in this case, it is important to take measures to ensure that attackers cannot escalate privileges. Conduct regular security testing to ensure that none of your guest account functionality grants access to sensitive data or operations.
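As an added example (not from the original article), here is the deny-by-default evaluation that the ZTNA section and the least-privilege categories above describe, in Python: a request is denied unless a rule explicitly allows that application, superuser sessions always need MFA and a managed, patched device, guests reach only applications flagged for them, and every decision is logged for later detection and response. The applications, groups and policy are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    principal: str
    groups: frozenset
    app: str
    tier: str = "user"              # "guest", "user" or "superuser"
    mfa_verified: bool = False
    device_managed: bool = False    # corporate-managed device, not BYOD
    device_patched: bool = False

@dataclass(frozen=True)
class Rule:
    app: str
    groups: frozenset               # membership in any one grants the rule; empty = anyone
    require_mfa: bool = True
    require_managed_device: bool = False
    allow_guest: bool = False

POLICY = (  # constructed policy: these three apps are the only reachable resources
    Rule("public-docs", frozenset(), require_mfa=False, allow_guest=True),
    Rule("wiki", frozenset({"staff", "contractors"})),
    Rule("payroll", frozenset({"finance"}), require_managed_device=True),
)
AUDIT_LOG = []  # (principal, app, decision, reason) for every evaluation

def evaluate(req, policy=POLICY):
    """Return ('allow' | 'deny', reason). Nothing is allowed unless a rule says so."""
    decision = ("deny", "no_matching_rule")
    for rule in policy:
        if rule.app != req.app or (rule.groups and not req.groups & rule.groups):
            continue
        need_mfa = rule.require_mfa or req.tier == "superuser"        # superusers always
        need_device = rule.require_managed_device or req.tier == "superuser"  # need both
        if req.tier == "guest" and not rule.allow_guest:
            decision = ("deny", "guest_not_permitted")
        elif need_mfa and not req.mfa_verified:
            decision = ("deny", "mfa_required")
        elif need_device and not (req.device_managed and req.device_patched):
            decision = ("deny", "device_posture")
        else:
            decision = ("allow", f"rule:{rule.app}")
        break
    AUDIT_LOG.append((req.principal, req.app) + decision)
    return decision

def visible_apps(req, policy=POLICY):
    """What this session can see: only explicitly permitted apps, never a whole network."""
    return sorted(r.app for r in policy if evaluate(replace(req, app=r.app), policy)[0] == "allow")
```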