NIST revises guidance for remote access and teleworking security
Secure teleworking requires both policy and technology at each end of the connection.
- By William Jackson
- Feb 25, 2009
Teleworking can be help productivity and contribute to a greener environment, but it also presents security challenges that must be considered, according to the National Institute of Standards and Technology (NIST).
“The nature of telework and remote access technologies — permitting access to protected resources from external networks and often external hosts as well — generally places them at higher risk than similar technologies only accessed from inside the organization, as well as increasing the risk to the internal resources made available to teleworkers through remote access,” NIST said in its guidance for telework security.
NIST is revising its "Guide to Enterprise Telework and Remote Access Security," which was first published in 2002. A draft of Special Publication 800-46 Revision 1 has been released for public comment. It is intended to help organizations understand and mitigate the risks of teleworking, emphasizing the importance of securing sensitive information stored on telework devices and transmitted across external networks. The draft also provides recommendations for selecting, implementing, and maintaining the necessary security controls.
“Major security concerns include the lack of physical security controls, the use of unsecured networks, the connection of infected devices to internal networks, and the availability of internal resources to external hosts,” the guidelines say. “This publication provides information on security considerations for several types of remote access solutions, and it makes recommendations for securing a variety of telework and remote access technologies. It also gives advice on creating telework security policies.”
Recommendations for securing telework and remote access technologies include:
- Plan telework security policies and controls based on the assumption that external environments contain hostile threats. “An organization should assume that external facilities, networks, and devices contain hostile threats that will attempt to gain access to the organization’s data and resources. Organizations should assume that telework client devices, which are used in a variety of external locations and are particularly prone to loss or theft, will be acquired by malicious parties who will attempt to recover sensitive data from them.” Solutions include encryption and not storing data on remote clients.
- Develop a telework security policy that defines telework and remote access requirements. “A telework security policy should define which forms of remote access the organization permits, which types of telework devices are permitted to use each form of remote access, and the type of access each type of teleworker is granted. It should also cover how the organization's remote access servers are administered and how policies in those servers are updated.”
- Ensure that remote access servers are secured effectively and are configured to enforce telework security policies. “Remote access servers provide way for external hosts to gain access to internal resources, so their security is particularly important. In addition to permitting unauthorized access to resources, a compromised server could be used to eavesdrop on remote access communications and manipulate them, as well as to provide a “jumping off” point for attacking other hosts within the organization.” Keeping servers patched is critical, and a single point of entry to the network should be considered.
- Secure telework client devices against common threats and regularly maintain their security. “There are many threats to telework client devices, including malware and device loss or theft. Generally, telework client devices should have the same local security controls as those used in the organization’s secure configuration baseline for its non-telework client devices deployed in the enterprise.”
Comments on draft SP 800-46 Revision 1 should be sent by March 27 to email@example.com with "Comments SP 800-46" in the subject line.
William Jackson is a Maryland-based freelance writer.