Remote Access Policy Best Practices | A Practical Guide to SOC 2 Compliance


Our world has changed.  Gone are the days of an 8-to-5 workday at a physical office, leaving all your responsibilities behind at the end of the day.  We now live in a 24×7 global economy and are perpetually connected to our corporate networks with cell phones, laptops, and tablets.  The convenience of “work from anywhere” introduces some exciting challenges for your information security and information technology teams, and that’s where the remote access policy comes in.  The purpose of this policy is to make your employees productive from anywhere without sacrificing security.

Enforcing your Access Control Policy for SOC2 is not easy when database credentials, ssh keys, and app permissions are stored in a dozen different places. strongDM unifies access to everything in your existing SSO.

Here are steps your team can take to work remotely while still maintaining security:

  • Define who can work remotely

Before you start mandating security controls for remote access privileges to your internal network, you need to take a step back and determine which roles should even have permission to work remotely, and when.  For example, you probably don’t need to give your front desk person the ability to remote in and access PII from a cafe’s public WiFi.  Too often, though, companies enable “wide open” VPN access as a standard step in the employee onboarding process.  Remote candidates should be vetted carefully based on job role, and formally granted access by filling out a waiver that management must cosign.

If parsing out remote access candidates by job roles doesn’t make sense for your organization, consider at least limiting access on when users can work remotely.  For instance, you can set up remote access connections to be allowed only during certain hours.  Or maybe you enable remote access technologies for a specific project, and the access is set to automatically shut off after a specific date – at which time users can request permission again if necessary.  Another useful control is enforcing a timeout so that users are disconnected after a period of idle time.  The main idea is to not leave access “wide open” for all users 24/7.

  • Monitor access

Monitoring VPN access is another area where many companies fall short.  In the event you need to audit secure remote access, you should (at a minimum) have logs that show when a login occurs and from what IP address.  This information can help you quickly identify unauthorized use.  If you have any home office workers, you might want to keep a spreadsheet of their home IP addresses so that if you see a suspicious connection in your logs, you can quickly correlate it to a user.

In addition to logging when VPN connections start and stop, you may want to enable more detailed logging so you can capture what the remote machines are doing while connected.  This is where implementing a logging/alerting solution, such as a SIEM, can provide greater visibility into what’s happening in your network, and help you better identify if a remote connection is friendly or hostile.  As a best practice, consider any VPN endpoint as posing a high risk to your network, so the more logs you have, the better.
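The checks described in the two sections above (an approved-user list, an access window that is not “wide open” 24/7, and correlating connection logs against a table of known home IPs) can be run over exported VPN logs as a simple review script. The following is an added example, not code from the original post; the log line format, the IP addresses, the user names and the allowed-hours window are all constructed for illustration, and a real VPN product's logs would need their own parser.

```python
"""Review VPN connection logs against a per-user home-IP table, an approved
remote-worker list and an allowed access window.  Added example; the log
format, addresses, users and hours below are constructed for illustration."""
import re
from datetime import datetime, timezone

# Constructed sample log lines (not the output of any real VPN product).
SAMPLE_LOG = """\
2024-03-04T08:02:11Z user=alice src=203.0.113.7 event=connect
2024-03-04T17:45:30Z user=alice src=203.0.113.7 event=disconnect
2024-03-04T23:10:02Z user=bob src=198.51.100.23 event=connect
2024-03-05T09:15:44Z user=carol src=192.0.2.99 event=connect
2024-03-05T09:16:01Z user=dave src=203.0.113.50 event=connect
"""

# Constructed "spreadsheet" of known home-office IPs, keyed by user.
KNOWN_HOME_IPS = {
    "alice": {"203.0.113.7"},
    "bob": {"198.51.100.23"},
    "carol": {"192.0.2.10"},
}

# Users formally approved for remote access (dave is not on the list).
REMOTE_APPROVED = {"alice", "bob", "carol"}

# Allowed remote-access window in UTC hours: [start, end).
ALLOWED_HOURS = (7, 20)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "event": m["event"]}


def review_connect(rec):
    """Return the list of reasons a connect event deserves a second look."""
    findings = []
    if rec["user"] not in REMOTE_APPROVED:
        findings.append("user not approved for remote access")
    if rec["src"] not in KNOWN_HOME_IPS.get(rec["user"], set()):
        findings.append("source IP not in known home-IP table")
    if not (ALLOWED_HOURS[0] <= rec["ts"].hour < ALLOWED_HOURS[1]):
        findings.append("connect outside allowed hours")
    return findings


def review_log(text):
    """Map each suspicious connect event ('user@src@timestamp') to its findings."""
    report = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "connect":
            continue  # malformed lines and disconnects are not reviewed here
        findings = review_connect(rec)
        if findings:
            key = f"{rec['user']}@{rec['src']}@{rec['ts'].isoformat()}"
            report[key] = findings
    return report


if __name__ == "__main__":
    for key, reasons in review_log(SAMPLE_LOG).items():
        print(key, "->", "; ".join(reasons))
```

Run against the constructed sample, the script leaves alice's daytime connection from her known address alone and flags three events: bob connecting outside the allowed window, carol connecting from an address that does not match her recorded home IP, and dave, who was never approved for remote access. Feeding the same logic into a SIEM rule instead of a script is the natural next step once the log source is stable.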

  • Rotate keys/revoke access

Another common problem with VPN access is when it is granted perpetually.  You need to make sure that any VPN keys are rotated (every six months is a good standard) so that a compromised key cannot be misused indefinitely.  This plays into other best practices and policies you should have in place as well, such as making sure all your user accounts go through a periodic review, and that remote access privileges are removed anytime an employee is fired or offboarded.  Otherwise, you run the risk of terminated employees having unauthorized access to the network.
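A periodic access review of the kind described above can be reduced to a small script that walks an access register and decides, per key, whether it is fine, due for rotation, or must be revoked because its owner has left. This is an added example, not code from the original post; the register layout, the user names, the key identifiers, the dates and the HR offboarding feed are constructed, and the six-month rotation interval is taken from the text.

```python
"""Periodic review of VPN key grants: flag keys older than the rotation
interval, warn on keys approaching it, and revoke grants of offboarded users.
Added example; the register rows, names, key ids and dates are constructed."""
from datetime import date, timedelta

ROTATION_INTERVAL = timedelta(days=180)   # "every six months" from the policy
WARN_BEFORE = timedelta(days=30)          # start nagging a month before rotation is due

# Constructed access register: one row per VPN key.
GRANTS = [
    {"user": "alice", "key_id": "k-1001", "issued": date(2024, 1, 10), "active": True},
    {"user": "bob",   "key_id": "k-1002", "issued": date(2023, 6, 1),  "active": True},
    {"user": "carol", "key_id": "k-1003", "issued": date(2024, 2, 20), "active": True},
    {"user": "dave",  "key_id": "k-1004", "issued": date(2023, 12, 1), "active": True},
    {"user": "erin",  "key_id": "k-1005", "issued": date(2024, 2, 1),  "active": False},
    {"user": "frank", "key_id": "k-1006", "issued": date(2023, 9, 15), "active": True},
]

# Constructed HR feed: users who have been offboarded.
OFFBOARDED = {"dave"}


def rotation_due(grant):
    """Date on which this key reaches the rotation interval."""
    return grant["issued"] + ROTATION_INTERVAL


def review_grant(grant, today, offboarded=OFFBOARDED):
    """Decide one of: 'ok', 'rotate-soon', 'rotate', 'revoke'.

    Revocation for offboarded users takes precedence over key age: a key
    belonging to someone who has left is removed regardless of how new it is.
    """
    if not grant["active"]:
        return "ok"            # already deactivated; nothing left to do
    if grant["user"] in offboarded:
        return "revoke"
    age = today - grant["issued"]
    if age >= ROTATION_INTERVAL:
        return "rotate"
    if age >= ROTATION_INTERVAL - WARN_BEFORE:
        return "rotate-soon"
    return "ok"


def review_register(grants, today, offboarded=OFFBOARDED):
    """Return {key_id: action} for every key in the register."""
    return {g["key_id"]: review_grant(g, today, offboarded) for g in grants}


def keys_to_deactivate(grants, today, offboarded=OFFBOARDED):
    """Key ids that should be switched off now (revoked or past rotation)."""
    actions = review_register(grants, today, offboarded)
    return sorted(k for k, a in actions.items() if a in ("revoke", "rotate"))


if __name__ == "__main__":
    today = date(2024, 3, 1)  # constructed review date
    for g in GRANTS:
        print(g["key_id"], g["user"], "due", rotation_due(g), "->",
              review_grant(g, today))
    print("deactivate now:", keys_to_deactivate(GRANTS, today))
```

Reviewed on the constructed date of 1 March 2024, bob's key (issued nine months earlier) is due for rotation, frank's key is within the warning window, dave's key is revoked because he appears in the offboarding feed, and the remaining keys pass. Running this on a schedule and feeding its output into the offboarding checklist is what turns the policy sentence “remote access privileges are removed anytime an employee is fired or offboarded” into something that actually happens.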

  • Practice good workstation hygiene

Any remote devices connecting to your network should be in your complete control – or as close to it as possible.  This means requiring all machines to have up-to-date anti-virus, use hard drive encryption, and receive automatic operating system and third-party patches.  You may also want to disable the DNS split tunneling setting on workstations, which forces all web browsing through the company’s firewall and filtering protections.  Users should also understand what types of communications are acceptable (e.g. using SSH instead of telnet; passphrases instead of simple passwords).  All technical controls need to be backed by appropriate policies, such as an acceptable use policy, encryption policy, password policy, and workstation security policy.  Otherwise, you aren’t justified in taking disciplinary action against employees who aren’t following your remote access guidance.
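The workstation requirements above (current anti-virus, disk encryption, timely patching, split tunneling disabled, and no personal machines) are the sort of thing a posture check evaluates before a device is admitted to the VPN. The following is an added example, not code from the original post or from any endpoint-management product: the device report fields, the device names, the dates and the policy thresholds (three days for signatures, thirty days for patches) are constructed for illustration.

```python
"""Evaluate remote workstation reports against a minimum-hygiene policy and
decide whether each device may connect.  Added example; the report layout,
device names, dates and thresholds are constructed for illustration."""
from datetime import date, timedelta

# Constructed policy thresholds.
POLICY = {
    "max_av_signature_age": timedelta(days=3),
    "max_patch_age": timedelta(days=30),
    "require_disk_encryption": True,
    "require_split_tunnel_disabled": True,
    "corporate_managed_only": True,
}

# Constructed device reports, as an endpoint agent might submit them.
DEVICES = [
    {"name": "WS-001", "managed": True, "disk_encrypted": True,
     "av_signatures": date(2024, 3, 1), "last_patch": date(2024, 2, 20),
     "split_tunnel": False},
    {"name": "WS-002", "managed": True, "disk_encrypted": False,
     "av_signatures": date(2024, 3, 1), "last_patch": date(2024, 2, 25),
     "split_tunnel": False},
    {"name": "WS-003", "managed": True, "disk_encrypted": True,
     "av_signatures": date(2024, 2, 10), "last_patch": date(2024, 1, 1),
     "split_tunnel": False},
    {"name": "HOME-PC", "managed": False, "disk_encrypted": True,
     "av_signatures": date(2024, 3, 1), "last_patch": date(2024, 2, 28),
     "split_tunnel": True},
]


def evaluate(device, today, policy=POLICY):
    """Return the list of policy failures for one device (empty means compliant)."""
    reasons = []
    if policy["corporate_managed_only"] and not device["managed"]:
        reasons.append("device is not corporate-managed")
    if policy["require_disk_encryption"] and not device["disk_encrypted"]:
        reasons.append("disk encryption is not enabled")
    av_age = today - device["av_signatures"]
    if av_age > policy["max_av_signature_age"]:
        reasons.append(f"anti-virus signatures are {av_age.days} days old")
    patch_age = today - device["last_patch"]
    if patch_age > policy["max_patch_age"]:
        reasons.append(f"last patch applied {patch_age.days} days ago")
    if policy["require_split_tunnel_disabled"] and device["split_tunnel"]:
        reasons.append("split tunneling is enabled")
    return reasons


def admit(device, today, policy=POLICY):
    """A device is admitted only when it has no policy failures."""
    return evaluate(device, today, policy) == []


def posture_report(devices, today, policy=POLICY):
    """Map device name -> (admitted, reasons) for a fleet of reports."""
    return {d["name"]: (admit(d, today, policy), evaluate(d, today, policy))
            for d in devices}


if __name__ == "__main__":
    today = date(2024, 3, 2)  # constructed evaluation date
    for name, (ok, reasons) in posture_report(DEVICES, today).items():
        print(name, "ADMIT" if ok else "DENY", "; ".join(reasons))
```

On the constructed evaluation date only WS-001 is admitted: WS-002 lacks disk encryption, WS-003 has stale signatures and stale patches, and HOME-PC fails both the managed-device requirement and the split tunneling rule. Reporting every failed requirement rather than stopping at the first gives the help desk something concrete to fix, and the policy dictionary is the place where the written workstation security policy and the enforced thresholds should agree.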

Providing secure remote access to your private network is a great way to give employees the flexibility they need to work from anywhere.  However, you need to make sure their access is provisioned correctly and monitored, that their personal computers are denied access and that you prevent unauthorized use by disabling connections whenever an employee leaves your organization.  Ensure that your remote access guidelines and expectations are clearly defined in the remote access policy and complemented with clear onboarding/offboarding policies and procedures.  This way, you will know that the right employees get the appropriate type of access for the proper amount of time.
