Remote and hybrid work are here to stay. Remote workers enjoy quantifiably higher productivity and greater work-life balance – the stronger autonomy and sense of trust between employees and managers further pave the way for greater retention rates.
However, safely unlocking the benefits of secure remote access is proving a substantial challenge. For many, remote device access was first introduced during the early days of the pandemic, and while hodgepodge solutions helped in the ensuing scramble, too many organizations are still reliant on flawed remote access methods. A traditional VPN, for instance, became the epicenter of the Russian-backed Colonial Pipeline attack, which halted gas supplies throughout the Eastern US and saw President Biden declare a state of national emergency.
Data access is a paradox: on one hand, the productivity of remote work hinges upon users accessing files and system resources. On the other, this data needs to be simultaneously accessible to users – and inaccessible to attackers.
The process of connecting authenticated users to sensitive internal networks can be full of hazards. Whether poor digital hygiene sees employees reusing passwords, or certain employees wish to use their own personal devices, standardized remote access can be hard to keep secure. Here are some of the most common secure remote access software technologies.
Virtual Private Networks (VPNs) were among the first secure remote access software. Traditionally, a VPN routes the employee’s connection via a network access server. This allows the employee to connect to a corporate network over the public internet; any data traveling to or from the corporate network is encrypted. Before connecting to the network access server, credential-based authentication works to verify the person using the device. Authentication can either be handled by the network access server itself or by a separate authentication server running on the network.
While useful, VPNs allow access to the entire corporate network by default, meaning a compromised account can enjoy all the benefits of broad access. This is made worse by the fact that credential theft continues to be a particularly thorny topic for VPNs, as employees regularly reuse passwords across internal and remote access devices. A single reused VPN password is now thought to be the underlying method of entry in the Colonial Pipeline ransomware attack.
Multi Factor Authentication
Used as a way to sidestep the issue of compromised credentials, Multi Factor Authentication (MFA) sits on top of the credential-based authentication process. The goal of MFA is to verify the identity of a connecting user via a second factor, such as a phone, before they can access sensitive corporate data. The implementation of MFA is offered by many VPN providers, and helps streamline access security protocols. This brings remote access in line with logging into email and file sharing applications.
Zero Trust Network Access
Zero Trust Network Access (ZTNA) aims to combat one of VPN’s major flaws. Instead of allowing full access to the target network, ZTNA platforms connect users only to the specific applications and systems that they need. This is achieved via a cluster of solutions. Firstly, the user’s connection request requires authentication; a trust broker will ideally integrate with the organization’s existing identity provider for this. Once successful, ZTNA refers back to a policy engine, which defines the level of access for each user. Finally, the user connects directly to the application they require. This granular approach to network access denies threat actors – even those wielding fully compromised accounts – the chance to move laterally.
Secure Access Service Edge (SASE) is a new model of remote security that takes the defined software perimeters of ZTNA and combines them with other cloud-based security solutions. For instance, while ZTNA provides application-specific access, an integrated cloud access security broker (CASB) evaluates the security of each application’s data handling. Corporate data is monitored, and malicious application behavior is identified. At the same time, SASE moves firewall protection to the cloud, rather than the old school network perimeter. Security teams benefit from a real-time view of compliance violations, while a remote and highly mobile workforce can send and receive data from the corporate network. Consistent security policies are enforced throughout the organization.
While remote working was already established before 2020, the Covid-19 pandemic was the catalyst for remote work becoming mainstream. This accelerated the demand for users to access organizational networks on an as-needed basis; organizational networks suddenly had to facilitate access from multiple different locations at the same time. The vast majority of connections were now originating from employees’ home networks – and many employees were also using personal devices. This amplified the risks faced by corporate and personal networks, and often invalidated legacy security measures.
Initially this was a tech headache. However, many organizations have discovered the cultural and financial benefits of remote work: many businesses are now free to hire based on qualification rather than location. On the flip side, evolving attack groups have been reliably making victims of the organizations that fail to keep up with the increased demands on data and network hygiene. Furthermore, vulnerabilities remain at all-time highs; this has forced secure remote access to the top of priority lists for IT and security departments around the globe. Across every industry, a new security baseline is facilitating remote system access for every user, from any network that they dial in from, on every device they choose.
The risk surrounding remote access varies depending on the flavor of remote access solution. Below are some of the security and user concerns levied at a few of the most popular approaches to remote access.
Permissive Remote Access Policies
An issue most commonly seen among VPN solutions, permissive access policies define access via entire networks. While firewall rules often allow access to almost everything on corporate networks, even modern remote access software requires careful access provisioning. User privilege needs to be carefully divvied out, otherwise the blast radius of account compromise becomes far greater than it otherwise would have been.
When remote working suddenly became mainstream, many organizations were faced with the choice between purchasing at-home equipment (while swallowing the losses of widespread disruption) and allowing employees to use their own laptops. This opened the door to sizable spikes in hardware-borne supply chain vulnerabilities. Weaknesses in ASUS home wifi routers, for instance, have recently been paving the way for Russian-backed Sandworm attacks.
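The flow described under Zero Trust Network Access (authenticate, consult the policy engine, connect to one application) and the blast-radius point above can be compared side by side. This is an added example, not LayerX code; the application inventory, groups, addresses and function names are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory (hypothetical): internal application -> address.
APPS = {"payroll": "10.0.1.10", "wiki": "10.0.2.20",
        "git": "10.0.2.30", "scada-hmi": "10.0.9.5"}

# VPN-style policy: group -> networks reachable once the tunnel is up.
VPN_POLICY = {"staff": ["10.0.0.0/16"]}
# ZTNA-style policy: group -> named applications only; anything unlisted is denied.
ZTNA_POLICY = {"finance": {"payroll", "wiki"}, "engineering": {"git", "wiki"}}

@dataclass(frozen=True)
class Identity:
    user: str
    groups: frozenset
    authenticated: bool  # set after the identity provider has verified the user

def vpn_reachable(identity):
    """Network-level rules: every app inside an allowed CIDR is reachable."""
    if not identity.authenticated:
        return set()
    nets = [ipaddress.ip_network(cidr)
            for group in identity.groups for cidr in VPN_POLICY.get(group, [])]
    return {app for app, ip in APPS.items()
            if any(ipaddress.ip_address(ip) in net for net in nets)}

def ztna_reachable(identity):
    """Per-application rules: only apps explicitly granted to the user's groups."""
    if not identity.authenticated:
        return set()
    granted = set()
    for group in identity.groups:
        granted |= ZTNA_POLICY.get(group, set())
    return granted & set(APPS)

def ztna_authorize(identity, app):
    """Policy-engine decision for one connection request (default deny)."""
    return app in ztna_reachable(identity)

def blast_radius(identity):
    """What a fully compromised account can touch under each model."""
    return {"vpn": sorted(vpn_reachable(identity)),
            "ztna": sorted(ztna_reachable(identity))}

if __name__ == "__main__":
    alice = Identity("alice", frozenset({"staff", "finance"}), authenticated=True)
    print(blast_radius(alice))
    print("scada-hmi allowed:", ztna_authorize(alice, "scada-hmi"))
```

Running the same report over real group and rule exports shows which accounts would expose the most systems if their credentials were stolen.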
A statistically more concerning aspect to BYOD is the lack of encryption offered to the data within. This opens up the risk of exposed corporate assets, particularly when the device is stolen, or otherwise removed from the user’s home.
While VPNs have historically not offered the greatest protection for remote access, they are considerably easier to set up than some new-fangled solutions. For instance, the implementation of SASE requires a full overhaul of authentication policies. Given that the network needs to keep functioning during this process, it’s frequently easier to build a new network from the ground up. This presents a severe issue for older and legacy machines, too – if these are irreconcilable with Zero Trust’s secure remote access protocols, many organizations find themselves having to start almost from scratch.
Lack of User Visibility
When working remotely, it becomes particularly important for security teams to monitor the status of every endpoint device. Knowing this can help proactively stop the spread of malware throughout a remote-minded organization. However, even in many modern solutions, the traffic throughput on local networks is incredibly opaque. The inability to monitor this traffic makes it much more difficult to identify advanced threats, raising the possibility of remote device compromise. Complicating matters is the fact that security analysts are now often also working from home – the lack of visibility becomes twofold, and risks the blind leading the blind. This combination can allow attackers to advance deep into corporate networks.
Remote access enables users to access sensitive data and systems from outside the organization, by design. Consequently, attackers who are able to exploit insecure technologies and gain unauthorized access to the network or remotely connecting devices may be able to steal confidential information, introduce malware or ransomware, or disrupt business operations.
Unauthorized access can be obtained by exploiting vulnerabilities in the remote access technology itself, like weak passwords, unpatched software, misconfigured security settings, or the browser. Attackers may also use social engineering techniques, like phishing, to trick remote users into divulging their login credentials or other sensitive information.
Account Takeover Attacks
A subset of malicious access is account takeover, i.e., the attacker gaining access to the legitimate user’s credentials and performing identity theft. For an organization, this means the attacker can pose as a legitimate user and progress laterally in the system per the user’s permissions.
User credentials can be compromised through a variety of methods, including social engineering (like phishing attacks), brute-force attacks, and password guessing. Attackers may also be able to intercept remote access sessions or exploit vulnerabilities in the remote access tools themselves to gain access to the system or resource.
The benefits of secure remote access for employees center around a strengthened and flexible security stance. A proactive approach to secure remote access allows for attack mitigation processes that are reflected throughout every facet of an organization, protecting customers and end-users alike.
Secure Web Access
The sheer number of web-based applications that every team requires is growing every year. Users require protection across every component of internet connectivity; with the right approach to secure remote access, users are protected whenever they connect to the internet, not just when they’re directly engaged with corporate resources. With always-on protection from the public internet, today’s hyper aggressive threats such as ransomware and drive-by downloads can be practically eliminated.
Robust Endpoint Protection
The days of ring fencing databases are long gone. With modern secure remote access, endpoints are offered full protection. Since users are increasingly reliant upon multiple devices – from laptops to smartphones – secure remote access solutions need to reflect this multi-endpoint focus. Alongside this, teams can rely on security that protects employee-owned devices – offering the same endpoint security enjoyed by organization-provided ones.
Heightened Awareness of Security Issues
Via a solid foundation of endpoint security – no matter the geographical location of employees – organizations help build a culture of cybersecurity awareness. With the maintenance and enforcement of solid security policies, regulatory best practice becomes a springboard for the organization’s security stance in the face of evolving threats.
Flexibility to Work Remotely
Thanks to the ability to connect securely from anywhere, employees do not have to be physically present in the office to perform their tasks. Instead, they can work from home, on the road or even from the beach. This enables them to integrate work into other daily requirements and obligations they have, like caring for children or traveling. In addition, remote work expands the talent pool for companies since they can hire employees from anywhere, without limiting themselves to employees who are willing to commute to the brick and mortar offices.
Following best practices allows an organization to continue making adjustments on its path toward true remote protection. Developing an in-depth security policy for all remote users is vital: this will help specify which protocols define remote access, what devices can be allowed to connect, what uses these devices are permitted for, and finally a policy for neutralizing the threat of lost and stolen devices.
Best practices can be split into three main areas. First and foremost is the ability to protect and manage endpoints. A proxy service in the cloud is far too remote to offer such endpoint visibility; that’s why best practices are built on endpoint-first visibility. Second is encryption. All data must be encrypted throughout any transmission procedure and also whilst at rest on each employee’s device. This level of encryption acts as a layer of protection. Upon this foundation sit authentication mechanisms and comprehensive antivirus solutions, which ensure that – even if an attacker does manage to compromise a device – they are unable to make use of any sensitive data. Finally, security needs to promise threat prevention. The solutions in place need to identify, mitigate, and block potential cyber threats before they can cause damage to the organization’s systems or data. This mitigation can (and should) take place through security controls and organizational processes that address the relevant security risks. With these best practices in place, an organization is best equipped to give at-home teams the full benefits of remote work.
LayerX is a browser security solution that operates at layer 7, the application layer, and provides comprehensive secure access protection and visibility. This is achieved by providing a powerful authentication and authorization process, enabling the blocking of actions inside and outside the network (like copy/paste, downloads, accessing specific web pages, showing applications in read-only mode, etc.) and elegantly integrating with ZTNA, SASE, IdPs (Google, Okta, Azure-forthcoming, etc.), and other solutions. In addition, LayerX provides visibility into user actions in the network and on the web.
LayerX can integrate with remote access solutions like VPNs and MFA; however, it makes them redundant by providing strong multi-factor authentication. In addition, LayerX is ‘always on’, ensuring protection and attack blocking at all times. This is unlike VPNs, which operate only while the user is connected to them.
LayerX is the only solution to provide complete secure access while also integrating with other networking security solutions.