The Information Technology Laboratory (ITL), a component of the NIST Computer Resource Center, has issued a bulletin that reiterates NIST standards for teleworking.
The bulletin, Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions, summarizes key concepts and recommendations from NIST SP 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, which was published in July 2016.
The March 2020 ITL bulletin recommends deploying some or all of the following security measures:
- Developing and enforcing a telework security policy, such as having tiered levels of remote access
- Requiring multi-factor authentication for enterprise access
- Using validated encryption technologies to protect communications and data stored on the client devices
- Ensuring that remote access servers are secured effectively and kept fully patched
- Securing all types of telework client devices—including desktop and laptop computers, smartphones, and tablets—against common threats
According to the bulletin, "Telework and remote access technologies often need additional protection because their nature generally places them at higher exposure to external threats compared to technologies that are only accessed from inside the organization. Major security concerns for telework and remote access technologies include:
- A lack of physical security controls is an issue because telework client devices are used in a variety of locations outside of the organization’s control, such as employees’ homes, coffee shops, and other businesses. The mobile nature of these devices makes them likely to be lost or stolen, which places the data on the devices at increased risk of compromise.
- Unsecured networks are used for remote access. Because nearly all remote access occurs over the internet, organizations normally have no control over the security of the external networks used by telework clients. Communications systems used for remote access include broadband networks, such as cable, and wireless mechanisms, such as Institute of Electrical and Electronics Engineers (IEEE) 802.11 and cellular networks. These communications systems are susceptible to eavesdropping as well as man-in-the-middle attacks to intercept and modify communications.
- Providing external access to internal-only resources such as sensitive servers will expose them to new threats and significantly increase the likelihood that they will be compromised. Each form of remote access that can be used to access an internal resource increases the risk of that resource being compromised."
NIST’s Recommendations for Improving the Security of Telework and Remote Access Solutions
1. Plan telework-related security policies and controls based on the assumption that external environments contain hostile threats. Options for mitigating this include encrypting the device’s storage, encrypting all sensitive data stored on client devices, and not storing sensitive data on client devices. For mitigating device reuse threats, the primary option is using strong authentication—preferably multi-factor—for enterprise access.
2. Assume that communications on external networks, which are outside of the organization’s control, are susceptible to eavesdropping, interception, and modification. These types of threats can be mitigated by using encryption technologies to protect the confidentiality and integrity of communications, as well as authenticating each of the endpoints to each other to verify their identities.
3. Assume that telework client devices will become infected with malware. Possible controls for this include the use of anti-malware technologies, network access control solutions that verify the client’s security posture before granting access, and a separate network at the organization’s facilities for telework client devices brought in for internal use.
4. Develop a telework security policy that defines telework, remote access, and BYOD requirements. A telework security policy should define which forms of remote access the organization permits, which types of telework devices are permitted to use each form of remote access, and the type of access each type of teleworker is granted. It should also cover how the organization's remote access servers are administered and how policies in those servers are updated.
5. Make risk-based decisions about what levels of remote access should be permitted from which types of telework client devices. Having tiered levels of remote access allows an organization to limit the risk it incurs by permitting the most controlled devices to have the most access and the least controlled devices to have minimal access.
6. Ensure that remote access servers are secured effectively and configured to enforce telework security policies. In addition to permitting unauthorized access to enterprise resources and telework client devices, a compromised server could be used to eavesdrop on communications, manipulate them, and provide a “jumping off” point for attacking other hosts within the organization. Ensure that remote access servers are kept fully patched and that they can only be managed from trusted hosts by authorized administrators.
7. Consider the network placement of remote access servers; in most cases, a server should be placed at an organization’s network perimeter so that it acts as a single point of entry to the network and enforces the telework security policy before any remote access traffic is permitted into the organization’s internal networks.
8. Secure organization-controlled telework client devices against common threats, and maintain their security regularly. There are many threats to telework client devices, including malware, device loss or theft, and social engineering. However, because telework devices are generally at greater risk in external environments than in enterprise environments, additional security controls are recommended, such as encrypting sensitive data stored on the devices.
9. Ensure that all types of telework client devices are secured, including desktop and laptop computers, smartphones and tablets. Security capabilities and the appropriate security actions vary widely by device type and specific products, so organizations should provide guidance to device administrators and users who are responsible for securing telework devices on how they should secure them.
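Recommendations 3 and 5 above describe a network access control check that verifies client posture and a tiered remote-access model in which the most controlled devices get the most access. The following Python is an added illustration of how such a decision could be structured; it is not code from NIST or the bulletin, and the posture field names, the 30-day patch threshold and the resource classes are assumptions chosen for the example.

```python
from dataclasses import dataclass
from enum import IntEnum


class AccessTier(IntEnum):
    """Tiered remote access: a higher tier reaches more internal resources."""
    NONE = 0        # deny: a baseline requirement was not met
    WEB_ONLY = 1    # minimal access, e.g. webmail via the remote access server
    STANDARD = 2    # plus file shares and line-of-business applications
    FULL = 3        # plus administrative and sensitive servers


@dataclass(frozen=True)
class DevicePosture:
    """Attributes a NAC check collects before granting access (assumed names)."""
    org_managed: bool           # enterprise-controlled device, as opposed to BYOD
    storage_encrypted: bool     # device storage / sensitive data encrypted
    anti_malware_current: bool  # anti-malware present and up to date
    patch_age_days: int         # days since the last successful patch cycle
    mfa_used: bool              # multi-factor authentication completed


MAX_PATCH_AGE_DAYS = 30  # assumed threshold, not a value from the bulletin


def assign_tier(p: DevicePosture) -> AccessTier:
    """Risk-based tier decision: baseline failures deny outright, the least
    controlled devices get minimal access, and only fully controlled,
    encrypted, recently patched devices reach the highest tier."""
    if not p.mfa_used:
        return AccessTier.NONE        # MFA is required for all enterprise access
    if not p.anti_malware_current:
        return AccessTier.NONE        # assume clients get infected; verify posture first
    if not p.org_managed:
        return AccessTier.WEB_ONLY    # BYOD is the least controlled device class
    if p.storage_encrypted and p.patch_age_days <= MAX_PATCH_AGE_DAYS:
        return AccessTier.FULL
    return AccessTier.STANDARD        # managed, but unencrypted or behind on patches


# Minimum tier needed for each resource class (assumed classes for the example).
RESOURCE_MIN_TIER = {
    "webmail": AccessTier.WEB_ONLY,
    "file-share": AccessTier.STANDARD,
    "admin-console": AccessTier.FULL,
}


def allowed_resources(p: DevicePosture) -> list[str]:
    """Resource classes the remote access server would expose to this device."""
    tier = assign_tier(p)
    return sorted(name for name, need in RESOURCE_MIN_TIER.items() if tier >= need)
```

The ordering of the checks is the point: a device that fails MFA or the anti-malware check is denied before its other attributes are considered, so a richer posture can never compensate for a missing baseline control.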
Additional Resources:
• NIST Special Publication (SP) 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security
• NIST SP 800-114 Revision 1, User’s Guide to Telework and Bring Your Own Device (BYOD) Security
• NIST SP 800-77 Revision 1 (Draft), Guide to IPsec VPNs
• NIST SP 800-52 Revision 2, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
• NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices
• NIST SP 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise
• NIST SP 800-40 Revision 3, Guide to Enterprise Patch Management Technologies
• NIST SP 1800-4, Mobile Device Security: Cloud and Hybrid Builds
• NIST SP 1800-21 (Draft), Mobile Device