<img src="https://ws.zoominfo.com/pixel/6169bf9791429100154fc0a2" width="1" height="1" style="display: none;">

PAM Was Dead. StrongDM Just Brought it Back to Life. ✨  An important message from StrongDM's CEO!

Close icon
Search bar icon

4 Steps To Work Remotely While Maintaining Security | Remote Access Policy

Our world has changed. Gone are the days of an 8 to 5 work day at a physical office and leaving all your responsibilities behind at the end of the day. We now live in a 24x7 global economy and are perpetually connected to our corporate networks with cell phones, laptops, and tablets.

The convenience of “work from anywhere” introduces some exciting challenges for your information security and information technology teams, and that’s where the remote access policy comes in. The purpose of this policy is to keep your employees productive from anywhere without sacrificing security.

Enforcing your Remote Access Policy for SOC2 is not easy when database credentials, SSH keys, and app permissions are stored in a dozen different places. StrongDM unifies access to everything in your existing SSO.

4 steps your team can take to work remotely while still maintaining security

Define who can work remotely

Before you start mandating security controls for remote access privileges to your internal network, you need to take a step back and determine which roles should even have permission to work remotely and when. For example, you probably don’t need to give your front desk person the ability to remote in and access PII from a cafe’s public WiFi. Too often, though, companies enable “wide open” VPN access as a standard step in the employee onboarding process. Remote candidates should be vetted carefully based on job role and formally granted access by filling out a waiver that management must cosign.

If parsing out remote access candidates by job roles doesn’t make sense for your organization, consider at least limiting access on when users can work remotely. For instance, you can set up remote access connections to be allowed only during certain hours. Or maybe you enable remote access technologies for a specific project, and the access is set to shut off after a specific date automatically - at which time users can request permission again if necessary. Another useful control is enforcing a timeout so that users are disconnected after a period of idle time. The main idea is to not leave access “wide open” for all users 24/7.

Monitor access

Monitoring VPN access is another area where many companies fall short. In the event you need to audit secure remote access, you should (at a minimum) have logs that show when a login occurs and from what IP address. This information can help you quickly identify unauthorized use. If you have any home office workers, you might want to keep a spreadsheet of their home IP addresses so that if you see a suspicious connection in your logs, you can quickly correlate it to a user.

In addition to logging when VPN connections start and stop, you may want to enable more detailed logging so you can capture what the remote machines are doing while connected. This is where implementing a logging/alerting solution, such as a SIEM, can provide greater visibility into what’s happening in your network and help you better identify if a remote connection is friendly or hostile. As a best practice, consider any VPN endpoint as posing a high risk to your network, so the more logs you have, the better.

Rotate keys/revoke access

Another common problem with VPN access is when it is granted perpetually. You need to make sure that any VPN keys are rotated (every six months is a good standard) to prevent anyone with a compromised key from misusing it. This plays into other best practices and policies you should have in place as well, such as making sure all your user accounts go through a periodic review and that remote access privileges are removed anytime an employee is fired or offboarded. Otherwise, you run the risk of terminated employees having unauthorized access to the network.

Practice good workstation hygiene

Any remote devices connecting to your network should be in your complete control - or as close to it as possible. This means enforcing all machines to have up-to-date anti-virus, use hard drive encryption, and receive automatic operating system and third-party patches. You may also want to disable the DNS split tunneling setting on workstations, which will force all Web browsing through the company’s firewall and filtering protection. Users should also understand what types of communications are acceptable (i.e., using SSH instead of telnet; passphrases instead of simple passwords). All technical controls need to be backed by appropriate policies, such as an acceptable use policy, encryption policy, password policy, and workstation security policy. Otherwise, you aren’t justified in taking disciplinary action against employees who aren’t following your remote access guidance.

Providing secure remote access to your private network is a great way to give employees the flexibility they need to work from anywhere. However, you need to make sure their access is provisioned correctly and monitored, that their personal computers are denied access and that you prevent unauthorized use by disabling connections whenever an employee leaves your organization. Ensure that your remote access guidelines and expectations are clearly defined in the remote access policy and complemented with clear onboarding/offboarding policies and procedures. This way, you will know that the right employees get the appropriate type of access for the proper amount of time.

To learn more about how StrongDM helps companies with managing permissions, make sure to check out our Managing Permissions Use Case.


About the Author

, Security Engineer / Podcaster, is the president of 7 Minute Security, an information security consultancy in the Minneapolis area. Brian spends most of his days helping companies defend their networks.

Since 2004, Brian has also run the blog/podcast called 7 Minute Security, where he shares what he has learned about information security into short, 7-minute chunks.

StrongDM logo
💙 this post?
Then get all that StrongDM goodness, right in your inbox.

You May Also Like

Automating access to cloud environments
Managing Access to Ephemeral Infrastructure At Scale
Managing a static fleet of strongDM servers is dead simple. You create the server in the strongDM console, place the public key file on the box, and it’s done! This scales really well for small deployments, but as your fleet grows, the burden of manual tasks grows with it.
Illustration of an technical employee who is offboarding from their employer.
All Offboard! The 2024 Tech Staff Offboarding Checklist
Offboarding technical employees can be a complex and arduous process with a lot of moving parts. The key to successful offboarding is to have a clear understanding of what needs to be done, who does it, and how to monitor for any shenanigans from former employees.
User Provisioning: How To Automate & Manage Credentials
How We Automate User Provisioning & Keep Track of Credentials
There are a number of ways to automate user provisioning but the real challenge lies in keeping track of those credentials.
SOC 2 dashboard
What Would My SOC 2 Dashboard Look Like?
As your organization pursues your SOC 2 certification, organization is critical. ‍You will be busy actively managing dozens of ongoing daily tasks, which can bury you in minutiae. But at the same time, you need to keep your high-level compliance goals in focus in order to successfully move your certification over the finish line.
SOC 2 Policies Guide
A Definitive Guide to SOC 2 Policies
In this post, we will help you get started with a hierarchy to follow, as well as a summary of each individual SOC 2 policy.