Aligning Secure Remote Access to NIST Guidelines

With 80% of security professionals scaling up their remote access infrastructure, per Check Point research, certain controls should be applied to ensure that security is not compromised. Below are key guidelines recommended by the National Institute of Standards and Technology (NIST) in supporting standard users, privileged administrators, BYOD and third parties.

Plan remote work-related security policies and controls based on the assumption that external environments contain hostile threats.

  • Organizations must assume that client devices used at external locations by employees and third-parties are susceptible to loss or theft and could be used by malicious actors to access data or use the devices to gain organizational network access.
  • Mitigating client device loss or theft includes encrypting the device (e.g. hard disk encryption), and not storing sensitive data on client devices altogether. For mitigating device reuse threats, use strong and multi-factor authentication.

Develop a remote work security policy that defines telework, remote access, and BYOD requirements.

  • Remote work security policies should define the forms of remote access permitted, the types of devices that can be used and the type of access allowed for each type of remote worker.
  • The policies should also cover how remote access servers are administered and how their policies are updated. Organizations should make risk-based decisions about what levels of remote access should be permitted from which types of client devices.

Ensure that remote access servers are secured effectively and are configured to enforce remote work security policies.

  • The security of remote access servers is particularly important because they provide a way for external hosts to gain access to internal resources, as well as a secured, isolated telework environment for organization-issued, third-party-controlled, and BYOD client devices.
  • In addition to permitting unauthorized access to enterprise resources and telework client devices, a compromised server could be used to eavesdrop on communications and manipulate them, as well as to provide an entry point for attacking other hosts within the organization.

Secure organization-controlled remote work client devices against common threats and maintain their security regularly.

  • Remote work client devices should include all local security controls used in an organization’s secure configuration baseline for its non-telework client devices.

If external device use (e.g., BYOD, third-party controlled) is permitted within the organization’s facilities, strongly consider establishing a separate, external, dedicated network for this use with remote access policies.

  • Allowing BYOD and third-party-controlled client devices to be directly connected to internal enterprise networks adds risk as these devices do not have the same security safeguards as the organization’s own devices.

NIST also recommends placing remote access servers at the network perimeter and defines four types of remote access methods:

  • Tunneling servers provide administrators control over the internal resources for remote worker access at the network perimeter.
  • Portal servers that run the application client software on the servers themselves. Placing them at the network perimeter because the remote access user is only running applications on the portal server, not on servers inside the network.
  • Remote desktop access does not involve remote access servers, so there is no issue with the placement of the remote access server.
  • Direct application access servers run the application server software on the servers themselves. Placing them at the network perimeter has a similar effect as the remote access user is only running applications on the direct application access server, not on servers inside the network.

Meeting NIST Guidelines with Check Point Corporate Access

Check Point Corporate Access redefines secure remote access with a simple, clientless remote access service that deploys in minutes. Based on a Software-Defined Perimeter (SDP) architecture, Check Point Corporate Access enables organizations to enforce a granular access policy that gives only the right people in the right context, least privileged access to the right resources–and all while making the user experience a breeze.

To learn more, watch the webinar Securely Connect Remote Users with Clientless Zero Trust Corporate Access.

Check Point Corporate Access provides an innovative framework for supporting diverse users within and without the organization:

Clientless Remote Access for Third Parties

Removing the need to install and maintain a VPN client enables organizations to easily secure remote access for third parties such as consultants, contractors, partners and suppliers. Role-based controls allow administrators to easily provision and deprovision access to (and within) internal applications and limit access in both time and scope.

Clientless Remote Access for Employees

Eliminating network-layer risks, the service provides application-layer access with full authentication and authorization. Applications are accessed through any browser (including PC, Mac and mobile) via direct link or a user app portal.

Clientless Remote Access for DevOps

Engineering teams need to leverage the agility and flexibility of cloud-based development and production environments, without compromising security. Using the cloud-native service, administrators can leverage the cloud-native service to effortlessly provision and deprovision access to virtual machines, applications and services with granular role-based access profiles.

Privileged Access Management for Administrators and Engineers

By supporting a variety of protocols, Check Point Corporate Access enables secure access to databases (SQL), administration terminals (SSH) and remote desktops (RDP). Integrating with any Identity Provider, its lightweight Privileged Access management (PAM) module offers built-in SSH server key management to ensure the security of an organization’s crown jewels.

Discover Clientless Access for Remote Workers

To learn more about clientless zero trust network access delivered as a service (ZTNAaaS), check out these resources: