Remote Access: New Guidance from NISTRemote Access Guidance Revised for Era of Smartphones and BYOD
Imagine the worst. That's what revised guidance from the National Institute of Standards and Technology advises as organizations allow employees, contractors and business partners to access critical information systems from outside the enterprise, especially with smartphones and other mobile devices, often owned by individuals.
Assume that "external environments contain hostile threats," states NIST's just-issued draft of the revised guidance, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device Security, NIST Special Publication 800-46 Revision 2.
NIST simultaneously published a companion guide aimed at employees, the User's Guide to Telework and Bring Your Own Device Security, or Draft NIST Special Publication 800-114 Revision 1.
Both draft publications leverage advice from the original versions issued more than a half-decade ago but include updates to address changes in technology - such as smartphones and tablets, virtual desktop infrastructures and mobile device management tools - and how they're being used.
Big Tech Changes Since 2009
A significant change since 2009, when NIST released the original guidance, is the extensive use of mobile devices to remotely access enterprise systems.
"The explosion of these devices is what's challenging to these organizations," says Murugiah Souppaya, a NIST computer scientist who co-authored the revised guidance. "Resources are becoming much more remotely accessible these days than they were back a few years ago. Most people would have had to show up to work in order to perform their job function. But nowadays, all of those functions are widely accessible across the network, and most services are being shifted to the cloud, which leads to the explosion of the access to resources remotely."
Among the first organizations to allow employees to use their own mobile devices was Intel, which in 2009 began allowing employees to use their own smartphones, tablets and mobile storage devices on the job. "Rather than reject the trend, as many organizations initially attempted, Intel's senior leaders were quick to embrace it as a means to cut costs and improve productivity," according to an Information Security Media Group webinar hosted by then Intel Chief Security and Privacy Officer Malcom Harkins, who now is global CISO at Cylance (see Mobile: Learn from Intel's CISO on Securing Employee-Owned Devices ).
Surge in Teleworkers
Accessing systems remotely using various mobile devices led to the growth in telework - and the need for organizations to adopt policies and procedures to make accessing enterprise systems secure. In the United States, the number of non-self-employed workers teleworking more than doubled from 2005 and 2014, according to Global Workplace Analytics, a workplace research and advisory company. During that same period, U.S. federal employees teleworking soared by nearly 425 percent. In 2014, nearly 159,000 of the government's 4.4 million employees teleworked.
Teleworkers aren't just full-time telecommuters; they also include those who work remotely occasionally or under special circumstances, such as during severe weather. In fact, a day after NIST published the drafts of its revised telework guides, thousands of federal government workers and private-sector employees opted to work from home when the Washington, D.C., Metro rail system closed down for emergency safety inspections on March 16, two days after an electrical fire in a tunnel crippled three subway lines.
Threats to Enterprise IT
What horrible things does NIST envision threatening enterprises' IT as a result of remote access to systems? Smartphones and laptops will be lost or stolen; third parties will eavesdrop, intercept or modify communications; and devices will be infected with malware.
To address these threats, the draft guidance encourages use of virtual mobile infrastructures to deliver a secure environment to a mobile device used for telework. Virtual mobile infrastructures establish a temporary secure environment when the teleworker needs to access the organization's data and applications. When the session is done, the environment is securely destroyed, leaving no traces of the data and applications on the mobile device.
Also, mobile device management systems can be used to enforce security policies on mobile devices, including those owned by employees or used by vendors and contractors. These systems, for instance, can check each device for signs that the user has deactivated the device's built-in security controls before allowing the device to access the organization's computing resources.
NIST's Souppaya says the new draft publications outline ways for organizations to gain "higher visibility into who's using the device, what resources people are accessing from those devices and how they're communicating with that, and also protecting that communications channel [by] using encryption to make sure that the network communications is protected between the enterprise resource and the smartphone."
Both publications recommend that teleworkers should understand their enterprises' policies and requirements and proper ways to safeguard their organizations' information and systems being accessed. They also call for organizations to strongly consider establishing a separate, external, dedicated network for BYOD devices if their use is allowed.
NIST is seeking comments on the two draft publications before they're finalized. The deadline for comments is April 15. Stakeholders can email their comments to firstname.lastname@example.org for the enterprise publication and email@example.com for the user guide.