CSA CCM HRS-04
Remote and Home Working Policy and Procedures

With remote work becoming increasingly common, it's important for organizations to establish clear policies and procedures to protect information accessed, processed, or stored off-site. These guidelines should cover topics like secure remote access, data protection, and use of personal devices. Regular reviews are needed to keep the policy up-to-date.

Where did this come from?

This article is based on the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26, which can be downloaded at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The CCM provides a comprehensive set of cloud security controls mapped to various standards and regulations.

Who should care?

  • IT managers responsible for developing and enforcing remote work policies
  • Information security professionals assessing risks of remote access
  • Compliance officers ensuring remote work aligns with regulations
  • Remote employees accessing corporate systems and data from home

What is the risk?

Allowing remote access to business systems and data introduces several risks:

  • Sensitive information could be accessed by unauthorized parties if proper security is not in place. This could lead to data breaches and reputational damage.
  • Malware infections on remote devices could spread to the corporate network.
  • Use of insecure home/public networks exposes data to eavesdropping.

Having a remote work policy helps mitigate but not eliminate these risks. Additional technical controls are also needed.

What's the care factor?

Remote work policies should be a high priority for any organization with employees working off-site. Failure to adequately secure remote access is a common cause of data breaches. Regulations like HIPAA and GDPR also require protection of sensitive data accessed remotely.

However, smaller organizations with minimal remote work may have less exposure. The policy should be tailored to the level of risk.

When is it relevant?

A remote work policy is applicable whenever employees are accessing business systems and data from outside the office, such as:

  • Working from home full-time or part-time
  • Traveling for business
  • Using personal devices for work (BYOD)

It's less relevant for roles that don't involve off-site work or access to sensitive information.

What are the trade-offs?

Implementing secure remote access has costs and challenges:

  • Multi-factor authentication improves security but adds friction for users
  • Tight restrictions on copying data to personal devices protects information but makes it harder for employees to work offline
  • Providing corporate devices for remote work is expensive compared to BYOD
  • Over-restrictive policies may push employees to use unapproved "shadow IT" solutions

The key is balancing security and productivity based on the sensitivity of the data involved.

How to make it happen?

  1. Assess risks: Identify the types of data and systems that will be accessed remotely and the associated threats. Consider regulatory requirements.
  2. Define policy: Document rules for remote access, such as:
  • Allowed devices and software
  • Required security controls (e.g. encryption, VPN, MFA)
  • Acceptable use of business data
  • Incident reporting procedures
  1. Implement controls: Put in place the technical safeguards defined in the policy. For example:
  • Set up virtual desktop infrastructure (VDI) to avoid storing data on personal devices
  • Enforce MFA for remote access (e.g. AWS IAM, Microsoft AAD)
  • Configure secure remote access via VPN
  • Deploy mobile device management (MDM) to secure BYOD
  1. Train users: Educate employees on the remote work policy and their security responsibilities. Cover topics like phishing, public Wi-Fi risks, and physical device security.
  2. Monitor and maintain: Use tools to log remote access activity and check for compliance with policy. Review and update the policy at least annually.

What are some gotchas?

  • VPN access requires appropriate inbound security group rules in AWS VPC. The specific ports depend on the VPN protocol (e.g. UDP 500, 4500 for IKEv2).
  • Implementing MFA for AWS root account access requires use of virtual MFA, not SMS. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#id_root-user_manage_mfa
  • Many SaaS apps have their own MFA settings that must be configured separately from the corporate SSO provider.
  • Remote access solutions that store data in the cloud may not be compliant with certain data residency laws.

What are the alternatives?

Some options to complement or replace a remote access policy:

  • Virtual desktop solutions that stream applications to a web browser, avoiding the need for a full VPN connection. Amazon WorkSpaces is an example.
  • Cloud access security brokers (CASB) that enforce security policies on SaaS apps.
  • "Zero Trust" security models that evaluate device health and user risk to make granular access decisions in real-time.

Explore further

?

Blog

Learn cloud security with our research blog