Securing Remote Desktops During a Pandemic

The COVID-19 pandemic changed the way the world worked nearly overnight. Companies large and small were forced to enable tens of millions of employees to do their jobs remotely, many with no more than a day or two of notice.

Now, many months later, employees have settled into this new remote reality, and concerns have begun to shift from providing immediate access to ensuring remote workers can continue to access the resources they need reliably and safely from this point forward.

It has become apparent that remote work is needed not only to reduce the risk of spreading the virus, but also to ensure that everyone has the flexibility they need to be productive under unpredictable circumstances.

The advantages of “Bring Your Own Device”

Remote access, when properly implemented, offers a compelling way for employees to work from home without having to be tied to a traditional company-provided laptop or desktop. It brings advantages in security and flexibility, while also reducing the administrative burden of preparing, supporting, and maintaining each employee’s work environment.

From the perspective of the employee, access to resources is simplified. Regardless of whether they are using their own laptop, the desktop of a friend, or their personal phone, their work environment is always accessible. Any applications that were running when they previously signed in to work are still there, exactly as they left them.

Meanwhile, all actions performed within that remote desktop are actually executed on the employer’s devices and behind the employer’s firewall. Software and data are transparently protected by the same corporate security infrastructure that would apply in a physical office environment.

Auditing required by the nature of the job, even something as fine-grained as recording absolutely all activity, can be automatically enforced. Backups of important data are made by the infrastructure hosting the desktop, without having to rely on the end-user’s own home network and power grid to function.

When remote access is a primary means of work, employers have the ability to control resources and prevent exfiltration of data that would otherwise require implementing complex controls on all end-user devices. Companies that don’t provide remote access will inherently incur greater security risks, data integrity risks, and find themselves at a competitive disadvantage.

Securing remote access

While it may be easier to secure company-wide remote access than it is to secure numerous company-provided laptops, there are still specific best practices that must be followed. To ensure that deploying remote access has the intended effect of hardening security, IT needs to do the following:

  • Follow the Principle of Least Privilege: Access rights must be carefully delegated such that end-users can access only the resources they need. Restricting access using a remote desktop gateway can help guarantee this. This also means that the traditional solution of leveraging a virtual private network (VPN) is insufficient, because it will likely be possible to access other resources on the private network as long as the VPN client is connected.
  • Encrypt all traffic between the end-user’s device and their desktop(s): This can be accomplished via VPN, but going that route requires the installation and configuration of a VPN client, limiting end-users to specific devices and increasing complexity. A remote access solution that takes advantage of the ubiquity of web browsers can provide proper encryption while also avoiding the limitations of a VPN. (As an active developer within the Apache Guacamole project, I am naturally biased in this regard, but I would argue that bias is reasonably justified.)
  • Do not allow direct access: Raw remote access services are common targets for hackers and should never be exposed to the public Internet. Placing these services behind a remote desktop gateway shields them from direct public access and provides an additional layer of security and access control.
  • Isolate your remote desktops: It’s critical to keep your internal network isolated. With a remote desktop gateway in place, servers should be configured to accept inbound connections only from the networks authorized to establish those connections.
  • Consider requiring multi-factor authentication (MFA): If your end-users will be handling sensitive data, MFA is a must-have to reduce the likelihood that a user’s credentials may be fully compromised, particularly if you need to be compliant with security standards like PCI DSS.

We’ve entered an entirely new business world, and though the pandemic will eventually pass, remote work is clearly here to stay. To ensure employees can work efficiently and securely, remote access must be fundamentally available and must be secure. With a bit of care and planning, employers can provide the simple, scalable remote access that their employees need, all while simultaneously hardening security.