key requirements for secure remote access

Below are the various security requirements that must be implemented to protect remote workers and their environments as specified by PCI DSS:

• For all remote network access from outside the corporate network, use multi-factor authentication.
• Enforce a strong password policy wherever passwords are used.
• Allowing the use of shared passwords is not permitted.
• Educate staff on the importance of protecting their passwords and other authentication information from unauthorized access.

Full Answer

What are the characteristics of a successful remote access implementation?

These characteristics of a successful remote access implementation mean different things across various communication contexts: facility-to-facility (F2F), business-to-business (B2B), and individual-to-business (I2B). Three current solutions provide the flexibility to match implementation-specific requirements: T1/T3, IPSec VPN, and SSL VPN.

What is remote access security?

Remote access security begins with hardening the devices seeking to connect, as demonstrated in Chapter 6. We follow this with a selection of one or more remote access methods based on functional and technical requirements. Finally, we control access based on context.

What do I need to set up a remote key exchange?

Multiple parameters, including IP address, domain name, key ID, authentication mode, a suitable encryption algorithm, and an efficient hash function, all need to be configured to properly establish connectivity with remote machines and to be able to exchange the necessary authentication keys and data.

How to ensure the security of cloud-based remote access?

c) Follow existing IT security policies without any compromises: Cloud-based remote access solutions build outbound connections using the outbound service port 443 (normally reserved for secure website access using SSL) to access remote equipment, which does not present any issues for IT departments managing plant networks.

How do you secure remote access to a network?

Use virtual private networks (VPN) - Many remote users will want to connect from insecure Wi-Fi or other untrusted network connections. VPNs can eliminate that risk, however VPN endpoint software must also be kept up-to-date to avoid vulnerabilities that can occur from older versions of the software client.

What allows for secure remote console access?

You can enable remote access (dial-up or VPN), Network Address Translation (NAT), both VPN and NAT, a secure connection between two private networks (site-to-site VPN), or you can do a custom configuration to select any combination of these, as shown in Figure 14.25.

Which method of remote access is the most secure?

Remote Access Solutions: Which is the Most Secure?VPNs. ... Desktop Sharing. ... The Verdict: VPNs and Desktop Sharing Are Not Secure Enough for Remote Vendor Access. ... The Best Alternative: Vendor Privileged Access Management. ... The Bottom Line.

What are the types of remote access?

Remote Access Control MethodsDirect (Physical) Line. The first direct remote access control that can be implemented is a direct line from a computer to the company's LAN. ... Virtual Private Network. Another method which is more common is establishing a VPN. ... Deploying Microsoft RDS.

What is remote access examples?

Accessing, writing to and reading from, files that are not local to a computer can be considered remote access. For example, storing and access files in the cloud grants remote access to a network that stores those files. Examples of include services such as Dropbox, Microsoft One Drive, and Google Drive.

What is secure remote access protocol?

PPTP is a remote access protocol, based on PPP, created by Microsoft. It's used to establish virtual connections across the internet via PPP and TCP/IP, enabling two networks to use the internet as their WAN link while retaining the security benefits of a private network.

Why is secure remote access important?

A secure remote access system protects your employees from web-based threats such as phishing attacks, ransomware and malware while they're logged in to your company's network. These cyber incidents can lead to unauthorized access and use of both the company's business data and the employee's personal data.

What is remote console access?

Accessing the Remote Console. The remote console application, which you access via a web browser, enables you to control your server's operating system remotely using the screen, mouse, and keyboard, and to redirect local CD and diskette drives as if they were connected directly to the server.

Is remote access security Secure?

Yes. A robust cloud-based, highly secure remote access solution can provide unified protection for virtually all users against web-based threats — independent of a VPN connection.

What is secure remote communications?

Secure Remote Working is a combination of multiple technologies and procedures comprising: Virtual Private Network (VPN) – Facilitates secure access to on-premises applications and services. VPNs also provide secure internet access for employees on public wireless or third-party corporate networks.

Which protocol is used for encrypted remote access to a server?

IPsec. Internet Protocol security (IPsec) can be used as a remote access tunneling protocol to encrypt traffic going over the Internet.

What is remote access security?

Remote access security begins with hardening the devices seeking to connect, as demonstrated in Chapter 6. We follow this with a selection of one or more remote access methods based on functional and technical requirements. Finally, we control access based on context.

What is remote access?

Remote access is no longer just about a laptop or home desktop user connecting to catch up on some work or update customer and order information. The explosion of consumer devices in the hands of our employees changes how we look at remote connectivity. In addition to supporting various platforms and proprietary operating systems, traditional security controls do not provide sufficient granularity for policy enforcement. This results in either lax security or inflexibility in how we deliver business services.

How many T1s can be bonded?

When an organization requires more bandwidth, it can bond multiple T1s to look like a single connection. For example, bonding two T1s results in bandwidth of about 3 Mbps. Another option is to implement a full or partial T3 circuit. A T3 is an aggregate of 28 T1s, providing bandwidth of 44.736 Mbps.

How is context based access control facilitated?

Context-based access control is facilitated by first defining policies, as depicted in Figure 9-9. Remote access policy must address who, what, when, where, and with what is access allowed and to what extent. Figure 9-10 depicts an example of how an organization might apply a set of polices.

What is expanding connectivity requirements?

The expanding connectivity requirements are exceeding the ability of our traditional access and admission control technologies. For example, is the acceptable use policy the same for remote employee-owned tablets as it is for company-owned laptops? Should it be? How can we enforce different policies for different devices?

Which is better for today's Internet connected businesses with multiple communication pathway requirements?

A better choice for today’s Internet-connected businesses with multiple communication pathway requirements is VPN, which we explore in detail later in this chapter.

Do access controls apply to all devices?

The principle standard to apply across all access and all devices is that different controls apply to different access contexts.

IIoT driving OEM business models

The IIoT has revolutionized the way business owners view their production environment by providing the capability to acquire real-time data from machines and devices in the field so that business owners can efficiently monitor and control production processes.

Challenges using VPN & RDC

Virtual Private Network (VPN) and Remote Desktop Connection (RDC), the latter using Virtual Network Computing (VNC), are two common methods used to remotely access machines and equipment at field sites.

Cloud-based secure remote access

Cloud-based remote access is a new type of remote access solution that enables flexible remote access to field machines. The network topology of a cloud-based remote access solution is composed of three components: remote gateway, cloud server, and client software.

Ease of use

Plug and play remote access without technical configuration. In a cloud-based remote access solution, security parameters, such as the hash functions, encryption/decryption algorithms, etc., are configured automatically.

Flexibility and scalability

Client software isn’t limited to a specific hardware platform. As long as they have an active client account, users can download the client software to any laptop/PC and have remote access from anywhere and at any time.

Conclusion

OEMs and machine builders require a secure, easy-to-use, and scalable remote access solution to enable on-demand remote access to machines deployed in the field. The traditional VPN and RDC solutions are cumbersome and require IT/networking knowledge as well as changes in the security/firewall policies.

Why is remote access not required?

Remote access to machines and equipment is typically not required on a continuous basis and hence can be used on an as-needed basis to minimize security issues and reduce costs , especially in cases where remote connectivity is based on a volume-dependent pricing option, such as with cellular technology.

What is remote access for machine builders?

Some machine builders have adopted traditional remote access methods such as Virtual Private Networking (VPN) and Remote Desktop Connection (RDC) to improve their service levels and to provide quick response times for their customers. However, these traditional remote access solutions have various limitations and constraints that prevent machine builders from achieving their maximum service potential.

What is cloud based remote access?

Cloud-based remote access is a new type of remote access solution that enables flexible remote access to field machines. The network topology of a cloud-based remote access solution is composed of three components: a remote gateway, a cloud server, and client software. Remote gateways are connected to field equipment in order to remotely access and control them. Client software is installed on the engineer’s PC or desktop. The cloud server can be installed on a cloud-based platform such as Amazon Web Services or Microsoft Azure. The remote gateway and client software will both initiate outbound secure connection requests to the cloud server.

How to achieve a higher level of security?

One way to achieve a higher-level of security is to have different pre-shared keys or X.509 certificates for each VPN tunnel. When the number of VPN tunnels/connections required are few, it is easy to manage the keys or certificates for these connections. However, as the number of VPN tunnels grows, it becomes very hard to manage these keys and certificates. When VPN servers or client systems are changed, certificates have to be regenerated. When a certificate expires, a new certificate has to be assigned and reloaded to the system, which further complicates maintenance.

Does VPN have a limit?

VPN servers typically have a limitation on the number of VPN tunnels they can support. When a business grows, more and more machines and devices are connected to the network with an increasing number of engineers supporting business operations. This leads to an increase in the number of VPN connections required.

Does VPN need a public IP address?

In order to have access to the VPN servers from outside the service center—for example, by using OpenVPN or L2TP over IPsec—VPN servers have to be installed at remote sites, and each VPN server needs to have a public IP address. This results in high installation and maintenance costs.

Install personal firewall software on portable computing devices that access the CDE remotely

PCI DSS requirement 1.4 requires you to install personal firewall software or equivalent functionality on any portable computing device that connects to the Internet outside the network, such as laptop computers used by employees and is also used to access the CDE. Firewall or equivalent configurations should include the following requirements:

Monitor third-party remote accesses

PCI DSS requirement 8.1.5 requires you to manage identities used by third parties to access, support, or maintain system components via remote access as follows:

Use multi-factor authentication (MFA) controls

PCI DSS requirement 8.3.2 requires you to use multi-factor authentication for all remote network access from outside the organization’s network, including user, administrator, and third-party access for support or maintenance.

Use unique credentials for each customer, valid only for service providers

According to PCI DSS requirement 8.5.1, service providers with remote access to customer facilities for activities such as supporting POS systems or servers must use unique authentication information for each customer.

Establish usage policies for critical technologies, including remote access

Under PCI DSS requirement 12.3, you must develop usage policies for critical technologies and define the correct use of these technologies, including:

Automatically terminate remote access sessions after a specified time

PCI DSS requirement 12.3.8 requires automatic disconnection of sessions for remote access technologies after a specified period of inactivity.

Use remote accesses for third parties only when necessary

PCI DSS requirement 12.3.9 requires vendors and partners to enable remote access technologies only when needed by vendors and partners and be disabled immediately after use.