{"id":12615,"date":"2022-06-30T15:09:18","date_gmt":"2022-06-30T15:09:18","guid":{"rendered":"https:\/\/www.realvnc.com\/?post_type=blog&p=12615"},"modified":"2022-06-30T15:09:19","modified_gmt":"2022-06-30T15:09:19","slug":"securing-remote-access-nist-cybersecurity-framework","status":"publish","type":"blog","link":"https:\/\/www.realvnc.com\/en\/blog\/securing-remote-access-nist-cybersecurity-framework\/","title":{"rendered":"Securing Remote Access Based on the NIST Cybersecurity Framework"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

At a minimum, an organization\u2019s cyber risk increases when any kind of externally-facing Remote Access exists. And, in a worst-case scenario (that is relatively common across ransomware and data breach-related cyberattacks), the risk proves to be certain, as threat actors leverage unsecured remote access as the initial vector for an attack.<\/p>

I\u2019ve also discussed some high-level ways to improve the security of remote access but wanted to take a moment and see how some of the industry\u2019s most highly-respected security standards look to address insecurities found within remote access. And, in an effort to look at the problem through a number of lenses simultaneously, I thought it prudent to start with the Cybersecurity Framework (CSF) from the National Institute of Standards and Technology (NIST), or, more commonly referred to as the NIST CSF.<\/p>

First, an ever-so-brief primer on the NIST CSF. In the current iteration of the framework core<\/a> (we\u2019re on CSF version 1.1 as of the date of this article) are five Functions representing the major groupings of cybersecurity activities. These are Identify<\/em>, Protect<\/em>, Detect<\/em>, Respond<\/em>, and Recover<\/em>. The Functions are further broken down into Categories<\/em> and Subcategories<\/em> representing more granular specific desired outcomes.\u00a0 And, lastly, there are Informative References<\/em> which are specific standards from industry-recognized regulations, best practices, etc. that can be used as examples of practical guidance on how to address a particular aspect of your cybersecurity strategy.\u00a0 There\u2019s also a maturity aspect NIST refers to as Implementation Tiers<\/em> so you can gauge how well your organization is doing at implementing each required cybersecurity activity.<\/p>

With the primer out of the way, let\u2019s talk about how the NIST CSF applies to Remote Access. There are two ways to look at how NIST applies \u2013 directly and indirectly.\u00a0 The direct approach is easy; under the Protect<\/em> function, within the Identity Management, Authentication, and Access Control <\/em>category lies a subcategory entitled PR.AC-3: Remote access is managed.<\/em> So, in essence, NIST goes right for the remote access jugular and tells you \u201cthis is something that needs to be secure.<\/p>

So, what does NIST mean with they say remote access must be managed<\/em>?<\/p>

The informative references under this subcategory provide us with an idea of how we should be managing remote access. Let\u2019s look at a few relevant examples from within PR.AC-3:<\/p>