NIST SP 800-46 REV. 2 GUIDE TO ENTERPRISE TELEWORK, REMOTE ACCESS, AND BYOD SECURITY
This publication is available free of charge from: http://dx.doi.org/10.6028/NIST.SP.800-46r2
Executive Summary
For many organizations, their employees, contractors, business partners, vendors, and/or other users
utilize enterprise telework technologies to perform work from external locations. Most of these people use
remote access technologies to interface with an organization’s non-public computing resources. The
nature of telework and remote access technologies—permitting access to protected resources from
external networks and often externally controlled hosts as well—generally places them at higher risk than
similar technologies only accessed from inside the organization, as well as increasing the risk to the
internal resources made available to users through remote access.
All the components of telework and remote access solutions, including client devices, remote access
servers, and internal resources accessed through remote access, should be secured against expected
threats, as identified through threat models. Major security concerns include the lack of physical security
controls, the use of unsecured networks, the connection of infected devices to internal networks, and the
availability of internal resources to external hosts.
There are additional security concerns for organizations that permit the use of client devices outside the
organization’s control, referred to in this publication as third-party-controlled technologies. These include
contractor, business partner, and vendor-controlled devices, as well as personally owned (bring your own
device, BYOD [1]) employee, contractor, business partner, and vendor laptops, smartphones, and tablets.
Even though the organization may have agreements with employees and third parties that require their
client devices to be properly secured, those agreements generally cannot be automatically enforced, so
unsecured, malware-infected, and/or otherwise compromised devices may end up connected to sensitive
organizational resources.
This publication provides information on security considerations for several types of remote access
solutions, and it makes recommendations for securing a variety of telework, remote access, and BYOD
technologies. It also gives advice on creating related security policies. To improve the security of
organizations’ telework and remote access technologies, as well as better mitigate the risks posed by
BYOD and third-party-controlled technologies to enterprise networks and systems, organizations should
implement the following recommendations:
Plan telework-related security policies and controls based on the assumption that external
environments contain hostile threats.
An organization should assume that external facilities, networks, and devices contain hostile threats that
will attempt to gain access to the organization’s data and resources. Organizations should assume that
telework client devices, which are used in a variety of external locations and are particularly prone to loss
or theft, will be acquired by malicious parties who will either attempt to recover sensitive data from them
or leverage the devices to gain access to the enterprise network. Options for mitigating threats of loss or
theft include encrypting the device’s storage, encrypting all sensitive data stored on client devices, or not
storing sensitive data on client devices. For mitigating device reuse threats, the primary option is using
strong authentication—preferably multi-factor—for enterprise access.
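The three mitigations in this paragraph (encrypted storage or no sensitive data on the client, strong and preferably multi-factor authentication, and limited trust in devices the organization does not control) can be expressed as posture rules that a remote access server evaluates before admitting a session. The following is an added illustration written for this page, not code from NIST or from any product; the record fields, the access tiers "full", "restricted" and "denied", and the sample device records are all assumptions constructed for the example.

```python
"""Illustrative remote-access admission check (added example, not NIST's code).

Encodes the executive summary's loss/theft, device-reuse and third-party
recommendations as rules over a client device posture record.  Every field
name, tier name and sample record below is an assumption for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class DevicePosture:
    device_id: str
    org_managed: bool          # False for BYOD, contractor, partner or vendor devices
    storage_encrypted: bool    # full-disk or equivalent storage encryption enabled
    stores_sensitive_data: bool
    auth_factors: int          # 1 = password only, 2 or more = multi-factor


@dataclass
class Decision:
    allowed: bool
    tier: str                  # "full", "restricted" or "denied" (assumed tiers)
    reasons: List[str] = field(default_factory=list)


def evaluate(p: DevicePosture) -> Decision:
    """Apply the posture rules and return an admission decision with reasons."""
    reasons: List[str] = []

    # Loss or theft: sensitive data on an unencrypted device can be recovered
    # by whoever acquires the device, so either encrypt it or do not store it.
    if p.stores_sensitive_data and not p.storage_encrypted:
        reasons.append("sensitive data on unencrypted storage")

    # Device reuse by a malicious party: a single stored or guessed secret must
    # not be enough to reach enterprise resources.
    if p.auth_factors < 2:
        reasons.append("single-factor authentication")

    if reasons:
        return Decision(False, "denied", reasons)

    # Agreements with third parties cannot be enforced automatically, so a
    # device the organization does not control is admitted only to a
    # restricted tier of resources.
    if not p.org_managed:
        return Decision(True, "restricted", ["third-party-controlled device"])

    return Decision(True, "full", [])


# Constructed sample posture records covering each rule.
SAMPLE_DEVICES = [
    DevicePosture("corp-laptop-01", True, True, True, 2),
    DevicePosture("byod-phone-07", False, True, True, 2),
    DevicePosture("vendor-tablet-03", False, False, False, 2),
    DevicePosture("contractor-pc-12", False, False, True, 1),
]


def summarize(devices: List[DevicePosture]) -> Dict[str, str]:
    """Map each device id to the tier it would be admitted to."""
    return {d.device_id: evaluate(d).tier for d in devices}


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        decision = evaluate(dev)
        print(f"{dev.device_id}: {decision.tier} {decision.reasons}")
```

The vendor tablet is admitted despite lacking storage encryption because its posture record declares that no sensitive data is stored on it, which is the "not storing sensitive data on client devices" option the paragraph offers; the contractor PC fails two rules at once, and both reasons are returned so the user can be told what to fix.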
Organizations should also assume that communications on external networks, which are outside the
organization’s control, are susceptible to eavesdropping, interception, and modification. This type of
[1] Strictly speaking, BYOD devices could be used only within the enterprise, and not for telework or remote access. However,
the vast majority of BYOD devices are used externally, so for the purposes of this publication, all BYOD devices are
considered telework devices. Also, the security concerns associated with enterprise-only BYOD devices are nearly identical
to those for telework BYOD devices.