How do I manage security for remote workers accessing Specified Information?

Answer

Implement layered security including VPNs, multi-factor authentication, endpoint protection, and zero trust architecture for remote workers accessing specified information.

Remote work has become increasingly common, but it introduces significant security challenges when workers access specified information from outside traditional office environments. CPCSC requirements apply regardless of where work is performed, making remote access security a critical compliance consideration.

Understanding remote access requirements helps executives implement secure remote work capabilities that protect specified information while enabling workforce flexibility.

Remote Access Security Challenges

Remote work creates multiple security challenges that don't exist in traditional office environments.

• Network security becomes problematic when workers use home networks that lack enterprise security controls, potentially sharing networks with family members, smart home devices, and other unsecured systems
• Endpoint security is more difficult when devices are outside direct organizational control, potentially used by family members, or connected to unsecure networks
• Physical security of devices and documents is compromised in home environments where visitors, family members, or cleaners might see sensitive information
• Monitoring and incident detection becomes harder when users are geographically distributed and not connected to centralized security infrastructure
• Authentication risks increase as remote workers might be more susceptible to phishing or might use weak passwords when not in office environment
• Data exfiltration becomes easier for malicious insiders working remotely without physical supervision or network monitoring

Organizations must implement layered security controls to mitigate these elevated risks for remote workers handling specified information.

ITSP.10.171 Remote Access Requirements

The Access Control family in ITSP.10.171 includes specific requirements for remote access.

• Organizations must establish usage restrictions, configuration requirements, and connection requirements for each type of allowable remote system access
• Authorize each type of remote access prior to establishing connections
• Route remote access through authorized and managed access control points rather than allowing direct connections to internal systems
• Authorize remote execution of privileged commands and remote access to security-relevant information with heightened controls
• Implement cryptographic mechanisms to protect confidentiality and integrity of remote access sessions
• Deploy multi-factor authentication for all remote access to systems containing specified information
• Implement replay-resistant authentication mechanisms
• Monitor remote access sessions for suspicious activity
• Terminate sessions after defined periods of inactivity

These requirements recognize that remote access creates elevated risk requiring compensating controls beyond those needed for local access.

Virtual Private Networks (VPNs)

VPNs are fundamental technology for secure remote access, creating encrypted tunnels through untrusted networks. Organizations should implement full-tunnel VPNs that route all remote worker traffic through organizational network rather than split-tunnel VPNs that might allow data to bypass security controls.

• Use strong encryption algorithms (AES-256) and modern protocols (IPsec, SSL/VPN) rather than legacy protocols
• Implement multi-factor authentication before establishing VPN connections, requiring something users know (password) and something they have (hardware token, smartphone app)
• Deploy per-application VPN or zero trust network access (ZTNA) solutions that provide access only to specific applications rather than entire networks, implementing least privilege
• Monitor VPN logs for unusual connection patterns, connections from unexpected locations, or credential sharing
• Implement device health checks before allowing VPN connection, verifying devices have current patches, antivirus updates, and compliant configurations

Organizations handling specified information should generally prohibit remote access from personally owned devices, requiring use of organization-issued hardened devices for remote work.

Endpoint Security for Remote Devices

Remote devices require comprehensive security controls. Endpoint Detection and Response (EDR) solutions provide continuous monitoring, threat detection, and response capabilities even when devices are remote.

• Full-disk encryption protects data if devices are lost or stolen, a particular concern when devices leave office environments
• Application allow listing prevents execution of unauthorized software including malware
• Strong authentication including biometrics or smart cards prevents unauthorized access if devices are unattended
• Automatic screen locking after brief inactivity periods protects information when users step away
• Regular patching is enforced through automated patch management that works over VPN connections
• Remote wipe capabilities enable erasing devices if lost, stolen, or employee separates
• Device configuration management ensures remote devices maintain security baselines
• Personal firewalls protect devices on untrusted networks

Organizations should prohibit storing specified information on local device storage when possible, instead using remote desktop solutions or file streaming where data remains on secure servers and never exists on remote endpoints.

Physical Security for Remote Work

Physical security in remote environments requires policies and user training since technical controls are limited. Written policies should prohibit family members or visitors from using organizational devices or seeing specified information.

• Require dedicated workspace separated from household activities where sensitive work is performed
• Mandate privacy screens on laptop displays to prevent shoulder surfing by family members or others
• Require locking devices when unattended even briefly
• Prohibit printing specified information at home, or if necessary, require secure printers and shredders
• Establish secure storage for devices and documents when not in use, such as locked rooms or cabinets
• Require returning all specified information to office or secure destruction when remote work concludes

Regular training reinforces these requirements and emphasizes that specified information requires protection regardless of location. Organizations should conduct periodic remote work site inspections or self-attestations verifying compliance, and consider prohibiting remote access to most sensitive information if physical security cannot be assured.

Remote Desktop and Virtual Desktop Infrastructure (VDI)

Remote desktop solutions provide alternative to traditional VPN approaches with security advantages. Virtual Desktop Infrastructure (VDI) hosts desktop environments on centralized servers with only display and input transmitted to remote devices—specified information never resides on remote endpoints.

Remote desktop protocols like Microsoft Remote Desktop, Citrix Virtual Apps, or VMware Horizon enable centralized desktop management. Advantages include data never leaves data center, preventing loss if remote devices are compromised; centralized patch management and configuration control is simpler; and monitoring and data loss prevention controls remain effective.

Disadvantages include requiring high-bandwidth, low-latency connections for good user experience; infrastructure costs for hosting virtual desktops; and single point of failure if VDI infrastructure fails.

Organizations handling highly sensitive specified information should strongly consider VDI or remote desktop solutions over traditional VPN access, as they significantly reduce risk of data exposure through compromised endpoints.

Zero Trust Architecture for Remote Access

Traditional network security assumes users inside the network perimeter are trusted—remote work breaks this model. Zero trust architecture treats all access requests as untrusted regardless of origin, verifying every access attempt. Key principles include verify explicitly, authenticating and authorizing based on all available data points including user identity, location, device health, service or workload, data classification, and anomalies.

Use least privilege access, limiting user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. Assume breach, minimizing blast radius for breaches, verifying end-to-end encryption, using analytics to detect threats, and improving defenses.

Implementing zero trust for remote access means continuously verifying device health before allowing access, implementing micro-segmentation so compromising one system doesn't grant broad network access, using identity-aware proxies that broker access based on context, monitoring user behavior for anomalies even during active sessions, and continuously reevaluating trust rather than trusting after initial authentication.

While full zero trust requires significant investment, even partial implementation significantly improves remote access security.

Cloud-Based Security for Remote Workers

As remote work increases, cloud-based security services provide advantages over traditional on-premise security. Cloud Access Security Brokers (CASBs) provide visibility and control over cloud service usage by remote workers.

• Secure Web Gateways (SWGs) in the cloud filter web traffic from remote workers regardless of location
• Cloud-based email security protects remote workers from phishing without requiring VPN connection
• Identity and access management (IAM) platforms centrally manage authentication and authorization for remote workers across multiple services
• Security Information and Event Management (SIEM) in the cloud aggregates logs from remote worker devices and cloud services for analysis

Advantages include services follow users wherever they work, not dependent on connecting to corporate network; scale elastically as remote workforce grows; and reduce latency compared to backhauling all remote traffic through central data centers.

Organizations should evaluate cloud-based security services as part of remote work security architecture, ensuring solutions meet CPCSC requirements and data sovereignty obligations.

Remote Access Policies and Training

Technology alone is insufficient—clear policies and user training are essential. Remote access policies should define who is authorized for remote access to specified information, from what locations (prohibit access from foreign countries due to legal jurisdiction concerns), using what devices (organization-issued only vs. personal devices), using what connectivity (home internet, public WiFi generally prohibited), and under what circumstances.

Document security requirements for remote access including VPN usage, multi-factor authentication, endpoint security, and physical security. Establish incident reporting procedures for lost devices, suspected compromise, or policy violations. Define consequences for non-compliance including access revocation or employment consequences.

Training for remote workers should cover all policy requirements, demonstrate proper VPN and security tool usage, practice recognizing phishing and social engineering, emphasize physical security in home environments, and be provided before granting remote access and refreshed regularly.

Organizations should require remote workers to acknowledge policies and complete training as conditions of remote access.

Monitoring and Auditing Remote Access

Organizations must actively monitor remote access for security and compliance. VPN logs should track who connected from where and when, identifying anomalies like connections from unexpected countries, unusual connection times, or credential sharing.

• User activity monitoring on remote desktops identifies unusual access to specified information, large downloads, or policy violations
• Data loss prevention (DLP) monitors data transfers from remote workers, blocking attempts to exfiltrate specified information to unauthorized locations
• Security event monitoring from remote device EDR solutions detects malware, suspicious process execution, or unauthorized configuration changes
• Regular audits of remote access logs verify policy compliance, identify dormant accounts requiring revocation, and assess remote access patterns

When remote workers separate from organization, prompt access revocation, device return, and verification that specified information is not retained are critical—remote worker offboarding requires special attention given physical distance and difficulty recovering devices.

Learn More

Additional guidance on remote access security is available from the Canadian Centre for Cyber Security.

• Protecting Specified Information (ITSP.10.171)
• Guidance on Securely Configuring Network Protocols (ITSP.40.062)