Safeguard 12.7 (IG2, IG3)

Ensure Remote Devices Utilize a VPN and are Connecting to an Enterprise’s AAA Infrastructure

Asset Type: Devices
Security Function: Protect

Description

Require users to authenticate to enterprise-managed VPN and authentication services prior to accessing enterprise resources on end-user devices.

Implementation Checklist

1. Assess current protection controls in place
2. Configure and deploy required security controls
3. Test control effectiveness in non-production environment
4. Deploy to production and verify functionality
5. Document configuration and operational procedures
6. Identify systems requiring multi-factor authentication
7. Select and deploy MFA solution
8. Enroll users and distribute authentication factors
9. Test MFA across all identified systems

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Remote Device Compromise Spreading to Enterprise Network

Confidentiality

Remote devices compromised by malware while connected to untrusted networks (hotels, coffee shops, home networks) connect directly to enterprise resources without VPN tunnel protection, introducing the compromise into the corporate environment.

Credential Interception on Untrusted Networks

Confidentiality

Remote users authenticate to enterprise services over untrusted networks without VPN encryption, allowing man-in-the-middle attackers to intercept credentials, session tokens, and sensitive data transmitted in transit.

Split Tunnel Bypass of Enterprise Security Controls

Integrity

Remote devices without VPN requirements access both internet resources and enterprise resources simultaneously, allowing malware or attackers to pivot from the untrusted internet side to the enterprise network through the unprotected device.

Vulnerabilities (When Safeguard Absent)

No VPN Requirement for Remote Enterprise Access

Remote users access enterprise resources directly over the internet without being required to establish a VPN connection first, transmitting potentially sensitive data over untrusted network paths without tunnel encryption.

Remote Devices Not Authenticating to Enterprise AAA Infrastructure

Remote end-user devices connect to enterprise resources without authenticating through the organization's centralized AAA infrastructure, bypassing conditional access policies, MFA requirements, and device compliance checks.

Evidence Requirements

Type      | Evidence Item                                                            | Collection Frequency
Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly
Document  | Procedure documentation for protection measures                          | Reviewed annually
Document  | Governing policy document (current, approved, communicated)              | Reviewed annually