Unsecured remote access is one of the most common ways attackers get into Indian businesses, especially MSMEs that do not monitor these connections carefully. A manufacturing company in Bangalore lost ₹15 lakhs when a vendor's weak VPN password was compromised, giving attackers access to production schedules and customer data. If your auditor or a customer's security team discovers remote access without proper controls, you can lose contracts, face penalties under the DPDP Act 2023, or have to shut down systems while you fix the problem. Ransomware attacks frequently begin with exposed remote access (an internet-facing RDP server or VPN appliance with weak or stolen credentials), and recovery costs can easily exceed ₹50 lakhs for a small business.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
Absent
You find that remote access (VPN, RDP, vendor connections) exists in your network but there is no documented policy or control over who uses it or how. Passwords may be shared, default credentials might still be in use, and there is no log of who connected when.
Initial
You have a basic list of people who are allowed remote access and a simple password policy in place. You may have enabled VPN or RDP, but multi-factor authentication (MFA) is not required and logs are not regularly reviewed or retained.
Developing
You require strong passwords and have MFA enabled for VPN and remote desktop. You keep access logs and review them occasionally, but there is no formal approval process for granting access and no regular audit of who still needs access.
Defined
All remote access requires MFA, strong passwords are enforced, and every person requesting access must get written approval from a manager. Access logs are reviewed monthly and users are removed promptly when they leave the company or change roles.
Managed
You have a documented remote access policy covering VPN, RDP, and vendor connections. All access requires MFA, IP whitelisting is in place where possible, encrypted connections are mandatory, and logs are monitored in near-real-time for suspicious activity. Quarterly access reviews ensure no unnecessary accounts remain active.
Optimised
Your remote access system is fully integrated with your identity management platform, risk-based authentication adjusts security based on location and device, all sessions are encrypted end-to-end, and behavioral analytics detect anomalies instantly. Access is revoked automatically when someone leaves and periodic penetration testing validates the security of your remote infrastructure.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Document a basic remote access policy: list who is allowed remote access, require 12+ character passwords with mixed case and numbers, and enable password history (prevent reuse). Set up basic VPN or RDP logging to a separate file. | IT person or operations manager | 2-3 days |
| 1 → 2 | Enable multi-factor authentication (MFA) on all VPN and remote desktop systems. Prefer TOTP apps (Google Authenticator, Microsoft Authenticator) over SMS codes, which can be intercepted through SIM-swap fraud; use SMS only as a temporary fallback. Configure log retention for at least 90 days (180 days if the CERT-In directions of April 2022 apply to you, since they require logs of ICT systems to be kept for a rolling 180 days within India) and create a simple monthly log review checklist. | IT person | 1 week |
| 2 → 3 | Create a formal access request and approval form (on paper or simple spreadsheet). Require manager sign-off before granting remote access. Perform a quarterly audit: list all active remote users, confirm each is still needed, and document removals. | IT person and department managers | 2-3 weeks |
| 3 → 4 | Implement IP whitelisting for offices and for remote staff who have a static address (most home broadband connections change address, so do not rely on whitelisting alone for home users; MFA remains the primary control). Add session timeout after 15-30 minutes of inactivity. Create an automated daily log analysis report highlighting failed login attempts, logins outside business hours, and logins from addresses not on the whitelist. | IT person | 4-6 weeks |
| 4 → 5 | Integrate remote access with a centralized identity management system (if you use Microsoft Entra ID / Azure AD, enable Conditional Access; on-premises Active Directory alone does not provide it). Deploy behavioral analytics to detect impossible travel or unusual access patterns. Conduct annual penetration testing of remote access infrastructure and implement zero-trust network principles where devices must be verified before access. | IT person or external consultant, CISO if available | Ongoing (quarterly reviews and updates) |
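The daily log report in the 3 → 4 step and the impossible-travel detection in the 4 → 5 step can be built from a plain log file before any SIEM is in place. The script below is an added example, not part of the original page or of any vendor's product: it assumes a simplified key=value authentication log (the sample lines, the allowlisted ranges and the IP-to-city table are all constructed for the example; a real deployment would feed it the gateway's own log format and a GeoIP lookup) and reports four things: five or more failed logins from one address within ten minutes, successful logins outside business hours, successful logins from addresses not on the whitelist, and two successful logins by one user too far apart to have been the same person.

```python
"""Daily remote-access log report: failed-login bursts, off-hours logins,
logins from outside the IP allowlist, and impossible travel.

The log lines, allowlist ranges and GeoIP table below are all CONSTRUCTED
for this example. The key=value line format is a simplification; adapt
LINE_RE to whatever your VPN or RDP gateway actually writes.
"""
import math
import re
from collections import defaultdict
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ AUTH user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)
ALLOWLIST = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]  # office / static IPs (hypothetical)
BUSINESS_HOURS = (time(8, 0), time(20, 0))  # local office hours; the timestamps carry the IST offset
BURST_THRESHOLD, BURST_WINDOW = 5, timedelta(minutes=10)
MAX_SPEED_KMH = 900.0  # faster than an airliner: both logins cannot be the same person

# Stand-in for a GeoIP database (hypothetical coordinates keyed by source IP).
GEO = {
    "203.0.113.10": ("Bengaluru", 12.97, 77.59),
    "198.51.100.7": ("Bengaluru", 12.97, 77.59),
    "192.0.2.55": ("Frankfurt", 50.11, 8.68),
    "192.0.2.99": ("Hanoi", 21.03, 105.85),
}

SAMPLE_LOG = """\
2024-03-04T09:12:44+05:30 vpngw AUTH user=ravi src=203.0.113.10 result=success
2024-03-04T09:15:02+05:30 vpngw AUTH user=priya src=198.51.100.7 result=success
2024-03-04T10:00:01+05:30 vpngw AUTH user=ravi src=192.0.2.55 result=success
2024-03-04T23:40:10+05:30 vpngw AUTH user=vendor-acme src=192.0.2.99 result=success
2024-03-04T02:01:00+05:30 vpngw AUTH user=admin src=192.0.2.99 result=failure
2024-03-04T02:02:00+05:30 vpngw AUTH user=admin src=192.0.2.99 result=failure
2024-03-04T02:03:00+05:30 vpngw AUTH user=administrator src=192.0.2.99 result=failure
2024-03-04T02:04:00+05:30 vpngw AUTH user=root src=192.0.2.99 result=failure
2024-03-04T02:05:00+05:30 vpngw AUTH user=admin src=192.0.2.99 result=failure
"""


def parse_line(line):
    """Return a dict for a recognised AUTH line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "src": m["src"], "ok": m["result"] == "success"}


def haversine_km(a, b):
    """Great-circle distance between two (city, lat, lon) tuples."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[1], a[2], b[1], b[2]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def analyse(lines):
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    findings = {"bursts": [], "off_hours": [], "unknown_source": [], "impossible_travel": []}

    # 1. Brute force / password spraying: BURST_THRESHOLD failures from one IP within BURST_WINDOW.
    failures = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures[e["src"]].append(e["ts"])
    for src, stamps in failures.items():
        for i in range(len(stamps) - BURST_THRESHOLD + 1):
            if stamps[i + BURST_THRESHOLD - 1] - stamps[i] <= BURST_WINDOW:
                findings["bursts"].append(src)
                break

    last_ok = {}  # most recent successful login per user, for the travel check
    for e in events:
        if not e["ok"]:
            continue
        # 2. Successful login outside business hours.
        if not BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]:
            findings["off_hours"].append((e["user"], e["ts"].isoformat()))
        # 3. Successful login from an address that is not on the allowlist.
        if not any(ip_address(e["src"]) in net for net in ALLOWLIST):
            findings["unknown_source"].append((e["user"], e["src"]))
        # 4. Impossible travel: distance / elapsed time exceeds MAX_SPEED_KMH.
        prev = last_ok.get(e["user"])
        if prev and e["src"] in GEO and prev["src"] in GEO:
            km = haversine_km(GEO[prev["src"]], GEO[e["src"]])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            if km > 50 and (hours <= 0 or km / hours > MAX_SPEED_KMH):
                findings["impossible_travel"].append((e["user"], GEO[prev["src"]][0], GEO[e["src"]][0]))
        last_ok[e["user"]] = e
    return findings


if __name__ == "__main__":
    for kind, items in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{kind}: {items}")
```

Run it from cron over the previous day's log and file the output with the monthly review checklist; the thresholds, business hours and 50 km GeoIP tolerance are starting points to tune against your own traffic.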
Documents and records that prove your maturity level.
- A written remote access policy signed by management, covering VPN, RDP, and vendor access (who is allowed, password rules, MFA requirement, session timeouts)
- A list of all active remote access accounts with approval dates, user names, and the date each person was granted access (maintained and updated quarterly)
- MFA configuration records showing that all VPN and RDP systems have MFA enabled (screenshots of settings or vendor documentation)
- Remote access logs covering at least the last 90 days (180 days where the CERT-In 2022 directions apply to you), showing login timestamps, user IDs, IP addresses, and success/failure status
- Documentation of at least two quarterly access reviews, showing which users were audited and which accounts were disabled or removed
Prepare for these questions from customers or third-party reviewers.
- "Show me your remote access policy and the list of people authorized to use VPN, RDP, or vendor portals. How often is this list reviewed and updated?"
- "Can you demonstrate that multi-factor authentication is required and working on all remote access? What authentication method do you use (TOTP, SMS, hardware token)?"
- "Pull up remote access logs from the last 30 days. Show me how you review these logs for suspicious activity (failed logins, unusual times, unusual IPs). How do you respond to anomalies?"
- "Walk me through your process for granting remote access to a new employee. Who approves it and how is that approval documented?"
- "When an employee leaves the company, how quickly is their remote access disabled? Can you show me examples of recent terminations and the corresponding access removal dates?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| VPN (secure remote connection to office network) | OpenVPN Community (self-hosted, requires technical setup); WireGuard (lightweight, open-source) | Cisco AnyConnect, now Cisco Secure Client (₹1,50,000–3,00,000/year for small deployments); Fortinet FortiClient (₹80,000–2,00,000/year) |
| MFA (add second verification to remote access) | Google Authenticator or Microsoft Authenticator (TOTP apps); Authy (free TOTP); FreeOTP | Duo Security (₹3,000–8,000/user/year); Microsoft Entra MFA (included in Microsoft 365 business plans, ₹5,000–15,000/user/year) |
| Remote desktop (allow staff to access office computer from home) | Windows Remote Desktop (built-in to Windows; never expose it directly to the internet, reach it only through the VPN or a Remote Desktop Gateway, and keep Network Level Authentication enabled); Chrome Remote Desktop (free, cloud-based) | TeamViewer (₹50,000–1,50,000/year for small business); AnyDesk (₹40,000–80,000/year) |
| Log management and analysis (collect and review remote access logs) | ELK Stack (Elasticsearch, Logstash, Kibana—open-source, self-hosted, steep learning curve) | Splunk Cloud (₹2,50,000+/year); Microsoft Sentinel (₹4,000–15,000/month); Datadog (₹60,000–2,00,000+/year depending on scale) |
| Identity and access management (control who can access what, enforce policies) | Keycloak (open-source, self-hosted); OpenLDAP (requires expertise) | Microsoft Entra ID / Azure AD (₹3,000–8,000/user/year); Okta (₹8,000–20,000+/month for small deployments) |
- Shared credentials: Multiple staff members using the same VPN or RDP account to save time, making it impossible to audit who did what. It also means one compromised password or device gives the attacker everyone's access, and the only way to revoke it is to reset the shared password and lock out every legitimate user at once.
- No MFA because 'it's inconvenient': Many Indian MSMEs skip MFA to avoid 'slowing down' remote workers, but a single weak or reused password then puts the entire company at risk. Attackers run automated password-spraying and credential-stuffing attacks against every internet-facing VPN and RDP login they can find, and those attacks succeed only where MFA is absent.
- Vendor access not tracked: Giving consultants, auditors, or outsourced IT support remote access but never documenting when they were granted it or when it should expire, leaving old access open long after the vendor relationship ends.
- Logs kept but never read: Setting up logging and feeling secure, but no one actually reviews the logs, so a breach can go undetected for months until a customer or regulator notices the damage.
- Default or weak credentials on networking equipment: VPN appliances, firewalls, or remote desktop servers sometimes ship with default admin passwords that are never changed, allowing attackers to bypass all other controls and manage the device directly.
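The quarterly audit in the 2 → 3 step, the account list and review records listed as evidence, and the untracked-vendor-access pitfall all come down to the same reconciliation: compare the active remote-access accounts with what HR and the vendor contracts say should still exist. The script below is an added example, not part of the original page: it assumes two CSV exports in a hypothetical column layout (both constructed for the example; in practice they come from the VPN/RDP gateway or identity provider and from HR) and flags enabled accounts of people who have left, vendor accounts past their contract end date, accounts used after that date, accounts with no documented approver, accounts without MFA, and accounts unused for 90 days.

```python
"""Quarterly remote-access review: reconcile the VPN/RDP account list against
HR leavers, vendor contract end dates and MFA enrolment.

Both CSV inputs below are CONSTRUCTED for this example, with a hypothetical
column layout; export the real ones from your gateway / identity provider and
from HR, keeping the same column names or adjusting the keys used here.
"""
import csv
from datetime import date, timedelta
from io import StringIO

STALE_AFTER = timedelta(days=90)  # no login for a quarter: confirm the need or disable
REVIEW_DATE = date(2024, 3, 4)    # the date the review is run (constructed)

ACCOUNTS_CSV = """\
username,kind,approved_by,approved_on,expires_on,mfa_enrolled,last_login,enabled
ravi,staff,s.menon,2023-06-01,,yes,2024-03-01,yes
priya,staff,s.menon,2023-08-15,,no,2024-02-27,yes
arjun,staff,,2023-11-20,,yes,2023-10-02,yes
vendor-acme,vendor,k.rao,2023-09-01,2024-01-31,yes,2024-02-20,yes
vendor-beta,vendor,k.rao,2023-12-01,2024-06-30,yes,2024-02-28,yes
sunita,staff,s.menon,2022-03-10,,yes,2024-02-29,no
"""

LEAVERS_CSV = """\
username,last_day
arjun,2023-12-15
sunita,2024-01-31
"""


def _d(s):
    """ISO date string to date; empty cell to None."""
    return date.fromisoformat(s) if s else None


def review(accounts_csv, leavers_csv, as_of):
    """Return (username, finding, detail) tuples for every enabled account that needs action."""
    leavers = {r["username"]: _d(r["last_day"]) for r in csv.DictReader(StringIO(leavers_csv))}
    findings = []
    for r in csv.DictReader(StringIO(accounts_csv)):
        if r["enabled"] != "yes":
            continue  # already disabled; nothing left to revoke
        u, last = r["username"], _d(r["last_login"])
        # Leavers: access should have gone on their last day, not at the next review.
        if u in leavers and leavers[u] <= as_of:
            findings.append((u, "leaver_still_enabled",
                             f"left {leavers[u]}, {(as_of - leavers[u]).days} days ago"))
            if last and last > leavers[u]:
                findings.append((u, "used_after_leaving", f"last login {last}"))
        # Vendors: access expires with the contract; a login after that date is an incident to investigate.
        expires = _d(r["expires_on"]) if r["kind"] == "vendor" else None
        if expires and expires < as_of:
            findings.append((u, "vendor_access_expired", f"contract ended {expires}"))
            if last and last > expires:
                findings.append((u, "used_after_expiry", f"last login {last}"))
        if not r["approved_by"]:
            findings.append((u, "no_documented_approval", ""))
        if r["mfa_enrolled"] != "yes":
            findings.append((u, "mfa_not_enrolled", ""))
        if last is None or as_of - last > STALE_AFTER:
            findings.append((u, "stale_account", f"last login {last or 'never'}"))
    return findings


def summarise(findings):
    """Counts per finding type: the numbers that go into the written review record."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    result = review(ACCOUNTS_CSV, LEAVERS_CSV, REVIEW_DATE)
    for username, kind, detail in result:
        print(f"{username:12} {kind:24} {detail}")
    print(summarise(result))
```

Keep the printed list, the date, and the ticket or email showing each flagged account was disabled or re-approved; together they are the quarterly review record the evidence section asks for. A "used_after_expiry" or "used_after_leaving" finding is not a housekeeping item but a potential incident and belongs in the incident log.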
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8(5) (Data Fiduciary must take reasonable security safeguards to prevent personal data breach); Section 8(6) (notify the Data Protection Board and affected Data Principals of a breach); Schedule (monetary penalties for failing to take reasonable security safeguards) |
| CERT-In Directions 2022 (under section 70B(6) of the IT Act) | Clause (iv): logs of all ICT systems retained for a rolling 180 days within India; clause (ii): cyber incidents reported to CERT-In within 6 hours; clause (i): system clocks synchronised to NIC/NPL NTP servers so log timestamps are reliable; CERT-In advisories on ransomware and remote access security |
| ISO 27001:2022 | Annex A controls A.5.15 (access control), A.5.16 (identity management), A.5.17 (authentication information), A.5.18 (access rights), A.6.7 (remote working), A.8.5 (secure authentication), A.8.15 (logging), A.8.16 (monitoring activities) |
| NIST CSF 2.0 | Govern function (GV.PO-01 policy established and communicated; GV.SC-05 supplier cybersecurity requirements in contracts); Protect function (PR.AA-01 identities and credentials managed, PR.AA-03 users and devices authenticated, PR.AA-05 access permissions enforced with least privilege, PR.PS-04 log records generated for monitoring); Detect function (DE.CM-01 networks monitored, DE.CM-03 personnel activity monitored) |
Ready to assess your organisation?
Answer all 191 questions and get your NIRMATA maturity score across all 12 pillars.
Start Free Self-Assessment →