
Encrypted Remote Access and VPN

Updated: 2026-02-25

Plain English Translation

To protect sensitive data from interception and unauthorized access, organizations must mandate encrypted connections for all corporate IT resources. CyberSecure Canada requires that whenever employees or third parties remotely access the internal corporate network, they must connect via a Virtual Private Network (VPN) secured with multi-factor authentication (MFA). This ensures that traffic remains confidential and user identity is strongly verified before network access is granted.

Executive Takeaway

Mandating encrypted remote access and MFA-backed VPNs protects internal networks from external attacks and credential theft.

Impact: High
Complexity: Medium

Why This Matters

  • Prevents attackers from intercepting sensitive company data over unsecured public networks.
  • Blunts credential stuffing and brute-force attacks against remote access portals, since a stolen or guessed password alone no longer grants access.
  • Establishes a secure, authenticated boundary between untrusted external networks and internal corporate infrastructure.

What “Good” Looks Like

  • All remote access to the corporate network is strictly routed through a centrally managed VPN gateway.
  • The VPN gateway enforces multi-factor authentication (MFA) before establishing any connection, with enforcement evidence and periodic reviews tracked in tools like WatchDog Security's Compliance Center.
  • Strong encryption protocols are universally enforced for all external-facing IT resources.

CyberSecure Canada Section 5.7.3.4 requires organizations to mandate encrypted connectivity to all corporate IT resources. Additionally, it explicitly requires using a VPN with multi-factor authentication (MFA) for all remote access into corporate networks.

While secure HTTPS satisfies the requirement for encrypted connectivity to specific web-based IT resources, the standard specifically requires a VPN with multi-factor authentication when granting broad remote access into internal corporate networks.

Organizations must use industry-recognized strong encryption standards: TLS 1.2 or higher for web traffic, and current VPN protocols such as IPsec, OpenVPN, or WireGuard for VPN connections, with deprecated protocols and cipher suites (for example PPTP, SSLv3, and TLS 1.0/1.1) disabled rather than merely discouraged.
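As an added example (not code from CyberSecure Canada or from any WatchDog Security product), the script below lints an OpenVPN server configuration against the "TLS 1.2 or higher, no deprecated protocols" bar. The directive names (`tls-version-min`, `cipher`, `data-ciphers`, `auth`, `tls-crypt`) are real OpenVPN server directives; the two configurations and the weak/strong lists are constructed for the demo and reflect common hardening guidance, not an official list from the standard.

```python
"""Lint an OpenVPN server config for settings below the TLS 1.2 / no-deprecated-protocol bar.

Added example; the WEAK_CONFIG and HARDENED_CONFIG texts are constructed, and the
WEAK_CIPHERS / WEAK_AUTH sets are an assumption used for audit purposes.
"""

# Constructed: an old-style config that would fail the encryption requirement.
WEAK_CONFIG = """\
port 1194
proto udp
dev tun
tls-version-min 1.0
cipher BF-CBC
auth SHA1
"""

# Constructed: the same server after hardening.
HARDENED_CONFIG = """\
port 1194
proto udp
dev tun
tls-version-min 1.2
cipher AES-256-GCM
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
auth SHA256
tls-crypt /etc/openvpn/tc.key
"""

# Assumption: treat these as deprecated/weak for audit purposes.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "CAST5-CBC", "none"}
WEAK_AUTH = {"MD5", "SHA1", "none"}
MIN_TLS = (1, 2)


def parse_config(text):
    """Return {directive: [args]} for the last occurrence of each directive,
    ignoring blank lines and '#' / ';' comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def lint_openvpn_config(text):
    """Return a list of findings; an empty list means the checks performed here pass."""
    cfg = parse_config(text)
    findings = []

    tls_min = cfg.get("tls-version-min")
    if not tls_min:
        findings.append("tls-version-min not set: minimum TLS version left to the build default")
    else:
        major, minor = (int(x) for x in tls_min[0].split("."))
        if (major, minor) < MIN_TLS:
            findings.append(f"tls-version-min {tls_min[0]} is below 1.2")

    cipher = cfg.get("cipher", ["BF-CBC"])[0]  # BF-CBC was the historical default
    if cipher in WEAK_CIPHERS:
        findings.append(f"cipher {cipher} is deprecated")

    for c in cfg.get("data-ciphers", [""])[0].split(":"):
        if c in WEAK_CIPHERS:
            findings.append(f"data-ciphers allows deprecated cipher {c}")

    auth = cfg.get("auth", ["SHA1"])[0]  # SHA1 is the historical default
    if auth in WEAK_AUTH:
        findings.append(f"auth {auth} is a weak HMAC digest")

    if "tls-crypt" not in cfg and "tls-auth" not in cfg:
        findings.append("no tls-crypt/tls-auth: control channel accepts unauthenticated probes")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_openvpn_config(text) or "OK")
```

Running the script prints four findings for the constructed weak config and `OK` for the hardened one; the output of the same check against the real gateway configuration is the kind of artifact an auditor can accept as evidence of the encryption settings.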

Multi-factor authentication (MFA) is strictly mandatory for VPN access under Section 5.7.3.4; a password alone does not satisfy the requirement. It is required to verify the identity of users attempting to connect to the corporate network remotely.

Remote access includes any external connection to the internal corporate network. This encompasses Remote Desktop Protocol (RDP), SSH, internal admin portals, and third-party vendor access to on-premise or private cloud infrastructure.

Organizations can enforce this by federating VPN gateway authentication to an identity provider that prompts for MFA on every remote login, with no local-account or single-factor fallback path. Endpoint posture checks can also be configured on the VPN gateway to restrict access to managed devices or apply stricter controls to BYOD environments.

Organizations should provide VPN configuration settings showing required encryption protocols, MFA enforcement policies from the identity provider, and connection logs demonstrating successful MFA prompts during remote access. Tools like WatchDog Security's Compliance Center can help centralize these artifacts, document who reviewed them and when, and keep an audit-ready trail aligned to CSC 5.7.3.4.

CyberSecure Canada does not explicitly prohibit split tunneling, provided that all traffic destined for corporate IT resources remains encrypted and is routed through the MFA-authenticated VPN tunnel. In practice this means the client's tunnel routes must cover every corporate address range; any corporate prefix left out of the route list bypasses the VPN entirely.
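To make the split-tunnel caveat checkable, the following added example (not part of the CyberSecure Canada text or any WatchDog Security product) compares the corporate address ranges against a client's tunnel route list and reports any corporate sub-range that would bypass the VPN. It assumes a WireGuard-style model where the client's `AllowedIPs` (or, for other clients, the pushed routes) decide which destinations enter the tunnel; the prefixes are constructed for the demo.

```python
"""Report corporate prefixes that a split-tunnel route list fails to send through the VPN.

Added example; the corporate ranges and the three route lists below are constructed.
"""
import ipaddress

# Constructed: ranges the organization classifies as corporate IT resources.
CORPORATE_PREFIXES = [
    "10.0.0.0/8",         # on-premise
    "172.16.0.0/12",      # private cloud
    "2001:db8:10::/48",   # IPv6 services
]

FULL_TUNNEL = ["0.0.0.0/0", "::/0"]
SPLIT_TUNNEL_OK = ["10.0.0.0/8", "172.16.0.0/12", "2001:db8:10::/48"]
# Typo-style mistake: /13 instead of /12, and the IPv6 range forgotten entirely.
SPLIT_TUNNEL_GAP = ["10.0.0.0/8", "172.16.0.0/13"]


def uncovered_corporate_ranges(corporate, allowed_ips):
    """Return the corporate sub-ranges (as strings) that are NOT routed into the tunnel.

    CIDR blocks are either disjoint or nested, so each tunnel route either misses a
    corporate piece, covers it entirely, or carves a hole out of it.
    """
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowed_ips]
    leaks = []
    for c in corporate:
        pieces = [ipaddress.ip_network(c, strict=False)]
        for a in allowed:
            remaining = []
            for p in pieces:
                if p.version != a.version or not p.overlaps(a):
                    remaining.append(p)            # untouched by this route
                elif p.subnet_of(a):
                    continue                        # fully inside the tunnel
                else:
                    remaining.extend(p.address_exclude(a))  # route is a strict subnet of p
            pieces = remaining
        leaks.extend(pieces)

    # collapse_addresses only accepts one IP version at a time.
    v4 = ipaddress.collapse_addresses(n for n in leaks if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in leaks if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


if __name__ == "__main__":
    for name, routes in (("full", FULL_TUNNEL), ("split-ok", SPLIT_TUNNEL_OK),
                         ("split-gap", SPLIT_TUNNEL_GAP)):
        print(name, uncovered_corporate_ranges(CORPORATE_PREFIXES, routes) or "all covered")
```

For the constructed `SPLIT_TUNNEL_GAP` list the check reports `172.24.0.0/13` and `2001:db8:10::/48` as leaving the tunnel, which is exactly the class of gap an auditor would want documented before approving a split-tunnel configuration.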

Common mistakes include allowing fallback to single-factor authentication, using deprecated encryption protocols, leaving direct RDP exposed to the internet instead of placing it behind the VPN, and failing to revoke VPN access for offboarded employees.
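The evidence and the common mistakes above can be checked from logs. The added example below (not code from CyberSecure Canada or any WatchDog Security product) correlates VPN gateway session events with identity-provider MFA events to produce a per-session verdict: MFA verified, no MFA evidence (the single-factor fallback case), or an offboarded account that still connected. The log formats, field names, the 120-second correlation window, and the offboarded-user list are all constructed assumptions; a real gateway and IdP need their own parser.

```python
"""Correlate VPN session logs with IdP MFA logs to produce per-session MFA evidence.

Added example; both log excerpts, the HR feed and the correlation window are constructed.
"""
from datetime import datetime, timedelta
import re

# Constructed VPN gateway log: one line per established tunnel.
VPN_LOG = """\
2026-02-25T08:00:05Z vpngw session=established user=alice src=203.0.113.10 cipher=AES-256-GCM
2026-02-25T08:02:40Z vpngw session=established user=bob src=198.51.100.7 cipher=AES-256-GCM
2026-02-25T08:10:00Z vpngw session=established user=carol src=203.0.113.55 cipher=AES-256-GCM
2026-02-25T09:30:12Z vpngw session=established user=dave src=192.0.2.200 cipher=AES-256-GCM
"""

# Constructed IdP log: MFA outcomes for the same users.
IDP_LOG = """\
2026-02-25T07:59:58Z idp event=mfa_success user=alice factor=totp
2026-02-25T08:02:35Z idp event=mfa_denied user=bob factor=push
2026-02-25T08:09:50Z idp event=mfa_success user=carol factor=fido2
2026-02-25T09:30:05Z idp event=mfa_success user=dave factor=totp
"""

# Constructed HR feed: accounts that should no longer have VPN access.
OFFBOARDED_USERS = {"dave"}

# Assumption: a successful MFA event must precede the tunnel by at most two minutes.
MFA_WINDOW = timedelta(seconds=120)

LINE_RE = re.compile(r"^(\S+) \S+ (.*)$")  # "<timestamp> <source> key=value ..."


def parse_log(text):
    """Yield (timestamp, fields) for each 'key=value' log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
        yield ts, fields


def audit_sessions(vpn_log, idp_log, offboarded):
    """Return a list of (user, timestamp, verdict) for every established VPN session."""
    mfa_ok = [(ts, f["user"]) for ts, f in parse_log(idp_log)
              if f.get("event") == "mfa_success"]
    results = []
    for ts, f in parse_log(vpn_log):
        if f.get("session") != "established":
            continue
        user = f["user"]
        # Offboarding is checked first: a valid MFA does not excuse a stale account.
        if user in offboarded:
            verdict = "offboarded-user-connected"
        elif any(u == user and ts - MFA_WINDOW <= mts <= ts for mts, u in mfa_ok):
            verdict = "mfa-verified"
        else:
            verdict = "no-mfa-evidence"
        results.append((user, ts.strftime("%Y-%m-%dT%H:%M:%SZ"), verdict))
    return results


if __name__ == "__main__":
    for row in audit_sessions(VPN_LOG, IDP_LOG, OFFBOARDED_USERS):
        print(*row)
```

On the constructed data, `alice` and `carol` are marked `mfa-verified`, `bob` is marked `no-mfa-evidence` because his only IdP event is a denial, and `dave` is flagged as an offboarded account that still connected; the `no-mfa-evidence` rows are the ones to investigate for a single-factor fallback path on the gateway.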

While the standard specifically names VPNs, a properly configured Zero Trust Network Access (ZTNA) solution that enforces encrypted connectivity and MFA at the application layer generally exceeds baseline requirements and serves as a robust, compliant alternative.

Remote access controls often fail audits because evidence is scattered across the VPN, identity provider, and log systems. Tools like WatchDog Security's Compliance Center can map CSC 5.7.3.4 to required artifacts (VPN encryption settings, MFA enforcement configuration, and remote access logs), track collection and review cadence, and highlight gaps when evidence is missing or outdated.

Weak VPN encryption, missing MFA, or exposed admin services create high-impact risks that need clear ownership and deadlines. Tools like WatchDog Security's Risk Register can record remote-access risks, link them to controls and findings, assign treatment plans (e.g., disable split tunneling or block internet-exposed RDP), and report remediation status to leadership.

CYBERSECURE-CANADA Section 5.7.3.4

"The organization shall require encrypted connectivity to all corporate IT resources and require VPN connectivity with multi-factor authentication for all remote access into corporate networks."

Version: 1.0.0
Date: 2026-02-25
Author: WatchDog Security GRC Team
Description: Initial publication