Remote Access & VPN Policy
MFA-enforced remote access path inventory. Define which methods are approved, require MFA on all remote sessions, and minimize internet-exposed services.
What this cyber insurance requirement is
A remote access and VPN policy for cyber insurance should document all approved remote access methods (VPN, ZTNA, RDP, SSH, cloud consoles), require MFA enforcement on all remote sessions, define VPN configuration requirements including split tunnel restrictions, minimize internet-exposed services, and establish connection logging and session timeout policies. Carriers require this evidence to verify your organization controls how users access systems remotely — a primary attack vector for ransomware and unauthorized access.
What you'll get
- Remote access method inventory (VPN, ZTNA, RDP, SSH, Cloud console, VDI)
- MFA requirement for all remote access
- VPN configuration requirements and provider selection
- Split tunnel restrictions and justification
- Internet-exposed service minimization
- Connection logging and monitoring requirements
- Session timeout and idle disconnection
- Carrier alignment (Coalition, Hartford, Beazley, Travelers)
What carriers are looking for
Each carrier asks slightly different questions. The points below summarize what each one looks for and how this policy addresses it.
Coalition
- Evaluates remote access methods and requires MFA for VPN
- This policy satisfies their remote access and VPN MFA controls
Hartford
- Requires MFA for all remote network access
- This policy document proves MFA enforcement across all remote access methods
Beazley
- Assessments cover remote access and VPN control requirements
- Policy document and VPN configuration satisfy their requirements
Travelers
- Supplement includes MFA requirement for remote access
- This policy document and enforcement evidence satisfy that requirement
What Proves This Control
Evidence That Proves Implementation
- Documented remote access policy and approved methods inventory
- VPN configuration export showing MFA requirements enabled
- ZTNA / Zero-Trust platform configuration screenshot
- MFA policy settings (TOTP, push notification, hardware token)
- Internet-facing asset scan showing minimized exposure
- Firewall rule audit showing RDP/SSH internet access blocked
- VPN usage reports and active session logs
- Annual access review with role-based remote access matrix
What This Does NOT Prove
- Policy was actually followed during live sessions
- MFA was enforced on every connection (requires logs/audit trail)
- Users didn't use shadow IT or personal VPNs
- Split tunnel wasn't used despite policy prohibition
- Internet-facing services are actually protected
- RDP/SSH access was never attempted from internet
- Suspicious VPN sessions were detected and blocked
Ownership & Responsibility
🏢 CISO or VP of Information Security
Policy Owner
🔧 Network & IAM Teams
Implementation & Enforcement
⚡ Security Operations Center
Monitoring & Annual Review
Frequently Asked Questions
What's the difference between VPN and ZTNA (Zero-Trust Network Access)?
A VPN connects the user's entire device to the corporate network. ZTNA (e.g., Cloudflare Zero Trust, Okta) grants access only to specific applications and is considered more secure because it exposes far less of the network to the remote device.
Should we allow RDP or SSH directly on the internet?
No. Direct internet exposure of RDP (port 3389) or SSH (port 22) is a major attack surface. All administrative access should go through VPN or a bastion/jump host. Carriers strongly discourage internet-exposed administrative access.
Is split tunnel acceptable?
Most carriers prefer split tunnel disabled (full tunnel) to prevent traffic bypass. If you allow split tunnel, document business justification and enforce additional controls like firewall rules.
What MFA methods do carriers accept?
TOTP (authenticator app), push notifications, and hardware tokens are all acceptable. SMS-based MFA is weaker but still better than no MFA. Avoid SMS if possible.
How long should we keep VPN logs?
Carriers typically want 90 days minimum. Longer retention (6-12 months) provides better forensics for breach investigations. Consult with your legal and compliance teams.
What's a reasonable idle timeout for VPN?
15-30 minutes is common. Shorter timeouts (15 min) are more secure but can annoy users. Balance security and usability, but document your timeout policy.
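As an added example (not part of the policy builder), the following Python script audits a VPN session export against the points in this FAQ: MFA on every session, SMS treated as weak MFA, and idle disconnection within an assumed 30-minute timeout. The CSV layout, the session values and the MFA method names are constructed for illustration.

```python
# Added example (not from the policy builder): audit constructed VPN session
# records for MFA use and idle disconnection within an assumed 30-minute timeout.
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=30)             # assumed policy value (FAQ: 15-30 min)
STRONG_MFA = {"totp", "push", "hardware_token"}  # methods the FAQ calls acceptable
WEAK_MFA = {"sms"}                               # accepted but discouraged

# Constructed sample export: session_id,user,mfa_method,connect,last_activity,disconnect
SAMPLE_LOG = """\
s1,alice,totp,2026-03-02T08:00:00,2026-03-02T11:50:00,2026-03-02T12:00:00
s2,bob,none,2026-03-02T09:15:00,2026-03-02T09:40:00,2026-03-02T09:45:00
s3,carol,sms,2026-03-02T10:00:00,2026-03-02T10:30:00,2026-03-02T11:30:00
s4,dave,push,2026-03-02T13:00:00,2026-03-02T13:05:00,2026-03-02T14:00:00
"""

def parse_sessions(text):
    # Parse the CSV export into dicts with datetime fields.
    sessions = []
    for line in text.strip().splitlines():
        sid, user, mfa, conn, last, disc = line.split(",")
        sessions.append({
            "id": sid, "user": user, "mfa": mfa,
            "connect": datetime.fromisoformat(conn),
            "last_activity": datetime.fromisoformat(last),
            "disconnect": datetime.fromisoformat(disc),
        })
    return sessions

def audit_sessions(sessions, idle_timeout=IDLE_TIMEOUT):
    """Return (session_id, finding) tuples; an empty list means every session complied."""
    findings = []
    for s in sessions:
        if s["mfa"] not in STRONG_MFA | WEAK_MFA:
            findings.append((s["id"], "no MFA on remote session"))
        elif s["mfa"] in WEAK_MFA:
            findings.append((s["id"], "SMS MFA used; prefer TOTP, push or hardware token"))
        # Idle period: time between the last observed activity and the disconnect.
        idle = s["disconnect"] - s["last_activity"]
        if idle > idle_timeout:
            findings.append((s["id"], f"idle {int(idle.total_seconds() // 60)} min exceeds timeout"))
    return findings

def run_sample():
    return audit_sessions(parse_sessions(SAMPLE_LOG))

if __name__ == "__main__":
    for sid, finding in run_sample():
        print(sid, finding)
```

A real export will need the parser adapted to the vendor's log format, but the two checks are the ones a carrier's "MFA on every connection" and idle-timeout questions ask for.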
Common Remote Access Gaps
- No MFA on VPN: Policy requires MFA but VPN is not enforcing it. Audit VPN config to confirm MFA is enabled.
- RDP exposed on internet: Port 3389 accessible from internet without VPN requirement. Implement firewall rule blocking direct RDP access.
- SSH bastion exposed: SSH servers accessible directly from internet. Use jump host or bastion with MFA instead.
- Split tunnel enabled by default: Users' internet traffic bypasses VPN. Disable split tunnel or document exceptions.
- Cloud console (AWS/Azure) without MFA: Cloud provider portals accessible with password only. Enable cloud-native MFA or conditional access.
- No VPN audit logs: VPN connection events not logged. Enable connection logging for compliance and incident response.
- Contractors on personal VPNs: Third parties use personal ExpressVPN or similar. Require corporate VPN access only.
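The following is an added example, not part of the policy builder, showing how the "RDP exposed on internet" and "SSH bastion exposed" gaps above can be checked against a firewall ruleset: it flags allow rules that let sources outside RFC1918 space reach port 3389 or 22. The security-group style rule tuples and addresses are constructed, the trusted ranges are an assumption, and deny-rule precedence is not modeled.

```python
# Added example (not from the policy builder): flag firewall allow rules that
# let internet sources reach RDP (3389) or SSH (22), the exposure gaps listed above.
import ipaddress

ADMIN_PORTS = {3389: "RDP", 22: "SSH"}
# Assumed trusted sources: RFC1918 space, which here also contains the VPN pool.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed security-group style ruleset (allow-only, order-independent):
# (action, protocol, from_port, to_port, source_cidr)
SAMPLE_RULES = [
    ("allow", "tcp", 443, 443, "0.0.0.0/0"),        # public HTTPS, acceptable
    ("allow", "tcp", 3389, 3389, "0.0.0.0/0"),      # RDP open to the internet
    ("allow", "tcp", 22, 22, "10.200.0.0/16"),      # SSH only from the VPN pool
    ("allow", "tcp", 0, 65535, "203.0.113.0/24"),   # all ports from one public range
    ("allow", "tcp", 22, 22, "192.168.1.0/24"),     # SSH from the private LAN
]

def source_is_internet(cidr):
    """True unless the source range sits entirely inside one trusted network."""
    net = ipaddress.ip_network(cidr, strict=False)
    # Version check avoids comparing an IPv6 source against the IPv4 trusted list.
    return not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)

def find_exposed_admin_rules(rules):
    """Return (service, rule) for each allow rule reaching RDP/SSH from the internet."""
    exposed = []
    for rule in rules:
        action, proto, lo, hi, src = rule
        if action != "allow" or proto not in ("tcp", "any"):
            continue
        for port, name in ADMIN_PORTS.items():
            if lo <= port <= hi and source_is_internet(src):
                exposed.append((name, rule))
    return exposed

if __name__ == "__main__":
    for name, rule in find_exposed_admin_rules(SAMPLE_RULES):
        print(f"{name} reachable from {rule[4]} via rule {rule}")
```

An empty result over the real ruleset is the "firewall rule audit showing RDP/SSH internet access blocked" evidence item; a wide port range from a public source is caught the same way as a rule naming the port directly.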
Sources (March 2026)
- Coalition – Remote access and VPN MFA control requirements
- Hartford – MFA for all remote network access requirement
- Beazley – Remote access control assessment criteria
- Travelers – MFA supplement for remote access coverage
- NIST Cybersecurity Framework – Remote access controls (PR.AC-1, PR.AC-3)
- CISA – Zero-Trust Architecture implementation guidance
- CIS Controls – Secure Remote Administration (Control 4.7)