I'm curious what people would recommend for VPN session lengths and timeout periods for remote workers and why.

Looking at NIST SP 800-53r4 AC-11, it goes into session lock in general as defined by org by risk; sometimes no session lengths if org determines a session is mission critical.



PCI-DSS 8.1.8 lists 15 min but I'm assuming this is related to anything in scope of processing, storing, etc PCI data. 12.3.8 goes into automatic disconnect of sessions for remote-access technologies, but doesn't establish a timeframe; just that a timeframe exists.

Maybe I'm looking in the wrong places?

@SandPaper Guidance from PCI DSS 3.2 "When users walk away from an open machine with access to critical system components or cardholder data, that machine may be used by others in the user’s absence, resulting in unauthorized account access and/or misuse.

The re-authentication can be applied either at the system level to protect all sessions running on that machine, or at the application level."

To me, that reads "have a 15 minute screen lock time" to app-consumers.

@SandPaper and "allow a 15 minute app-lock or session timeout" for app-vendors in case, for some bizarre reason they use an OS without screen locking timeout capability.

@SandPaper a 15 minute VPN timeout would be incredibly inconvenient. I could only see that working if the VPN was very fast to resume. It would be unavoidable if while connected the VPN provided direct unauthenticated access to CHD (which seems incredibly suspect and unwise).

@SandPaper that 15 minutes timeout shouldn't apply to VPN sessions, but to the endpoint itself

Sign in to participate in the conversation
Infosec Exchange

A Mastodon instance for info/cyber security-minded people.