Are they doing control or just looking at status and historical data? If the latter is the case, you might remotely log/update data via Ignition directly or use some kind of database synchronization to achieve this.
Some tips for secure remote access:
The best remote access from a security perspective would be using IT to help support VPN connectivity for clients. If this isn’t feasible, the next best approach of the top of my head places the Ignition gateway in a DMZ, only port forwarding the (single) port that you need from the public IP address. Enabling SSL/TLS with a “real” certificate would be a good idea for a public hosted environment. You can achieve additional protection by separating the gateway from other nodes on your network, particularly file servers, and even the database (unless it’s running on the same machine). If the database is on the same machine, ensure that DB access is limited to the local IP address (localhost is best) and disable remote access over the DB port on the local firewall (even Windows Firewall or whatever will do here).