Federal, state, and local governments have been intently focused on managing the wholesale transition of their Information Technology to create sustainable operations for a suddenly remote workforce. Continuity of Operations/Continuity of Government (COOP/COG) became more urgent post-9/11, but it was still primarily focused on identifying the subset of the workforce deemed ‘essential’ or ‘mission critical’ and telling them to come to work at their customary location or an alternate official worksite, and telling everyone else to stay home.
Now, however, governments are faced with figuring out how to ensure the full utilization of their workforce for an extended period of time, and with most of those employees based outside of the office – many from home – to ensure the continuity of government operations. From an IT perspective, it helps to break this challenge down into its components:
- The first component to consider is ensuring the endpoint security of a remote worker’s computing environment. This can be a home network with vulnerable IoT devices such as baby cams and doorbells attached, and family members using applications and platforms such as social media and gaming consoles that potentially introduce threats into the network. This entire operating environment is outside of the organization’s control, and brings a new meaning to the term ‘insider risk’. The key question is, “How do you isolate the remote worker’s device, or at least ensure the integrity of any government data and operations in use on that device?”
- A second element is transmission security – this involves ensuring that government data is encrypted when it moves across the internet.
- A third element is the headquarters (HQ) or parent office. The networks of nearly all of these environments were designed with the expectation that employees would be working from inside the network perimeter. Does that network have the ability to absorb the number of connections expected from moving its workforce to remote locations? Can it handle those connections with acceptable latency, so that users don’t become frustrated by slow network performance? Can it ensure that these connections are secure and only available to authorized users?
Outside of those three primary considerations, other issues need to be addressed as well. Bandwidth is an important consideration in any IT solution. Do any of the applications require unusually high levels of bandwidth? How efficient can your solution be when not all teleworkers will have broadband access? And even if they do have access, it is important to recognize that not only do broadband speeds vary dramatically, but that other resources attached to a home network – such as children engaged in distance learning – can eat into available bandwidth.
Under these circumstances, cloud computing becomes an especially attractive option. For Federal users, Trusted Internet Connections (TIC) 3.0 permits direct connection to cloud-based resources – rather than having to route traffic back through the home agency – and it also allows the use of software as a service (SaaS) platforms.
With these considerations and options in mind, key elements of a solution for secure remote access by a government workforce should include:
- A Virtual Private Network (VPN) whose endpoints are the remote user’s device and the parent office (or cloud).
- Multifactor authentication to ensure that only the authorized remote employee is able to access the employer’s network or data.
- Employer-provided endpoint security to ensure secure computing and access to government data and networks, even when the employee is working from a home network that is vulnerable or compromised.
- Data Loss Prevention (DLP) that provides a safety net against the inadvertent exposure of sensitive data, even when employees are operating with potential distractions and under extraordinary stress factors.
- Device management control to accommodate organizations that want to permit – or may even require – BYOD operations by their employees.
There are mature commercial solutions that address all of these factors. And ideally, from an IT overhead perspective, as many of these solutions as possible should function as a single integrated system, with a single point of management. Organizations that have been grappling with the need to move rapidly to support remote and mobile worker populations don’t have to – and frankly, shouldn’t – re-invent the wheel, either in terms of technologies or the best practices required for their adoption.