Federal, state, and local governments have been focusing on transitioning their Information Technology to create sustainable operations for a suddenly remote workforce. In a short time, priorities have shifted toward business continuity more drastically than ever before.
Continuity of Operations and Government, Then and Now
Continuity of Operations (COOP) and Continuity of Government (COG) became a more urgent matter, post-9/11. But the focus was still on identifying the subset of the workforce deemed ‘essential’ or ‘mission critical’ — and then telling them to come to work at their customary location or an alternate official worksite (and telling everyone else to stay home).
Now, however, governments are faced with figuring out how to ensure the full utilization of their workforce and operations for an extended period of time, with most of those employees based outside of the office, many of them at home. From an IT perspective, it helps to break down this challenge into its components.
1. Endpoint Security
The first component to consider is ensuring the endpoint security of a remote worker’s computing environment. The environment could be a home network with vulnerable IoT devices (baby cams and doorbells attached) and family members using applications and platforms (social media and gaming consoles) that potentially introduce threats into the network.
This entire operating environment is outside of the organization’s control, and it brings a new meaning to the term ‘insider risk’. The question is: how do you isolate the remote worker’s device or, at least, ensure the integrity of any government data and operations in use on that device?
2. Transmission Security
Data is secure when it stays in one place, but that rarely happens. As data moves from one place to another, it becomes vulnerable to interception. As a result, you have to take steps to ensure its security — especially for a government’s confidential data. Transmission security involves ensuring that government data is encrypted when it moves across the internet.
3. HQS or Parent Office
A third element is the HQS or parent office. The networks of nearly all of these environments were designed for employees to work from inside the network perimeter. However:
- Does that network have the ability to absorb the number of connections expected from moving its workforce to a remote location?
- Can it handle those connections with acceptable latency, so that users don’t become frustrated by slow network performance?
- Can it ensure that these connections are secure and only available to authorized users?
Other Considerations for Remote Telework Security
In addition to those three aspects of telework security, there are others to consider.
Bandwidth is an essential consideration in any IT solution. Do any of the applications require unusually high levels of bandwidth? How efficient can your solution be when not all teleworkers have broadband access? And even if they do have access, it is crucial to recognize not only that broadband speeds vary dramatically, but also that other demands on a home network, such as children engaged in distance learning, can eat into the available bandwidth.
Under these remote work circumstances, cloud computing becomes an especially attractive option. For Federal users, TIC 3.0 permits direct connection to cloud-based resources – rather than having to route traffic back through the home agency – and it also allows the use of software as a service (SaaS) platforms.
Checklist for Secure Remote Access by a Government Workforce
With these considerations and options in mind, here are the key elements you should be looking for in a solution:
- A Virtual Private Network (VPN) whose endpoints are the remote user’s device and the parent office (or cloud).
- Multi-Factor Authentication (MFA) to ensure that only the authorized remote employee can access the employer’s network or data.
- Employer-provided endpoint security to ensure secure computing and access to government data and networks, even when the employee is working from a home network that is vulnerable or compromised.
- Data Loss Prevention (DLP) that provides a safety net against the inadvertent exposure of sensitive data, even when employees are operating with potential distractions and under extraordinary stress factors.
- Device management control to accommodate organizations that want to permit – or may even require – BYOD operations by their employees.
There are mature commercial solutions that address all of these factors. And ideally, from an IT overhead perspective, all of these solutions should function as a single integrated system, with a single point of management.
Organizations that have been grappling with the need to move rapidly to support remote and mobile worker populations don’t have to – and frankly, shouldn’t – reinvent the wheel, either in terms of technologies or the best practices required for their adoption.
We know the safest practices, and we’re ready to listen to your security needs.