Maj. Marcus Mosher (left) and Maj. Nathan Moseley (right) participate in a video chat on Commercial Virtual Remote environment (CVR) June 22, 2020. CVR has enabled the 12th Operations Group to adapt and overcome challenges during the COVID-19 pandemic. (Photo by Sabrina Fine/502nd Air Base Wing Public Affairs)

6 Steps for Agencies to Strengthen Remote Access Security Infrastructure

More federal employees teleworking means more risk of users bringing malicious content and security attacks onto the network through legacy appliance-based remote access technologies.

“With the increased telework capability comes an increased attack surface for our adversary. They’re already taking advantage of the situation and the environment that we have on hand,” said Principal Deputy DoD CIO Essye Miller at a virtual town hall meeting in March.

Now, the Defense Department (and all of government) has to take a sober look at remote access security infrastructure to identify vulnerabilities and make updates. It’s time that agencies better align technology, security, and operations to get ahead of adversaries. To evaluate their teams’ security capabilities and preparedness now that we are settling into a steady state, agencies can follow the steps below:

  1. Ensure your agency is scalable during continuity of operations (COOP) scenarios. This is one of the most critical evaluation criteria for IT teams. The Joint Regional Security Stacks (JRSS) alone cannot support this massive shift to telework – issues around performance, reliability, latency, and cost are reducing efficiency and productivity for DoD agencies. Security and user experience must expand alongside bandwidth and throughput as teleworking grows, or users will bypass the security to do their job. The initial reaction to the need for more capacity during the current crisis is often to implement new infrastructure or add new appliances. But the only truly scalable solution is a cloud-native capability.
  2. Reduce infrastructure exposure to external attack. Often, the traditional remote access approach opens more appliance-based capabilities through ports, protocols, and IP spaces. But the more openings there are, the larger the attack surface. So, we need to shrink the attack surface by limiting those ports/protocols. Agencies only need one outbound port (a 443 connection) open to a specific subset of IP addresses (a security cloud provider).
  3. Manage users from a single control plane. How many tools is your agency using to manage users’ remote access and enforce policies for authentication, authorization, and accounting? The more complex the process – multiple interfaces, methodologies, and terminology – the more likely it is that bad actors can hide in the background and that human error will occur. Simplify it, and empower your IT and security teams. Modern access methods, such as zero trust, can give admins full visibility to manage, administer, and log user abilities.
  4. Limit users’ remote access. Employees need the right access to the right applications to perform their job duties. But this doesn’t mean they need full access. Isolate application access and verify your users before granting access. Zero trust network access (ZTNA) methods can manage the verification process, while keeping users off the network – ultimately reducing the attack surface and eliminating east-west traffic on the network.
  5. Reduce the need for significant maintenance of remote access infrastructure. Appliance-based remote access solutions constantly need updates to firmware, software, security, and policies to keep up to date with technology and advancing security risks, and upkeep can require a number of specialized skillsets. But a cloud Software-as-a-Service (SaaS) model greatly reduces management and upkeep. This can free up time for agencies to focus on improving their policies and on other, more critical mission needs, instead of patching security holes.
  6. Protect remote users surfing the internet. As federal employees connect through virtual private networks (VPNs) then back out to the internet, they experience significant latency and a poor user experience. And many users end up going around VPNs and the security measures that are in place. This leaves users unprotected and opens the network to cyber risks. Agencies should embrace a platform that offers “direct to internet” and “direct to application” security capabilities to provide fast, secure, and direct access for users to surf the web.
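
Step 2's target state (a single outbound 443 connection, limited to a security cloud provider's IP ranges, and nothing else exposed) can be checked against a firewall rule export. The script below is an added example, not part of the original article; the rule format, the function names, and the provider ranges (documentation addresses) are constructed assumptions.

```python
import ipaddress

# Constructed allowlist: documentation ranges standing in for the
# security cloud provider's published IP space (assumption).
PROVIDER_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed sample rules in a hypothetical export format.
SAMPLE_RULES = [
    {"id": 1, "dir": "out", "action": "allow", "proto": "tcp", "port": 443, "dst": "203.0.113.0/24"},
    {"id": 2, "dir": "out", "action": "allow", "proto": "tcp", "port": 443, "dst": "0.0.0.0/0"},
    {"id": 3, "dir": "in", "action": "allow", "proto": "tcp", "port": 443, "dst": "192.0.2.10/32"},
    {"id": 4, "dir": "out", "action": "allow", "proto": "udp", "port": 500, "dst": "198.51.100.7/32"},
    {"id": 5, "dir": "out", "action": "allow", "proto": "tcp", "port": 443, "dst": "198.51.100.128/25"},
    {"id": 6, "dir": "in", "action": "deny", "proto": "any", "port": None, "dst": "0.0.0.0/0"},
]


def dst_in_allowlist(dst, allowed=PROVIDER_NETS):
    """True only if the whole destination range sits inside one allowed network."""
    net = ipaddress.ip_network(dst, strict=False)
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)


def audit_rules(rules, allowed=PROVIDER_NETS):
    """Return (rule id, reason) for every allow rule that widens exposure."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue  # deny rules do not add attack surface
        if r["dir"] == "in":
            findings.append((r["id"], "inbound listener exposed"))
        elif (r["proto"], r["port"]) != ("tcp", 443):
            findings.append((r["id"], "outbound port/protocol other than tcp/443"))
        elif not dst_in_allowlist(r["dst"], allowed):
            findings.append((r["id"], "destination outside provider ranges"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit_rules(SAMPLE_RULES):
        print(f"rule {rule_id}: {reason}")
```

Rule 5 is flagged even though it shares a /24 with an allowed range: the check requires the entire destination to fall inside an allowlisted network, so an adjacent or overly broad CIDR does not pass.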

Follow these key points of evaluation to identify where the pressing risk areas are, and improve security postures for telework now and in the future. Guidance such as NIST Special Publication 800-46 and DoD’s Cloud Computing Security Requirements Guide is also a great source of security best practices for telework and cloud. Going forward, agencies should consider moving to a multitenant cloud platform with zero-trust access to ensure complete visibility, security, and an improved experience for all users.


As Director of Emerging Technology for Zscaler, Patrick is responsible for the alignment of usable and secure Zscaler capabilities providing dynamic, mission-focused capability with tailored operations to the Department of Defense (DoD) and Intelligence Communities (IC). Patrick recently retired from the Army as a Signal Corps Chief Warrant Officer Four after 21+ years of service. Patrick’s experience over the last 15 years has been with the U.S. Special Operations community. Throughout his career, he has served as the Chief Technical Advisor to senior military leaders as well as performed both network and security engineer positions. He specialized in developing innovative and emerging technology solutions to both strategic and tactical missions globally. Patrick holds degrees from the University of Oklahoma and University of Maryland University College, as well as industry certifications including 2 x CISCO Certified Internet Expert (CCIE) and a CISSP. He is married to a career Army Signal Officer currently serving on active duty and they have five children.
