More federal employees teleworking means more risk of users bringing malicious content and security attacks onto the network through legacy appliance-based remote access technologies.
“With the increased telework capability comes an increased attack surface for our adversary. They’re already taking advantage of the situation and the environment that we have on hand,” said Principal Deputy DoD CIO Essye Miller at a virtual town hall meeting in March.
Now, the Defense Department (and all of government) has to take a sober look at remote access security infrastructure to identify vulnerabilities and make updates. It’s time that agencies better align technology, security, and operations to get ahead of adversaries. Now that we are settling into a steady state, agencies can follow the steps below to evaluate their teams’ security capabilities and preparedness:
- Ensure your agency is scalable during continuity of operations (COOP) scenarios. This is one of the most critical evaluation criteria for IT teams. The Joint Regional Security Stacks (JRSS) alone cannot support this massive shift to telework – issues around performance, reliability, latency, and cost reduce efficiency and productivity for DoD agencies. Security and user experience must expand alongside bandwidth and throughput as teleworking grows, or users will bypass the security to do their job. The initial reaction to the need for more capacity during the current crisis is often to implement new infrastructure or add new appliances. But the only truly scalable solution is a cloud-native capability.
- Reduce infrastructure exposure to external attack. Often, the traditional remote access approach opens more appliance-based capabilities through ports, protocols, and IP spaces. But the more openings there are, the larger the attack surface. So, we need to shrink the attack surface by limiting those ports/protocols. Agencies only need one outbound port (a 443 connection) open to a specific subset of IP addresses (a security cloud provider).
- Manage users from a single control plane. How many tools is your agency using to manage users’ remote access and enforce policies for authentication, authorization, and accounting? The more complex the process – multiple interfaces, methodologies, and terminology – the more likely it is that bad actors are hiding in the background and that human error occurs. Simplify it, and empower your IT and security teams. Modern access methods, such as zero trust, can give admins full visibility to manage, administer, and log user abilities.
- Limit users’ remote access. Employees need the right access to the right applications to perform their job duties. But this doesn’t mean they need full access. Isolate application access and verify your users before granting access. Zero trust network access (ZTNA) methods can manage the verification process, while keeping users off the network – ultimately reducing the attack surface and eliminating east-west traffic on the network.
- Reduce the need for significant maintenance of remote access infrastructure. Appliance-based remote access solutions constantly need updates to firmware, software, security, and policies to keep up with technology and advancing security risks, and that upkeep can require a number of specialized skill sets. A cloud Software-as-a-Service (SaaS) model greatly reduces management and upkeep. This can free up time for agencies to focus on improving their policies, along with other more critical mission needs, instead of patching security holes.
- Protect remote users surfing the internet. As federal employees connect through virtual private networks (VPNs) then back out to the internet, they experience significant latency and a poor user experience. And many users end up going around VPNs and the security measures that are in place. This leaves users unprotected and opens the network to cyber risks. Agencies should embrace a platform that offers “direct to internet” and “direct to application” security capabilities to provide fast, secure, and direct access for users to surf the web.
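The posture described in the “Reduce infrastructure exposure” step (no inbound listeners, one outbound TCP 443 path to a known provider range) can be checked mechanically. The following is an added example, not part of the original article: a Python audit over a constructed rule list, where the rule format and the 203.0.113.0/24 provider range are assumptions.

```python
import ipaddress

# Assumption: placeholder (documentation) range standing in for the
# security cloud provider's published addresses.
PROVIDER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample rules; the dict layout is hypothetical, not a vendor format.
SAMPLE_RULES = [
    {"id": 1, "dir": "out", "action": "allow", "proto": "tcp", "port": 443, "remote": "203.0.113.0/24"},
    {"id": 2, "dir": "in",  "action": "allow", "proto": "tcp", "port": 443, "remote": "0.0.0.0/0"},
    {"id": 3, "dir": "out", "action": "allow", "proto": "tcp", "port": 443, "remote": "0.0.0.0/0"},
    {"id": 4, "dir": "out", "action": "allow", "proto": "udp", "port": 500, "remote": "203.0.113.16/28"},
    {"id": 5, "dir": "in",  "action": "deny",  "proto": "any", "port": None, "remote": "0.0.0.0/0"},
    {"id": 6, "dir": "out", "action": "allow", "proto": "tcp", "port": 443, "remote": "203.0.113.64/26"},
]

def audit(rules, provider_nets=PROVIDER_NETS):
    """Return (rule id, reason) for every allow rule that widens the
    attack surface beyond 'outbound tcp/443 to the provider only'."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # deny rules do not open anything
        if rule["dir"] == "in":
            findings.append((rule["id"], "inbound allow exposes a listener"))
            continue
        if rule["proto"] != "tcp" or rule["port"] != 443:
            findings.append((rule["id"], "outbound traffic other than tcp/443"))
            continue
        remote = ipaddress.ip_network(rule["remote"], strict=False)
        # The destination must sit entirely inside a provider range;
        # compare only same-family networks (subnet_of rejects mixed v4/v6).
        inside = any(remote.subnet_of(net) for net in provider_nets
                     if net.version == remote.version)
        if not inside:
            findings.append((rule["id"], "tcp/443 allowed beyond provider range"))
    return findings

if __name__ == "__main__":
    for rule_id, reason in audit(SAMPLE_RULES):
        print(f"rule {rule_id}: {reason}")
```
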
Follow these key points of evaluation to identify where the pressing risk areas are, and improve security postures for telework now and in the future. Guidance such as the NIST Special Publication 800-46 and DoD’s Cloud Computing Security Requirements Guide are also great sources of security best practices for telework and cloud. Going forward, agencies should consider moving to a multitenant cloud platform with zero-trust access to ensure complete visibility, security, and an improved experience for all users.