The COVID-19 pandemic has transformed the way federal agencies work, forcing them to quickly adapt to an environment where the majority of the workforce is decentralized. Agencies have made great progress – and many have begun to release official numbers documenting success.
The Environmental Protection Agency has 96 percent of its workforce teleworking, the National Science Foundation has 100 percent, the Department of Housing and Urban Development has 95 percent and the Department of State has 90 percent. Additionally, the Department of Defense has 900,000 employees equipped for telework, with 250,000 added in a single day – making it the largest rollout the department has seen.
However, this massive shift has exposed a set of challenges for agencies that may already have been struggling with the basic blocking and tackling of endpoint hygiene, system patching, and compliance before the crisis hit. When you factor in Bring-Your-Own-Device (BYOD) endpoints alongside agency-owned assets operating outside the protective perimeter of the enterprise local area network, there is a massive increase in overall risk. Now that agencies are operational, the focus must shift to improving security and reducing risk.
Understanding the Expanded Network
The work environment has changed – agencies are leaning on a mix of government-issued and BYOD endpoints. Not only do the users of these remote endpoints need access to the data residing behind the enterprise network perimeter, but IT staff also need to be able to reach out and manage the endpoints.
Agencies must continue to push updates to the remote endpoints and maintain compliance with security and operations policies. These functions are often very resource-intensive and, if deployed via the VPN, will consume precious bandwidth and increase latency and performance issues for users.
With a shift in how devices are connecting to the network – and new challenges managing those devices – it’s critical that cyber hygiene evolves quickly to keep teams working and networks safe.
A New Approach
Agencies were required to rapidly transition to remote work – and have successfully established remote infrastructure in a short period of time. The demand for a predominantly distributed workforce will not snap back when the pandemic subsides – agencies must consider the long-term sustainability of their solutions, specifically in terms of mitigating the inherent risk that a distributed workforce carries.
The challenge can’t be resolved by disjointed solutions, by following policies and procedures that worked in the past, or by asking overstretched internal teams to simply do more. Agencies must consider a radical rethinking of how IT administrators manage and secure operational environments. This new approach must:
- Provide end-to-end visibility into the new, borderless, operational environment
- Monitor and manage endpoint usage, performance, and security in real time without concern for where the endpoint resides
- Monitor and manage distributed workforce infrastructure and software deployments and patching
- Continue to manage existing centralized infrastructure
- Help enforce policy and maintain fundamental cyber hygiene
- Account for and protect the type, location, and state of protected data now residing outside the perimeter of the enterprise LAN
All of this must be done without negatively impacting the remote connectivity infrastructure – which is primarily intended to carry critical user data, not endpoint management traffic.
Leveraging a single platform that integrates endpoint management and security unifies teams, effectively breaking down the data silos and closing the accountability, visibility, and resilience gaps that often exist between IT Operations and Security teams. It also enables agencies to leverage a modernized approach for end-to-end visibility across end-users, servers, and cloud endpoints as well as the ability to identify assets, protect systems, detect threats, respond to attacks, and recover at scale.
The risk landscape has changed dramatically and irrevocably. Agencies must build a foundation based on unification for assessing and addressing risk by ensuring not only that existing operations can withstand daily threats caused by this change, but that this risk mitigation continues as the current crisis abates and the next normal settles in.