Sustaining large-scale, long-term remote telework security

In response to the COVID-19 pandemic, the Office of Management and Budget made an unprecedented call for agencies to maximize telework arrangements, resulting in some cases with almost 100% of an agency’s employees working remotely. Now, as federal agencies commence reopening efforts, the question remains: Is a maximized telework approach here to stay? And with so many federal workers working remotely, how can agencies ensure that appropriate cybersecurity controls are in place?

According to our recent report, 89% of cybersecurity professionals surveyed said COVID-19 has been a stress test for every security control and policy within their organizations. Ninety-four percent  said they are more concerned about security now than before the COVID-19 pandemic. Given the stress of COVID-required telework, are federal agencies prepared to sustain a secure approach to a mostly remote workplace?

Likely not. After all, it's one thing to say that there's no perimeter, and another thing entirely to suddenly be forced to operate without a perimeter. When the workforce is no longer bound by perimeter, we have to think a lot more strategically.

What must security teams do in order to sustain a large-scale, long-term approach in a mostly remote environment?

Build upon best practices. Sustaining the security of remote environments is more about making sure the security basics are in place than it is about trying something different. Existing security frameworks can help agency security teams do just that. To ensure security and compliance of a vast array of remote endpoints, security teams should reference both general security frameworks (such as Center for Internet Security controls and the National Institute of Standards and Technology’s Cybersecurity Framework and 800 series guidance) that provide a holistic approach to cybersecurity and specific government compliance requirements. Telework-specific guidance is also available, such as Cybersecurity and Infrastructure Security Agency’s TIC 3.0, which includes controls like configuration management, vulnerability assessment, dynamic threat detection, strong authentication, backup and recovery of data. CIS’ Telework and Small Office Network Security Guide offers guidance for securing home office environments through proper configuration of devices, networks and encryption standards.

Increase visibility. In order to sustain a secure remote environment, visibility is essential. Visibility was a significant challenge across the federal enterprise even before the pandemic. In telework environments, security teams are working with even less visibility and control due to VPN constraints such as exceeded bandwidth and/or dropped connections and laptops not properly configured. Sustaining a secure telework environment means that agencies must have security tools that still perform when overloaded VPNs fail. Security tools should be able to connect and send information from an endpoint via proxy as an alternative to using a VPN connection.

Focus on what’s important. With the overabundance of remote traffic, security teams must figure out a way to focus their attention, controls, and management on network activity that is vital to protecting critical assets. “Things are just happening too fast, and it's dispersed across a large front,” said CIS Senior Vice President and Chief Evangelist Tony Sager on a recent podcast. “You have to be both looking really broadly at all these different problems, but also be very focused on what really matters. Everything deserves some level of protection, but some deserve more.”

Monitoring widely dispersed endpoints can become unmanageable in a maximum telework environment. There are too many security alerts with minimal insight into the degree of risk each alert represents. That is why, when it comes to monitoring for potentially malicious or unauthorized changes, it is essential to be able to identify business-as-usual changes vs. changes that indicate trouble. This capability enables teams to first focus remediation efforts on those issues that place the highest risk to critical assets.

Typically, an agency relies on its file integrity monitoring capability to monitor for change. But sustaining a long-term telework environment will require security teams go beyond basic change monitoring. They will need tools that apply change intelligence to determine each change’s impact so they can prioritize their response accordingly.

From a security perspective, the abrupt and wide-scale shift to a remote work environment as a result of COVID-19 required agency security teams to adjust with little to no planning, placed a tremendous strain on all aspects of security operations and intensified risk beyond the norm for federal infrastructure. If maximum telework becomes the norm for government agencies, it is likely to impact every area of business from security clearances to network infrastructure. “As a practical matter, it will be a very real struggle to put in place the kind of flexibility and capacity needed to sustain a large-scale, work-from-home program,” Sager said.

As agencies evaluate the potential impacts of reopening, they must weigh the benefits/costs of tackling very practical challenges. But as COVID taught many of us, we don’t know what we are capable of until we are forced to find a way. Fortunately, there are guidelines and tools already available which, when properly deployed and managed, can help achieve the new normal.