The pandemic has brought to light two important factors for federal agencies. First, to deliver citizen services efficiently and rapidly in a distributed workforce, agencies need more robust IT architectures. Second, cyber threats are growing – and there is an increased need for stronger defenses.
Widespread telework has underlined the need for agencies to ensure staff can access the data they need from any location, on any device. Further, the increased use of mobile and personal devices, cloud computing, and Internet of Things (IoT) is complicating the environment. To ensure security of operations, many IT teams are adopting a zero trust approach.
Real-time Data for Real-time Decisions
The network perimeter is dissolving – employees are no longer working exclusively from the confines of a secure office environment. This was true before the pandemic – and it will remain true. In a zero trust architecture, agencies can provide precise access to users and devices. The basic premise of zero trust is: trust no one. Trust must be continually assessed and granted in a granular fashion. Authorized users receive access to applications – regardless of whether the user is on-site or remote, an agency worker, or a third party.
This approach comes down to a risk-based decision – and, good risk-based decisions must be based on real-time data. For example, a power user has access to a lot of functions – but if they are trying to access the network via an old computer with outdated software, the risk is higher. To accurately evaluate risk, agencies need the latest data on who the user is, where they are coming from, and what they are trying to connect to.
Not a Silver Bullet
While zero trust provides a comprehensive approach to secure network infrastructure access, there are challenges. Many agencies do not have the needed policy control technology architecture. Smaller agencies, with less staff and bandwidth, struggle. Telework has forced the adoption of bring-your-own-devices (BYOD) – and unfortunately, this creates even greater cybersecurity risks as agencies determine how to control, measure, and manage those devices.
Further, many agencies were struggling with basic cyber hygiene before the telework surge – and most of the security tools implemented were designed for local enterprises. With a distributed workforce, this means increased cyber risk, as the security tools in place become even less effective.
Telework is not going away – and with cyber threats rising, the need for secure access is more important than ever. The Office of Management and Budget (OMB) should establish standards for minimum defensive controls for assets to connect to government networks. This guidance would particularly benefit smaller agencies and lay the groundwork for a zero trust approach.
Other challenges include the diversity of data access and storage options, application and device variety, and employees using government virtual private networks, home routers, and even public Wi-Fi through personal devices to connect to the network.
These factors all increase complexity, and require endpoint analysis (and real-time data) to grant access.
OMB works with the National Institute of Science & Technology (NIST) to issue guidelines, including the Guide to Enterprise Telework and Remote Access Security, that emphasize the importance of securing sensitive information stored on telework devices and transmitted across external networks. This guidance also provides recommendations for selecting, implementing, and maintaining the necessary security controls.
In addition to zero trust, there are many cloud security architectures that agencies can implement. For instance, Trusted Internet Connections (TIC) 3.0 recognizes shifts in modern cybersecurity and provides agencies with a greater variety of connection options. While TIC is detailed from a security and telecommunications perspective, it is missing some of the risk evaluation that is associated with who and what devices are trying to connect to the network.
Security concerns can’t be resolved by disjointed solutions, by following policies and procedures that worked in the past, or by asking overstretched internal teams to simply do more. Leveraging a single platform that integrates endpoint management and security unifies teams, effectively breaking down the data silos and closing the accountability, visibility, and resilience gaps that often exist between IT operations and security teams.
A platform approach also gives agencies end-to-end visibility across end-users, servers, and cloud endpoints, and the ability to identify assets, protect systems, detect threats, respond to attacks, and recover at scale. Zero trust offers a way to keep agency data secure and employees productive – if implemented using accurate, real-time data.
Brian McKee is Senior Director of Technical Account Management at Tanium