As agencies have gone remote, they have had to evolve their cyber security strategies to adjust to their new telework reality. What challenges are they encountering as they make this shift? How can they adopt or adapt “bring your own device” (BYOD) plans to ensure the security of agency applications and data?
MeriTalk spoke with Dean Scontras, Vice President of Public Sector at Cisco’s Duo Security, and Sean Frazier, Advisory CISO for Federal, for their take.
MeriTalk: With telework becoming the new normal, agency leaders must offer their remote staff different tools to accomplish daily tasks. What are the necessary tools or guidance organizations need to provide to ensure success and security when working remote?
Frazier: Consistent access is critical in an emergency situation where everyone is suddenly working remotely. If you need a virtual private network (VPN) to access corporate resources outside the network, and now everybody’s outside the network, you have to look at scalability and security capabilities.
Scontras: Whether it’s an emergency situation, or we’re just considering the workforce of the future, agencies are going to need to accommodate new forms of authentication that they haven’t necessarily previously used. Although that’s what the National Institute of Standards and Technology (NIST) policy clearly spells out, there is a lack of these tools, and there is also a lack of confidence, often unfounded, in the ability of these tools to perform authentication at a level equal to or greater than what they require.
Frazier: You need to provide access either way. In this current environment, if you can’t use a personal identity verification (PIV) card because it’s expired and you’re at home, and you don’t have a government-furnished device, you need to use a personal device; you need to make do. For example, HSPD-12 required a card to access any system or building, but those systems used to be behind the same four walls, and that’s obviously changed. There are tools available, like Duo’s, that authenticate and provide secure access without a card, and that leverage FIPS-validated cryptographic algorithms and are aligned with NIST’s SP 800-63-3 assurance levels.
MeriTalk: How are agencies approaching their BYOD policies in this environment, and what should they take into consideration?
Scontras: In this environment, they’re forced to have one, because up until now agencies have not really had robust BYOD policies. Previously, if the government owned the device, you got full access, but if you were using a personal device, your access would be restricted, because most likely your agency had a semi-policy, or no policy at all. The interim emergency guidance from the Cybersecurity and Infrastructure Security Agency (CISA) specifically calls out that you’re going to need a BYOD policy because people are going to bring their own devices.
MeriTalk: As agencies are driven to develop these policies, what sort of things should they take into consideration?
Scontras: They need a consistent security model. Even though employees may use their personal equipment, you still can’t say they have carte blanche, full open access, depending on the device. You still need some kind of assessment or posture capability. You might say, “Yes, you can use your own device, but I’m going to need to check a few things before we let you on the network, and I may require you to make some updates before I grant you access.”
MeriTalk: In early April, CISA released the Trusted Internet Connections (TIC) 3.0 Interim Telework guidance focused on the rapid transition to telework as Federal agencies adjust operations to combat spread of the coronavirus. In your opinion, how is the TIC 3.0 Interim Telework guidance helping agencies develop successful telework plans?
Frazier: The TIC 3.0 draft that came out last year accelerated some things, and the recent emergency guidance started to codify alternative access methods. The previous TIC versions had a pretty hard requirement for backhauling traffic back to your network for inspection before you let it go back out – rather than having a direct conversation between a user on a device pointing to a cloud service provider (CSP). The interim guidance is meant to give agencies the ability to build architectures around things like BYOD, VPN access, multi-factor authentication (MFA), and alternative authentication methods.
MeriTalk: Talk to us about “elastic trust zones” and how they are made for a telework environment.
Frazier: Elastic trust zones are designed to put security capability – or reduce the threat surface – around access. You put a trust zone around a certain app or data, and you require users trying to access that application to meet a defined standard of trust. You go through a validation of user trust with strong MFA to enhance the primary authentication. You go through a validation of device trust through a posture assessment – do I trust the device because it’s on the right software? Is it the right kind of device? Has the user turned on biometric settings like Face ID and Touch ID, for a higher level of trust? Being able to define trust zones is important because it focuses the agency on exactly what they need to care about – the access to their data.
MeriTalk: COVID-19 has presented unique cyber security threats, causing Federal agencies and organizations to shift their defense plans to secure their platforms. What have been some of the biggest challenges you’ve seen when transitioning to these telework environments with regard to maintaining security?
Frazier: The biggest challenge is in continuity of operations, or scalability requirements. Security needs to be considered across the entire stack, no matter what you’re doing.
Another thing to keep in mind is not only are your employees teleworking, but your IT staff is too. So they can’t sit in the data center and flip the switch on things that they normally would do sitting inside the organization. They’re also working remotely.
Scontras: Another challenge is time – that speed to security in a remote workforce. As we’ve had to move people to their homes, how do we do things at the same speed as we did when everyone was in the office? Again, things like Duo and cloud MFA allow you to do that in days, not weeks or months.
MeriTalk: The TIC 3.0 Interim Telework guidance indicates that agencies may need to increase capabilities and capacity in existing services such as internet service provider (ISP), bandwidth, VPN, and cloud while workers are remote. How can increasing and expanding on these capabilities improve cyber security efforts? And what other solutions or services, if any, should agencies focus on expanding?
Frazier: As you’re expanding your capacity, you need to be sure that you’re baking in the security. It can’t be an afterthought. You need to look at the fundamentals – things like Domain Name System (DNS)-based security, MFA, the bare bones and connective tissue of security. When the world goes “back to normal,” we want to make sure that everything we’ve done to improve remote access security during this time is reusable.
MeriTalk: How has MFA been impacted by the new, remote workplace? And how is it helping agencies adapt to our new normal?
Frazier: We’ve always known that MFA is important; that’s exactly what a Common Access Card (CAC) or PIV card is. These smart cards provide inherent multi-factor, but we need to provide consistency across cloud service providers and access modes, or modalities. And we need to ensure those modes are consistent across the user experience, whether you’re a remote worker or you’re sitting in the office.
Scontras: There are other forms of MFA within the government, such as cloud-based MFA, which is particularly attractive in our current scenario. There’s no hardware to be shipped, so a FedRAMP-approved cloud-based MFA like Duo can fill that gap particularly well for agencies in this environment, especially with regard to speed to security.
Frazier: While the smart card has done a really good job over the last 15 years, that model requires you to bolt on innovative solutions to legacy technology. Security is done best when it’s not bolted on, but actually integrated overall. By moving to a cloud-based MFA solution, you’re creating a security model that allows for innovation in the cloud.
Like Dean said before, not only are the IT people working from home, but the people that issue CAC and PIV cards are too. People can’t go see someone to verify their identity to get that card in the first place.
MeriTalk: As cloud-based and mobile use proliferates, agency attack surfaces expand. How can agencies adjust to this reality, maintain control, and improve their security postures?
Scontras: We’ve been dealing with cloud and mobility for almost 20 years. And I think these models can actually reduce our attack surface. If you apply a zero trust-based principle to security – whether in the cloud, or mobile, or not – you can protect the assets that matter most by validating each access request by user and device. That’s where you can reduce the attack surface – to that singular request for access to data through an application.
MeriTalk: Any final thoughts?
Frazier: It’s all about innovation and consistency. As an agency, you don’t want to stand up a one-time thing and then go back to the old way later. You want to make sure that you’re building something that has legs, that you can use for the next 20 years, and you need to have that elastic mindset of cloud and mobility.
Scontras: Make sure you’re building a platform that you can innovate on top of. With things like password-less authentication, a lot of agencies are just starting to look at this and how they might deploy it. As they’re building a cloud-based authentication solution, they’re laying the groundwork for the next part of the journey, which is password-less.
We’re going to be in this remote workforce state, in one form or fashion, for probably about a year. And even when we’re on the other side, there will always be drivers that require us to be more agile. We need to bake security into our plans on an ongoing basis.