This presentation was originally delivered during the Secure Remote Work Virtual Summit, which took place on March 31, 2020.
You can view the full event summary, as well as access additional sessions from the Secure Remote Work Summit, in our Secure Remote Work Resource Center.
Following is the recording and a session summary of a talk by Vesh Bhatt, CTO, Attila Security.
Watch the session recording to learn how government agencies can mobilize their workforce, allowing more workers to stay out of the office while still keeping day-to-day operations moving.
Watch the video or peruse the notes from the session below.
Remote work security
Vesh Bhatt has a background in the federal government and now works in the private sector.
Many people in both the federal government and the private sector have had their typical workday disrupted by the COVID-19 pandemic. Governmental institutions and businesses alike adapted to this unexpected adjustment at varying speeds.
For some, the transition was simple, leveraging existing systems and resources. For others, the transition has uncovered weaknesses or immediate improvement needs.
Sometimes, these work teams were simply not prepared to facilitate remote work at the volume required.
Approvals and remote work policies
Organizations that already had a remote work policy in place are having an easier time. The ones that didn’t are struggling not only to find viable solutions but also to develop policies.
Arguably, the private sector is empowered to move faster and is not subject to the kinds of approvals required for the federal government.
In the government, there is typically a pre-certified list of applications or vendors that can be used. As a result, groups that are looking to purchase technology or hardware to facilitate remote work in response to the pandemic have to either choose from an existing list or try to fast-track approval for alternatives.
The latter option may require vulnerability scans and company assessments as part of an existing process. Even existing pools and resources that are certified may be subject to approvals.
For information systems and security managers, there will be an authorizing official who gives an ATO (Authority To Operate), which includes having a Systems Security Plan (SSP). The SSP is a document that describes everything from maintenance to emergency protocols.
None of this is achievable overnight.
Challenges to remote work for the federal government
There are numerous challenges currently facing remote work in the federal government.
- Not enough Government Furnished Equipment (GFE).
- No remote work policy.
- The need for fast approvals and certifications.
- The need for remote access to classified documents.
- Ongoing maintenance.
Different branches and agencies of the government have different needs and different levels of readiness.
For example, there is a big difference between the Department of Defense and other governmental agencies. At the DOD, there has always been a heightened awareness of security.
By contrast, agencies on the federal side have moved faster to cloud-based solutions like Office 365.
Solutions are regularly being accelerated through the process to help teams work remotely.
Solutions to remote work challenges in government
Experts are coming to the table with good solutions for some of these challenges.
On the DOD side, virtual desktop infrastructure (VDI) solutions could be used. This would resolve the issue of insufficient equipment because users could use their own devices without risk.
It’s significantly easier to set up 1,000 virtual desktops than to set up and configure 1,000 physical laptops.
For a lot of agencies with SaaS solutions, single sign-on (SSO) should be activated. This also enables centralized control and management.
For remote access to classified documents, the Commercial Solutions for Classified (CSfC) program is a viable option. In this scenario, commercial programs have already been vetted, which alleviates a lengthy approval process.
Remote management and monitoring tools can offset the challenges of maintenance needs. These tools can address issues, uphold policies, and remotely apply software patches and updates.
Q & A from listeners
Vesh Bhatt & Kathleen Booth discuss questions directly from listeners.
Q: Where does “Zero Trust” fit into this discussion?
A: Zero trust fits in well, especially on the federal government side. A lot of cloud-based solutions can supply SSO and provide network inspection and traditional security stack solutions. On the DOD side, there are very few solutions for zero trust. It is new and different, compared to standard VPNs. The technology behind it is different and takes a lot longer to certify and verify.
Q: How does the cost of implementing a VDI solution compare to other options?
A: BYOD means that no hardware has to be procured. You may have existing server space. This means that more desktops can be added. Around the two or three year mark, the overall cost of ownership for VDI is more cost-efficient. A lot of management issues are cut out in both hardware support and time.
The VDI really breaks down to the cost of the server and solution. You still need licensing for every desktop or whatever OS is being used. All applications installed on top of that will still require licenses. All of that stays the same. As an entire solution set, the cost difference is lower on the VDI side.
Q: Are there issues with VPN capacity right now? If so, what’s the solution?
A: Yes, this is an issue. When you plan for remote work, you’ll estimate the percentage of employees and their location. You won’t have 80%-100% of the workforce working remotely. Until now. If you like your existing solution, a lot of customers are just going back to the vendor and reporting on the new volume of users and requesting a solution.
Many vendors will work to understand user traffic and find the right solutions. There are good guidelines on how to do that so you can account for the overhead.
Quantum Computing: Additional Resources
As government agencies architect remote work solutions, quantum computing may hold some potential for resolving challenges. Cryptography may be swapped out for future ciphers. Quantum-resistant ones are in the works today.