NIST updates telework security guidance
- By Bianca Spinosa
- Mar 17, 2016
As the number of government teleworkers grows, so does the likelihood that their devices will serve as attack vectors for those targeting government IT systems.
"Organizations are realizing that many data breaches occur when attackers can steal important information from a network by first attacking computers used for telework," said Murugiah Souppaya, computer scientist at the National Institute of Standards and Technology.
Two draft publications released on March 11 revise NIST's 2009 telework guidance: the Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security (draft Special Publication 800-46 Revision 2) and the User's Guide to Telework and Bring Your Own Device Security (draft SP 800-114 Revision 1). In them, Souppaya and fellow NIST researcher Karen Scarfone advise organizations to assume that all external environments contain hostile threats.
Major security concerns cited in the guides include the lack of physical security controls over devices used outside the office, the use of unsecured networks, the connection of infected devices to internal networks, and the exposure of internal resources to external hosts. The publications describe several types of remote access solutions (tunneling, portals, remote desktop access and direct application access) and offer recommendations for securing a variety of telework, remote access and employee-owned devices.
NIST advises requiring multi-factor authentication for enterprise remote access. Because a device may be lost or stolen, organizations should encrypt the device's storage and all sensitive data held on user devices, or refrain from storing sensitive data on devices at all. Agencies should consider deploying separate networks for BYOD users -- who include not just employees, but also contractors, business partners and vendors -- rather than mingling organization-owned and personal devices on the same network. Agencies should also take it for granted that user-owned devices will at some point acquire malware infections, the researchers urge, "and plan their security controls accordingly."
The guidance also explains two technologies, not covered in the 2009 editions, that are critical in securing telework devices.
Virtual mobile infrastructure (VMI) technologies establish a temporary secure environment, hosted on the organization's servers and displayed on the mobile device, when the teleworker needs to access the organization's data and applications. When the session ends, the environment is securely destroyed, leaving no trace of the data or applications on the mobile device.
Mobile device management (MDM) platforms can enforce an agency's security policies on mobile devices, including BYOD and vendor/contractor devices, for example by checking devices for signs that security controls have been disabled (such as a jailbroken or rooted operating system) before allowing them to connect.
Teleworkers using their own laptop computers should secure the operating system and primary applications, keep them patched, and back up all data. They should also make sure the wireless home network they use is secured, and should expect eavesdropping and interception of their traffic on any network outside the organization's control, such as public Wi-Fi.
The deadline for comments on the revised guidelines is April 15, 2016.
This article originally appeared on FCW, a sister site to GCN.
Bianca Spinosa is an Editorial Fellow at FCW.
Spinosa covers a variety of federal technology news for FCW including workforce development, women in tech, and the intersection of start-ups and agencies. Prior to joining FCW, she was a TV journalist for more than six years, reporting local news in Virginia, Kentucky, and North Carolina. Spinosa is currently pursuing her Master’s degree in Writing at George Mason University, where she also teaches composition. She earned her B.A. from the University of Virginia.