CISA outlines telework security strategies

The Cybersecurity and Infrastructure Security Agency has issued new emergency guidance to help federal agencies securely manage the surge in telework resulting from the COVID-19 outbreak.

The guidance offers telework-specific recommendations on capabilities like backup and recovery, log management, configuration management, incident response, authentication, vulnerability assessment, shared services and others. However, CISA is also taking a more strategic approach, helping agencies align their web traffic and data connections with authorized policies, protect the confidentiality and integrity of that traffic, promote the use of applications and services that ensure continuity of operations and allow for timely reaction and adaptation by agencies to newly discovered threats.

The guidance gives agencies three telework options for employees accessing "resources on the agency campus, agency-sanctioned cloud services and on the public web." Each choice, CISA said, presents "unique risks and corresponding security capabilities."

The first option allows teleworkers to access cloud service provider (CSP) resources directly. Certain capabilities normally handled by the agency through an internal Trusted Internet Connection (TIC) or a service provider are duplicated, and policy enforcement takes place at the CSP and user levels.

The second option involves teleworkers establishing a protected connection to agency networks and accessing cloud resources from there, with the agency, CSP and teleworkers all involved in enforcement. This method could result in increased latency, network congestion and other performance issues.

The third option allows teleworkers to connect through a cloud access security broker to access agency-sanctioned CSP resources. CISA advises that both the agency and teleworker should use the same broker or security-as-a-service to ensure enforcement parity.

The new guidance warns agencies that the shift to a largely remote workforce will open up new possibilities for malicious hackers and make it harder to ensure compliance.

"Telework environments can present significant challenges associated with mitigating email-based threats (e.g., phishing). This challenge is amplified by the reality that agencies have limited visibility or control over remote user devices as the email service may be the only opportunity for meaningful policy enforcement," the document said.

The guidance is temporary and explicitly states it will expire at the end of the year. However, an email from a CISA spokesperson said that agency officials will look to incorporate lessons learned in future iterations of the TIC program.

This article was first posted to FCW, a sibling site to GCN.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.
