CISA outlines telework security strategies
- By Derek B. Johnson
- Apr 10, 2020
The Cybersecurity and Infrastructure Security Agency has issued new emergency guidance to help federal agencies securely manage the surge in telework resulting from the COVID-19 outbreak.
The guidance offers telework-specific recommendations on capabilities like backup and recovery, log management, configuration management, incident response, authentication, vulnerability assessment, shared services and others. However, CISA is also taking a more strategic approach, helping agencies align their web traffic and data connections with authorized policies, protect the confidentiality and integrity of that traffic, promote the use of applications and services that ensure continuity of operations and allow for timely reaction and adaptation by agencies to newly discovered threats.
The guidance gives agencies three telework options for employees accessing "resources on the agency campus, agency-sanctioned cloud services and on the public web." Each choice, CISA said, presents "unique risks and corresponding security capabilities."
The first option allows teleworkers to directly access cloud service provider resources; capabilities normally provided by the agency through an internal Trusted Internet Connection (TIC) or its service provider are duplicated, and policy enforcement is conducted at the CSP and user levels.
The second option involves teleworkers establishing a protected connection to agency networks and accessing cloud resources from there, with the agency, CSP and teleworkers all involved in enforcement. This method could result in increased latency, network congestion and other performance issues.
The third option allows teleworkers to connect through a cloud access security broker to access agency-sanctioned CSP resources. CISA advises that both the agency and teleworker should use the same broker or security-as-a-service to ensure enforcement parity.
The new guidance warns agencies that the shift to a largely remote workforce will open up new possibilities for malicious hackers and make it harder to ensure compliance.
"Telework environments can present significant challenges associated with mitigating email-based threats (e.g., phishing). This challenge is amplified by the reality that agencies have limited visibility or control over remote user devices, as the email service may be the only opportunity for meaningful policy enforcement," the document said.
The guidance is temporary and explicitly states it will expire at the end of the year. However, an email from a CISA spokesperson said that agency officials will look to incorporate lessons learned in future iterations of the TIC program.
This article was first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a former senior staff writer at FCW.