6 metrics for evaluating telework risk, security capabilities and preparedness
- By Patrick Perry
- Jun 02, 2020
After rapidly shifting to a mass telework environment, the federal government is evaluating security controls and risk management policies so agencies can continue remote work now and into the future.
“There is a new way of doing business,” Defense Department Principal Deputy CIO Essye Miller said at a May 6 conference. “We have to define what that looks like based on the mission.”
Defense agencies redefining their security for remote workers should evaluate current infrastructure and potential vulnerabilities so they can adjust controls and align technology, security and operations. For that evaluation, they should also consult the security, telework and remote access (RA) best practices outlined in the National Institute of Standards and Technology’s (NIST) Special Publication 800-46.
Agencies can also assess their risk, security capabilities and preparedness against the following six telework health metrics:
Evaluation metric #1: Scalability during continuity-of-operations scenarios
Initially, DOD organizations did not have the bandwidth or throughput to meet mass telework needs. Joint Regional Security Stacks were not built to support a near total shift to teleworking, which amplified ongoing concerns around performance, reliability, latency and cost.
Many defense agencies have increased remote capabilities and bandwidth. Now, however, they must ensure these capabilities are scalable, cloud-based solutions that can accommodate the expanding mobile workforce and “consolidate infrastructure, leverage commodity IT functions, and eliminate functional redundancies, while improving continuity of operations,” as outlined in the DoD Cloud Computing Security Requirements Guide.
Evaluation criteria: Organizations proactively moving to scalable cloud-native capabilities should receive higher scores than those responding to crisis by modifying current architecture to grow capacity.
Evaluation metric #2: Infrastructure exposure to external attack
Traditional RA models allow for more appliance-based capabilities through ports, protocols and IP spaces. However, the more openings there are, the larger the attack surface.
Instead, agencies should embrace a solution that only requires one outbound port (a 443 connection) open to a specific subset of IP addresses (a security cloud provider). Agencies and cloud service providers should look to the Defense Information Systems Network Cloud Connection Process Guide to navigate DOD assessments and connection processes.
Evaluation criteria: Agencies that have a single secure outbound port to a subset of IP addresses score more points than those using inbound ports, a greater number of outbound ports or a broad range of IP addresses.
Evaluation metric #3: User capability management through modern and unified authentication, authorization and accounting
As IT administrators update user policies to accommodate a remote user base, they should consolidate the tools that manage authentication, authorization and accounting (AAA). If agencies use complex tools with multiple interfaces, methodologies and terminologies, there is increased risk of undetected threats.
Instead, a modern access approach, such as zero-trust, will wrap policies around the users so that administrators can ensure full visibility and control through a central control plane while providing a seamless user experience.
Evaluation criteria: Higher scores go to agencies using a central control plane to manage, administer and log user abilities in one place, and lower scores to those with a more complex set of tools to manage and analyze AAA.
Evaluation metric #4: Level of access granted to remote users
Federal employees working remotely need access to the right agency resources and applications, but access to unnecessary resources should be limited. Therefore, agencies’ RA capabilities should both isolate application access and verify users before granting access. Zero trust provides the required level of authentication, which reduces the attack surface.
Evaluation criteria: Higher scores for verifying and granting access to remote users without ever placing them on the network. Lower scores for agencies using legacy RA technology to place the user directly on the network, as if they are connecting locally.
Evaluation metric #5: Effort level required to maintain remote access infrastructure
Defense agencies following the DoD Secure Cloud Computing Architecture Functional Requirements will “proactively and reactively provide a layer of overall protection against attacks upon the DISN infrastructure.”
Agencies that maintain appliance-based RA solutions must constantly update firmware, software, security and policies as technology changes and adversaries advance. Furthermore, in a time of emergency, their assurance of availability creates a demand for infrastructure to be built at N+1 for high availability with possible scalability of locations. This further expands the problem of sustaining an appliance-based RA solution.
If agencies shift to a software-as-a-service cloud model, they will reduce maintenance upkeep and improve scalability, giving them a much more proactive approach with less maintenance overhead while providing the same level of security in the cloud that is typical for physical data centers.
Evaluation criteria: Give higher scores to agencies leveraging a cloud-native SaaS model to decouple maintenance upkeep and lower scores to those maintaining a distributed hardware/software infrastructure, requiring many specialized skill sets to maintain.
Evaluation metric #6: Method of protecting remote users accessing the internet
Virtual private networks (VPNs) and legacy architecture were designed before mass cloud adoption and teleworking and cannot meet the heightened level of access and security now required. As users connect through legacy VPNs and then back out to the internet, there is increased latency and a poor user experience. As a result, many remote users bypass the VPN, and with it all security measures, to access the internet directly, exposing the network to external malicious activity.
Instead, agencies should embrace a platform that offers “direct to internet” and “direct to application” security capabilities to provide fast, secure access for all users.
Evaluation criteria: Give a higher score if an organization provides RA to users through “direct to internet” and “direct to application” security capabilities and a lower score if the organization pushes all internet-bound traffic through a VPN.
A path forward: Cloud
These evaluation criteria provide a baseline for a telework health scorecard to help evaluate risk posture and identify the most pressing areas for improvement.
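As an added example (not code from the article or any agency program), the six evaluation criteria can be turned into a small, repeatable scorecard. The data model, field names, the 0/1/2 scale and the two sample postures below are all constructed for illustration; only the exposure metric inspects actual data, by checking edge rules for inbound openings, for outbound ports other than 443, and for how much address space the outbound rules reach.

```python
# Telework health scorecard: encodes the article's six evaluation criteria as
# scoring rules. All field names, thresholds and sample postures are
# constructed for this example (0 = lower score, 2 = higher score per metric).
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass
class RemoteAccessPosture:
    """Facts an assessor collects about one agency's remote-access setup."""
    scaling_model: str            # "cloud-native" or "appliance-expansion"
    firewall_rules: list          # (direction, port, cidr) tuples at the edge
    aaa_tools: int                # number of distinct tools used for AAA
    central_control_plane: bool   # one place to manage, administer and log
    places_user_on_network: bool  # legacy RA drops the user onto the LAN
    maintenance_model: str        # "saas" or "self-managed"
    internet_egress: str          # "direct" or "vpn-hairpin"


def score_scalability(p):
    # Metric 1: proactive cloud-native capacity beats crisis-driven expansion.
    return 2 if p.scaling_model == "cloud-native" else 0


def score_exposure(rules):
    # Metric 2: any inbound opening is the worst case; a single outbound 443
    # towards a narrow destination set is the best case; anything else is middling.
    if any(direction == "inbound" for direction, _, _ in rules):
        return 0
    outbound_ports = {port for direction, port, _ in rules if direction == "outbound"}
    reachable = sum(ip_network(cidr, strict=False).num_addresses
                    for direction, _, cidr in rules if direction == "outbound")
    if outbound_ports == {443} and reachable <= 256:   # assumed "subset" bound
        return 2
    return 1


def score_aaa(p):
    # Metric 3: consolidated AAA behind a central control plane.
    if p.central_control_plane and p.aaa_tools == 1:
        return 2
    return 1 if p.central_control_plane else 0


def score_access_level(p):
    # Metric 4: verify and grant access without placing the user on the network.
    return 0 if p.places_user_on_network else 2


def score_maintenance(p):
    # Metric 5: a SaaS model decouples maintenance upkeep from the agency.
    return 2 if p.maintenance_model == "saas" else 0


def score_internet_protection(p):
    # Metric 6: direct-to-internet/application beats hairpinning through a VPN.
    return 2 if p.internet_egress == "direct" else 0


METRICS = [
    ("scalability", score_scalability),
    ("exposure", lambda p: score_exposure(p.firewall_rules)),
    ("aaa", score_aaa),
    ("access_level", score_access_level),
    ("maintenance", score_maintenance),
    ("internet_protection", score_internet_protection),
]


def scorecard(p):
    """Return per-metric scores, the total (max 12) and the metrics to fix first."""
    scores = {name: fn(p) for name, fn in METRICS}
    total = sum(scores.values())
    weakest = sorted(name for name, s in scores.items() if s == 0)
    return scores, total, weakest


# Constructed sample postures: a legacy appliance-based setup and a cloud-native one.
LEGACY = RemoteAccessPosture(
    scaling_model="appliance-expansion",
    firewall_rules=[("inbound", 443, "0.0.0.0/0"), ("inbound", 1194, "0.0.0.0/0"),
                    ("outbound", 443, "0.0.0.0/0")],
    aaa_tools=3, central_control_plane=False, places_user_on_network=True,
    maintenance_model="self-managed", internet_egress="vpn-hairpin")

MODERN = RemoteAccessPosture(
    scaling_model="cloud-native",
    firewall_rules=[("outbound", 443, "203.0.113.0/24")],   # documentation range
    aaa_tools=1, central_control_plane=True, places_user_on_network=False,
    maintenance_model="saas", internet_egress="direct")

if __name__ == "__main__":
    for label, posture in (("legacy", LEGACY), ("modern", MODERN)):
        scores, total, weakest = scorecard(posture)
        print(f"{label}: {total}/12 {scores} fix first: {weakest}")
```

The thresholds (the 0/1/2 scale, the 256-address bound for a "subset" of IP addresses) are assumptions to be tuned per organization; the point is that each metric becomes a function of collected facts, so the scorecard can be re-run as the posture changes rather than filled in by hand.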
When evaluating an agency’s risk management against these metrics, IT managers should consult NIST guidelines: NIST SP 800-53 to ensure baseline security and to tailor controls for the appropriate impact level, and NIST SP 800-59 for identifying an information system as a national security system.
After the initial effort to scale telework and support mission operations in the wake of the pandemic, it will be important that defense agencies take these steps to evaluate their security and risk posture for long-term telework capabilities.
Consider the move to a multitenant cloud platform with zero trust access, which can scale while providing comprehensive security and an improved user experience.