How agencies can ensure continuity of operations
- By Eric Trexler
- Oct 26, 2020
Since 9/11, the federal government has been fixated on continuity of operations from a physical perspective. Work needed to continue even if, hypothetically speaking, the Pentagon was bombed or the data center disappeared. As such, a tremendous amount of money was spent on hard backup sites that provided redundancy for people, processing and data. Often we heard this referred to as continuity of operations or disaster recovery. Then the coronavirus pandemic presented a continuity curveball.
Few continuity plans ever factored in a long-term, wholesale shift to telework and remote operations caused by a virus that prevented personnel from working together in continuity facilities. For all their preparations, government agencies were caught mostly unprepared. The early response by many agencies had their employees working from home on emergency operations, funneling most traffic back to the data center. Other agencies moved to one week on, one week off, which inherently slowed the pace of productivity.
While today’s new normal of mass remote work is likely here to stay, government organizations are exploring new ways to adapt. The Senate, for instance, recently introduced a bill to extend full-time federal remote work, while the National Security Agency is now allowing telework for unclassified activities. The future will not be like the past. COVID-19 forced a rapid and lasting change not only in the way we work, but how we expect to work and what organizations will accept in how that work is performed. Users want flexibility and will demand it going forward.
The continuity of operations the government sought must now be reassessed via IT investments that mirror commercial sector cloud and software-as-a-service (SaaS) technologies. To ensure this massive cloud migration shift won’t result in compromised users or data, though, it must be accompanied by sufficient user monitoring. User monitoring allows agencies to employ more granular security policies and monitor data wherever it resides or moves and protect remote users, without hindering their ability to effectively perform their job duties. Let’s dig into a few specific technologies that can make continuity of operations a reality for government agencies today.
Monitor users with a CASB
In the past, remote work was executed primarily through VPNs, which extend the perimeter to the remote work location. The rapid onset of work from home due to COVID-19 caused problems when massive numbers of employees began relying on them: the sheer volume of additional remote users overwhelmed VPN concentrators and prevented reliable access to necessary services.
The good news is that the increased adoption of SaaS technologies reduces the need for VPNs. Users can reach SaaS applications directly, with the traffic brokered by a cloud access security broker (CASB) rather than backhauled through the data center, and reach the remaining private applications through zero-trust network access (ZTNA) instead of a full-tunnel VPN. This gives agencies visibility into shadow IT (unsanctioned SaaS in use), in addition to monitoring what passes through sanctioned applications. For example, if a user accesses a SaaS provider and begins screenshotting sensitive information or copying data to a memory stick, that activity can be detected and blocked; note that screenshot and removable-media events are endpoint actions, so they are seen by an endpoint agent working with the CASB, not by the network path alone. Anomalous behavior can be flagged in much the way credit card companies rapidly flag unusual consumer spending, and access can be stepped down before data leaves. By monitoring and analyzing user activity the same way they would in the office, agencies can secure an exploding number of endpoint devices.
Isolate users with remote browser isolation
Another way agencies can ensure continuity of operations is to route users' web access through a cloud-hosted remote browser, built on virtualization or containerization technology, rather than letting the local browser render untrusted content. This is far more effective than simply cutting off connectivity, as that tends to lead to even riskier workarounds, especially among remote, work-from-home users. With remote browser isolation (RBI), the browser runs in a disposable container and only rendered output reaches the endpoint, so a compromise is contained in the remote session and not on the local system, significantly reducing the attack surface. If users engage in risky activity or start acting in ways inconsistent with past behavior, it is time to mitigate the risk in real time through tools like RBI by isolating their browsing activity from their local systems and networks.
Improve user verification
Recently, social engineering attacks have been targeting remote workers, trying to trick them into surrendering their passwords so attackers can log in to the agency network as them. As already mentioned, user monitoring can detect changes in user behavior that might signal either inadvertent risk or an actual breach. The level of control should be based on the specific user's risk and the sensitivity or value of the data. While the baseline shifts with work from home (new locations, new hours, new devices), the activities that make up an individual's work duties tend to remain relatively constant over time, so a baseline can be re-learned. Tied in with zero-trust concepts such as identity, credential and access management (including multifactor authentication, which limits what a stolen password alone can achieve), behavioral analysis can be powerful in understanding user behavior and intent while also restricting or controlling access when a user is acting abnormally.
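The three sections above describe one pipeline: build a baseline of what each user normally does, flag shadow IT and abnormal activity in CASB and endpoint events, and step the response up from allowing, to isolating the session in a remote browser, to blocking. The following is an added example of that pipeline, written for this article and not Forcepoint's product logic; the log format, the sanctioned-app list, the event names `usb_copy` and `screenshot`, the point weights and the thresholds are all assumptions, and the log lines are constructed.

```python
"""Risk-adaptive user monitoring over constructed CASB-style logs.

Added example (not Forcepoint's code). Builds a per-user baseline of SaaS
usage from historical events, then scores new events for (1) shadow IT
(app not on the sanctioned list), (2) first use of an app by that user,
(3) high-risk endpoint actions such as copying to removable media, and
(4) volume anomalies relative to the user's own baseline, and maps the
score to a control: allow, isolate (remote browser), or block.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Assumed agency allow-list and assumed endpoint-agent event names.
SANCTIONED_APPS = {"mail.example-agency.gov", "docs.example-saas.com",
                   "chat.example-saas.com"}
HIGH_RISK_ACTIONS = {"usb_copy", "screenshot"}

# Constructed log lines: date,user,app,action,bytes
BASELINE_LOG = """\
2020-10-19,alice,docs.example-saas.com,download,120000
2020-10-19,alice,mail.example-agency.gov,download,80000
2020-10-20,alice,docs.example-saas.com,download,150000
2020-10-20,alice,mail.example-agency.gov,download,60000
2020-10-21,alice,docs.example-saas.com,download,130000
2020-10-22,alice,docs.example-saas.com,download,110000
2020-10-19,bob,chat.example-saas.com,download,20000
2020-10-20,bob,chat.example-saas.com,download,25000
2020-10-21,bob,chat.example-saas.com,download,22000
2020-10-22,bob,chat.example-saas.com,download,18000
"""

TODAY_LOG = """\
2020-10-26,alice,docs.example-saas.com,download,140000
2020-10-26,bob,chat.example-saas.com,download,21000
2020-10-26,bob,personal-cloud.example.net,upload,15000
2020-10-26,alice,docs.example-saas.com,usb_copy,5000000
"""


def parse(log):
    """Turn the CSV-style lines into event dicts."""
    events = []
    for line in log.splitlines():
        date, user, app, action, nbytes = line.split(",")
        events.append({"date": date, "user": user, "app": app,
                       "action": action, "bytes": int(nbytes)})
    return events


def build_baseline(events):
    """Per user: mean and population stdev of daily byte totals, plus apps seen."""
    daily = defaultdict(lambda: defaultdict(int))
    apps = defaultdict(set)
    for e in events:
        daily[e["user"]][e["date"]] += e["bytes"]
        apps[e["user"]].add(e["app"])
    baseline = {}
    for user, per_day in daily.items():
        totals = list(per_day.values())
        baseline[user] = {"mean": mean(totals), "stdev": pstdev(totals),
                          "apps": apps[user]}
    return baseline


def score_event(event, baseline):
    """Accumulate independent risk signals into a score; return (score, reasons)."""
    score, reasons = 0, []
    user_base = baseline.get(event["user"])
    if event["app"] not in SANCTIONED_APPS:
        score += 40
        reasons.append("shadow IT: unsanctioned app")
    if user_base and event["app"] not in user_base["apps"]:
        score += 10
        reasons.append("first use of this app by this user")
    if event["action"] in HIGH_RISK_ACTIONS:
        score += 50
        reasons.append(f"high-risk action {event['action']}")
    if user_base:
        # Volume anomaly: a single event larger than the user's normal daily
        # total by more than 3 standard deviations. Floor stdev to avoid /0.
        sigma = max(user_base["stdev"], 1.0)
        z = (event["bytes"] - user_base["mean"]) / sigma
        if z > 3:
            score += 30
            reasons.append(f"volume {z:.1f} sigma above baseline")
    return score, reasons


def decide(score):
    """Graduated response: isolate before blocking, block only the highest risk."""
    if score >= 80:
        return "block"
    if score >= 40:
        return "isolate"  # route the session through remote browser isolation
    return "allow"


def evaluate(baseline_log, today_log):
    baseline = build_baseline(parse(baseline_log))
    results = []
    for e in parse(today_log):
        score, reasons = score_event(e, baseline)
        results.append({**e, "score": score, "decision": decide(score),
                        "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in evaluate(BASELINE_LOG, TODAY_LOG):
        print(f"{r['user']:6} {r['app']:28} {r['action']:9} "
              f"score={r['score']:3} -> {r['decision']}  " + "; ".join(r["reasons"]))
```

On the constructed data, Bob's small upload to an unsanctioned personal cloud lands in the middle tier and is isolated rather than cut off, which is the point the article makes about not driving users to workarounds, while Alice's multi-megabyte copy to removable media from a sanctioned app is blocked because the action and the volume together exceed her baseline. In practice the weights and thresholds would be tuned per data sensitivity, and the stdev floor matters because a user with a perfectly regular baseline would otherwise produce a division by zero.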
The bottom line
As government agencies work to adapt to telework, users can be both their biggest defense and their biggest risk. Mitigating that risk today can’t mean simply cutting off connectivity. Such an approach doesn’t just decrease productivity and hinder users’ ability to do their jobs -- it can actually lead to even riskier workarounds or worker resentment. Similarly, one-time temporary solutions like having employees only work half-time are unsustainable long-term.
The good news is that IT was already changing in ways that make remote work far more seamless than it was a decade ago. The key is to supplement new SaaS and cloud-based offerings with security tools that enable detailed monitoring of user behavior: understanding what is normal, detecting when data is accessed in ways it should not be, and blocking only the highest risks. Once again, this represents far more granular and effective security than harsh, overly restrictive all-or-nothing approaches that disrupt anything resembling continuity.
Eric Trexler is vice president, global governments and critical infrastructure, at Forcepoint.