End-to-End Security
For most systems and security technologists, achieving balance between providing mobile users with adequate access to their agencies’ infrastructure while keeping the government’s IT assets secure is a constant challenge.
“People get pulled into the idea that one size fits all, but it’s not true,” points out the Environmental Protection Agency’s Vaughn Noga.
For most systems and security technologists, achieving balance between providing mobile users with adequate access to their agencies’ infrastructure while keeping the government’s IT assets secure is a constant challenge.
“People get pulled into the idea that one size fits all, but it’s not true,” points out the Environmental Protection Agency’s Vaughn Noga.
Approaches to securing remote users abound, and agencies’ choices are influenced not just by users’ needs but also by available resources.
The Overseas Private Investment Corp. opted to use Citrix XenApp rather than a virtual private network, often the de facto standard for remote access. OPIC’s David Zeppieri says this setup — which relies on two-factor authentication — lets staff members easily access agency data over the web.
“It helps us a lot where you have human capital limitations,” he says. “The users have completely transparent access to it over the web, it’s secure and it’s so much easier for everybody.”
Likewise, the Patent and Trademark Office has cut costs outfitting its remote workforce — by letting teleworkers use their own computers. To ensure security, users must implement partitioning software on their computers and access the agency network through a secure portal.
“We assess the risk of the work that’s being done,” PTO’s Rod Turk says. “Then, based on that risk, we put in place the security process that’s necessary to secure the information and data being used.”
To read about the three distinct models at EPA, OPIC and PTO, read “Out of Harm’s Way.”
Compliance and Risk
“The sophistication and level of intensity of attacks increases day by day, so it’s really important to understand what the state of security is day to day — and sometimes hour by hour,” says the National Institute of Standards and Technology’s Ron Ross.
That’s why the government’s current push on continuous monitoring is so crucial. NIST has created new guidance to help agencies in this endeavor of gathering information about their systems and networks at regular intervals to validate compliance with security policies and prioritize vulnerabilities based on risk. It’s a dynamic versus static approach to cybersecurity.
It creates the opportunity for a more sweeping approach to security, says Col. Michael Jones of the Army CIO’s Cyber Directorate. “If the entire U.S. government is on the same scoring system, we can provide a view of what the risks are across the U.S. government and compare it between departments and agencies.”
To read how some of the federal front runners — the State Department and Army among them — are tackling this effort, turn to “Ever Vigilant.”
In this issue of FedTech, we dedicate the bulk of our coverage to security themes. In addition to the pieces on remote security and continuous monitoring, we also look at trends in disaster recovery ("Down the Street"), spotlight how the Veterans Affairs Department keeps malware at bay in medical devices ("For the Health of the Network") and offer a review of a Netgear VPN firewall ("Far-Flung Connections"). There’s also an interview with Maj. Gen. Steven Smith, director of the Army Cyber Directorate.
But this issue isn’t exclusively focused on security. You will also find tech tips on migrating Active Directory ("Making the Active Directory Leap"), a feature article on RFID and wireless in federal hospitals ("Wireless Medicine"), a best practices piece on IT leases ("The Lease-Versus-Buy Question") and a review of a Lenovo all-in-one PC ("All In").
We know that security is top of mind, so we hope this issue offers insights that help you keep your users and systems safe as well as provides you tips that help boost performance.
Ryan Petersen
EDITOR IN CHIEF
