May 14 2007

Snug @ Home

As telecommuting expands, the government's IT shops must find ways to outfit employees with the technology and security they need to work from home.

Photo: Ron Aira
Joe Hungate, assistant inspector general for IT for Treasury's IG for tax administration

Think of prep work for telecommuting as a mini, techno-version of an HGTV home improvement show. But instead of spicing up a room with new decor, agencies' information technology staffs are decking out home offices with new high-tech gear.

The tools agencies provide teleworkers vary. But those with large numbers of teleworkers generally supply computers, high-speed Internet connections, cell phones (and often second phone lines), and enough security to foil even the most determined hackers.

The Patent and Trademark Office's IT team makes house calls to install its package of telework hardware and software. At the Treasury Inspector General for Tax Administration Office, it's more of a do-it-yourself job for teleworkers. But for both PTO and TIGTA, help desk support is just a phone call away for teleworkers having technical difficulties.

"What makes teleworking possible is the technology infrastructure we provide. Workers can be anywhere," says Joe Hungate, assistant inspector general for IT at the Treasury Department agency.

To increase mobility, every TIGTA employee receives a notebook PC. Telecommuters who work from home at least twice a week can designate their homes as their primary offices. The agency will then furnish them with 17-inch monitors, full-size keyboards and printers.

For communications, Treasury workers choose between a cell phone or second phone line. The agency foots the bill for the installation of a Digital Subscriber Line or cable Internet access. After that, it splits the monthly cost with the employee.

"If teleworkers
use government
IT staff can
more easily
control system
and the software installed on
and enforce
user policies."
— Systems analyst Jeff Wilson

PTO has similar policies but pays each telecommuter's Internet service bill in full. The Commerce Department agency provides desktop PCs to workers who live within 50 miles of the office. Employees living even farther out receive notebook PCs, says Deborah Cohn, group director of PTO's trademark law offices. An IT crew visits each telecommuter's home to install and set up systems and also to provide security training.

As their telecommuting workforce has grown, PTO and TIGTA have given prominence to systems security requirements to assure they safeguard not only the systems but the sensitive data that travels across their networks.

To make teleworkers' systems as secure as possible, principal systems analyst Jeff Wilson, of Infonetics Research in San Jose, Calif., recommends that agencies install virtual private networks (VPNs) so employees can create protected connections from their computers to agencies' networks via the Internet.

To secure back-end servers on the network, agencies must keep them behind firewalls and deploy intrusion detection and prevention programs, he adds.

TIGTA has done just that. Employees tap a Treasury VPN on their notebooks. The VPN lets them access e-mail and retrieve files. On the back end, the agency has installed VPN equipment and firewalls that let only authorized traffic cross the firewall. The VPN software also encrypts all data exchanges between a teleworker's computer and the agency's servers.

"Our VPN solution allows end-to-end encryption. The National Security Agency could probably break in and figure what we're doing, but we're on the same side," Hungate says. "For the casual hacker, it's virtually impenetrable."

TIGTA also encrypts its Microsoft Outlook e-mail to protect messages and attachments, and to make sure they can be read only by the appropriate recipients.

The agency's IT staff monitors the network continuously, Hungate says. The network detection applications scan not only for attack attempts from outside the network but for tampering by the agency's own employees. If the tools turn up an anomaly, an alert is sent via e-mail or pager to the IT staff.

Infonetics' Wilson adds that for end-user systems, agencies must also install antivirus software, personal firewall software, spyware tools and the Microsoft Windows XP Service Pack 2, which includes patches for privacy and security.

At TIGTA, personal firewall software protects computers that use DSL and cable modems from hackers.

But for stronger protection, agencies should consider outfitting workers with firewall hardware connected to their modems, Wilson says. Without this added security layer, hackers could potentially open a hidden VPN tunnel and steal sensitive data, he warns.

Wireless Wariness

The addition of wireless services further complicates the security challenge, Wilson says. IT staff members who work for agencies that allow wireless networks must educate employees about the importance of using password protection and enabling all built-in features to encrypt data transferred over the network, he says.

TIGTA doesn't allow teleworkers to use wireless, Hungate says, and doesn't plan to until the industry improves wireless security standards, which he believes will happen within two years.

"We are dealing with highly sensitive taxpayer data. We can't accept any risks," he says.

Creating stringent telecommuter security policies, such as automatic shutdowns of VPN sessions on unattended computers, also will improve security, according to Wilson. And to help prevent viruses and spyware from infecting computers, agencies need to create Web-surfing rules that restrict the sites employees can access. For example, some spyware can track users' keystrokes, potentially revealing their passwords.

If teleworkers use government computers, IT staff can more easily control system configurations and the software installed on machines, and enforce user policies, Wilson says. But if employees telework from their own PCs, antivirus software, personal firewall software and spyware tools will at least provide basic security.

The bottom line is obvious, Wilson says: Just as in a government office, a remote home office requires vigilance to assure security.