Oct 01 2009

Securing Teleworkers

Using government gear or personal equipment, security remains paramount and possible.

One of the challenges of telework is equipment.

Your agency’s budget might not have enough in its capital fund to provide systems at home and at the office for official teleworkers. It also might be outside of the current refresh strategy and budget to replace workers’ desktop systems with notebook computers that they can use at docking stations.

For some agencies, the equipment issue has meant telework is a no-go unless employees can use their own systems, but the security risks inherent in such a setup are often considered too high. This dilemma, however, need not be a deal-breaker, say some feds.

There are ways to allow telework without the use of government-furnished equipment (GFE), says Theresa Noll, a senior telework program analyst at the General Services Administration, who spoke at the recent Telework Exchange Town Hall Meeting in Washington.

Noll points to the extensive guidance available from the National Institute of Standards and Technology as more than up to the task of helping agencies establish secure telework initiatives using non-GFE gear.

In particular, she cites NIST 800-46 Revision 1. The latest update came out in June, and Noll says it provides good direction on security by recommending a tiered approach to remote access:

  • For GFE systems, provide access to many resources.
  • For employee-owned systems, provide limited access.
  • For individual devices such as personal digital assistants and phones, provide only web e-mail access.

“It’s important that the administrators of these devices give [users] a little advice” on how the agency wants them secured, she notes. “When interfacing with the nonpublic systems [inside an agency network], great care needs to be taken.”

That’s the approach implemented by the Overseas Private Investment Corp.

“Our employees greatly expressed that they did not want to have to be tied to a laptop to gain remote access,” says Mary HorseChief, information systems security officer at OPIC. Because many of the small agency’s staff members travel abroad, toting a notebook was a concern.

Given the agency’s budget and user needs, the goal was to provide telework support that did not use GFE, HorseChief says.

OPIC deployed Citrix MetaFrame Presentation Server so that users can launch a secure virtual desktop using RSA tokens and two-factor authentication wherever they have web access. Basically, the Citrix solution gives OPIC employees a window into the agency’s data resources without the need for portable hardware, she says.

The Conundrum

Security is admittedly a challenge, says Richard Kissel, a senior information security analyst at NIST. When data is inside the network, agencies’ IT and security teams have a fair notion of what needs to be done to protect it. The same is true once data leaves the network en route to a given remote system: “Use a Virtual Private Network, and encrypt the daylights out of it,” Kissel says.

But dealing with the data once it’s in use on systems at the other end of the communications link is a challenge, in part because of the variety of access devices in use today, says Kissel. “How do you adjust access based on what you know is out there? I’m not sure we have all the handles on that yet. Some of these devices are not easy to deal with.”

Agencies definitely want to provide access to some information via smaller devices, which have a role in telework and in supporting a more mobile workforce, notes Noll.

For smartphones, a lot of the security hinges on establishing an enterprise management capability, says David Coley, director of public-sector technical services for BlackBerry maker Research in Motion. The IT organization needs to be able to “apply security policies on the fly for all mobile users and manage software wirelessly,” Coley says. Plus, he adds, IT needs the ability to wipe any or all devices if a breach occurs.

Because smartphones may not be plugged into the network and users may not come into the office, IT needs to be able to handle upgrades and other software management tasks wirelessly.