Security has come a long way since 2006, when the high-profile case of a single stolen notebook computer from a Veterans Affairs Department employee dramatically slowed the federal government’s adoption of mobile devices.
Yet the need — and the pressure — to let workers do their jobs and be productive in places other than the office has hardly abated. In fact, the realization that mobility is critical to achieving the federal government’s mission has increased significantly.
This stems in part from a growing acceptance of the productivity, environmental, and employee recruitment and retention benefits associated with telework; the recognition that mobile workers are a key part of any continuity of operations strategy during a pandemic or unexpected event (driven home by last year’s Snow-mageddon in Washington); and the set expectations and work habits of the incoming millennial generation, who are fully comfortable using mobile tools in every aspect of their lives, including the workplace.
The good news is that security technologies and security policies have finally caught up with the need and demand.
“There really is less risk today in mobile devices,” says David Graziano, operations director for security for Cisco Systems’ U.S. public-sector group. “Full-disk encryption on laptops is now pretty standard, and we’re seeing greater adoption of virtual private network technology and network admission controls to improve the security of the connectivity and improve the ability of federal agencies to enforce their security policies related to those devices.”
As a result, more agencies are embracing mobility in unprecedented ways. FedTech profiles three of those agencies, how they’re using mobility to support their mission and the approaches they’ve taken to ensure the security of remote computing.
[Sidebar: Expected number of mobile workers worldwide by 2013 (figure not preserved). SOURCE: The Mobile Workforce and Enterprise Applications, IDC]
Enabling a Mobile Workforce
The Environmental Protection Agency decided two years ago that the time was ideal to support and promote a more mobile workforce. Many EPA employees perform inspections at customer sites on a routine basis or are on the road working from regional offices.
Faced with the need for a technology refresh of approximately 12,000 of its computers, the agency for the first time opted to deploy more notebooks than desktops at its headquarters division.
“We definitely wanted to be able to facilitate the ability for our employees to access the network and do their work when they needed to, whether they were at the office or at home or in the field,” says Vaughn Noga, EPA’s chief technology officer. He notes that the refresh resulted in a 3-to-1 ratio of notebooks to desktops, an extreme flip.
Noga says the evolution of new security tools for mobile devices has succeeded in significantly reducing the risks involved in letting an IT asset leave government property. But from the beginning of the EPA plan to embrace mobility, a chief driver was making sure that the change didn’t create a new security management challenge for his team.
“We did not want a situation where we had one way of managing machines that are sitting in the office and then have to create a totally different infrastructure to manage the remote machines,” he recalls. “We wanted to make sure that we could manage a machine in the same effective way no matter where it was — whether sitting here in the office or at someone’s home or in a hotel room.”
One of the methods adopted at EPA was to fully embrace the Federal Desktop Core Configuration settings put out by the Office of Management and Budget.
[Sidebar: Percentage of the American workforce that will be mobile by 2013 (figure not preserved). SOURCE: The Mobile Workforce and Enterprise Applications, IDC]
The agency took the hard line, Noga explains, and encrypted the hard drives of not just the notebooks but also the desktops within the headquarters division. It also took the unprecedented step of minimizing the amount of access that all users have on their computers. Workers, for example, can no longer install their own software or make changes to the system that they could have made previously.
“The steps we took hardened the machines, locked them down, so to speak, and that certainly was a source of frustration for some of our users who were used to having more freedom,” Noga says. “But we’re becoming a more secure agency, and this is one of the ways that we’re doing that.”
Even so, a few minor differences between the notebooks and desktops remain. EPA outfits all notebooks with Computrace, so the team can work with law enforcement to recover a portable device in the event of a theft. Further, to ensure secure access to the EPA network, remote workers connect back to the agency over a Secure Sockets Layer VPN.
All computer users, though, must use multifactor authentication — something you have; something you know — to gain access to the internal network. What’s more, all computers — no matter their location — are automatically checked after the authentication process by the enterprise patch management and virus management utilities to make sure they have the latest virus definitions and software patches.
Noga notes that advancements in security technologies have played a key role in making a centralized security infrastructure possible. In previous years, for example, the EPA IT team wasn’t able to remotely support a mobile worker’s computer when that worker was at home or on the road, which hampered the agency’s push for more mobility. Now, though, Noga has a capability that allows remote management and control to fix performance issues or perform routine maintenance.
Having one centralized management infrastructure has been critical to EPA’s ability to not only enable mobility but also to ensure the most effective security possible, Noga says. “What this does is give us visibility across the entire environment and allow us to be more nimble, so we can respond to any issues much more quickly.”
OPIC: Gearing Up for COOP
The Overseas Private Investment Corp. has long tried to accommodate its employees’ ability to do their jobs anywhere they needed to be so they could be as productive as possible (a generous policy that recently earned the agency a No. 2 ranking for the second straight year on the Partnership for Public Service’s annual list of best places to work in the federal government).
A recent recognition of the need for a more aggressive COOP strategy convinced management that it was time to scale the agency’s mobility capabilities even higher. OPIC CIO David Zeppieri and his IT and security teams implemented infrastructure and security policies so that the entire agency could work offsite simultaneously, if necessary.
[Sidebar: Number of times a mobile worker is more likely to trigger a download alert than their office-bound colleague, indicating that employees may be less compliant with use policies when away from the office (figure not preserved). SOURCE: Symantec MessageLabs Intelligence Report]
“We had already realized the benefits associated with telework and alternate work schedules,” Zeppieri says. “However, if we had any kind of unexpected event, like a pandemic or what we saw with last year’s snow in Washington, we wanted to be able to support concurrent usage of not just 60 mobile workers, which is what we were able to handle before, but up to 500 employees and contractors.”
As a result, any staff member can now work at home or offsite, if it’s required for the job. The agency has a pool of netbooks that can be checked out and are equipped to handle the demands of international travel, which is a common need for OPIC staff members.
Approved teleworkers are allowed to access the agency network using their home computers using OPIC’s secure remote access solution with two-factor authentication. Traveling employees can use BlackBerry devices, which have international capabilities, or remotely access their desktop or webmail through a secure Internet connection.
“We figured out that we had to be really flexible in order to meet everyone’s concerns and requirements,” Zeppieri says. “And so far, we’ve never maxed out our resources, and we haven’t had any complaints about not having access to the portable devices or data needed to perform our work.”
What’s the key to this type of virtual freedom? Zeppieri points to extra-robust security that addresses not only the security risks associated with remote work but also the risks that come with having an international presence.
To Zeppieri and CISO Mary HorseChief, accurate and regular assessments of risk are a fundamental requirement for any telework plan. The team does this by continuous monitoring of the network, devices and connectivity back through the remote-access infrastructure. On an ongoing basis, Zeppieri and his team rank and prioritize the risks and then handle remediations.
Like EPA, OPIC has fervently adopted FDCC. By implementing 90 percent to 95 percent of the configuration requirements, Zeppieri says, the agency is now less exposed to the most common threats.
In addition to FDCC, OPIC implements a defense-in-depth strategy using a Blue Coat ProxySG appliance to block employees from purposefully or inadvertently linking to inappropriate websites; full-disk encryption; remote-kill capabilities for dealing with lost BlackBerrys or other mobile devices; a managed security services provider to monitor the firewalls and an around-the-clock intrusion detection system to detect potential intrusions coming in or out of the network; and Symantec Antivirus to guard against viruses and other malware at the PC level.
Zeppieri adds that agencies considering how to handle the varying requirements of mobility and security need to also recognize that the “consumerization” of technology can unknowingly impact the way work is accomplished within their environment and cause them to quickly lose control.
“The paradigm has been turned upside down, so what used to cycle through government and business first is now going straight to consumers,” he says. “As a result, agencies really have to have processes in place to manage these demands, and telework and remote access should be an ongoing interdepartmental initiative.”
PTO: Growing Securely While Saving Money
The U.S. Patent and Trademark Office has what is widely considered the most successful telework program in the government — with more than 80 percent of eligible staff members working from home on a regular basis.
When the recession hit, however, constraints on USPTO’s budget — which is completely derived from application fees for new patents and trademarks — threatened to limit the agency’s ability to continue to grow its mobile workforce.
The solution was to do away with a policy that required teleworkers to use government-furnished equipment and implement security measures that let workers use their own computers when at home.
The new policy is part of a telework option called the Enterprise Remote Access (ERA) Portal, which requires an investment of as little as $105 for a business unit to deploy a teleworker versus the standard telework setup, which cost, at a minimum, $2,800 per user.
A critical component in getting the new approach approved was making sure that there would be no increase in security risk. Rod Turk, director of the Office of Organizational Policy and Governance and CISO for USPTO, says that his team was able to build onto the robust, effective security configuration that was already in place for telework.
First, ERA Portal teleworkers had to be granted access privileges to the agency’s internal network via an SSL VPN and a web portal. Second, USPTO had to install partitioning software on each teleworker’s PC to establish a hard, impenetrable wall between work use and personal use.
“There is absolutely no crosstalk between their own part of the home computer and the part that the teleworker is using to conduct agency business,” Turk says.
Beyond that, ERA Portal teleworkers are subject to the same security measures as other USPTO teleworkers. This includes multifactor authentication using RSA SecurID tokens, full-disk encryption, network access controls that check computers for antivirus and software updates, and intrusion detection and protection tools.
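The post-authentication posture check that both EPA (above, in its patch and virus management step) and USPTO describe, as an added illustration that is not either agency's code: multifactor login must succeed first, then the client is checked for disk encryption, current antivirus definitions and current patches before being admitted or sent for remediation. The record fields, thresholds and sample devices are constructed assumptions, not values from the article.

```python
"""Network admission posture check run after multifactor authentication.
Added illustration, not EPA or USPTO code; all thresholds and records are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Assumed policy thresholds (not taken from the article).
MAX_AV_DEFINITION_AGE = timedelta(days=3)
MAX_PATCH_AGE = timedelta(days=30)


@dataclass
class DevicePosture:
    host: str
    mfa_passed: bool           # something you have + something you know
    disk_encrypted: bool       # full-disk encryption, required on every machine
    av_definitions_date: date  # last antivirus definition update
    last_patch_date: date      # last successful patch run


def evaluate(p: DevicePosture, today: date) -> Tuple[str, List[str]]:
    """Return ('allow' | 'remediate' | 'deny', list of findings).

    Stale definitions or patches are fixable by the enterprise management
    utilities, so the client is parked for remediation rather than refused.
    A missing disk encryption cannot be fixed at logon, so it is a deny."""
    if not p.mfa_passed:
        return "deny", ["multifactor authentication failed"]
    findings: List[str] = []
    if not p.disk_encrypted:
        findings.append("disk not encrypted")
    if today - p.av_definitions_date > MAX_AV_DEFINITION_AGE:
        findings.append("antivirus definitions stale")
    if today - p.last_patch_date > MAX_PATCH_AGE:
        findings.append("software patches missing")
    if "disk not encrypted" in findings:
        return "deny", findings
    return ("remediate" if findings else "allow"), findings


def run_sample() -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate four constructed devices against a fixed 'today'."""
    today = date(2010, 3, 1)
    d = lambda days_ago: today - timedelta(days=days_ago)
    devices = [
        DevicePosture("hq-desktop-01", True, True, d(1), d(5)),      # healthy
        DevicePosture("field-laptop-07", True, True, d(10), d(45)),  # out of date
        DevicePosture("home-pc-03", True, False, d(0), d(0)),        # unencrypted
        DevicePosture("field-laptop-09", False, True, d(0), d(0)),   # MFA failed
    ]
    return {dev.host: evaluate(dev, today) for dev in devices}
```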
Teleworkers are also not allowed to save any data to remote hard drives, and they must undergo mandatory security awareness training.
“We take a defense-in-depth approach so there are many layers and a lot of redundancy to our security efforts,” Turk says. “As a result, our teleworkers, no matter if they use government equipment or their own, have everything they could possibly need to work in a secure way.”
The extra effort has clearly paid off. Since its launch in 2009, the ERA Portal has enabled USPTO to add more than 360 teleworkers to its rolls, Turk says. “This has proved to be a very cost-effective and very secure way to expand our telework population.”