May 04 2011

Avoiding a Bitter End

Remote access appliances and kits help agencies let in friends and keep out foes.

Craig Sherman at the Federal Housing Finance Agency finds himself in a situation that other IT executives in government can probably relate to: His agency must provide secure remote access to several hundred employees while simultaneously keeping its work as open and transparent as possible to the public.

Sherman is deputy CIO at FHFA, an agency created in 2008 from other government financial organizations to oversee federal mortgage activities. He says that FHFA has beefed up its information security program in part to support its roving workforce. With approximately 500 employees and a robust telework program, the agency has to provide network connectivity to multiple sites, and the set of sites can change from day to day, Sherman points out.

"Access control devices provide an extra layer to the other defenses," Sherman says. "This is critical because much of the data that the agency stores and uses is either business sensitive or nonpublic data. It must be protected from inadvertent or deliberate misuse, disclosure or destruction."

FHFA is in the process of deploying a Cisco Systems network access control (NAC) solution to serve as its guardian at the access point.

Agencies increasingly are relying on this and similar technology solutions, implementing devices for identity verification, endpoint security and network foundation security, says industry analyst Dan Kusnetzky, founder of Kusnetzky Group. These tools scale well and are easy to deploy and use at remote sites, he says.


"Many early security solutions assumed the people in the buildings are safe and the people out of the building are not safe," Kusnetzky says. "If the staff is mobile, all of the diversity creates a challenge to security schemes that rely on physical control."

Layer by Layer

That certainly describes the situation faced by FHFA, the Federal Deposit Insurance Corp. and the Defense Information Systems Agency, which have all deployed access control as another layer of protection for their on-the-go workforces.

At FHFA, Sherman says, the agency had previously used several hardware and software tools from the legacy agencies that were its forebears. But it was tricky to combine, maintain and operate such a mix of products and to be assured that the agency had adequate endpoint protections, he says.

The agency uses several layers to assess whether remote users are security risks. Physical access to the workspace is controlled using cameras, guards and access-card mantraps. FHFA also uses passwords and security tokens for two-factor authentication for network access.

Implementing the Cisco appliances has helped FHFA maintain authorization records for network and system access, something that challenged the agency previously, Sherman says.

"Access control devices provide protection from unauthorized network traffic while reporting the type of equipment and location of the attempted access," Sherman says. "This provides useful information for investigating unauthorized access attempts and for preventing future attempts."

Like their counterparts at FHFA, the audit teams at FDIC lead a nomadic existence. Charged with insuring bank deposits, FDIC audit teams spend their days on a never-ending quest to inspect banks across the country.

Given the economic climate, the audit teams' workload has grown steadily. The result? FDIC auditors in field and regional offices move rapidly from one bank location to the next and need to log in to the agency's network as they pore over bank assets and determine whether individual banks are financially sound or should be closed.

"We need to make sure that access to corporate data is secure," says FDIC's Ned Goldberg, IT deputy director and chief information security officer. "We are not operating from set places all the time. A lot of our work is done offsite."

To provide its audit teams with secure, mobile and seamless access, the agency relies on secure portable wireless networks that the teams can pop up on location.

FDIC uses the Aruba Networks MC-800 mobility controller, a deployable remote wireless network kit that combines a preconfigured LAN and Aruba access points.

Goldberg says the access control devices are critical because the FDIC has more than 6,400 employees in field and regional offices who are using the agency's network.

"We have to stay agile," he says. "There are new threats every day."

The mobility controller features a policy enforcement firewall that blocks traffic from external users reaching the FDIC network over ports the policy does not permit, and it includes access point software that lets the kit connect to the FDIC network as soon as it is set up.

"Even though we have added additional security to our corporate resources and network, there is no perfect security short of cutting the wire," Goldberg says. "It's a juggling act."

From Afar

The network access needs of the Defense Information Systems Agency dwarf those of FHFA, and its users are more far-flung than those at FDIC. Even so, DISA's approach to ensuring that warfighters can access and share highly sensitive data only with those who need it is similar.

With 7,180 end users in 29 field offices around the world, DISA has implemented the Cisco Network Admission Control solution to help analyze and control all devices seeking access to the agency's network. Cisco NAC lets the agency validate endpoints before they are admitted, checking that each one complies with DISA security policies and runs current software and security protections.
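The admission decision described above, as an added example: this is not DISA's deployment or Cisco NAC code, but a minimal posture check of the same shape. An agent or scanner reports what the endpoint is, where it is and what state it is in; the check compares that report with a policy and returns ADMIT, QUARANTINE (send to a remediation network and re-check) or DENY together with the reasons, and that result is what gets written as the authorization record. The policy thresholds, field names and sample reports are all constructed for illustration.

```python
"""Endpoint posture check of the kind a NAC makes at admission time.

Added example, not any agency's or vendor's code. Policy values and the
endpoint reports below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Constructed policy thresholds (hypothetical, not a real baseline).
POLICY = {
    "allowed_device_types": {"laptop", "desktop"},
    "min_os_build": {"windows": (6, 1, 7601), "macos": (10, 6, 7)},
    "min_agent_version": (4, 9, 0),
    "max_av_signature_age_days": 3,
    "required_settings": {"firewall_enabled": True, "disk_encrypted": True},
}


@dataclass
class EndpointReport:
    """What the agent or scanner sends: identity, equipment, location, posture."""
    host: str
    user: str
    device_type: str
    location: str
    os_family: str
    os_build: tuple
    agent_version: Optional[tuple]   # None means no agent: an unmanaged endpoint
    av_signature_age_days: int
    settings: dict = field(default_factory=dict)


def evaluate(report: EndpointReport, policy=POLICY):
    """Return (decision, reasons).

    Hard failures (equipment or OS the policy cannot assess at all) DENY.
    Posture drift (stale AV, old build, missing setting, no agent) QUARANTINEs
    so the host can remediate and be re-checked instead of being locked out.
    """
    hard, soft = [], []

    if report.device_type not in policy["allowed_device_types"]:
        hard.append(f"device type {report.device_type!r} not permitted")

    baseline = policy["min_os_build"].get(report.os_family)
    if baseline is None:
        hard.append(f"unsupported OS family {report.os_family!r}")
    elif report.os_build < baseline:            # tuples compare lexicographically
        soft.append(f"OS build {report.os_build} below baseline {baseline}")

    if report.agent_version is None:
        soft.append("no NAC agent: unmanaged endpoint")
    elif report.agent_version < policy["min_agent_version"]:
        soft.append(f"agent {report.agent_version} older than {policy['min_agent_version']}")

    if report.av_signature_age_days > policy["max_av_signature_age_days"]:
        soft.append(f"AV signatures {report.av_signature_age_days} days old")

    for name, wanted in policy["required_settings"].items():
        if report.settings.get(name) != wanted:
            soft.append(f"{name} must be {wanted}")

    if hard:
        return "DENY", hard + soft
    if soft:
        return "QUARANTINE", soft
    return "ADMIT", []


def authorization_record(report, decision, reasons, now=None):
    """Audit entry: who tried, from what equipment and where, and the outcome."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "time": stamp, "user": report.user, "host": report.host,
        "device_type": report.device_type, "location": report.location,
        "decision": decision, "reasons": reasons,
    }


# Constructed sample reports.
COMPLIANT = EndpointReport("fo-lt-0142", "jdoe", "laptop", "field office 12",
                           "windows", (6, 1, 7601), (4, 9, 2), 1,
                           {"firewall_enabled": True, "disk_encrypted": True})
STALE_AV = EndpointReport("fo-lt-0177", "asmith", "laptop", "hotel wifi",
                          "windows", (6, 1, 7601), (4, 9, 2), 9,
                          {"firewall_enabled": True, "disk_encrypted": True})
PHONE = EndpointReport("unknown", "guest", "phone", "lobby",
                       "ios", (4, 3, 0), None, 0, {})

if __name__ == "__main__":
    for rep in (COMPLIANT, STALE_AV, PHONE):
        decision, why = evaluate(rep)
        print(authorization_record(rep, decision, why))
```

The split between hard and soft failures is the design point: a quarantine result keeps the reasons attached so the remediation network can tell the user what to fix, while every outcome, including ADMIT, is recorded with equipment type and location so that later investigation of an access attempt has something to work from.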

"Data accessibility is a constant balancing act, and DISA is focused on ensuring that we can deliver the data when and where our end users need it," DISA CIO Henry Sienkiewicz says. "The changing nature of the data consumption from our users — warfighters, customers, service providers, developers — makes understanding the nuances of delivery an ever-evolving framework."

Network administrators at DISA can now authenticate and authorize remote users and their machines before they reach the network. Deploying Cisco NAC has enabled the agency to improve its security posture and reduce its risk exposure, Sienkiewicz says.

"Access controls represent the next step," he says. "The agency is committed to continual improvement, and this installation of the next level of control is a natural step in that evolution. For us, the key is to recognize the risks and accept the appropriate risk or provide mitigation."
