This blog is an excerpt of GovLoop’s recent industry perspective, How Proper Authentication Can Enable Government To Be Productive and Secure. Download the full perspective here.
The proliferation of access points has added to the problem of keeping information safe. Gone are the days when IT managers had to worry only about the desktops within the office building. Now data is being accessed from remote work centers and employees’ homes or positions in the field, plus mobile devices and more.
Here are four main access points to watch out for:
Remote access
Telework and green computing initiatives throughout the government have contributed to the growth of and challenges with remote access. The federal workforce is more distributed today than it’s ever been.
“The whole idea is to be able to properly authenticate who that remote worker is, and then make sure that the data is cryptographically secure end-to-end,” McPeak said. “So there’s data at rest, data in transit and data in storage on the infrastructure side. Being able to manage that is obviously complex.”
SaaS applications
SaaS is a licensing and delivery model in which software is licensed on a subscription basis and centrally hosted. In essence, users are borrowing the software instead of installing it on their computers. Because government agencies usually also pay only for what they use, the appeal of SaaS applications is obvious: They save money and space because fewer machines are needed. But there are cons, too.
“When you have disparate software components, each one in turn needs to be managed, patched, updated and tracked for version control,” McPeak said. “Agencies also must make sure that none of those cloud-based software components are providing additional complex attack surfaces for hostile adversaries and be able to identify what the attack surface is and how to secure it.”
Cloud-based file-sharing applications
Popular applications such as Dropbox and Google Drive let data flow freely, with security often depending on the vendor. A January 2014 report by the Ponemon Institute found that 69 percent of IT and IT security respondents were not likely to know whether employees were using unapproved and risky file-sharing tools.
Cloud-based file sharing comes down to managing permissions – which users should have access to what files. Agencies need to ask cloud infrastructure providers if they offer Federal Risk and Authorization Management Program-certified controls and whether they are living up to their service-level agreements, McPeak said.
BYOD
The issue of whether employees can use their own mobile devices to conduct government work, including accessing government networks via the device, has been ongoing for years. As smartphones and tablets become commonplace and the devices’ capabilities grow, the debate over how to handle this problem continues.
“That poses a lot of interesting challenges for large enterprises, but especially for federal,” Kevin McPeak, a Symantec Security and Mobility Architect, said about BYOD.
“For example, if the device is managed, then an employee may be concerned about their location being tracked even when they’re off-duty.”
Another problem is separating personal content and applications from government ones. The answer is mobile device management, or a federal agency app store that provisions specific apps out to that endpoint. That way, the work-related apps are wrapped and secure, and the agency can stream specific content and revoke access to certain types of content.