A Prescriptive Approach on How to Respond to the Rapid Surge of Telework and IT Services
DHS CISA recently published an Interim Telework Guidance to support federal civilian agencies as they deal with the surge in teleworking. The guidance was issued to help agencies leverage existing resources to secure their networks and comes on the heels of the pandemic crisis as agencies face challenges with insufficient capacity and legacy infrastructure.
The DHS guidance specifically addresses the scenario of remote users connecting to agency-sanctioned cloud services. While this interim guidance is temporary and does not represent a particular TIC 3.0 use case, it will be integrated into the TIC 3.0 remote user use case. Importantly, it provides a blueprint for constructing resilient and flexible infrastructure ready to support what perhaps will become a “new normal” of ubiquitous cloud services supporting a remote workforce and digital citizen services.
Cloud Services, Network Challenges and Recommended Approach
It’s no surprise that cloud is the main focus of the guidance, as many agencies have moved IT services to the cloud (e.g., email, collaboration, CRM). With the sudden surge of remote teleworkers, agencies’ network bandwidth, VPN devices and cybersecurity stacks are strained. This is a result of traffic hairpinning, where remote workers’ traffic is backhauled through centralized Trusted Internet Connections before it reaches the cloud service. Legacy network architecture in the federal government is not optimized for the shift to a user-centric, direct-to-cloud network model.
With the telework guidance, CISA recognizes the need for agencies to support a more user-centric, direct-to-cloud network architecture. It provides guidance on how to effectively secure network traffic specifically for remote teleworkers connecting to cloud services. Using policy enforcement points and management services, remote users can securely connect to agency-approved cloud services without the need for hairpinning.
Components of a Secure Remote Workforce
What constitutes a secure telework environment? First, it helps to understand a couple of the constructs that CISA illustrates in their guidance, and defines more broadly in TIC 3.0 documentation: Policy Enforcement Point and Management Entity.
A Policy Enforcement Point is a security device, tool, function or application that enforces security policies through technical capabilities. Essentially, it’s a logical insertion point for control, manifested through policies. A Management Entity is a notional concept: an entity that oversees and controls the protections for data. It can be represented by an organization, a network device, a tool, a function or an application. Basically, the management entity becomes an aggregation point for policy information, such that IT has control and the ability to analyze and make intelligent decisions.
With an understanding of these two constructs, we can logically think about the secure telework scenario in terms of three key components: Endpoints & Identities, Cloud Services, and Enterprise Cyber Infrastructure.
These three components serve as our management entities and as logical insertion points for policy enforcement. In this blog series, we will discuss the technologies, how they are applied, and how we can align with the security best practices in CISA’s guidance.