During the COVID-19 outbreak, agencies have shifted much of their workforce to telework. The strain on existing infrastructures has made headlines, whether it be the DoD asking employees to avoid non-essential services while on the VPN or other agencies staggering work schedules and limiting overall Citrix users. Further complicating these issues is the increase in cloud-based resources.
I recently heard from an agency user attempting to participate in a required training session. Even though the training was hosted in the cloud, the user needed to use the overburdened VPN to access it, and the result was poor video quality. The problem is clear: current remote access systems were not scoped for this flood of users.
As it always seems to be, while IT operations and security teams deal with new complexities and challenges, malicious actors see newfound opportunities. CISA recently released a new alert (AA20-073A) that includes the following considerations regarding teleworking:
- As organizations use VPNs for telework, more vulnerabilities are being found and targeted by malicious cyber actors.
- As VPNs are 24/7, organizations are less likely to keep them updated with the latest security updates and patches.
- Malicious cyber actors may increase phishing emails targeting teleworkers to steal their usernames and passwords.
- Organizations that do not use multi-factor authentication (MFA) for remote access are more susceptible to phishing attacks.
- Organizations may have a limited number of VPN connections, after which point no other employee can telework. With decreased availability, critical business operations may suffer, including IT security personnel’s ability to perform cybersecurity tasks.
The COVID-19 stimulus bill passed in March provided agencies the resources necessary to address telework infrastructure and security needs. Rather timely to this funding, there is new guidance from OMB regarding updates to TIC 2.0, providing the ability to use cloud-based solutions to assist with these issues. More specifically, the OMB memorandum regarding TIC 3.0 provides for the following new use case:
Remote Users: This use case is an evolution of the original FedRAMP TIC Overlay (FTO) activities. This use case demonstrates how a remote user connects to the agency’s traditional network, cloud, and the Internet using government-furnished equipment (GFE).
So how can agencies leverage these new TIC 3.0 guidelines to alleviate current strain and security concerns, while future-proofing their investments? TIC 3.0 allows agencies to modernize and move towards embracing a zero trust architecture (ZTA) by removing the outdated “trusted vs. untrusted” model and instead focusing the perimeter around the endpoint. To do this, the focus should be on the following key principles:
- Remove traffic destined for the cloud from current remote access infrastructure, thus lessening the load on the overburdened systems.
- Leverage the scalability and elastic nature of the cloud to deal with any further unexpected surges of remote access.
- Institute the principle of least privilege for remote access to overcome some of the shortcomings of VPN technologies.
- Where possible, move to an “identity as the perimeter” approach, targeting security at the remote user.
- Secure both new and legacy applications as the move to ZTA occurs, thus ensuring critical legacy systems are not left unsecured.
- Provide the least amount of friction to the end-users!
By embracing TIC 3.0 and ZTA, agencies can augment current remote access capabilities (VPN, Remote Desktop, Citrix, etc.) by providing access to cloud applications without the need to use old remote access systems. Further, this can be done alongside the current infrastructure, avoiding the dreaded “rip and replace,” and increasing security along the way.
At Merlin, we scout innovative, emerging technologies and establish technology partnerships that allow us to effectively implement unique remote access strategies that incorporate zero trust principles. As the model below illustrates, we provide end-to-end secure access, leveraging highly scalable and elastic solutions. Using cloud-based and cloud-native technologies like Okta and Netskope Private Access can increase security while lessening the load on remote access infrastructures. Adding Silverfort unique SSO capabilities can bring those legacy systems into the security of today.
While there is no quick fix for legacy remote access systems, agencies can take the first steps in their zero trust journey while augmenting the capacity of current systems and increasing overall security.