5 Steps to Secure Remote AccessNIST Revises its Guide to Enterprise Telework and Remote Access Security
With nearly 95,000 federal workers that's almost 8 percent of the government workforce telecommuting at least part time, information security managers face the constant challenge of assuring that data and systems remain safe from those accessing them remotely.
To help federal government information security managers secure work conducted offsite, the National Institute of Standards and Technology in February updated its guide on maintaining data security for telework: Guide to Enterprise Telework and Remote Access Security (Draft) Special Publication 800-46 Revision 1.
Characterized as a "real philosophy shift" from the recent past, government information security managers must take for granted the fact that people who would do the government and its citizens harm will exploit remote access systems designed for telecommuting government employees and contractors, cautions Karen Scarfone, a computer scientist in NIST's computer security division who co-authored the guide. "You should assume external environments contain hostile threats," Scarfone says.
Scarfone offers five steps managers supporting government telework programs should take to keep their systems and data safe:
1. Assume Hostile Threats Will Occur
Laptops, wireless handheld devices and other portable digital gadgets are prone to loss or theft. And external networks not controlled by the government are susceptible to eavesdropping and data interception. "Users are facing more frequent attacks than ever before," Scarfone says. "You just don't know how secure the local wireless and other third-party networks they use are. Assume that users are going to run into trouble."
Another assumption: teleworkers' portable devices will become infected with malware. NIST strongly urges the use of anti-malware software as well as employing network access control solutions that verify the client's security posture before granting access. An additional safeguard: have teleworkers use a separate network when they show up at the office to protect against spreading to other employees malware remote workers may have picked up on their laptops.
2. Develop Policy Defining Telework, Remote Access
A telework security policy should define the form of remote access, types of telework devices allowed to use each form of remote access and the type of access each type of employee or contractor is granted. NIST also suggests the policy should cover how the organization's remote access servers are administered and how policies in those servers are updated.
Organizations must make their own risk-based decisions about what levels of remote access would be permitted from which types of telework client devices. For example, an agency could choose to have tiered levels of remote access, allowing government-issued PCs to access most resources, teleworker-owned PCs to tap into a limited set of resources and other devices such as wireless PDAs to access only one or two lower-risk resources, such as Web-based e-mail.
Data sensitivity is another factor to be considered. Take, for instance, the Defense Department. Because the country is involved in two wars, the DOD tightened its telework policies, reducing by almost half to 17,921 the number of workers it allowed to telework in 2007, the latest years federal government telecommuting numbers are available. According to an annual Office of Personnel Management report on telework, the Defense Department expressed tremendous concern about information and data security during wartime, even though technologies exist to lessen most security concerns. "For the time being, at least, in this environment, DOD has determined that its mission is not best served by a growing telework program," the OPM report states. "Opportunities were offered for less frequent telework but this option was not popular with most employees, who felt the less frequent telework was inefficient or not worth the effort."
3. Configure Remote Access Servers to Enforce Policies
NIST cautions that compromised servers could be used to eavesdrop on remote access communications and manipulate them, as well as to provide a jumping off point for attacking other hosts within the organization.
Agencies shouldn't situate remote access servers just anywhere, NIST recommends; in most cases, a server should be placed at an agency's network perimeter so it serves as a single point of entry to the network and enforces the telework security policy before any remote access traffic is permitted into the agency's internal networks.
4. Secure Telework Client Devices Against Common Threats
Teleworkers' PCs, laptops and handhelds should have the same local security controls as client devices for non-telework employees. For instance, remote devices should receive the same application and security devices as those found in government facilities. They should employ antivirus software and personal firewalls. Still, greater security steps must be taken because threats are greater outside government facilities than from within.
"For example," the NIST guide states, "if a personal firewall on a telework client device has a single policy for all environments, then it is likely to be too restrictive in some situations and not restrictive enough in others. Whenever possible, organizations should use personal firewalls capable of supporting multiple policies for their telework client devices and configure the firewalls properly for the enterprise environment and an external environment, at a minimum."
5. Employ Strong Encryption, User Authentication
Information security managers can mitigate external security threats by encrypting data to protect the confidentiality and integrity of communications and authenticating endpoints to verify identities.
Remember the laptop stolen from the home of a Department of Veteran Affairs employee in 2006? It contained unencrypted personal information of 26.5 million veterans, their spouses and active-duty military personnel. The government might have saved taxpayers $20 million the cost to settle a class action suit this past January had the data been encrypted.
Authentication, too, is a key requirement to secure remote access. "We want to make sure that users are authenticated strongly so the organization is confident that users are who they're claiming to be," Scarfone says. "If an attacker can get in, they can hop from those servers to inside organization."