Security was once a simpler endeavor. Today, legions of workers telecommute. Government workers regularly log in to their work accounts outside the office and may use unsecured public Wi-Fi networks, such as those in coffee shops and libraries (but with a mask and hand sanitizer, of course). They may also use insecure personal devices over which many agencies have no real oversight—devices potentially riddled with spyware or worse.
A secure perimeter was once an essential component of secure computing and a secure architecture. This essential component, however, has become seemingly irrelevant. What good is a secure perimeter when those who need the extra protection are so often outside it?
This is the current challenge facing so many federal IT pros during our massive shift to remote work. How can a federal IT pro secure a remote environment? Specifically, what can a federal IT pro do to improve endpoint security in a more effective way?
The answer is simpler than you might expect, and it’s likely something federal IT pros can do today:
- Implement zero-trust policies
- Develop security policies capable of scaling with risk
- Consider the user experience
Implement Zero-Trust Policies
When government employees were working within government facilities, the secure perimeter model worked—it trusted users within the perimeter and distrusted users outside it. By contrast, a zero-trust model treats all users with mistrust, as the model assumes threat actors may be operating both outside the perimeter and within it. Zero trust means all actions require authentication, regardless of whether the employee is working onsite or from a remote location.
To make zero trust work in the real world without prompting employees to resent endless authentication requests, make sure users are only prompted for additional credentials if they appear to be using an unknown or unexpected machine or are requesting an unexpected resource.
If you’re looking for products to use in this scenario, be sure to choose one capable of determining whether traffic or requests are normal or anomalous. Anomalous behavior can then trigger additional authentication steps to confirm a user’s identity.
Develop Security Policies Capable of Scaling With Risk
Just as it can be difficult to convince users to take an extra step and enter additional credentials, implementing additional security policies and procedures can be difficult as well—sometimes, it can even be detrimental. For example, if security policies prevent employees from getting their jobs done, they’ll look for workarounds in the form of outside emails, thumb drives, cloud drives, and other risky behaviors.
The best way to prevent this is to create security policies capable of scaling with risk. For example, a large funds withdrawal is a greater security concern for financial services than a balance inquiry; an unknown system is a greater security concern than a known system; and personnel records require more stringent controls than a system containing only publicly available information. Tailor security policies—and the automated systems supporting them—to recognize increased risk and enhance authentication in these situations.
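The step-up prompting described under zero trust and the risk scaling described here can be expressed as one policy check. The following is an added illustration, not code from the article or any product; the resource names, risk weights, freshness window, and sample users and devices are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class Assurance(IntEnum):
    PASSWORD = 1   # single factor only
    MFA = 2        # second factor verified at some point in this session
    FRESH_MFA = 3  # second factor verified within FRESH_SECONDS

# Constructed policy data for illustration; real values are agency-specific.
SENSITIVITY = {"public_info": 0, "account_portal": 1, "personnel_records": 2}
ACTION_RISK = {"view": 0, "balance_inquiry": 0, "funds_withdrawal": 2}
FRESH_SECONDS = 300

@dataclass
class Request:
    user: str
    device_id: str
    resource: str
    action: str
    mfa_age: Optional[int]  # seconds since last second-factor check, None if never

def session_assurance(req):
    if req.mfa_age is None:
        return Assurance.PASSWORD
    return Assurance.FRESH_MFA if req.mfa_age <= FRESH_SECONDS else Assurance.MFA

def required_assurance(req, known_devices, usual_resources):
    # Unlisted resources and actions fail closed: they count as highest risk.
    risk = max(SENSITIVITY.get(req.resource, 2), ACTION_RISK.get(req.action, 2))
    if req.device_id not in known_devices.get(req.user, set()):
        risk += 1  # unknown or unexpected machine
    if req.resource not in usual_resources.get(req.user, set()):
        risk += 1  # resource this user does not normally request
    if risk == 0:
        return Assurance.PASSWORD
    return Assurance.MFA if risk == 1 else Assurance.FRESH_MFA

def decide(req, known_devices, usual_resources):
    """Return 'allow' if the session already meets the bar, else 'step_up'."""
    need = required_assurance(req, known_devices, usual_resources)
    return "allow" if session_assurance(req) >= need else "step_up"

# Constructed sample state: one user, one enrolled device, two usual resources.
KNOWN = {"alice": {"laptop-01"}}
USUAL = {"alice": {"account_portal", "public_info"}}
```

A routine balance inquiry from the enrolled laptop passes without a prompt, while the same session is asked to re-verify for a withdrawal, an unenrolled machine, or personnel records.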
Consider the User Experience
At the end of the day, it’s important to remember one of the most critical components of this enhanced security equation: users. Zero-trust policies and policies capable of scaling with risk both require user buy-in for success. It’s not enough to keep the bad actors at bay—you also need to ensure the security policies and systems federal employees use aren’t a hindrance to getting their jobs done.
Consider the user experience before implementing dramatic changes. Forcing endless credential queries and password resets may prompt users to use visible sticky notes for passwords, which introduces a new vulnerability. Remember, security measures must be user-friendly if they’re to be adopted successfully.
Looking Beyond Perimeter Security
Nobody knows how long we’ll be working from home or if our working model will change for good. Regardless, perimeter security is no longer an achievable goal for many agencies. A zero-trust environment can ensure authentication challenges support security needs, and security policies capable of scaling with risk can ensure security is applied precisely where and when it’s needed. But remember, adopting these security measures requires taking the end user into account.
As perimeter security wanes as a goal, securing endpoints with minimal adverse impact on employee productivity should be the next goal—and the logical replacement.