COVID-19 has forced hundreds of thousands of government and public safety staff to rapidly shift from the traditional office setting to remote offices located in their homes. These employees have gone to work in the same building every day for years, often with a badge for secure building access, and essentially followed the same daily operations. But now, everything has changed.
While many city buildings have shut down to slow the curve of the virus, staff are still expected to do the same job. They have to attend meetings, follow up with emails, and stay productive, but now it must all be done from home.
The swift transition to telework has put tremendous pressure on government IT teams to enable secure remote access to the resources and applications necessary for daily tasks. As the number of government organizations issuing devices to enable work from home grows, endpoint security risks become much more difficult to manage.
In this post, we will discuss the security and access challenges government agencies now face, as well as our top recommendations to secure remote endpoints. Let’s dive right in.
Government Agencies’ Response to COVID-19
Government and public safety organizations are seeing many of the same problems educational institutions are facing in light of the pandemic. Cities, police departments, and technical administrators have found themselves in a predicament they’re not necessarily equipped to solve. Agencies are looking into various methods to provide staff with computers or alternate ways to access the resources they need. In this rush to adapt, government agencies have struggled to incorporate secure processes that protect their data and systems from risk.
At Identity Automation, we’ve heard from agencies that shipped laptops to their staff with fingerprint scanners attached. While secure, this can be costly and time-consuming, with large administrative overhead to boot. And then the question becomes, what will happen to the laptops and scanners when our daily lives go back to what they were pre-March 2020? On the other hand, when government agencies do not provide laptops, staff are forced to use personal devices, which can lack the necessary security features and bug patches.
Government agencies have been handed a monumental task: planning the shift to telework. It can seem daunting to determine how to approach this transition, which steps to take to solve access issues and secure endpoint access, and whether available solutions are within budget. Our recommendation is that agencies first understand the issues they currently face and the end goal. That makes it easier to plan out the steps in between.
Remote Access Solutions Broaden the Attack Surface
As soon as the number of users remotely accessing systems expands, the attack surface rapidly broadens. Instead of controlling access through a single point of entry, such as the physical door to a city building, there are now thousands of doors dispersed city-wide and perhaps even nation-wide, as staff now access systems from their homes.
One way to combat the accessibility challenges is through remote access solutions, such as Virtual Private Network (VPN), Virtual Desktop Infrastructure (VDI), portals, and remote desktops. Agencies that don’t have the budget to provide laptops or need a faster solution have expanded VPN from a handful of select users to the whole organization. This has increased the number of people remotely accessing systems, and with it the attack surface.
Unfortunately, some government agencies are realizing they did not have a VPN set up and are now trying to get one implemented. In the meantime, other agencies that do not have the budget for VPNs are allowing staff to connect remotely to internal servers and desktops using knowledge-based credentials only, which poses a major security risk.
While these remote access solutions are typically more affordable than buying and shipping devices to remote staff, there is still risk involved as employees are permitted to connect to their desktops from home. For example, if your agency enabled VPN before the outbreak, it could be an outdated system that is unable to handle large volumes of traffic.
It’s also important to note that even if your government agency was able to implement, or previously had VPN set up, an employee’s username and password are the only layer protecting the network. So, in the event the user credentials are compromised, a hacker can still easily gain access into the government organization’s network.
How Multi-Factor Authentication (MFA) Secures Remote Endpoints
According to Infosec Institute, government agencies are among the top five most cyber-attacked industries. Last year, a single ransomware attack affected 23 local government agencies in Texas, forcing their systems offline. Just three months prior, the city of Baltimore was hit by a massive ransomware attack, which kept city employees and residents from their day-to-day tasks for weeks, ultimately costing millions in taxpayer dollars.
So, what are the recommended methods for securing remote access? Multi-Factor Authentication (MFA) is paramount right now in light of COVID-19 and has gained tremendous focus and purpose. MFA adds an extra layer of protection for all access entry points, including on-premises applications, cloud applications, offline desktops, employee and customer portals, and remote access using VPNs and other technologies.
For example, advanced authentication can be added to the workflow on the front end of a remote access solution, such as VPN, so that a secondary form of authentication is required before the user connects. If your agency prefers staff to log in through the desktop, the MFA client can also be installed on the desktop directly. The desktop login can then trigger, for example, a push notification for the user to approve.
This process adds authentication to the VPN connection, so the user logs in to their computer with their credentials, but they also need their mobile phone on hand to approve the push notification. So, in the event that a user’s credentials are stolen, MFA ultimately renders an attack harmless because the identity needs another form of verification. MFA also enables government organizations to achieve compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) and Criminal Justice Information Services Security Policy (CJIS) data security requirements.
In addition, MFA offers a broad range of authentication methods, many of which offer a relatively effortless end-user experience. These include push authentication, one-time passwords (OTPs) in the form of hard and soft tokens, fingerprint biometrics, encrypted Radio-Frequency Identification (RFID), and FIDO universal second-factor (U2F) tokens, among others.
At Identity Automation, we recommend push authentication and soft token OTP specifically for remote access, because neither requires additional hardware and both options are convenient for the end user. Budget-conscious agencies should also consider leveraging existing security investments, such as RFID cards already used for building access. These cards can be augmented with additional authentication options and, as an added bonus, your staff have one less item they need to carry.
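To make the soft token OTP step concrete, here is an added example (not Identity Automation's code or any product's API) of the check a remote access front end can run after the password step: a standard RFC 6238 time-based OTP verified with a one-step clock-drift window and a replay guard. The `SecondFactorGate` class, the user name, and the demo secret are assumptions for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, RFC 4226 truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class SecondFactorGate:
    """Hypothetical check run after the password step, before the VPN session."""

    def __init__(self, secrets_by_user: dict, window: int = 1):
        self.secrets = secrets_by_user
        self.window = window   # accepted clock drift, in time steps
        self.last_step = {}    # user -> last accepted step (replay guard)

    def verify(self, user: str, password_ok: bool, otp: str, now: int) -> bool:
        secret = self.secrets.get(user)
        if not password_ok or secret is None:
            return False
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            expected = totp(secret, step * STEP)
            if hmac.compare_digest(expected.encode(), otp.encode()):
                if step <= self.last_step.get(user, -1):
                    return False  # this code (or an older one) was already used
                self.last_step[user] = step
                return True
        return False  # a valid password alone never opens the session

# Constructed sample data: the published RFC 6238 test secret, not a credential.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    gate = SecondFactorGate({"jdoe": DEMO_SECRET})
    now = 59
    code = totp(DEMO_SECRET, now)
    print("stolen password, guessed code:", gate.verify("jdoe", True, "000000", now))
    print("password + current code:      ", gate.verify("jdoe", True, code, now))
    print("same code replayed:           ", gate.verify("jdoe", True, code, now))
```

In a real deployment the per-user secret is provisioned to the authenticator app at enrollment and stored server-side with the same care as a password hash, and failed attempts are rate limited.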
Ultimately, MFA helps secure your remote endpoints and ensure your government agency stays on track with your cybersecurity initiatives. So, even though your organization has altered your entire workforce and how they operate, you can still move forward and be confident that your agency is secure.
Discover How to Mature Your Security Posture in Our Live Webinar with GovLoop
With no playbook for government agencies to reference, the rapid shift from the traditional office environment to working remotely has been impressive, but challenging. Creating a foundation of security through MFA enables a secure remote access process now and years into the future, which will serve your agency not only during this crisis, but beyond it as well.
In order to explore how the current crisis has impacted government organizations today, we’ve teamed up with GovLoop. Join our webinar, Identity and Remote Work - How Do you Stay Secure?, on Wednesday, June 3rd, as we discuss the security and access challenges agencies are facing with the swift transition to telework.
Attendees will learn how to build a framework to mature your security posture while working remotely, and when you return to the office. This webinar will also provide actionable insights into how to evaluate your organization’s current authentication maturity level and take your MFA strategy to the next level.