By Stan Lowe, Global Chief Information Security Officer, Zscaler
Over the past months, the U.S. Federal government has deployed solutions to keep employees productive and secure from any location, including at home. The initial rapid response typically included increasing capacity, deploying new remote access options, and enhancing security measures.
As CIOs and CISOs move forward from the initial crisis mode, they now need to take a harder look at the systems in place – what is working and what is needed. But, to get the right answers, we have to ask the right questions.
There are different sets of considerations and evaluation questions to ask in initial crisis phases vs. in steady-state environments. IT leaders can build customized telework health scorecards for these two phases to provide a comprehensive view and then prioritize the next steps.
Initial Crisis Telework Health Evaluation Criteria
- What do we need to do? Prioritize the most important tasks. Then, consider the resources users will need and what can be postponed or cut altogether.
- Who needs access, when? Consider the access policies needed to align access with mission priorities. Do all employees need to have always-on connectivity? What work requires only occasional connectivity? To ensure comprehensive, secure access, agencies may initially need to take a “tiered” connectivity approach.
- How can employees connect? Some employees may have had government-issued laptops and devices prior to the crisis, but do all employees now need laptops? Prioritize needs. Then, evaluate risks and develop BYOD policies and education.
- Can we stagger work hours? It may not be possible to accommodate an almost entirely remote workforce within the typical 9-5 hours. Some agencies can adjust work hours, moving mission-critical work to the “graveyard-shift” hours to ensure seamless connectivity to perform critical duties.
- How do we improve performance/connection speed? As the network perimeter expands, many agencies are moving to the cloud through a secure access service edge (SASE) model. Direct access via internet breakouts provides fast, secure access for all users.
What’s Next? Evaluating and Evolving Telework Health for the Long Haul
Once mission-critical teams are operational in remote environments and the organization has moved past that initial crisis response, the next step is to take the lessons learned and evaluate how to continue down the modernization path. What will drive simplicity, reduce costs, and create scalability for any future COOP scenarios?
This is not a one-and-done process but should be built into ongoing IT operations and planning.
Here are six design architecture questions to help frame telework health, with the goal of driving digital transformation and improving security, access, and support for remote employees:
- Do we provide a seamless user experience with direct access to internal and external applications?
Agencies need to adjust security from traditional, legacy appliance-based tools, such as VPNs, to a solution that secures traffic no matter where the user or target application resides. Zero trust connections allow users to directly access applications in any location. This eliminates the hair-pinning caused by backhauling traffic through a VPN, reduces traffic, and reduces latency – ultimately, improving the user experience. Zero trust also never puts users on the network, reducing the attack surface.
- Do we have context-aware access?
Users should only be given access to resources and applications necessary for their job functions. Agencies should develop clear access policies and rules enforced through a zero-trust security model, where only authorized users will be granted access to authorized applications. This can further limit east-west traffic on the network so that users will not reach applications they were not intended to reach. Context-aware access also delivers benefits beyond work-from-home security, in scenarios such as mergers and acquisitions, cloud migration, third-party access, and more. Zero trust network access solutions address all of these scenarios with simple policies that are user-centric, rather than network-centric.
- Are we enabling flexible deployment for instant and seamless expansion?
A cloud-based zero trust service can provide a scalable environment without placing a significant burden on the IT team. Agencies can start with an initial use case and transition from broad policies to more granular and specific policies as they go. And, many Federal agencies already have elements of zero trust in their infrastructure, such as endpoint management, Continuous Diagnostics and Mitigation, software-defined networking, micro-segmentation, and cloud monitoring. Once zero trust access is fully operational, decommission VPN access for the group, then iterate as necessary.
- How are we providing comprehensive visibility and troubleshooting that enables rapid user-issue resolution?
In a legacy environment, you can’t protect what you don’t know is there. A disadvantage of legacy solutions is that data is often distributed across the environment, and agencies often use complex tools with multiple interfaces, methodologies, and terminologies. This creates a higher likelihood that bad actors could be hiding in the background, hoping to be overlooked. Zero trust provides IT administrators with a single-pane-of-glass view to manage, administer, and log users in one place. Administrators will have full visibility into and control over the distributed environment.
- How do we reduce security and remote access infrastructure maintenance requirements?
Appliance-based remote access solutions constantly need updates on firmware, software, security, and policies to keep up-to-date with technology and advancing security risks. A cloud Software-as-a-Service model greatly reduces management and upkeep. This can free up time for agencies to focus on more critical mission needs along with improving their policies, instead of patching security holes.
- What will ensure scalability for future COOP scenarios?
Legacy remote access solutions, such as VPNs, may require adjustments to bandwidth, throughput, or additional technology adoption to scale to meet operational needs. Many agencies’ initial reactions to the current crisis have been to grow capacity by implementing new infrastructure or adding new appliances. But, a cloud-native capability is the only solution that can easily scale up and down as needed when future COOP scenarios arise.
Cloud-delivered zero trust SASE models will transition security from network-centric controls and remote network connectivity to user-centric and application-centric security, designed to support highly distributed teams working beyond the traditional network perimeter.
One thing we’ve learned from these past months is that every agency needs a systematic process to evaluate telework health. These questions and review processes will create a stronger, more resilient government that can keep employees safe, productive, and focused on delivering citizen services.
About the Author
Stan Lowe, Global Chief Information Security Officer. Stan Lowe, a cybersecurity and technology executive, has successfully led transformational change in large, complex environments, as well as small and mid-size cybersecurity and IT organizations.
As Zscaler Global Chief Information Security Officer, Stan oversees the security of the Zscaler enterprise and works with the product and operations groups to ensure that Zscaler products and services are secure. Part of his focus is to work with customers to help them fully utilize Zscaler services and realize the maximum return on their investment.
Prior to joining Zscaler, Stan served as the VP & Global Chief Information Security Officer for PerkinElmer, where he was responsible for global enterprise security and privacy. He has also been a Cyber Security Principal at Booz Allen Hamilton.
Stan has extensive federal experience, serving as the U.S. Department of Veterans Affairs (VA) Deputy Assistant Secretary for Information Security, Chief Information Security Officer, and Deputy Chief Privacy Officer, as well as Deputy Director of the Department of Defense/VA Interagency Program Office. Before joining the VA, Stan served as Chief Information Officer of the Federal Trade Commission. Stan’s public service record extends to the U.S. Department of Interior in the Bureau, the U.S. Postal Service Inspector General, and the U.S. Navy.
Stan has also served as an executive in several technology startups and currently serves on several boards advising on cybersecurity. He is a frequent speaker and writer on security topics.