Remote Access for the Public Sector: Agencies Must Get this Right

Today, millions of Americans are leaning on the essential services provided by the public sector, and perhaps more so than any other time in living memory. Federal, State and Local government, and Educational institutions have been forced to act swiftly during this time of crisis, while also being confronted with unpredicted and unprecedented business continuity hurdles.

Last month, the Office of Management and Budget (OMB) mandated federal agencies to “maximize telework across the nation” to help reduce transmission of COVID-19. This has been an abrupt adjustment for the public sector workforce, which has historically lagged far behind the private sector in telework adoption. Many government organizations, particularly at the local level, have legacy IT solutions in place that hamper a seismic shift to telework.

Here’s a sampling of how public sector and critical infrastructure agencies are being impacted:

• Public k-12 and higher education classrooms are shifting to remote learning through the end of the year, and perhaps beyond. The ability to securely support these activities is crucial, not just for helping students move forward in their educational goals and careers, but for keeping students and teachers engaged and providing some measure of normalcy.
• Local governments are moving call center workers (311, 911, etc.) and other employees remote wherever possible. Often, these local governments are under-resourced and outsource much of their IT. In some cases, offices may have just one person who does IT part-time in addition to other administrative duties, including HR.
• The demand for telehealth services is skyrocketing and it’s an important way to minimize exposure, both to healthcare professionals, such as at the U.S. Department of Veteran Affairs, as well as the people and communities they serve. Earlier this month, the Centers for Medicare and Medicaid Services announced multiple reforms, including 80 additional services delivered through telehealth. “CMS is allowing telehealth to fulfill many face-to-face visit requirements for clinicians to see their patients in inpatient rehabilitation facilities, hospice and home health,” the agency said.

How Secure is Your Remote Work Environment?

Remote access points, BYOD endpoints, and shadow IT carry heightened risk during normal times. However, now, with the largescale move to telework, they are all proliferating at once and at tremendous scale. These risks, along with the surge of ransomware and malware targeting COVID-19 fears, are driving up service desk tickets and leaving organizations highly exposed to cyber threat actors.

Today’s challenges are further compounded when agencies make rushed IT decisions, which can result in “forced errors.” For instance, many agencies have hastily implemented and enabled a popular video/web conferencing and collaboration tool for their users. Even worse, many enterprises, schools, and agencies have been extending the tool well beyond its simple use cases and are using it ad hoc to perform remote support, often performing privileged activities. Unfortunately for the affected organizations, the technology has suffered embarrassing exploits over the last month, with the FBI issuing a sharp warning about it. Consequently, schools, cities, and companies are just as quickly ditching, and even banning the tool due to the security concerns. That's a pitfall of choosing quick and easy without considering "secure", and it’s an unfortunate scene that’s being replayed time and time again during these challenging times.

Even technologies that IT veterans consider as secure may have serious shortcomings under the special use cases they are stretched for amidst the coronavirus crisis. Here, I’m talking about virtual private networks (VPN) and remote desktop solutions. Both of these technologies have incurred a number of cyber exploits over the past few years. The FBI and DHS have warned about the rising threat to Remote Desktop Protocol (RDP).

VPN is a prime example of a technology that is frequently over-extended in corporate and agency environments. It can’t provide the granular control and visibility agencies need to meet security and compliance around privileged access and vendor sessions, and it usually won’t scale well when a large number of typically office-bound workers are suddenly forced to go remote.

As Sean Kelley, former CISO of the Environmental Protection Agency summed up, “Where you might have had 20, 30, 50% of your workforce connecting to the VPN at any time, now you have 80-to-100% of the workforce connecting via VPN all the time. And a lot of CIOs just didn’t plan for that, because that’s just not the scenario that we lived in before this week.” For more in-depth insight into the drawbacks of VPNs and why VPNs and BYOD should absolutely never mix, check out this recent blog from BeyondTrust CTO/CISO, Morey Haber.

Identify Your Remote Access Challenges & Use Cases to Map Out an Optimal Outcome

Even when pressed for time under crisis conditions, clarifying upfront the challenges and needs for your organization to move forward is a step that should never be skipped. Some questions that need to be asked when moving workers remote include:

• Who are your users (employees, vendors, students, the general public, etc.)?
• What kind of devices are your users on?
• Are the devices owned by your users (BYOD), or corporate-owned and provisioned?
• What does each user need to access (applications, databases, services, etc.)?
• Are any of the resources your users need cloud accessible?
• Is IT providing those tools/resources, or is the user able to self-provision what they need?
• What is appropriate for your users to do with their access?
• Is some of this access privileged? If so, can you control, monitor, and audit that access?
• What are the data privacy considerations?
• Do you know when your network is being accessed via a remote access session, by whom, and for what purpose?

Your answers to these questions should inform your risk management decisions and help you focus on the appropriate security technologies and best deployment model for your environment. For some agencies and schools, BYOD maybe the only viable short-term option, but personal devices will typically lack the systems hardening and security layers an agency-provisioned device would have. A personal device may also be shared with other family members, which adds a whole other dimension of security risk and data privacy concerns.

Also, while allowing workers to self-provision the applications and tools they need may seem like a win-win self-service model that helps relieve IT of some tasks at a time when it is already stretched to the max, shadow IT can have a dark side. Self-provisioned applications, services, and tools could open up dangerous backdoors into your corporate environment for threat actors to exploit. Also, IT should absolutely never allow an employee to self-provision a remote access tool!

How BeyondTrust Helps Holistically Enable & Secure Remote Access (VPN-less)

Enabling a productive remote workforce starts with securing remote access. BeyondTrust’s integrated platform, comprised of the three solutions described below, helps agencies holistically secure remote access sessions, identities, and assets.

• BeyondTrust Secure Remote Access solutions (comprised of Privileged Remote Access & Remote Support) enable agencies to apply least privilege and robust audit controls to remote access required by employees, vendors, and service desks. This ensures the right level of access for each user and for each session. Users can quickly and securely access any remote system, running any platform, located anywhere, and leverage the integrated password vault to discover, onboard, and manage privileged credentials. The credentials can be injected into the application, system, tool, etc. at the moment it is needed, never revealing the credentials to the end user. The most highly privileged credentials should expire after each use to eliminate credential re-use attacks, such as pass-the-hash. The solution enables agencies to implement remote access approval workflows and receive automated notifications when remote access sessions are initiated. Suspicious sessions can even be paused or terminated.
• BeyondTrust Endpoint Privilege Management solutions combine privilege management and application control to efficiently manage admin rights on Windows, Mac, Unix, Linux, and network devices, without hindering productivity. The solution enables agencies to eliminate local admin rights (reducing a massive piece of the attack surface), take control over applications and shadow IT, and enforce least privilege with fine-grained control.
• BeyondTrust Privileged Password Management solutions enable automated discovery and onboarding of all privileged accounts, secure access to privileged credentials and secrets, and auditing of all privileged activities. Security teams can instantly view any active privileged session, and, if required, pause or terminate it. The solution enables agencies to reduce the risk of compromised privileged credentials for both human and non-human accounts, while meeting compliance requirements.

You can deploy a single BeyondTrust product to meet one or a few specific use cases (i.e. remote support, vendor access, remote employee access, privileged access management, etc.), or implement the entire BeyondTrust platform and benefit from comprehensive coverage of remote access pathways and privileged access, while benefiting from synergies across your IT and security ecosystem. We also integrate with the leading IAM, MFA, ITSM, SIEM, DevOps, and other platforms.

With BeyondTrust, agencies can deploy physical appliances on premises or choose from a variety of cloud and hybrid deployment options. Our quick-start innovations enable customers to deploy BeyondTrust solutions fast and achieve rapid leaps in end-user productivity and risk reduction. In the era of coronavirus, we’ve been able to help many agencies and organizations achieve these leaps in days.

Communities across the United States are depending on the public sector to continue to provide valuable services, while protecting data and doing all they can to minimize the risk of virus transmission.

BeyondTrust has been working with hundreds of Federal, State, and Local government agencies, and Educational institutions to ensure their workforce and IT security teams are enabled, secure, and productive during the era of COVID-19 and well beyond. Whatever stage you are at, we are ready to help. Reach out for a live demo or visit our website to learn more: https://www.beyondtrust.com/

Related Reading

Enable & Secure Your Remote Workforce (quick guide)

Is Your Workforce Going Remote? – Why VPNs and Personal Computers (BYOD) Should Never Mix (blog)

IT Considerations for Supporting Remote Workers due to the Coronavirus Epidemic (blog)

Securing Privileged Access & Remote Access for Federal Agencies & Contractors (white paper)