October 30, 2012
By: Tony Busseri
On the heels of Hurricane Sandy’s devastation of large swaths of the East Coast, most government agencies (federal, state and municipal), businesses and other organizations have shut down. Only a handful of "essential" employees are reporting to work, and, in some cases, even allowed on the roads.
Accordingly, the past year's emphasis on supporting telework is proving to be visionary.
With the right technology, coupled with legislative support, government employees can work from home during dangerous conditions like Hurricane Sandy where they can access the data and networks they need safely and securely. Although our work force increasingly wants to embrace teleworking and mobile computing, adoption on a large-scale is lagging behind the need and capabilities for doing so.
In December 2010, President Obama signed the Telework Enhancement Act of 2010, which provides a framework for government agencies to better leverage technology and to maximize the use of flexible work arrangements. The intended result of the legislation is recruitment of new federal workers, retention of valuable and skilled employees and allowing the federal government to maintain productivity in situations when telecommuting is more beneficial, including during national security and other emergency situations.
Mobility will help both the private sector and the government retain better workers -- telework provides flexibility and quality of life that employees will require in the 21st century.
As managers and business owners, we must balance our need to empower employees with functional, easy-to-use tools anywhere they work while ensuring the integrity and security of data, sensitive information and enterprise networks through identity management, data entitlement and other solutions that enable secure remote access.
Our challenge is to create a user-friendly computing environment that can be productive and secure without adding the headache, cost and complexity of device management.
For organizations of all shapes and sizes and in all markets public and private, there are five core considerations for securely supporting teleworkers:
Ease of Use: People need technology to be easy to use and conducive to productivity. Users should not waste time on lengthy set-up processes and configurations, loading software, making changes to the remote computer — and they shouldn’t even need a specific, designated computer to enable remote access. These hindrances will have a very negative effect on costs and productivity, not to mention long-term security.
The climate in which we work today suffers neither fools nor naiveté; it demands that teleworkers use a true, multi-factor authentication-based remote access solution. This tried and true practice provides an easy-to-use security methodology to authorize users — “something you have,” such as a PIV, CAC or FRAC card and/or enabling device coupled with a private password or PIN that is verified against the smartcard as “something you know.”
Computing Experience: In the office or from the couch, users must receive the benefit of identical computing experiences. Unlike outdated, inadequate offerings, today’s remote sessions should be initiated from the inside out, which is both efficient and secure. There also should be no requirement of the enterprise to risk inbound malicious traffic to support remote users, so close the “inbound ports” to your network.
Offsite individuals benefit from a user experience that is identical to the onsite experience, and no data will be stored externally or exit the organization’s firewall, thereby eliminating any risk of cache, unauthorized file transfer, middleware or footprint on a guest PC.
Remote Device vs. Remote User: Data entitlement and identity assurance are critical aspects to the telework conversation. Contrary to some, we at Route1 believe that identity management for remote access should be based on the user, not the device.
Ask yourself this: “Should your organization count on technology that allows users to extract sensitive or confidential data with relative ease?” If you answered yes, then, frankly, you are asking for trouble.
Carrying a specific device or computer can be costly, cumbersome and limiting. Beside that, each user should only have access to the specific data files he or she is entitled to — and nothing else.
Service and Technical Support: If you have any technical challenges, is help immediately available? This can only be judged on a service provider by service provider basis. You want a service provider that provides a help desk that:
- Mirrors the possible hours of your usage of its solution, and;
- Answers with a voice on the other end of the line that is an expert in the solution you are using.
My Bottom Line: As is usually the case, the deciding factor behind most business decisions and technology investments is cost. Ask yourself: “Is the cost reasonable, or is there a tangible return on investment to support the secure teleworking argument?”
In today’s economy, office hours are no longer nine to five. Providing employees with the required resources and access to work away from the office will increase productivity and allow them to better integrate career, family life and play.
Each organization – be it government or private business – must address the telework question for itself. However, the decision to move forward should comprehensively tackle the security considerations detailed above, or you could face the much higher costs of trying to recover from a data breach or other cyber attack.
Tony Busseri is CEO of Route1, a security and identity management company and developer of MobiKEY. Recently appointed a Privacy by Design Ambassador by the Office of the Information and Privacy Commissioner of Ontario for its commitment to secure remote access and identity management, Route1 provides identity management and security solutions to various agencies for the US and Canadian governments, including the US Departments of Homeland Security, Defense and Energy.