Telework, the New Normal
Remote Worker Policies are Nothing New in Government
Policies like TIC 3.0 (specifically new Interim Telework Guidance), OMB’s ICAM memo 19-17 and architectures like Zero Trust are the foundation for the federal workforce to be remote.
Remote work in the federal space is not a wholly new concept. Yes, it presents a set of challenges in a sector not commonly known for its flexibility and adaptability. But when it comes down to it, we can empower the federal workforce to unite. In short: we’ve got this.
"Snowmageddon" = Shifts Towards Remote Policies
I recall “Snowmageddon” in February 2010. With federal workers forced to stay home, serious talks of fundamental change in government telework policies started, because government was largely unprepared for a remote workforce.
Since then we’ve been working hard (some might say not hard enough) to put policies and technological means in place so that, should any catastrophic event happen, we would be prepared. We would have the ultimate resiliency plan in effect. Allowing users to just stay home and work, seamlessly, with no disruption. This is a noble goal, but it’s a lot harder than it sounds.
Mobility and BYOD
First, you have the technological challenges. Now, these have gotten much, much better than what was available in 2010, but the legacy tail is still long in government. Agencies still use 10-year-old technology (some even older) and we still, largely due to aging infrastructure, have scalability issues that will be tested should we ever need to activate telework, at scale, quickly and, most importantly, securely.
We are a much more mobile society. The technology of the past made working remotely very challenging. Cloud and mobile computing have changed everything.
Second, you have the cultural challenges. We’ve always done it this way. We always come into the office. Spontaneous conversations around the water-cooler or in the breakroom are part of our office DNA. For some, in classified settings, this makes total sense. But I would argue that by and large, most government workers could do 90 percent of their job from their own homes, with their own technology. We need to adapt our cultural thinking to these realities.
But this isn’t some hypothetical. This is us.
Are Your Remote Worker Policies Realistic Today?
We are here now. Telework is the new normal, even if many haven’t realized it.
We always (or at least I always) use the “a chain is only as strong as its weakest link” analogy. Because it’s true. If we use smartcards with inherent multi-factor authentication on our government work systems as an example, we need to make sure we have comparative controls when we work from home. We need to anticipate that users will be using their own technology (Bring Your Own EVERYTHING). And we need consistent, easy to use security across all applications, across all access methods.
If we move a user to remote status and these basic protections don’t exist, we’ve created a threat vector. A weak link. If a user is never (or nearly never) remote, we need to prepare for the eventuality that this user may one day need to be remote and will need those same, simple security controls. We need to be prepared for the next large event that forces a massive chunk of our workforce to become remote – in an instant. Users who are being asked to work from home – some of whom never have – will need that same level of security. Consistent security. And did I mention that it has to be user-friendly?
We also need to prepare for the fact that once the remote worker genie is out of the bottle, it may never go back in. Remote workers, in some cases, are more productive and can help relieve commute congestion. No one likes to sit in their car for hours when they can come downstairs in their bunny slippers and be productive in minutes. Workers may ask for a more flexible schedule at minimum.
And if this happens, you need to prepare for the fact that a system that once supported thousands of users, must now be called upon to support tens of thousands or hundreds of thousands, in near real time. This is where the cloud shines (some might say it’s a silver lining).
Cloud Helps Spin up Remote Workers at Scale
Years ago (seems like a lifetime) we would be forced to build out this capacity ourselves, sending a bunch of kids to the data center to rack servers overnight with their protein bars and their youthful stamina, and it was still hard. Very hard. It’s a little bit easier today thanks to our friend the cloud, but you also have to not take the easy way out. Some organizations will be tempted, for timeliness, to roll out extremely insecure access methods like remote desktop protocol (RDP), and in all the haste forget to apply the necessary security controls. We don’t want to see an increase in open accesses across the internet that attackers are already scanning for.
The good news is that we got this. We have to. We have been preparing for this type of scenario for a decade. We have smart, capable people looking at this from a policy perspective; they’re finding ways to make the cloud and mobile world of telework an achievable goal.
None more so than my friends at DHS/CISA. The concept of elastic trust zones are made for this type of endeavor. Add to that the flexible nature of a zero trust security model (consistent security regardless of access method of location) and the new, more flexible ICAM guidance and we have the building blocks for a truly robust telework program as called out specifically in the most recent Interim Telework Guidance from CISA. This guidance recognizes the need for agencies to be able to surge their telework platforms, quickly, while still thinking about the security fundamentals. CISA has also provided a simple way to map vendor capability onto the core security principals for which CISA has deemed important.
Now, this isn’t gonna be all cake and ice cream. This is going to require hard work and tough decisions at every agency. But if we leverage the technology, leverage the policy and start to change the culture, we can set ourselves up for a resilient workforce that we can deploy in an instant.
