COVID-19
during the crisis, such as deferring the fingerprint collection, delaying the final reporting and adjudication of a new employee’s background investigation, or performing temporary identity proof- ing through remote tools such as vid- eoconference, fax or email. New hires vetted under the interim guidance will be required to undergo in-person iden- tity proofing when their agencies return to full capacity.
When that will happen is the subject of much debate by epidemiologists and other health experts, who have offered a wide range of estimates for when peo- ple can safely return to their offices and resume group gatherings. Some experts have predicted that social distancing could continue into next year or even 2022 if a successful vaccine is not developed quickly. As a result, some cybersecurity and technol-
ogy companies predict a broader shift in the global economy and believe remote work could be
here to stay. That means “bring
your own device” could become
even more prevalent.
“BYOD is now the reality and
will continue to be in the future because I don’t think we’re going back to that type of work environment that we used to be in,” said Greg Touhill, former U.S. chief information security officer and now president of AppGate Federal Group, during a webinar hosted by Billington CyberSecurity in April.
Looking for alternatives
Duo Security, which makes and sells remote access tools, is betting that governments and industry will use the crisis to restructure the way they con- duct identity and access management by shifting away from physical access cards and adopting solutions that allow workers to use their personal devices. Sean Frazier, advisory CISO for Duo’s federal business, said most organiza- tions are looking for quick and easy ways to ensure business continuity during the current crisis.
When the PIV card came out 16 years
ago, it “was a really good idea, but we’ve kind of moved on from it from the per- spective of agility,” Frazier said. “It’s not necessarily the easiest technology to ramp up quickly, so, for example, if you have some kind of event where all of a sudden your workers are remote and they’re working from home using personal technology, it was really never designed for that. People are right now kind of scrambling and looking for com- parable controls.”
Unfortunately, many organizations aren’t creating remote-work systems with a view toward the future, said
“BYOD is now the reality and will continue to be in the future because I don’t think we’re going back to
that type of work
environment that
we used to be in”.
GREG TOUHILL, APPGATE FEDERAL GROUP
Wendy Nather, head of advisory CISOs at Duo. “A lot of organizations are think- ing that this is a temporary aberration, and so when they put in an infrastructure to enable remote working, they’re putting in the fastest and cheapest thing they can find,” she said. “And they figure they’ll just pull it back later when this is over. We don’t know when this will be over. Even if it is over, we don’t know how many employees are going to be willing to come back into the office.”
In the meantime, Nather said agencies should take steps to protect IT and other assets at their now largely empty office buildings and facilities. The Department of Veterans Affairs, for example, recently purchased new PIV card readers for its medical center in Kansas City, Mo., and
has cited the outbreak in multiple emer- gency procurements for security services to prevent unauthorized access to VA facilities during the COVID-19 outbreak.
Agencies that have avoided modern- izing their IT and security infrastruc- tures to handle large numbers of remote employees must now rush to implement ad hoc protocols and purchase equip- ment to ensure that their employees can access agency systems. The Department of Health and Human Services issued a special notice in April detailing an urgent coronavirus-related require- ment for a multifactor authentication and identity assurance solution that can provide remote access to agency resources.
“There are a lot of employees who were never approved for remote work- ing. Now they’re signing in through their personal devices,” Grant said. “What information do you let them access? Odds are their home device is not going to have a smart-card reader built in, so how do you build in some multifactor
authentication?”
There are a number of ideas to
bridge the access gap in the short term. They include implementing new multifactor authentication processes, using app-based solutions and buying YubiKey or other authentication devices for agency personnel. Another option is to rely on the authentication tools that are embedded in many computers and smartphones so that employees can use their personal devices for identity verification.
Shifting the security focus to pro- tecting data rather than devices is an essential step. “Yes, [employees] may use their own personal technology, but I as a business or agency still have to protect my data,” Frazier said. “So I’ve got to make sure that if they’re com- ing in with a personal device, I know that device’s software is up-to-date, that encryption is turned on, and they’re using enabled biometrics so I can pro- vide identity [verification] comparable to what a PIV might provide.” n
32 May/June 2020 FCW.COM