Government agencies should establish virtual mobile infrastructure (VMI) technology, in which telecommuting employees would access network information through customized mobile operating systems hosted on virtual machines, and the intermediary connection is destroyed when the session ends, according to draft guidance for telework protocol released by the National Institute of Standards and Technology (NIST).
The guidance, an update to the federal agency's initial documents drafted in 2009, also encourages agencies to implement mobile device management tools, which prevent employees from accessing networks or sensitive data on devices that do not conform to established security standards. The update contained in NIST documents 800-46 and 800-114, offers solutions for the increasingly complex challenge of securing government networks as federal agencies move to adapt the telecommuting trend that has grown popular in the private sector.
“Organizations are realizing that many data breaches occur when attackers can steal important information from a network by first attacking computers used for telework,” NIST computer scientist Murugiah Souppaya said in a statement.
The new guidelines were released as federal agencies, and the private sector continue to face difficulties creating secure telework arrangements. The challenge of establishing secure telework arrangements is especially complex for federal employees who work from abroad, either from an embassy of elsewhere. Last week, Department of Veterans Affairs (VA) Deputy Assistant Inspector General Brent Arronte testified during a House Oversight subcommittee that the agency has “inconsistent implementation” of security protocol.
Among the security failings highlighted during Arronte's testimony was an episode in which VA employees were given permission to work from foreign nations, including from China and India, and employees "improperly connected to VA's network from foreign locations" without arrangements for secure network access and used personal equipment in accessing the agency's network.
The private sector continues to struggle with solutions to the challenge of employees accessing their organizations' networks remotely. After a federal court ruled against JPMorgan Chase in a 2013 lawsuit that claimed the financial institution had violated the Americans with Disabilities Act by denying multiple requests to telecommute, the company embarked on a proactive campaign to allow employees to work remotely -- and then experienced a massive breach that compromised 76 million personal accounts and 7 million business accounts, and led to the bank's CSO and CISO being reassigned to new positions.
Security standards, such as the guidelines established by NIST or through similar statewide initiatives, have been not always been consistently followed. For instance, a California attorney general report stated that organizations have failed to implement the CIS Critical Security Controls, California state cybersecurity guidelines enacted in 2014 that require businesses that collect personal information use “reasonable security practices and procedures.”