Telework’s weak link

Security is one of the inconvenient topics that inevitably arises, sooner or later, when agencies start talking about telework.Telework is a popular topic. The idea of letting employees work from home a few or most days each week has garnered increasing interest among government workers and managers for a number of good reasons.Workers enjoy the reduction in commuting costs and time and appreciate the convenience and flexibility that may help them juggle family and work responsibilities. Agencies benefit from improved employee morale, the ability to relocate offices without losing part of their workforce, and reduced real estate costs. Recognizing these and other advantages, the House approved last month H.R. 4106, which would require federal agencies to set policies that allow some workers to telework. Although workers and agency executives might only see telework’s upside, security officers and experts know it also has a dark side. Whenever employees take data home or work on it outside an agency’s physical walls and network firewall, there is the potential for security leaks. The challenge is to figure out how to give home-based workers sufficient freedom to do their jobs without compromising data security and privacy.Government telework pioneers, such as the U.S. Patent and Trademark Office, have been naturally cautious. The USPTO has 14 telework programs in which employees work from home as few as one day or less a week to almost the whole week. Nearly 4,000 USPTO workers and contractors are teleworking, representing about 85 percent of the telework-eligible workforce. Significantly, about 1,400 of the office’s teleworkers are “hotelers,” having given up their permanent office space and instead reserving temporary desk space when they come in a few hours each week. All this has been great for the USPTO’s bottom line. “We’re hiring additional workers each year,” said Danette Campbell, senior adviser for telework at USPTO. “Those hotelers let us do so without having to add to our real estate significantly.” Because of the sensitivity of the proprietary data USPTO works with, Campbell has gone to great lengths to ensure that the dispersed workforce is as close to leak-proof as possible. The most significant security policy is that all teleworkers use only USPTO computers, which hold virtually no applications or data. Employees work directly on the application server at the USPTO through a secure virtual private network connection, which encrypts data during its transit across the network from the server to the user’s local machine. Second, all employees handle their work-related telecommunications through voice over IP, which allows them to use the same phone number at home as in the office. That reduces mix-ups, such as not being able to reach a home-based worker during an emergency or leaving a phone message regarding agency business on the wrong telephone number.Finally, each laptop PC uses full-disk encryption software, which prevents an unauthorized person from accessing the data even if they got physical possession of the machine. “We have gone to great lengths to secure our data even if it at times it might seem to be overkill,” Campbell said.It is usually better to overdo security than to underplay it. However, financial realities sometimes force agency executives to make cost/benefit analyses about tactics for mitigating the risks associated with teleworking. One of the most important decisions for telework program managers is whether to provide workers with an agency computer or allow them to use their own computers.Several security experts said requiring teleworkers to work only on agency-owned machines is the best policy, but it is also the most expensive one. “If your agency owns the machines, you can control them completely,” said Vaughn Volpi, chairman of PICA, a loss prevention and security consulting company. “You can decide what applications workers can use, what data they can download and what external media they can connect to the machine. And if you need to investigate a leak, it’s much easier to get the computer back for forensic purposes than it would be to subpoena someone’s personal PC.”Volpi suggests placing keystroke mapping software and even Global Positioning System tracking devices on laptops, with the employees’ knowledge. The GPS can help the agency find lost PCs and also help enforce policies that identify where employees can use their laptops. But Volpi and other security experts say not all agencies are financially or culturally ready to limit teleworkers to agency-owned computers. And some might not need that level of protection.Bill Marsh, information technology security officer at the National Science Foundation, said he would like to provide all teleworkers with NSF-owned computers, but the cost would be prohibitive.“We can’t justify it financially right now,” Marsh said. Each day about 75 to 100 of the 1,500 NSF employees access the network remotely. Some of these — Marsh didn’t have exact numbers — are in one of the foundation’s two telework programs. In one program, employees work regularly from home a specific number of days each week. In the other, people work from home occasionally, getting their supervisors’ consent ahead of time. Marsh points out that most employees do not work on sensitive data. The few who do are not allowed to telework. Still, Marsh has a limited number of NSF-owned laptops on hand, which he gives to workers who request them. He doesn’t have enough for all workers, but he hopes to increase that number gradually so that eventually all teleworkers use machines owned and managed by NSF. The primary security technologies NSF uses for its teleworkers are two different kinds of VPNs. Most employees use a Web browser-based Secure Sockets Layer VPN to access their personal desktop data and applications at the office. This remote-access method eliminates the need for downloading data onto removable media, such as a USB thumb drive, to bring it home, which would present a security risk. A more limited number of managers who have administrative duties use an IPsec VPN that provides greater security than the SSL VPN for access to NSF’s more sensitive network resources. An IPsec VPN requires special software loaded on an employee’s remote computer.In general, the level of control an agency needs to have over the teleworker’s PC or laptop should be based on the sensitivity of the data balanced with the need for workers to have the ability to customize their machines to their liking, security experts say. Jill Knesek, who is now chief security officer at BT America and had been a special agent at the FBI’s computer crimes task force, said company officials decide on a case-by-case basis whether to allow teleworkers to use their own computers rather than company-provided equipment. “We assess risks,” Knesek said. “We try to give teleworkers as much freedom as possible because the more freedom, in general, the more efficient they will be. But we have to also consider the sensitivity of the data they will be working on.”Steven Antone, vice president of federal solutions at Lumension agrees with Knesek about giving users as much freedom as possible — even on agency-owned computers — without compromising security. One way to do that is to provide for exceptions to the security policy. “Have an easy-to-use change control plan,” he said. For example, if someone needs a PowerPoint slide and policy dictates that no Micr soft Office files can be downloaded from nonagency sources, an organization can provide a convenient means for the teleworkers to apply for a one-time exemption. For example, for some teleworkers and some types of actions, the policy might allow users to download a file without prior authorization. That action would be recorded for  a later security follow-up. In other cases, prior consent might be required. “You can be as specific as you need to be in determining who needs permission and the types of permissions each person or task requires,” Antone said.Managers can use various technologies to help enforce telework policy, but training will enlist users in the effort to keep the data safe. Marsh believes that ultimately, training and education might be the most important aspects of telework security. “Our goal is to create a culture of security awareness,” he said.All the agencies with telework programs interviewed for this article require employees to take a training class before working from home. These classes usually cover cybersecurity issues, such as one agency’s policy forbidding workers from using wireless local-area network Wi-Fi connections, and physical security issues, such as rules about securing with a locked drawer or cabinet work computers and even printouts of work information. The classes also cover other issues, such as the importance of having an appropriate, comfortable place to work. Requiring the right teleworking home environment might be so important that it could create the need for new enforcement methods, said Jack Phillips, managing director and co-founder of the Institute for Applied Network Security. Some of those might even seem intrusive. “There’s a looming question which will be coming down the line and which will have to be addressed,” Phillips said. “Does an organization have a responsibility to enter an employee’s house to check to ensure that the data is at least likely to be secure?” Phillips said that if agencies require that teleworkers have locked cabinets for paper files and idle computers, it might not be unreasonable that in return for the privilege of being allowed to telework, the employee submit to a home inspection. And further, he wonders if the lack of this kind of inspection might make an agency liable in the case of a security breach resulting from a poorly protected home office. There’s no doubt that maintaining a secure telework environment presents many challenges that do not affect office-based workers. But most agencies doing it say the benefits far outweigh the perils, which can be managed.