COVID-19 drives agencies to investigate alternatives to VPNs, raises need for BYOD support

A year ago, even a month ago, only a portion of federal employees and contractors were teleworking. Now, in the midst of the coronavirus pandemic, there is a mandate from the Office of Management and Budget (OMB M:2016) to maximize telework, sustain the mission of the agency, and encourage all employees and contractors who can work from home to do so.  This presents a security and an access challenge that agencies must quickly address.  MobileIron offers government-grade solutions, which are detailed below and already in place at some agencies.

 

The big change

The rapid escalation in the number of workers connecting to federal networks has been drastic and occurred almost overnight. Some of those workers had been provisioned to telework, at least on an occasional basis or in exigent circumstances. But most federal agencies might have seen at most 20% of their workforce connecting remotely, even under extended weather-related closures. Now, some agencies are seeing 80% or more of their workforce attempting to connect from home, and, with the OMB mandate, this will increase and remain high for the foreseeable future. For many users, no provisions have been made to enable them to officially telework. They have neither government furnished equipment (GFE) nor appropriate training on how to connect to, sign on to, and access federal networks, applications, and resources. They are using their own devices, such as smartphones, tablets, and (frequently) older, less well-maintained laptops and desktops with out-of-date operating systems and virus protections (or no virus protection at all).

The tsunami of connections from users’ personal devices to federal networks has resulted in the relaxation of some access and security policies and the circumvention of others.  In addition, even if users are accessing a government network via an established virtual private network (VPN), VPNs were not designed with the capacity to accept this volume of traffic, nor were they designed to provide additional security controls for bring-your-own-device (BYOD) and mobile devices in general. 

The growth of remote workers and network connections has increased the attack surface, and federal agencies and employees are at risk now more than ever. These unanticipated personal devices may lack appropriate authentication capabilities, and many may not be using multi-factor credentials or approved derived credentials.  Identity fraud, phishing attacks designed to capture and compromise authentication credentials (especially user IDs and passwords), malicious code, and advanced persistent threats are all rising. And these threats are increasingly likely to succeed due to the increased volume of remote workers, especially those who are less experienced with security processes and technology.  Over the last several days, we have seen attacks against the US Department of Health and Human Services in the form of nation-state attacks to spread disinformation and increase fear and uncertainty among the US population.  We also anticipate increased levels of denial-of-service (DoS), man-in-the-middle (MITM), and brute force attacks against basic authentication access portals.

 

The challenge

One of the ways that federal agencies are trying to protect their networks and IT resources is by requiring that users employ a VPN. While there are several different types of VPNs (including remote-access, site-to-site, Layer 3 Multiprotocol Label Switching (L3MPLS), Dynamic Multipoint VPN (DMVPN), and more), they all share a common objective, to encrypt and secure end-to-end communications, and some common limitations. Nearly all VPNs can operate in different modes, such as device-wide, always-on, on-demand, or per-app. The per-app mode is only initiated when the configured application is launched, and only that application's traffic traverses the encrypted tunnel. As a result, the battery drain is less than for an always-on VPN; however, it is very specific about the traffic that is protected. For the teleworker use case, the remote-access VPN is the most applicable. Traditional enterprise network VPNs are expensive, challenging, and time-consuming to implement. Terminated at the edge of the enterprise network, they have limited capacity for the number of simultaneous connections permitted and are bound by license keys. These VPNs require significant time and effort by network administrators to configure and implement the appropriate termination points.

In addition, VPN licenses are expensive and frequently not dynamically extensible to accommodate a dramatic increase in the number of users and hours per day those users will be connected.  Many federal agencies continue to rely on these types of traditional enterprise network VPNs.  Federal IT modernization efforts have resulted in some agencies adopting a per-app VPN solution, which provides greater fine-grained control over the origination and termination endpoints of the VPN tunnel, stronger encryption, and additional features. However, it also adds bandwidth constraints, license costs, and complexity to the efforts by the network administrators to provide the required maintenance and upgrades, configure the settings of the VPN gateways, and manage the cryptography and required certificates.

In nearly all cases, these VPNs were not designed for mobile devices or mobile device traffic.  Enterprise VPNs do not have the capability to enforce security policies on a mobile device, or to evaluate the compliance of a mobile device with established baseline requirements. 

 

What we offer that’s different and more effective

The MobileIron solution leverages an integrated VPN component called Tunnel, used in conjunction with the native operating system and MobileIron Unified Endpoint Management for data security at rest and for cybersecurity policy enforcement that can validate the compliant state of the device before initiating the application and allowing access. MobileIron can determine if the device is jailbroken, if the OS is current, if the device is on an authorized (or unauthorized/public) Wi-Fi network, if the application is approved and from a trusted app store, and if the device is currently protected by a mobile threat defense solution that detects and remediates malicious threats and apps. In addition, MobileIron provides stronger multi-factor authentication and contextual awareness of the user, device, and credential, which all become part of the zero sign-on access control.

MobileIron Tunnel allows agencies to enable any business app, including in-house and third-party apps, to access resources on the enterprise network or intranet using a secure network connection. App VPNs can be established over any network, including cellular networks, to ensure federal data is always secure. Tunnel also leverages MobileIron’s advanced closed-loop compliance engine to ensure non-compliant devices are not allowed to access sensitive agency data.

In addition, Tunnel significantly improves the user experience by establishing on-demand or always-on app VPN connections, without requiring the user to take any additional steps. Personal and malicious apps are blocked so that only appropriate data flows through Tunnel, which provides greater protection for government data and user privacy.

In October 2019, Branko Bokan of the Cybersecurity and Infrastructure Security Agency (CISA), a component of DHS, stated that “To provide maximum coverage against mobile threat actions, organizations must deploy Enterprise Mobility Management (EMM), Mobile Threat Defense (MTD), and Mobile App Vetting (MAV) capabilities together as an integrated solution, and not as a series of standalone products.”

MobileIron is an integrated, full-function solution providing an innovative cybersecurity platform for iOS, Android, macOS, and Windows 10-based devices, combining EMM, MTD, and MAV capabilities into a single mobile-centric, zero-trust security solution. This approach provides agencies with complete control over government data as it flows across devices, apps, networks, and cloud services.

With COVID-19 containment in effect, the need for this deployment of capabilities has rapidly accelerated.  If you would like more information, please click here to be contacted by a MobileIron representative.

Bill Harrod

Federal CTO, MobileIron

About the author

Bill Harrod is the Federal CTO at MobileIron. He is an accomplished information security executive and cybersecurity professional with experience managing cybersecurity risk and designing and delivering security solutions to federal agencies and Fortune 500 companies. He is an expert on Federal Identity, Credential and Access Management Architecture (FICAM). Previously, he served as a senior manager at Deloitte and senior principal consultant at CA Technologies.