The year-plus of societal misery and dislocation wrought by the coronavirus pandemic has helped to deliver two mega-trends to the Federal government IT landscape that will far outlast the public health crisis. The first is the permanence of remote work, and second is the urgent need to evolve IT security to defend expanded attack surfaces against increasingly sophisticated adversaries.
Those are the consensus takeaways from officials with five leading Fed IT technology and service providers – Cisco, Pure Storage, Tanium, Zscaler, and Rackspace – who have helped the government adapt to pandemic reality, and who went on the record with MeriTalk to talk about what needs to be done to keep advancing in the new landscape.
Remote Work’s Staying Power
Even as the Biden administration sorts through new work-location policies, the consensus is that remote work in substantial measure – and the technology to securely enable it – is here to stay.
“Work from home is possible at scale and securely, and FedRAMP-compliant cloud and virtual desktop infrastructure (VDI) work are here to stay,” said Phil Fuster, senior director, Public Sector Sales at Rackspace. “We have proven that you see an increase of greater than 17 percent in productivity with work-from-home, and employee satisfaction goes up when they are not spending two hours a day on commute.”
“These changes are permanent,” Fuster said, adding, “Every government CIO I have spoken with or presented with says that this method of operation is the ‘next normal’ … the productivity gains and the cost reductions are evident.”
Carl De Groote, area vice president, U.S. Federal at Cisco, agreed, saying that “the changes will be permanent for the most part, and the opportunity to perform secure remote Federal work and the technology that came out of the pandemic is here to stay.” He added, “IT modernization was already underway before the pandemic – the pandemic just accelerated that modernization. It certainly tested, and in some cases, stretched, what agencies were capable of.”
“This new normal will stay until we can find the acceptable balance between working from home, hoteling, or working from an office,” said Stephen Kovac, vice president of global government and head of corporate compliance at Zscaler. “That is some time away,” he said, but counseled on the security front, “agencies must act now. Attacks are getting more crafty and complex, and in many cases agencies are not equipped to handle such sophisticated attacks on their own. They need to build an alliance of providers who can support their zero trust architecture planning and build a strategy that protects them as they move to the cloud.”
“Technological progress never moves backwards,” said Egon Rinderer, global vice president of technology and Federal CTO at Tanium. “Agencies made necessary changes to rapidly expand remote access early in the pandemic to ensure the mission continued – and the result is a truly borderless enterprise. At the same time, agencies accepted a certain level of risk in order to continue the mission.”
“Now that a year has passed, we need to address the 800-pound gorilla in the room: we’ve lost visibility and control of the majority of the endpoints that left the enterprise perimeter and cannot account for new endpoint growth,” Rinderer said. “The prospect of hoping that things will simply return to pre-COVID norms is not a strategy, it’s wishful thinking. So, we have to accept that while securing an enterprise in the past was already difficult, the problem is now a lot harder because of the distribution of the endpoints. Visibility and control of those endpoints, and the ability to take action and remediate in real time has never been more crucial.”
“The Federal government learned [during the pandemic] that the idea of working from home, or remote work, can actually function at a massive scale,” said Nick Psaki, principal technology strategist at Pure Storage. “Not everything, and not all agencies, but a great many have had 90 percent or more of their workforce remote for most of the year. The reduction in commute times in Washington, D.C. alone made people tremendously more productive, and had a profound impact on environmental quality and quality of life.”
“We also learned that it is not just a theory but an excellent benefit to distribute the Federal workforce across the United States, providing closer engagement with constituents and stakeholders,” he added.
“Having a secure platform in place makes these transitions easier,” De Groote said. “The right collaboration tools, for example, are key to rapidly accelerate remote work. And ensuring that those tools are secure and get the job done makes all the difference. Especially for the Federal workforce – having a secure and seamless work experience that falls in line with FedRAMP requirements is vital to meeting the mission.”
“We’ve seen that moving from legacy technology to modern, multi-cloud environments helps us meet current and future needs more quickly than was ever possible before,” said Kovac. “You can implement new applications faster, scale resources and capacity efficiently, and share information more effectively.”
“But, as we’ve also seen with the growth of ransomware and other cyber threats over the past year, we need different approaches to keep data, applications, and missions secure,” Kovac said. “We must shift the focus from securing the network’s perimeter to securing the user at the edge and at every location and connection with zero trust solutions.”
“The security challenges that already existed before the pandemic were only exacerbated by the rapid shift to remote work,” said Rinderer. “Federal agencies have accumulated legacy cyber tooling based on the concept that operations and security will always be local and reside within the traditional network boundary. Due to the pandemic, solutions were bolted on to accommodate for the shift – but nearly all function in a degraded state when required to support a workforce that is predominantly working outside that boundary, not on-prem. In terms of security specifically, that legacy tooling leaves agencies with a massive blind spot, because the tools can’t see, secure, manage, or report on what’s outside what they were designed to do– so agencies are left guessing.”
“The shift to remote work pushed endpoints beyond traditional on-prem networks, requiring a change in how those endpoints are secured and how users access resources,” Rinderer said. “Suddenly, the context of where the user exists changed, and the amount of data that needs to be factored into security decision-making increased precipitously – and the rate of change (or the ephemerality) of that data is only going to continue to increase with time.”
“We also have seen that network bandwidth and end-to-end security in the form of encryption and identity access and management are things we must improve immediately,” Psaki said. He also spoke about the acute shortages of equipment and staff to meet the government’s needs at the onset of the pandemic, and said Pure has been working closely with supply partners across the globe to minimize future delays in supply.
“The pandemic has shown us that we must focus on the different principles for supply chain, technical support, and delivery: utilizing a geographically strategic approach, implementing capacity plans, and optimizing around supplier relations,” Psaki said “We have been able to utilize artificial intelligence and machine learning to help our customers monitor thousands of storage arrays in the field, and report issues or potential issues before humans detect any problem.” He added, “Supply chain security is absolutely crucial for rapid response to mass-scale events, and these practices will only continue to improve post-pandemic.”
This Time Next Year
What the coming year holds as the pandemic recovery takes hold remains to be seen, but each of the tech execs staked out markers for the Federal government to measure their progress toward security improvements.
Cisco’s De Groote pointed to progress on developing cybersecurity policies, and implementing them. During the pandemic, he said, “We found out who had a cybersecurity policy and who needed assistance to build one.”
“Actively deploying collaboration security as part of an IT team’s security plan is critical, as collaboration tools are a staple of remote work,” he said. “Research indicates the use of digital collaboration tools has increased 75 percent since the beginning of the pandemic, so ensuring cybersecurity is a key focus area and conforming to security policies is paramount. With that, choosing the right collaboration tool with a strong security built-in makes all the difference in remote Federal work.”
“I would say continued investment and improvement to cloud architectures for VDI, DevSecOps, and general computing,” said Fuster when looking to the next 12 months. “Improvements to identity management and zero trust based architectures must get more thought and play in the cloud and edge cloud must be invested in so that we can realize the value of compute close to the worker yet in a secure fashion. Lastly, freeing up data securely from the exorbitant costs around data egress in public clouds is also highly important.”
“The next big focus should be to shift to a holistic security model based on zero trust solutions that push security to the edge and create an ‘exchange-like’ functionality that is negotiating to keep bad actors/data at the edge, out to the perimeter, and through zero trust solutions methodology,” Kovac said. “This only lets authorized users access approved applications and data from any device – and it reduces the attack surface and delivers improved visibility for IT teams managing complex, hybrid IT environments.” He added, “Agencies should also continue to look to the TIC 3.0 guidance for a framework on flexible deployment to securely support their ‘work-from-anywhere’ model.”
“We need to admit there is a problem,” Rinderer said. “The old methods of instrumenting and collecting data don’t work. It’s not that they’re failing, but that they’ve already failed. Rather than exerting effort to make old methods and tools function, we need to accept that those only worked within a well-defined border but that border has been erased. Given our new operational context we can and must retool around security and operations in a manner that sees no degradation in value or performance based on where the user exists or how they are accessing resources. This isn’t simply a problem of endpoint management so much as one of data instrumentation. When it comes to securing and managing IT infrastructure, it’s all about accurate, complete, and timely data.”
“The Federal government is going to operate differently moving forward – and it is important for agencies to continue to have consistent, real-time access to their data,” Psaki said. “Agencies must be investing in rapid backup and recovery, as an event like a cyberattack can take down entire systems that are doing-mission critical work. Modern data protection is fast, simple, and cost-effective. This strategy helps prevent the devastating effects of cyberattacks that could reduce productivity, cost millions, threaten mission-critical work, or create a lapse in essential citizen services.”