Should government employees be allowed to use personal systems? Many government CIOs/CISOs are reluctant and prohibit employees from using non-government furnished equipment. This is problematic for many reasons including:
- Organizations have an increasingly mobile workforce that needs to be able to work from anywhere. On the government side, it may be the census taker, the CDC scientist in a third-world country, a DEA agent in the field or our soldiers in the Middle East. All of these roles need access to the applications and information critical to their mission (and sometimes, even their lives).
- The government has had a strong telework mandate for years now, but the scope of outfitting every employee with government-furnished equipment (GFE) at home is cost prohibitive. And requiring a GFE doesn’t fit how today’s workforce operates nor does it address the need for emergency ad-hoc access.
- Many agencies’ continuity of operations plans aren’t practical, as they require a “check-out of GFE resources”. Two years ago, during the Potomac River floods, many of our agencies were under water and unable to supply GFE to their workforce; the same was true during Hurricane Katrina.
- A younger workforce, or “Echo Boom” generation, doesn’t want to use GFE; they want to use their personal systems! The ability to utilize a platform of choice is increasingly a recruiting/retention issue – especially with mobile devices. The US Government is expected to lose 70 percent of its existing workforce by 2011 and needs to address all of the factors that lead to attrition. This is one of the largest issues in government. (See my recent blog posting.)
Aside from the mounting pressure for unfettered access, security concerns for government systems often greatly exceed those of civilian systems. How do you hand someone a laptop with a large hard disk, give them access to a wealth of information, allow that information to be distributed and maintain needed security controls? Even with encrypted hard drives, the control of physically distributed data continues to lead to data loss and distribution worries. The root problem transcends the GFE vs. personal debate.
The reaction we’re seeing from the government in disallowing the use of personal systems and tightly controlling GFEs is indicative of a bigger problem: the client/server computing model implies the deployment of a “trusted client”. Increasingly, the inability to provide and maintain a trusted client at all times has resulted in data loss and compromise. It’s because the “trusted client” model does not allow for the security controls that are necessary and essential for a distributed workforce.
To accommodate security for today’s distributed workforce, consider a model where defined applications and services are delivered – not deployed. By adopting the delivery model, stringent controls can be applied to applications and desktops that remain under the protection of the datacenter, with only keystrokes, mouse clicks, and screen refreshes traversing the network. In this delivery model, authentication, logging, and the ability to copy, paste and print can all be controlled on an application-by-application and user-by-user basis. Combined with the abstraction and isolation of virtualization, resources and systems are separated from each other by a security boundary that allows sensitive data to be accessed from personal systems without ever residing on them.
Embracing delivery and virtualization allows the government (and other organizations) to provide users the freedom of a “platform of choice” and the organization to maintain the required security controls. Don’t make a federal case out of the laptop debate – deliver a solution that truly addresses the underlying needs.
[by Kristin Taylor and Kurt Roemer]