StateTech Magazine - Technology Solutions That Drive Government en Governing from Home: Best Practices for BYOD Agency Telework <p>State and local governments across the country have moved to <a href="" target="_blank">unprecedented full-time remote work</a> over the past few months, migrating practically overnight from highly monitored networks to less secure home internet connections. This transformational shift in the way state and local governments operate creates a host of new security and risk management challenges. </p> <p>BYOD is a major concern. When government workers use devices for both personal and professional functions, sensitive work-related documents sit next to social media, messaging, games and potentially malicious third-party applications. It’s difficult to micromanage employee security practices on personal laptops or phones, even with the right policies in place.</p> <p>As a result, state and local governments need a strategy built on the right policies and immediately implementable tools to provide secure remote access within their organizations.</p> <p>To start, establish a clear BYOD and remote access policy by defining employee, manager and IT administration responsibilities. IT teams should also begin with an assessment of security tools as well as the technology infrastructure to ensure the most secure and appropriate technologies are used. Selecting technologies that have security built in versus added on can lower risk while protecting data. When developing your organization’s policy, industry guidance such as <a href="" target="_blank">the National Institute of Standards and Technology’s framework</a> for telework can help. </p> <p>Communication is also key. Keep employees informed about best practices, including new updates to operating systems and approved applications, such as web browsers, email clients, instant messaging clients and security software. 
</p> <p>Educate workers on ways to keep their devices safe, like controlling device access by setting a unique PIN and automatically locking a device after an idle period. Networking capabilities, such as Bluetooth and near-field communication, should also be disabled except when needed.</p> Christopher Montgomery Virtual Tour Technology: How State and Local Governments Use It <p>Throughout the spring, as state and local governments shut down or closed museums, parks and other public gathering places to help slow the spread of the coronavirus, millions of people were unable to physically visit their favorite attractions.</p> <p>However, they were not entirely shut out. Thanks to virtual tour technology, state and local governments have been able to give residents access to such sites and buildings. The technology, which can provide users with a 3D virtual tour or a 360-degree tour experience, can help keep residents connected to their local haunts and lay the foundation for future visits, which can drive revenue for state and local governments.</p> <p>Such technology may be less pressing now, as states start to reopen their economies and sites that have been shut down. However, if governments re-enact lockdowns in response to a second wave of the virus, or if residents do not want to go in person to sites because of health concerns, virtual tour technology will be a go-to option for many agencies.</p> <p>“The virtual tour is a fantastic opportunity for people to research, watch that dream,” Melissa Norris, travel adviser for AAA Club Alliance <a href="" target="_blank">tells</a>. “It might be somewhere they’ve never been before, it might be somewhere they want to go. 
That’s the best way to check out a destination and listen to the professional guide talking about all the awesome things that you can see and do and put that on your bucket list.”</p> <p>State and local governments have been using virtual tour technology to give users access to everything from state parks to state-funded museums and official state and local buildings. </p> Phil Goldstein 4 Steps for Installing Microsoft Remote Desktop Services <p><a href="" target="_blank">Microsoft</a>’s <a href="" target="_blank">Remote Desktop Services</a> is a widely used desktop virtualization product. RDS provides users with <a href="" target="_blank">a Windows client desktop</a> that is shared among other users on <a href="" target="_blank">Windows Server</a> and allows administrators to provide a Windows desktop experience for many users at once, using one or more servers and a Remote Desktop Protocol client.</p> <p>As such, RDS is a valuable and widely available tool for operations continuity, empowering government workers with the capabilities to function both in the office <a href="">and away from it</a>.</p> <p>With two servers, administrators can set up an entire RDS implementation in only four steps.</p> <h2 id="toc_0">1. Install RDS Base Roles</h2> <p>A typical RDS implementation has five roles: RD Connection Broker, RD Web Access, RD Session Host, RD Licensing and RD Gateway. </p> <p>Think of the RD Connection Broker, RD Web Access and the RD Session Host roles as base roles, which need to be installed on the primary RDS server.</p> <p>Within the Add Roles and Features wizard, select Remote Desktop Services installation using the Quick Start option on Windows Server. The RDS wizard will then serve as a guide to installing all of these roles at once.</p> <h2 id="toc_1">2. Install the Licensing Server</h2> <p>From within the Server Manager application, add a server to manage what will become a licensing server. 
Navigate to Remote Desktop Services and click on the green plus sign for RD Licensing. From there, add the other server under the Add RD Licensing Servers screen.</p> <p>Once Windows installs the licensing server, a green plus sign should be visible above RD Licensing in the RDS Deployment Overview section.</p> Adam Bertram Election Day Is Less Than 6 Months Away. Now Is the Time to Instrument Infrastructure <p>Elections have two critical components. The first is visibility and transparency to the participants. The second takes place behind the scenes and <a href="" target="_blank">may not be apparent to the participants</a>. </p> <p>Voters see how computers have become more important to the election process, whether for collecting individual votes, tallying totals, transmitting results or displaying outcomes. What they have not seen is how these processes take place. </p> <p>It’s impossible to address all network security monitoring components of the election process in a few hundred words, but the overarching role of the network is worthy of an assessment. </p> Richard Bejtlich VDI Serves Up a Uniform Experience for Teleworkers <p>In March, as the coronavirus crisis spread, IT departments at state and local agencies everywhere <a href="" target="_blank">suddenly had their work cut out for them</a>. Charles Ash, deputy director and CIO of the Division of Information Technology at the <a href="" target="_blank">Ohio Department of Transportation</a>, recalled the marching orders for his team involved rapidly equipping ODOT’s office-dependent employees with the tools they needed to do their work remotely.</p> <p>“The good news for us was, we’d already been heading in that direction because so many of our customers had been requesting mobility applications” that would allow them to access agency systems no matter where they happened to be, Ash says. </p> <p>“We have a mantra around here: ‘Any app, any device, from anywhere there’s an internet connection,’” Ash says. 
They weren’t exactly ready to transition their entire workforce out of ODOT’s offices and into people’s homes. “But we did have what we needed to do it, and in the end it only took us about three days.”</p> <p>Key to the department’s success was <a href="" target="_blank">virtual desktop infrastructure</a>, or VDI.</p> <p>According to <a href="" target="_blank">Andrew Hewitt</a>, an infrastructure and operations analyst with Forrester, VDI solutions using on-premises servers have been popular among early adopters of the technology with highly skilled and well-staffed IT teams. “Traditionally, it’s worked very well for organizations like that. They’ve seen it as an effective way to manage their PC fleets, and as a secure solution for remote working because it prevents the need for data storage on endpoint devices,” he says.</p> <p>This trend has shifted in the past few years, Hewitt says, as cloud-based VDI solutions have come on the market, making the technology more accessible to a wide range of organizations, including state and local governments, which have increasingly adopted the technology. </p> <p>“With cloud-based VDI, the major advantages are around scalability and cost savings,” mainly because it allows IT teams to shift focus from server management. “You save on staffing, and you save on time. You get additional flexibility, and you don’t need as many resources for implementation as you do when you go with one that’s on-premises,” Hewitt says.</p> Chris Hayhurst 5 Steps to Proactively Address Unauthorized IT Among Workers <p>The term “<a href="" target="_blank">shadow IT</a>” has been around for several years — and for years, it has challenged IT departments. The practice of using applications and systems without the explicit approval of IT staff, or sometimes even without their knowledge, poses real risks for a government agency, particularly now that more employees are working from home. </p> <p>Shadow IT is widespread in government. 
Several years ago, Skyhigh Networks <a href="" target="_blank">found that the average agency was using 742 cloud services</a> — about 10 to 20 times more than the IT department was managing. With the pervasive nature of cloud-based services and the popularity of hybrid cloud environments, the Cloud Security Alliance believes the situation is likely much worse today. </p> <p>The Everest Group <a href="" target="_blank">reported last year</a> that dismantling shadow IT accounted for 50 percent or more of IT spending in large enterprises.</p> <h2 id="toc_0">Shadow IT Can Lead Down a Slippery Slope</h2> <p>Shadow IT grows due to lack of awareness, both on the part of the user and the IT department. A wide variety of tools are brought into the agency under the radar, without explicit IT approval or knowledge. </p> <p>A user needs something to get the job done and, without thinking, signs up for a web-based application: Need online messaging? Why not the same WhatsApp you employ for your personal life? Want to do a VoIP or videoconference call? If you’re a pro at using Zoom at home, use it at the agency as well. Need to transmit large files? It’s easy to sign up for a Dropbox account, <a href="">particularly when you’re trying to get the job done remotely</a>. But in each of these scenarios, no thought is given to control, management or security. Self-reliance is often a virtue, but not when it puts the agency at risk. </p> <p>The IT department may be blind to the issue, with no clue how many unauthorized apps are being used, particularly when those applications are connecting from a home office. It’s not just a question of the apps’ security — frequent reuse of login credentials, weak passwords and phishing attacks leave user accounts on unauthorized services ripe for exploitation; by extension, the agency itself is at risk. 
</p> Tanya Candia How States Can Secure Public Health Telehealth Deployments <p>At a time when public health departments have been stretched thin by the coronavirus pandemic, telehealth solutions have helped ease the strain by connecting doctors remotely to patients. That has been especially useful during a time when everyone has been advised to maintain social distancing to help reduce the spread of the virus.</p> <p>The Health Resources and Services Administration at the U.S. Department of Health and Human Services <a href="" target="_blank">defines telehealth</a> as “the use of electronic information and telecommunications technologies to support and promote long-distance clinical health care, patient and professional health-related education, and public health and health administration.” Technologies include videoconferencing, the internet, store-and-forward imaging, streaming media, and landline and wireless communications. </p> <p>In March, the HHS Office of Civil Rights <a href="" target="_blank">relaxed its rules on telehealth to increase its usage</a>. The office said it would use discretion when enforcing HIPAA compliance for telehealth communications tools.</p> <p>HHS said it would “not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”</p> <p>A covered health care provider that wants to use audio or video communication technology to provide telehealth to patients during the pandemic “can use any non-public facing remote communication product that is available to communicate with patients.” </p> <p>Still, it is critically important for public health departments and the healthcare providers they work with to provide as much security for telehealth solutions as possible. 
Such security technologies, including multifactor authentication, help ensure that patient data remains confidential and that patients have confidence in using such tools to get care. </p> Phil Goldstein The Value of Managed Endpoint Services <p>In nearly every industry, it’s almost impossible to imagine work getting done today without equipping employees with devices such as smartphones, tablets and laptops.</p> <p>As these end-user devices have grown more numerous (and more powerful), organizations and their employees have come to rely on them for virtually all aspects of their business. Previously analog workflows are now faster and more efficient, and employees can work from anywhere at any time, completing once-cumbersome tasks with the help of collaboration software and business apps that have drastically improved productivity.</p> <p>As enterprise device environments have grown, however, inefficiencies have inevitably crept in. Especially for large organizations, these inefficiencies can add up, with untold dollars being spent on underused devices and countless hours dedicated to unwieldy management processes. By optimizing their device environments, organizations can save money, enhance productivity and improve the end-user experience.</p> <p>This is easier said than done. But a comprehensive lifecycle management engagement such as Managed Endpoint Anywhere can simplify device provisioning and management, allowing employees and IT staff to get back to business.</p> <p><strong>Learn more by downloading our white paper: "The Value of Managed Endpoint Services"</strong></p> Review: Microsoft Surface Pro 7 Provides Powerful Support to Workers in the Field <p>Because state governments are directly connected to the people they serve, they have traditionally been supportive of teleworking and mobile technologies that allow employees to reach into their communities. 
Three main factors are needed to enable those interactions: mobile gear performing as well as office computers; reliable battery life lasting all day; and devices lightweight enough to carry for hours on end. The <a href="" target="_blank">new Microsoft Surface Pro 7 tablet</a> has got all of that and more.</p> <p>Despite its size, the Surface Pro 7 runs a full 64-bit version of <a href="" target="_blank">Windows</a>. Its Intel Core i5 processor didn’t blink when running business applications such as <a href="" target="_blank">Microsoft</a>’s SharePoint, Excel, PowerPoint and Edge, or more creative programs like Adobe Photoshop or video editing software. The Surface even scored as highly with benchmarking software as many powerful desktop systems. With an attached magnetic keyboard, which doubles as a protective cover, it’s not unlike working with a powerful laptop.</p> John Breeden II States Cannot Waver in Election Security Efforts <p>Election security concerns for state and local governments have not gone away during the coronavirus pandemic. In fact, they’ve only grown more urgent. </p> <p>Those concerns are mounting as states argue they <a href="" target="_blank">do not have enough leeway</a> to use the $400 million Congress appropriated for election security this spring, and “a coalition of more than 200 public-interest groups are pushing hard for Congress to include $3.6 billion for the 2020 election cycle in the next coronavirus relief bill,” <a href="" target="_blank">as <em>The New York Times Magazine</em> reports</a>.</p> <p>Some states are considering moving to online voting because of concerns about having residents congregate at polling places. However, that move is something <a href="" target="_blank">security experts are strongly cautioning against</a> because of cybersecurity vulnerabilities. 
<a href="" target="_blank"><em>The Guardian </em>reports</a> the Department of Homeland Security opposed such moves in <a href="" target="_blank">a draft guidance</a>, warning that casting ballots over the internet is “a ‘high-risk’ endeavor that would allow attackers to alter votes and results ‘at scale’ and compromise the integrity of elections.” </p> <p>The challenges posed by the pandemic are making a complicated security picture even more complex for state and local election officials. They need to remember <a href="">all of the election security concerns</a> that existed in January are still out there and are now more difficult to tackle — and they include malicious actors spreading disinformation and attackers targeting voting databases. All of those concerns need to be addressed between now and November. </p> Matt Parnofiello