Baird Cowan, chief technology officer at the California Department of Consumer Affairs (DCA), and Jose Jaramillo, agency IT risk officer at the California Labor and Workforce Development Agency (LWDA), agreed the workplace landscape is transformed far beyond where it was three years ago. But, in a conversation Oct. 20 at the California Cybersecurity Education Summit, hosted by Government Technology magazine*, the two said that presents opportunity along with risk. Among the takeaways:
- User adoption and training are essential. Asked by panel moderator Mike Driessen, vice president of subscription services at e.Republic* and publisher of Industry Insider — California, how DCA is reconfiguring its infrastructure to support hybrid work, Cowan said that journey has been underway for about a decade, moving from on-prem to California Department of Technology data centers. The COVID-19 pandemic’s sudden emergence, though, meant a quick pivot from, essentially, that one data center to “2,500 data centers or endpoints throughout the state of California” as workers were sent home. “That was a herculean effort,” Cowan said. Officials quickly created the virtual desktop infrastructure (VDI) environment they needed, bought thousands of laptops; and, slightly farther along in the journey, stood up an “always-on” virtual private network (VPN) and required mandatory multifactor authentication (MFA) for access.
“That transition was multiple phases, multiple steps. It just fell on our laps, all of a sudden, like the rest of you. And getting, getting VDI was crucial for us to get it up and running so we can secure that,” Cowan said. “But I think the No. 1 challenge during that time was probably user adoption and user training.” Currently, he said, staff in IT work in the office one day a week, and this may continue. - Security is a shared responsibility. Jaramillo said LWDA’s path into the pandemic was somewhat similar to that of DCA – and officials took the approach that it was “just an extension of a perimeter” – albeit a more nebulous perimeter where leaders might not have had access to hardware and Internet service providers in staffers’ homes. “But we’ve come a long way,” Jaramillo said, indicating remote endpoint protections have been enabled to shut down questionable activity by potential bad actors, along with remote patching, MFA and strong passwords. Officials are asking staff to do their training, to verify devices are up to date, to report anomalies and phishing. “Make sure your information’s current; we may need to get ahold of you really quick,” Jaramillo said.
- Don’t click; report first. The department has some shared inboxes with multiple monitors, Cowan said, but leaders continue working to remove email addresses from its website to avoid scraping. And officials continue working closely with staff to educate them on how to avoid spam and phishing and to impress upon them that if an email looks questionable, they shouldn’t click. Filters are in use, to wrap URLs and links in emails so that if readers click through, they’re checked – but education is vital.
“We’ve ... implemented some of the vendors’ recommendations on some of those. But it’s still getting them to report first,” Cowan said. “If you have a question, report first, it’s a constant struggle.” - Cloud offers security opportunities, risks. Cloud has enabled DCA to operate always-on VPN, Cowan said – without the “bigger pipes” needed to support all its new users when the department went remote: “The cloud has enabled us to ... put those security products, those security devices ... firewalls and secure IPs all in the cloud,” he said. The challenge, Jaramillo said, is ensuring everyone from department to vendor is on the same page on domain policies, their application in the cloud, and endpoint protection. “There's additional exposure there. We’re targeting it with a targeted risk assessment, whatever technology you want to bring up,” Jaramillo said. “And we're going back ... we're identifying those risks, trying to prioritize that mitigation and tracking into closure.”
