Helping the Public Sector Drive Innovation and Security

Posted on March 21, 2023

The public sector, sometimes perceived as a vertical that is slower to adopt new technologies and IT approaches than private enterprise, has in fact largely switched over to standard corporate tools like SaaS applications, business collaboration platforms, and virtual meeting solutions like Zoom and Google Meet to drive productivity. These apps reduce costs, help manage data and IT functions, and enhance communication and collaboration between employees, external contractors, and constituents. For example, the City of Los Angeles’s 100,000 employees use Microsoft 365, Business France has adopted Salesforce and the European Patent Office conducts opposition hearings on Zoom.

The public sector has also increasingly turned to public-facing private web apps to automate and streamline delivery of government services. “Appifying” services reduces staffing costs while allowing citizens and businesses to accomplish administrative tasks without delay, at their convenience, from home or work.

Risks Associated with Increased App Use

While use of powerful applications can help streamline government functions and increase efficiency of public service provision, it also entails some significant cybersecurity risks. These include:

Meeting-Enabled Risks

Online meeting platforms are valuable productivity tools but they present unique risks, too. Employees may share sensitive information within virtual meetings, in chat, screen shares, or even during video meetings, if physical whiteboards, screens or pages happen to be visible in the background. Also, cyber criminals can gain access to user IP addresses exposed by meeting apps; deliver malware via links in chats; and gather sensitive data as uninvited—and unwanted—attendees. For these reasons and more, many defense agencies bar virtual meeting use.

BYOD and Unmanaged Devices

A significant benefit of web apps is their anytime, from-anywhere availability—a contributing factor to their growth during the recent pandemic. But while simplifying access for users working on BYODs and third-party contractors is key for enabling remote work, use of unmanaged devices creates grave risks since unmanaged devices lack rigid security controls. As a result, attackers can more easily gain access to those devices and use them to steal user credentials and/or access apps to find data, move laterally through networks, and establish persistence.

Unauthorized Access

SaaS applications are accessible from anywhere with an internet connection. Cybercriminals may gain access via stolen credentials or credential stuffing attacks. Even agencies that follow best practices and require users to sign in with multi-factor authentication are vulnerable to attacks due to relatively new hacking techniques in which session cookies are stolen. In addition to risks of data breach, if user policies are not properly set, hackers may perform unauthorized operations, alter data and permissions, introduce malware or otherwise wreak havoc.

Shadow IT

Use of Shadow IT by public sector employees poses a particular risk for government agencies. With workplace and personal apps operating side-by-side in users’ browsers, without proper controls it is simple to copy data from one tab and paste it into another. Whether for innocent (but misguided) purposes, such as continuing work on a project from home, or for malicious purposes, strict controls are necessary to protect sensitive information held by government agencies. This is a particular risk with unmanaged devices, which lack browser controls to limit copy/paste and print functions, and might be infected with keyloggers or other malware.

Securing SaaS and Browsing Activities for the Public Sector

The advantages of using SaaS applications are clear but public sector agencies must implement ways to secure them. Here are some solutions that can help:

Securing Virtual Meetings

Virtual meeting solutions such as Zoom, Microsoft Teams and Google Meet are complex applications that require seamless integration of multiple functions, including video, audio, chat, and screen sharing. Most security solutions cannot effectively protect these applications.

ZTEdge Virtual Meeting Isolation (VMI) provides isolation-enabled protection for organizations that use Zoom or similar meeting apps. With VMI, meeting functions – video, audio, chat and screenshares – are all isolated within a secure cloud-based environment on the Ericom Global Cloud.

Granular browser controls restrict who can share videos and screens, and which data can be shared. VMI also applies Data Loss Prevention (DLP) controls to prevent confidential information from being inadvertently or maliciously disclosed through screenshares or passed in chats, even chats that are end-to-end encrypted (E2EE).

Additionally, VMI extends isolation capabilities to all meeting participants, not just those within the organization, to prevent unwanted eavesdropping. To protect from malware, malicious links are disabled, even in encrypted meeting chats. To maintain privacy and security, participant endpoint IPs are obscured to prevent network compromise.

Preventing Unauthorized Access

RBI (Remote Browser Isolation) solutions can also help protect users from common credential theft methods, such as phishing attacks and keyloggers. By opening unknown sites that may be spoofed or used for credential theft in read-only mode and air-gapping user devices from websites, they block malware from infecting endpoints and networks. RBI prevents malicious actors from accessing user browsers to steal session cookies and thus also protects against new methods of bypassing multi-factor authentication (MFA).

Isolation can also be applied in reverse to protect the public-facing surfaces of government and public sector agency apps. Ericom’s ZTEdge Web Application Isolation (WAI) cloaks app surfaces from threat actors seeking vulnerabilities to exploit, protecting apps from attack and preventing cybercriminals from breaching government systems via their apps.

Securing Unmanaged Devices – Employees and Contractors

To protect government networks from the dangers of unmanaged devices, such as those used by contractors and employees’ BYODs, WAI can act as a type of clientless Zero Trust Network Access (ZTNA) solution, applying web-based controls that transform the browser into a crucial control point. From unmanaged devices, users may log in to agency web apps solely via their organization’s dedicated tenant on the Ericom Global Cloud: Logins from any other IP address, even with valid credentials, are simply blocked.

Within the cloud, WAI restricts in-app user access and activity based on security posture elements including user identity or group. Isolation is applied to ensure that any malware that is present on user devices cannot reach SaaS or private agency apps. Additionally, WAI restricts data capture functionality, such as clipboarding, printing, and downloading, and provides visibility into user access to SaaS apps.

Addressing the Dangers of Shadow IT

Isolation-based solutions—both RBI and WAI—go a long way to addressing the risks of shadow IT. By combining policy-based controls of browser functionality and in-app activity with DLP restrictions on what can be shared and uploaded to instant messaging apps or private accounts, Ericom ZTEdge solutions protect agency assets without imposing the kinds of IT restrictions that inconvenience users.

To learn more about protecting your public sector agency’s digital assets and apps from malware, ransomware, phishing and breaches, download our free “To Secure the Public Sector from Cyberattack, In Zero We Trust” white paper.


About Nick Kael

A cybersecurity expert with over 20 years of experience in web technologies, architecture, infrastructure, networking and dev environments, Nick is responsible for solution management, technology strategy and technology partnerships. Nick was previously Symantec Group CTO for Global Service Providers, following his tenure as Director of the Chief Architect Team for Channel and Service Providers at Zscaler and an earlier position in the Symantec CTO organization. His certifications include CEH7, CCSK, BCCPP, Bluecoat Blue Knight, MCSE + Security, CCDP, CCNA, CCSA, VTP5 and VTSP5.
