Dug Song, co-founder and general manager at Duo Security, now a part of Cisco, is widely recognized as a pioneer in cybersecurity circles. He built the first commercial network anomaly detection system (now owned by Check Point Software) and has successfully launched a number of leading technology companies.
In this StateScoop interview, Song highlights how state and local government agencies can overcome some of the security challenges — and find a potential silver lining — in the sudden shift to support remote workers.
StateScoop: Given how the world has changed, and how virtually every organization has had to pivot to support a remote workforce, where should state and local government agencies concentrate their efforts to keep their employees digitally secure?
Dug Song: Organizations are having to retrain themselves from the inside out on how to deal with a much broader attack surface.
At the state and local level, unfortunately, it’s meant scrambling to figure out how to even get computers for people who may need them to log in from outside an office and figuring out how to manage this expanded BYOD situation, where you have a bunch of at-home workers potentially having to use their home devices. That clearly represents the largest exposure many organizations have ever seen.
The Center for Internet Security and MS-ISAC (Multi-State Information Sharing and Analysis Center) provide a valuable framework for how state and local governments should be thinking about the basic elements of security. In particular, focusing on identity: knowing who your users are and where they are; having visibility into their devices to make sure they are configured securely; and having policies to disable access and control various environments without ever having to think about it. Now, they also have to deal with these mixed environments that they didn’t have to deal with before, like bridging access between home and work.
It would seem identity management and “zero-trust” strategies have never been more important. How can agencies keep up, given all these new and not-always-secure devices accessing their networks?
I think zero trust is something that was aspirational before its name became popularized. As a maturity model, we may be just at step one for now, with multi-factor authentication becoming commonplace, for instance.
I believe this crisis will force every organization in the world to take a bigger leap — to establish and reinforce a zero-trust environment — where they can’t necessarily trust the security of their users, especially when they’re trying to access applications from untrusted devices.
How can agencies ensure the safety and security of employees when they can’t actually manage the devices they use?
All these governments are going to have to figure out how to provide differential access, based on whether you’re coming from, say a home PC that your kids might also be using or a personal smartphone. They may say “maybe we’ll give you access to these three applications, but not the 10 that you usually use.” And of course, you need to know who is on the other side of that connection.
The second concern is device health and having visibility into each endpoint. That’s a basic and fundamental problem for many organizations. If you can’t see it, you can’t protect it.
An important component of this is for organizations to check the posture of endpoints remotely even when the endpoints are not connected to corporate networks. They need to be able to do this in a non-invasive way without compromising on privacy.
And third is really the ability to provide adaptive access — to understand the context in order to provide trusted access to the right users, using the right devices in the right way.
Proper identity and access management controls allow you to set up remote workers much faster and more securely than more traditional strategies.
Where do you see the upsides in this surge to telework?
It’s forcing a lot of organizations to look at other ways to modernize — and consider opportunities to shift work to the cloud where people can rendezvous, virtually, and collaborate.
And we’re seeing folks rethinking how they work outside of the constraints of their office environment — and reexamining the tools and applications they use and how they collaborate. There’s a certain degree of creativity that comes from having the ability to work asynchronously. I’m curious about how much of this will stick.
How do you see that impacting the operations of state and local government IT departments?
Obviously, this is a different experience for all of us as end users. And it’s a different experience for organizations’ IT administrators, who have to figure out how to manage all of this remotely.
This could give organizations a new blueprint for how to think about managing IT — and how can they automate some of these workflows.
That’s a large part of what we’ve also worked very hard to do: deliver automated onboarding and a self-service model that allows users to enroll, remove, reset or self-remediate devices in minutes, all without calls to the help desk, thereby cutting deployment and management costs. We do this all in a scalable, software-as-a-service model.
These platforms can give a small IT team an outsized impact on their organization.
There are a lot of beleaguered, unsung IT folks out there right now, trying to figure out “What do I do now?” The good news is, there are vendors out there like us that spend a lot of time thinking about how to automate and scale their organization’s technology.
This article was produced by StateScoop and underwritten by Duo Security.
Learn more on how Duo Security can help your organization accelerate your zero trust and identity and access management initiatives.