Telework is here to stay for the foreseeable future, and state and local agencies continue to build on their efforts to support the remote workforce. One of the security questions that should be top of mind for IT leaders is whether their employees are accessing critical applications from trusted devices.
In a new podcast, security experts discuss how the pandemic is testing the boundaries of security, including identity authentication.
One solution agency leaders are considering is to provide employees with laptop or mobile devices that are owned and managed by the organization, not the end user, says Bart Green, vice president of state, local and education at Cisco’s Duo Security. However, that adds to the strain on IT resources.
And if agencies can’t find a way to offer a simple, consistent secure access experience across all their applications, it will only add to the burden on their security teams, says Sean Frazier, advisory CISO, federal at Duo.
Green and Frazier discuss what agencies can do to make sure security authentication keeps pace with current workforce needs in this podcast — the third in the “Speed to Security” series — produced by StateScoop and underwritten by Duo Security.
How the pandemic is redefining telework
Supporting a large remote workforce for so long is challenging. Though some agencies and organizations did better than others in making quick cloud decisions around applications, leaders should be thinking about a consistent security infrastructure, Frazier says.
Regardless of whether a user is sitting behind a desk inside the agency, or logging on from home or a coffeehouse, agencies need to make sure they’re providing a common security experience.
“Public sector organizations have such a diverse user population, so the more a security solution can simplify the implementation, the more that solution can simplify the change management aspect and rollout to the end users,” adds Green.
He explains that security needs to cover long-term needs, not just a point solution for a specific use case. So, IT leaders “need to take a look at their entire application landscape and determine how to best protect them.”
The role of virtual private networks and security authentication
VPNs will continue to have a place in an organization’s security portfolio, Frazier says. When a user is sitting outside the network and the application is outside the network, it still needs the same level of protection.
“As long as applications are sitting behind the firewall — and you need access to them — a VPN makes perfect sense,” he shares. “The important thing to think about with a VPN is it’s just an access method. There [is little difference] than going directly to an application over the cloud.”
But that doesn’t exclude the need for stronger authentication standards, like two-factor or multifactor authentication (MFA). Green says organizations have come a long way over the last few years in adopting at least a portion of MFA within their infrastructure. But more can be done to expand MFA across all of their critical applications.
“I think a lot of [agencies] got started by just protecting maybe one or two applications, whether through a VPN, or single sign,” says Green. “The next step for our public sector organizations is to protect all these critical applications,” which moves from a single use case and expands security out to all applications.
The future of security and authentication
Frazier explains that authentication is an evolutionary process. For example, multifactor authentication was adopted to protect users in a password-only world that wasn’t nearly good enough to protect them from attackers. That evolved into adaptive multifactor authentication, which applies policy and device posture to the process.
In the future, Frazier says leaders need to pay attention to the evolution of passwordless security.
“We’ll still need an adaptive policy posture, but we won’t need to protect the fact that we’re relying on a password. Passwordless is an area of investment that Duo Security is making to provide open standard technologies like WebAuthn, and to make the authentication experience and the security better for users.”
Bart Green has more than 20 years of experience in public sector technology, including executive roles at J.D. Edwards, Lawson Software, Workday and most recently Duo Security, now a part of Cisco Systems.
Sean Frazier is a veteran systems engineer dating back to the days of Lotus Development, Netscape, OpsWare and MobileIron before joining Duo Security.
Listen to the podcast for the full conversation on making access safer for your workforce. You can hear more coverage on the “Speed to Security” series on our StateScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by StateScoop and underwritten by Duo Security.