State and local agencies can make it easier and safer for their employees to work remotely, with identity and access solutions that validate the security of devices connecting to the network. Increasing the degree of visibility on how remote devices are configured will go a long way to reduce network risks, especially for those who may need to use their own devices, say security experts.
If there isn’t a sense of security around a device that belongs to and is managed by an individual, IT security teams need to assess trust at the time of need, explains Sean Frazier, advisory CISO, federal, for Duo Security.
Once CISOs and IT leaders have that kind of visibility, they’re often amazed at the number of devices they were not aware of. Amazement turns to alarm, however, when considering the number of devices that put an organization at greater security risk, says Bart Green, vice president for state, local and education markets at Duo Security.
Green and Frazier also share steps agencies can take to deal with unsecured remote devices in the second in a series of podcasts called “Speed to Security,” produced by StateScoop and underwritten by Duo Security:
The challenge to accommodate employees working remotely
Green says that historically, a lot of state and local agency employees were using a device that was managed or owned by the organization. Now, probably for the first time, a majority of their users are coming into applications from outside the network – some with their own personal device.
“The new challenge now is, anytime a user is utilizing a device that is not managed by the organization, it can put the organization at risk,” he says.
Simplifying the process to integrating IAM platforms
“Chances are you’ve already got some of the bones, or some of the building blocks of these capabilities in the infrastructure,” to protect against unsecured devices, Frazier says.
“You’re taking stock of your security inventory. You’re building [identity and access tools] in for the long-term, and leveraging the investment you’ve already made,” he explains. But agencies also need to build in added capabilities, like leveraging multi-factor authentication and basic security hygiene practices with users, he says.
Tools and controls for better insight into risk
Having a modern solution that provides an integrated view of security risks at speed is an important factor to consider, Green says.
When “you get immediate visibility into every single device accessing the application, you get insight into the devices that are healthy [and] that are unhealthy and then from there you can start making decisions on putting policies in place to determine who, what and when you’re going to allow access,” he says.
What a holistic security strategy can look like
Green cites the example of one U.S. county that was able tighten up security controls across the organization based on four criteria.
First, that the user’s browser was up to date. Second, to ensure the operating system was up to date. Third, to see if that device had antivirus software installed. And finally, to not only validate that the user was located within the state, but if they were accessing the network from outside the county, the system would flag that activity for the security team.
Bart Green has more than 20 years of experience in public sector technology, including executive roles and J.D. Edwards, Lawson Software, Workday and most recently Duo Security, now a part of Cisco Systems.
Sean Frazier is a veteran systems engineer dating back to the days of Lotus Development, Netscape, OpsWare and MobileIron before joining Duo Security.
Listen to the podcast for the full conversation on making access safer for your workforce. You can hear more coverage on the “Speed to Security” series on our StateScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.
This podcast was produced by StateScoop and underwritten by Duo Security.