When the pandemic broke the traditional security model
Wendy Nather is head of advisory CISOs at Cisco’s Duo Security. She has served leadership positions in security for a number of organizations including Retail ISAC, 451 Research, the Texas Education Agency and for the EMEA region of Swiss Bank Corporation’s investment bank.
When IT professionals originally designed enterprise security controls, the thought was we would be the only ones deploying the technology and controlling how it was used. We had all the knowledge, so we made all the rules. That included issuing and managing devices, writing software and running the servers. We pulled all the cables and controlled the environment.
None of that is working out as well as it used to, particularly in state government, where the users don’t always work for a given agency — they may be regional support centers, nonprofits, health care institutions, higher education or citizens. This puts government IT in the position of safeguarding federal, state and local data without actually having direct control over it.
The pandemic and the mass shift to working from home are a driving force for the IT community to reconsider its security assumptions. Fundamentally, the community needs to address the health of the devices connecting to agency resources.
The traditional model assumed that organizations would push security updates from a centralized location. However, now that IT has become so distributed, this model is no longer sustainable. It wasn’t tenable for third parties and citizens anyway, but even agency staff are having to make do with whatever equipment they can find or repurpose. If you can’t manage it, you can’t directly control security on it. Enforcement by contract is not a viable answer either, when vulnerabilities on an endpoint can appear and lead to a quick compromise.
With remote work came a loss of network visibility. Agencies generally lacked the means to fully assess the trustworthiness of endpoints accessing their networks, using security policies and controls that relied in large part on physical proximity. Work-around efforts to purchase VPNs and distribute government-managed devices often fell short due to licensing and supply chain shortages.
This loss of control and increase in remote user demand, consequently, necessitates a more concentrated effort to establish the principles of zero trust.
If you can’t manage and control what devices and networks people are using, you must require users to take responsibility for maintaining the health of their own devices. If you can’t scan a device on a regular basis, then scan it when it’s connecting to your agency-controlled resources and enforce your own security requirements at that point in time.
Zero trust means that agencies need to take a collaborative security approach with the end user and give them the means and incentives to keep their devices secure. Designing security to be adopted — rather than enforced — fits more in line with the way people use technology today.
Almost everyone has become a technology consumer these days. It’s time that the security model reflects that. Part of putting the responsibility on the user is taking away the centralized management mechanism that forces a laptop to reboot. Doesn’t that often happen right when you’re in the middle of something? It’s a frustrating part of centralized security.
A collaborative security model seeks to create a culture that makes security more accessible. Duo Security, for example, works to simplify and redesign security controls, and one way we do this is by focusing on device health.
The Duo Device Health Application looks at the security state of a device, but it doesn’t manage it. That is a big differentiator that is deliberately designed so users know the endpoint application is only looking at the security state of the device, know it cannot make changes or deletions, and know it won’t do anything else that will compromise their privacy.
For agencies, this tool provides certain security assurances because they can set the requirements a user must meet to log in to a specific resource.
The tool doesn’t force the user to do something with their system that they never wanted to do. All it does is alert them that the health of their device may be compromised because they are missing an important update, or the appropriate browser on their operating system. It just says you can’t get in until you meet certain requirements.
The agency can set a timeframe for the user to make changes. It could be two days or two weeks, and if they don’t make the change, they can’t access the resource. This puts the responsibility on their end, but they can update on their own time.
At Duo, we’ve seen this approach practically applied as part of an organization’s incident response portfolio. If they’ve discovered a vulnerability in software that is being actively exploited, they can narrow the window in which the user must update their device, depending on the threat level.
Agencies can also set different requirements for different applications. If a user is checking public pages, it may not matter what the state of the device is. But if an administrator is logging into a human resources system, they should be completely up to date. For some systems, the user may have to be working on an agency-issued device.
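As an added illustration, not Duo's product code or its policy schema, the following Python sketches the access decision described in the preceding paragraphs: per-application requirements checked at login time, a grace window in which the user is warned rather than blocked, and an incident-response option to shorten that window. All application names, version numbers and dates are constructed.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

@dataclass(frozen=True)
class DevicePosture:
    """Constructed snapshot of what a health check observes at login time."""
    os_version: tuple           # e.g. (14, 2)
    browser_version: int        # major version
    agency_managed: bool        # agency-issued / enrolled device

@dataclass(frozen=True)
class AppPolicy:
    """Per-application requirements; None means 'no requirement'."""
    name: str
    min_os: Optional[tuple] = None
    min_browser: Optional[int] = None
    require_managed: bool = False
    grace_days: int = 14        # window to remediate before access is cut off

def find_gaps(policy: AppPolicy, posture: DevicePosture) -> list[str]:
    """List the requirements the device currently fails (posture is only read, never changed)."""
    gaps = []
    if policy.min_os and posture.os_version < policy.min_os:
        gaps.append(f"OS {posture.os_version} below required {policy.min_os}")
    if policy.min_browser and posture.browser_version < policy.min_browser:
        gaps.append(f"browser {posture.browser_version} below required {policy.min_browser}")
    return gaps

def evaluate(policy: AppPolicy, posture: DevicePosture,
             first_failed: Optional[date], today: date) -> tuple[str, list[str]]:
    """Decide 'allow', 'warn' (inside the grace window) or 'deny' for one login attempt.
    first_failed is when this device was first seen out of compliance for this app."""
    if policy.require_managed and not posture.agency_managed:
        return "deny", ["agency-managed device required"]   # no grace window for this rule
    gaps = find_gaps(policy, posture)
    if not gaps:
        return "allow", []
    deadline = (first_failed or today) + timedelta(days=policy.grace_days)
    if today < deadline:
        return "warn", gaps + [f"update required by {deadline.isoformat()}"]
    return "deny", gaps

def tighten_for_incident(policy: AppPolicy, days: int) -> AppPolicy:
    """Incident response: shrink the remediation window without touching other rules."""
    return replace(policy, grace_days=min(policy.grace_days, days))

# Constructed sample policies: public pages have no requirements; an HR system is strict.
PUBLIC_PAGES = AppPolicy("public pages")
HR_SYSTEM = AppPolicy("hr", min_os=(14, 2), min_browser=120, require_managed=True, grace_days=2)
```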
Duo Security has a mission to democratize security, and that is what we strive to help our partners achieve through this health application. And frankly, I think that’s a better relationship for what state governments have to deal with because they can’t enforce security updates with citizens as they expand digital offerings for services.
In a digital society, security has to be basic knowledge — which means that organizations have to simplify the experience for users and open up the culture.