This content is provided by Duo Security.
When you are on a long journey, it’s sometimes interesting to turn around and get a good look at how far you’ve come and take stock of the steps that got you here. It’s hard to imagine a time before the internet and before the smartphone, but it really wasn’t that long ago that we were able to live life, and work remotely, without these tools. Now we take these things for granted in our “always connected”, “always mobile” world. This new connected-ness gives us a much better canvas on which to paint our telework picture.
The same is true for our federal government’s IT modernization journey. The government has made much progress from a technological standpoint. But there is still work to be done from a cultural perspective to make telework a future that we can all achieve and that we all deserve. Mobile and cloud have focused a sea-change in capability but we still find ourselves trying to manage and support them the same way we had been supporting and managing technology for the past 20 years.
The fundamental building blocks are all around us. The pairing of cloud technology and truly mobile computing have given us scalable, reliable and secure workloads and the ability to work in any scenario, from anywhere, at any time. In the private sector, we’ve all become accustomed to video conferencing using FaceTime and Cisco Webex from our mobile devices. We’ve all taken conference calls and logged into web meetings from inside a Starbucks or sitting in the airport waiting on a plane and we’ve all used cloud-based services from these mobile devices, sometimes without even realizing or thinking about it.
Authentication technology has also evolved to make telework access more seamless. When we login to our devices or into a Webex session we are prompted by strong multi-factor authentication tied to our unique biometric identifier using FaceID, TouchID or the biometric sensor on our device of choice. Easy, frictionless and secure.
Managing the Extended Attack Surface
Mobile is the new normal for compute, but as we discovered in the Cisco 2020 CISO Benchmark report, organizations still struggle with how to manage and secure mobile devices. According to the survey, over half (52%) of respondents find mobile devices extremely challenging to manage. The good news is that we really don’t have to “manage” them – not every device, not all the time. We just have to manage and protect the access that may be initiated from these devices. We have to be able to do a quick security health check on an access request, for things like:
1) Is the device software up to date?
2) Is encryption turned on?
3) If a biometric control exists, is it enabled?
4) Are the security basics enabled (local firewall, etc.)?
If you can get a sense for these things at the time the access request is made (everytime) then you don’t need to worry about the device the rest of the time. After all, in this world of extreme telework, folks are going to have to be able to use their own devices in some cases. Not every agency or organization is going to have a stockpile of spare laptops or mobile devices to hand out and yet, workers still have to work. This is a perfect scenario for a zero-trust approach to security. Zero trust, by its very nature, is meant to reduce the attack surface to the request itself. Devices and users come and go, but with zero trust the access to the data is the focal point.
Building a New Foundation
The work being done today may feel like a scramble, but it is laying the foundation for the more telework friendly world that we all deserve (and, quite frankly, we need). Almost all of the work we do can be done from the comfort of our own homes. If we focus on the security basics, and make the consistent security choices for ALL access regardless of location, we are preparing for continuity under any circumstance. “Work” isn’t a building. “Work” isn’t a location. “Work” is being able to get your job done, from anywhere, on any device, at any time.
Author: Sean Frazier, Advisory CISO, Federal, Duo Security at Cisco