informa

Cybersecurity In-Depth

The Edge

Cisco's Ash Devata on Securing the Hybrid Workforce With Zero Trust

Hybrid work is here to stay, and organizations can apply zero trust's three core principles to ensure a secure workforce, Devata says.

The shift to the hybrid workforce -- some employees working from home or some other remote location, some employees back in the office, and some switching back and forth throughout the week -- has complicated enterprise security significantly. The attack surface for organizations have expanded, while visibility over the environment has dropped. In the latest Edge Chat, Ash Devata, vice president and general manager of Cisco Zero Trust and Duo Security, and Dark Reading's Terry Sweeney discuss how to enable the hybrid workforce with zero trust. (The transcript of the conversation is below. Click here to watch the video.)

Terry Sweeney: Welcome back to this series of Dark Reading Edge Chats. Terry Sweeney here with Dark Reading. Joining me now is Ash Devata, vice president, and general manager for Cisco Zero Trust and Duo Security at Cisco. Ash, thank you so much for doing this today.

Ash Devata: It's a pleasure, Terry, very happy to be here.

Sweeney: Our topic today is enabling the hybrid workforce with Zero Trust, which takes two popular topics and it combines them into a powerful whole. So a lot to cover here. As we know the pandemic accelerated business and employees' migration to enable work from anywhere, using any device. It's also abundantly clear that hybrid work is in some form, is, is here to stay. Talk about what it will take to ensure that this new business model, is, is secure and that it remains secure going forward.

Devata: It'll take a lot. Just to think about what is changing from a security perspective, a lot has changed since March last year. One thing is the attack surface for organizations has gone up significantly because everyone's working from home. They're using different devices, they're using more applications for productivity and whatnot that are replacing face to face, in-person collaboration. So attack surface is going up. The visibility is going down because people are working, not from the office, but from different locations. So some of the monitoring tools are not scaling well. And the control has gone down. You cannot enforce all the policies if the user is using a personal device, for example.

So in all these areas, there is definitely a higher risk that organizations need to think about. And majority of that risk is coming from the users or the workforce, because that is what is significantly changing. So the business model will definitely continue because we are all figuring out how we adapt to this new normal. But the thing we want organizations to think about is, understand the net new risks and figure out how you can systematically address them.

Sweeney: So I'm struck by the fact that the industry has taken several runs at remote security over the last say, 20 years or so. And as with most security solutions, perfect is often the enemy of good enough. But nonetheless, we are in a different situation, different demands, different requirements, different networks. What is there about Zero Trust that lets you believe that this will be different from previous attempts to really lock down the remote work experience?

Devata: Zero Trust is a industry term. Some people like it, some people hate it, bunch of people in the middle, but the principles are extremely strong. They're universally accepted, both proven. It comes down to three basic things and it's all around access. When people or devices or APIs, they're accessing work resources, how do you ensure trust? That's the whole concept. You assume Zero Trust to start with and then you build trust. So the three key things that you think about Zero Trust, one is verification. You want to verify the user, the device, the location, the risk before making a decision, whether you want to grant access or not grant access. So verification has to happen across the board. It goes very, very deep. The second one is about providing the right level of privileges or access entitlements.

If you need access to, for example, just a SharePoint portal inside the data center, the traditional approach is you give access to the whole network through a VPN. That's wrong. If I, as a user, need access to only one portal, why am I being given access to the whole network and a bunch of breaches happen where attackers took advantage of that. So give access only to the things that people really need to get the job done versus giving the complete logical access to the network. That's second thing, least privileged access.

And the third one is you want to enforce these kind of policies of least privileged access and full verification everywhere an access request is happening, whether it's in public cloud, a cloud application, an on-premise component in the medical industry with your ICU management systems. You want to be able to enforce that everywhere. So verifying everything, providing least privileged access and being able to enforce those policies at every control point, is what's new with Zero Trust. And it's not something you can flip a switch and have it. It's a three to five year journey.

I know most of the viewers are probably aware on when it actually started in the commercial side with Google back in 2013. So Google had this major breach called Project Aurora in 2010, and they believe in Zero Trust principles and deployed it across overall Google's workforce. And it took them several years and they published white papers about it in 2013 and 2014 called BeyondCorp. And our model here is all about -- how do you let organizations that are not Google, that you don't have unlimited resources, to have similar value from Zero Trust?

Sweeney: Thanks for that. It also strikes me that a good compliment to the three principles that you just described is simplicity. It seems like it's a key message when talking about Zero Trust/ why is simplicity so critical to address here when we're talking about enabling remote or hybrid employees?

Devata: It is the number one thing we want people to think about. The number one enemy in security is actually complexity and the opposite of complexity is simplicity. And you want to keep simplicity in mind for a couple of reasons. Reason number one, it's for the end user, where the end user is interacting with the technology. You want the easiest workflow to be the more secure workflow. Don't ask the end user to do 10 different things, to be secure. Just ask them to do the easiest thing possible to access an application or access a portal. And that should be the most secure model. So think about simplicity for the user.

And the second thing is simplicity around architecture for the IT and security admins. You should not have 40, 50 different moving components, all stitched together, things slip through the cracks. Security's only as good as the weakest link. So you want simplified or simple architectures where you understand what are the key components and what things are moving. And then, the last one is around how you report all this stuff together. You want business leaders to be in a place where they can understand the stuff, instead of looking at deeply complex, hundred moving parts architectures.

Sweeney: Thanks for that. Address, if you would, about how important is reducing friction to security's overall effectiveness and how does Zero Trust begin to exemplify that?

Devata: Yep. I mean, end user friction and security used to be dramatically opposite, but with modern technologies, they don't need to be opposite. You can have really good security by having very easy workflows. A good example, I'm an iPhone user. I don't do a lot of security stuff, but my phone is relatively secure. I just keep it up to date. I open my phone, face side, it recognizes me. I have access to the apps. If it's a banking app, it asks for another authentication. So trying to take a similar consumer user-first approach into the enterprise world is what we look at. So how do you reduce the friction for the end user at every step of the end user and expect less of the end user.

Don't expect users to think about security every day, every minute, because that's not their job. They just want to click on a link, click on an icon in SSO portal, get the app, and then just get the job done. So thinking about workflows and reducing friction as one of the aspects on how do you design your project, how you design your vendors, is what we recommend. Some of the best customers we've seen actually have a workforce design team or a test team where they select individuals from different departments and have them rate the vendors or rate the workflows or architectures. And then that becomes a pretty important metric on how they decide what architecture they're going to roll up. It's not just technical speeds and feeds, it's about the end user interaction and how likable the solution is.

Sweeney: Ash, what do you say to concerns about the scalability of Zero Trust? Business for example, have their own rhythms. The ends of quarters can be frantic, certainly the end of the year. So, so network traffic and permissions are going to be quite active at various times throughout the year, regardless of the organization. How, how well does Zero Trust scale from your perspective?

Devata: Because it is not a specific feature set and because it's a principle in an architecture, it's extremely scalable. What's good for you might not be good for me. It depends on your organization. For example, in retail, you don't want to touch anything right now because it's coming close to the holiday season and it's a peak season. What we want people to think about is the lowest hanging fruit. For example, do you have strong authentication for all the users in your organization? If not, that needs to be your priority number one, because in the past having strong authentication, means you have to ship tokens, hardware tokens. It's expensive, it's cumbersome, but now you have push technology or U2F standards, where you can have strong authentication, to tens of thousands of users within a week or two. So think about lowest hanging fruit, and then go from there.

Don't try to boil the ocean with... We see some organizations putting a three to five year roadmap. It's a five year roadmap to get to the end state on Zero Trust. So look for the low hanging fruit. The things we look at are user verification. That's one of the must-haves. The second is, get visibility into the user devices. If a CISO asks three people in her team, how many devices they have, she probably will get 10 answers because every tool sees devices in a different way. So how do you get a consolidated view of all the end user devices? And make sure all the devices are properly configured, have full ... labels, for example, and now are up to date on software. So doing these kind of basic things will significantly improve your overall risk posture.

Sweeney: Another organizational question for you at some point, some sort of Zero Trust decision will need to be presented to the board. You're a technology executive. I, I believe you have some, some experience. What would you share with viewers about some smart ways to communicate a Zero Trust security strategy to the board of directors?

Devata: Yeah. If you're not thinking about communicating Zero Trust approach to the board, I would strongly recommend people do that because you want board level buy in to initiate this multi-year project. It changes how the organization operates. So I would strongly recommend. Board doesn't care about the technical feeds and speeds. In fact is, is not that prevalent for them. They care about two main things. One is the overall risk management, so start there. And the risk is not just about security risk, it's also compliance risk. So the problem you're trying to solve is understand the risks you have from a compliance or security perspective and systematically reduce them over time. That's where I would start.

The second is, board cares about business enablement. We want to move fast. We want to expand geographically faster than your markets. How can Zero Trust, help you move faster? We want to open operations in Latin America or opening an outsourcing manufacturing center in Thailand. Zero Trust principles can help you move faster there. And the last one there is you want to use proof points. Zero Trust, for all the good reasons right now is, is a NIST standard that's in the United States. Biden's administration published The Executive Order a few months ago, asking all the federal organizations and also federal contractors to have good Zero Trust architectures as an end state for them.

So you can use these publicly trusted documents and architectures in a board meeting to say, "We are doing what NIST is recommending. We are trying to reduce cybersecurity risk in the next three to five years and quantify these metrics. That's where you want to focus on. What you don't want to do is talk about SAML standards or OADC or CAEP. That is too much geeky technology for them.

Sweeney: Ash, great perspectives on how and why to deploy Zero Trust in your organization. Thanks so much for joining us for this edge chat today.

Devata: It's my pleasure, Terry. Thanks for having me again.

Sweeney: We've been talking with Ash Devata, general manager and vice president for Cisco Zero Trust and for Duo Security at Cisco. This has been Terry Sweeney for Dark Reading. Thanks for joining us for this Edge chat series. See you next time.