Duo Security's Head of Technology Partnerships, Ruoting Sun, talks to TEISS about how organisations can remain secure when the notion of the ‘trusted’ perimeter has become increasingly untenable and why organisations need a risk-based approach to authentication.
Perimeterless cyber boundaries
The way I.T. is consumed has shifted dramatically in the last few years: things like bring-your-own-device initiatives and moving workloads and applications to the cloud have impacted our cyber security.
Previously, I.T. security worked within a rigid perimeter. However, with employees using applications that are not hosted in their organisation’s own data centre, as well as employees working remotely or on mobile devices, the traditional ways of securing workloads and data are no longer viable.
Understanding the cyber risk profile
Ruoting emphasises: “It's really important to understand the risk profile of your corporate resources; the people that are accessing these things, the devices that they're using and then the systems, applications and data that they're accessing - so you can make better and more informed decisions on who gets access to what, from where and when.”
That's really the point where risk-based authentication or adaptive authentication comes in. It is taking a look at the different risk profiles of each individual situation and making the right policy decisions.
Bad cyber hygiene
80% of breaches that happen today start with a phishing attack or they start with a set of compromised user credentials.
Ruoting states: “Phishing is not just a credentials problem, it's actually an endpoint problem. So credentials can be stolen, but if you click on a malicious link, you may be downloading a file which can install a virus on any computer and you would never know about it. A lot of those things happen because people tend to have pretty bad hygiene when it comes to maintaining up-to-date software versions for their operating system and browsers.”
How do you take the security models of the past and make them applicable in this new world?
Cyber knowledge is power
At Duo Security, Ruoting explains, they know the risks involved. They can tell whether or not a device is considered a corporate managed device or if it's actually a personal BYOD device. Duo Security protects the access to those applications, so they know when a user is accessing those applications, as well as the IP addresses from where that user is accessing those applications.
This information allows them to make good policy decisions about the level of risk they’re dealing with.
With the upcoming regulations around GDPR, Ruoting adds, consumer data privacy is held in the utmost regard. “It’s not just about two-factor authentication. We also want you to be coming from a corporate device that we can manage. Meaning that device has the most up-to-date security patches and up-to-date operating systems,” he says.
The cyber default
“It's more important now than ever to make default state security because attackers have been able to find a way to exploit the fact that basic security hygiene is not done properly,” Ruoting says.
Also, systems are more connected now than ever before. Ruoting explains that if a security incident happens, the stakes are much higher because the number of connections between people and the number of connections between resources and applications have increased tenfold.
They launched Duo Beyond last year – a service to help customers make that shift from the old model of security to the new model of security.
Ruoting states that organisations are at different stages of that journey. Some companies are further along - like tech companies in Silicon Valley who’ve thought about this from the start. Legacy industries like financial services, oil and gas companies or retail may still be prone to using more traditional security approaches because there's more legacy infrastructure there and they can't move as quickly.
Duo combines security expertise with a user-centered philosophy to provide two-factor authentication, endpoint remediation and secure single sign-on tools for the modern era.