Everything is Changing: A Modern Security Model for the Public Sector
I thought it might be worthwhile to provide some insight as to why I recently joined Duo as the Advisory CISO for the Public Sector. Duo will have a very significant influence on the next wave of cybersecurity in the public sector. Furthermore, Duo has the potential to help the government do what it has desperately been trying to do - move to the cloud and mobile, quickly. That’s personally and professionally exciting for me.
For me, the writing is on the wall. First, I believe a few things to be true:
1. The public sector will ultimately move away from the data center business. Everything will be “cloud.” Cost, simplicity and missions will require this change - sooner rather than later.
2. Mobile will consume the desktop whole - iOS, Android, Windows 10… all popular mobile OSes.
3. Items 1 and 2 will eliminate any need for a traditional ‘perimeter.’
Duo is helping to usher in a new security paradigm through modern multi-factor authentication (MFA). The security model we all grew up on (VPNs, firewalls, etc.) struggles to keep up with this “cloud-first,” “always-connected” world we find ourselves in.
Some funny things happened along this road.
First, to quote Justin Timberlake, Apple brought the PKI (public key infrastructure) sexy back. When Apple built the iOS security model, it relied heavily on PKI for hard security functions, like application and code signing, as well as its trusted boot architecture. It put a whole lot of security power underneath a pretty touch UI. Thankfully, the end user has never really been exposed to the complexities of PKI. Apple made it easy. However, anyone who has worked in the federal market before has had exposure to PKI and its complexities.
To me, SSL has always been the most successful example of a PKI use case. SSL was easy to deploy (for the most part) and didn’t require the end user to jump through hoops in order to use it. Apple’s implementation is not only another elegant example of PKI in use, but it’s also at scale, and at a massive scale.
Second, mobile begets cloud and cloud begets mobile. This self-propagating “ecosystem” has brought power to app developers in the commercial world - agility, speed to market, whatever. This trend started in the consumer world and has brought this exact same power to the enterprise over the past several years. Public sector agencies are just now starting to realize some of these “powers” and need help to keep up.
I see Duo doing the exact same thing for enterprise security. Our very ethos is that security should be equivalent to a “dial-tone.” It needs to be easy and available. It needs to be easy for users to access and easy for enterprises to deploy.
Most importantly, security should not get in the way.
In future blogs, I’ll discuss specifically how Duo can assist the government in protecting its move to cloud. I will further discuss the concept of ‘perimeter-less’ networks and smart, mobile endpoints and how the two concepts provide agencies (and the government) the ability to do something it has been seeking to do - move faster to support missions, leverage COTS (Commercial Off The Shelf) technologies and solve hard security problems.
I’m excited to be at Duo and to help public sector agencies as they contemplate a move to a modern security model.