No one cares about security. That is, until they don't have it anymore.
Just ask Harvard, Blue Cross Blue Shield, or even the IRS, all of which have been hit by security breaches in the recent past. Despite increased attention to security, we also have an increased inability to do anything about it, largely because enterprise IT keeps trying to make security too hard... or refuses to do much of anything to take care of the biggest security hole:
Your mobile device.
One answer to this problem is two-factor authentication (2FA). Two factor simply means you need something to prove your identity beyond a username and password when you access a network. It could be a code sent by text message, an app on your smartphone, or a biometric reader like the fingerprint sensor on an Apple iPhone.
But as useful as 2FA is for employees, enterprises have wanted something more: visibility into any endpoint device accessing a corporate network, without requiring employees to install a local agent on their smartphone or PC.
Given that 74% of enterprises now report security breaches opened through compromised employee mobile devices, companies need to know if devices connecting to the business are protected and running current and safe versions of software to keep hackers away. I asked Ash Devata (@devata), director of Product Marketing at Duo Security, one of the more popular providers of two-factor security, to tell me more about its expansion into endpoint security.
TechRepublic: Cybersecurity spending is at an all-time high, but it seems there's still a major breach every week, whether it's Blue Cross Blue Shield, Anthem, Harvard, the IRS, or the Office of Personnel Management (OPM). Are we losing this battle? What's going wrong here?
Devata: The recent spike in security spend is a reaction to the rise in the number of breaches. Until recently, most organizations did not really care about security, as long as they passed regulatory audits. Unfortunately, regulations are a bit outdated and do not address all the security risks we have today. There is also a tendency, in some organizations, to invest in the hottest and trendiest security technologies.
What organizations need to do is understand their unique risks and focus on basics first.
For example, hackers are attacking end users directly, stealing their passwords, and entering the IT environment disguised as regular users. Multi-factor authentication is recognized as the most effective way to prevent these types of breaches. IT admins need to address these basic security risks before investing in exotic tools.
TechRepublic: How is the security industry evolving given the movement to cloud and BYOD?
Devata: BYOD and cloud provide significant convenience for end users but make security teams nervous, especially those trained in traditional on-premise models.
Today, there are good tools and practices to secure applications in the cloud. For example, SAML, an industry standard to manage authentication, is now widely adopted by cloud vendors and can be leveraged to secure access to cloud applications.
BYOD is a bit more challenging.
When you enable end users to bring their own devices, you lose visibility and control on what's connecting to your network and applications. You do not want infected or vulnerable devices connecting to your corporate applications and accessing sensitive data.
Security teams need to establish some kind of minimum standards for end-user devices. Some modern security tools are now addressing this use case of unmanaged devices.
TechRepublic: Duo is famous for two-factor authentication. Now, you're extending into endpoint security. What drove this strategy?
Devata: Our customers tell us how hard it is to gain visibility into all endpoints and understand device hygiene these days.
For example, there are more than 1,000 flavors of Android, and understanding which ones are risky is hard for an IT administrator juggling dozens of projects.
And when you look at all the breaches in the last few years, 75% of them involve compromised endpoints. This made it clear for us that we need to expand our platform to address endpoint security. This means, for example, that an enterprise can now easily detect Windows machines with out-of-date Flash plug-ins or rooted Android devices in their environment, all without installing any agents.
TechRepublic: What else should companies be doing to improve their security?
Devata: Most IT organizations focus too much on technology and not enough on the people side of security. If your users are secure with two-factor authentication and up-to-date software on their smartphones and laptops, you reduce a huge amount of organizational risk.
But you have to make security easy for end users. People want to get their stuff done in the easiest way possible. They don't like friction.
Unfortunately, most security solutions add friction for end users and, eventually, end users find a way to bypass the controls or create exemptions.
Another big mistake organizations make is they select complicated security solutions and then just restrict it to a few systems. That's like triple-locking your front and back doors while leaving your ground floor windows wide open. The bad guys are going to look for the easiest way in.
- Pro tip: How to properly decommission iOS devices
- Phone identity fraud is the new low-hanging fruit for crooks
- XcodeGhost malware more widespread than previously believed
- Stop wasting your IT budget on the wrong security threats
Matt is currently head of the developer ecosystem at Adobe. The views expressed are his own, not those of his employer.
Matt Asay is a veteran technology columnist who has written for CNET, ReadWrite, and other tech media. Asay has also held a variety of executive roles with leading mobile and big data software companies.