Insights from Cisco VP/GM of Zero Trust and Duo, Ash Devata
I recently had a conversation with Cisco’s VP/GM of Zero Trust and Duo, Ash Devata, who knows more than a thing or two about zero trust. Ash joined Cisco in 2018 via Cisco’s acquisition of Duo Security. Duo is the leading provider of multi-factor authentication (MFA) and zero trust for the workforce, combining security expertise with a user-centered philosophy to provide two-factor authentication, endpoint remediation and secure single sign-on tools for the modern era. Prior to Cisco’s Duo acquisition, Ash led Duo’s Product Management, Product Marketing, Technology Partnerships, and Advisory CISOs.
Today, Ash heads up an impressive team that is bringing security and ease of use together through Cisco’s SaaS products and platforms, and reimagining access control by providing continuous trusted access. Cisco Zero Trust offers a comprehensive solution to secure all access across your applications and environment, from any user, device, and location. This complete zero trust security model allows you to detect, mitigate, and respond to risks. Ash and his team are already securing access for tens of millions of users across the world and are on an ambitious journey to expand to hundreds of millions of users.
Q: Thanks for talking with me today, Ash. First question, how is the pandemic affecting the need for zero trust?
Many IT organizations focus too much on technology and not enough on the people side of security. If your users are secure with multi-factor authentication and have up-to-date software on their smartphones and laptops, you reduce a huge amount of organizational risk. Especially now that people are working remotely, we need to focus on getting basic hygiene for all the user laptops and smartphones right. For example, do you have visibility into all the ways people can log into your applications and infrastructure? Do you have good
Q: How are you thinking about zero trust and the new way of work?
Because of the pandemic, companies had to enable remote work quickly. Many companies had this on their roadmaps for the next year and a half, but when the pandemic hit, they literally had a week or two to enable remote work for much of their workforce. A recent McKinsey survey showed that due to the pandemic, companies accelerated the adoption of digital technologies by several years, and that many of these changes could be here for the long haul.
Businesses didn’t have time to think about security and compliance as they were implementing remote work. In a recent Cisco study, not only were many people currently working remotely, but a substantial percentage of organizations also said that more than half of their employees would still work remotely once pandemic restrictions are lifted. Now that people are working remotely, we need to think about what this means for overall security and compliance risk. How does the workforce access applications? What devices are they using? What kind of networks are they on, and what are the net-new risks? Do we have security controls in place to ensure organizations pass audits, and more importantly, reduce security risks?
Q: What is Cisco doing to help with this?
At the start of the pandemic, Cisco developed the Secure Remote Worker solution, which incorporates many security components needed to embrace this new work setting. When something like a pandemic hits, defenders need to implement new security measures quickly and the last thing they need is more complexity. One of the design principles we have at Cisco Security is radical simplicity – to provide effective security solutions that offer superior protection and are simple to use. Radical simplification improves the time to value of an actual utilization of security functionality – if it’s simple, people will use it and can see the value in days, not quarters. To live up to that ideal, we launched Cisco SecureX, a cloud-native platform that connects our integrated security portfolio and customers’ security infrastructure to provide simplicity, visibility, and efficiency.
To continue our commitment to simplify security, we have completed the acquisition of Kenna Security, Inc., a recognized leader in risk-based vulnerability prioritization. The combination of Kenna and SecureX will allow customers to address critical challenges by generating prioritized lists of vulnerabilities; streamlining collaboration between security and IT teams; and automating remediation to improve their overall security posture.
Q: Why is it so hard to get zero trust right?
Zero trust principles to secure access are very effective. However, consistently enforcing them without causing friction for end users is difficult. One of the fundamental weakest links in the security chain is people’s behavior. We can lower risk where people interact with technology by taking a more strategic approach. People just want to get work done. They want to take the most convenient path possible to access an application or email and go on with their day. They aren’t thinking about security, so we need to make sure that the easiest path to get work done is also the most secure path. We should be focusing on end-user behavior and how people interact with technology versus only thinking about new features and reports. Duo designs products with this goal in mind – with a UI/UX that is simple, flexible, and user-friendly. As a result, our products are the easiest to deploy, manage and use.
Q: What is the biggest challenge around zero trust that you hear from customers?
I regularly hear from customers that they don’t know where to start. I tell them that the best place to start is an area where you get the highest value in the fastest way possible with a two to three-year strategy. We see the majority of our customers starting with strong user verification, which is multi-factor authentication (MFA) or in the future, passwordless. Then we get into establishing trust with all the end user devices – whether it’s their phone, their personal Mac, or work Windows devices. Once that is established, the next step is developing more advanced, adaptive policies with contextual and behavioral analysis.
Q: MFA has been around for decades – why is it still relevant?
Verifying user trust is the foundation for zero trust. Muli-Factor Authentication (MFA) is a proven control to verify user trust. Historically, MFA was very hard to deploy and maintain. As a result, a lot of companies only deployed MFA to a subset of their employees and this is where we see attackers leveraging these users without coverage. This was evident even in the well-publicized Colonial Pipeline breach where the attacker compromised the primary login credentials of a VPN user that did not have MFA. We made MFA radically simple and easy, and invested a lot to make sure it supports every login screen our customers have. We have more than 25 million users and we are yet to see an application or login we can’t support with Duo’s MFA.
Q: What is changing with device verification?
People want to use the device that they want to use to access work applications. Organizations need to think about inspecting the device in real time for proper controls to enable users to maintain good posture. End user devices, especially smartphones, are a lot more personal than they were 10 years ago. People are mobile and they want to access data from where they are, so this is bigger than just securing a specific device in one place. It requires securing the device, applications, and data at any location continuously. This means that how we inspect and secure these devices is changing and evolving.
Q: What about the new passwordless technology? How does privacy fit into biometrics?
The only people who like passwords are attackers because they can compromise them. Passwordless is one of the major innovations that is coming very shortly. Duo’s passwordless vision is to enable enterprise users to skip the password and securely log into cloud applications via security keys or biometrics built into modern laptops and smartphones. Passwordless authentication promises to provide a frictionless login experience, while reducing administrative burden and overall security risks for your organization. In essence, it’s a simpler, more secure way to MFA. Our passwordless authentication solution is flexible and easy to set up, and it’s designed with the same best-in-class usability you’d expect from any Cisco Secure Access by Duo product.
We are leveraging biometrics and fast ID online (FIDO) tokens to authenticate and move away from passwords. The industry has come together to enable safe, secure, and private user biometrics. For example, when you use your iPhone, your biometric information never leaves your phone. Cisco is leveraging these latest technologies and APIs and allowing customers to deploy biometrics as a main form of authentication without having to purchase third-party biometric dongles, new equipment, or new hardware.
Q: Do we ever actually achieve zero trust?
Zero trust is a framework that you have to employ, apply, and evolve as your infrastructure and environment change. I always say it is similar to staying fit and being healthy – it’s a journey and a lifestyle that you think about every day, in everything you do. In other words, you can technically “achieve” it for a point in time, but you must also continuously maintain it.
Q: What are you most excited about when it comes to Cisco and security?
I get to lead an incredibly talented team of people who are at the forefront of solving big cybersecurity and business issues every day by leveraging design and technology. Together, we get to work closely with our customers to help them be safer and do what they are meant to do, just faster. We’re energized as we continue to focus on our larger mission of empowering the world to reach its full potential, securely. We want to democratize and enable security for everyone and make the journey as easy and affordable as we can. We are hiring and are continuing to attract talented people who want to have a meaningful impact.