
Bitglass Podcasts

Bitcast Cyber Security Series is an interactive audio-only podcast series that goes “in-depth” into important enterprise security technology and business issues that matter to today’s IT and security leaders.

Bitglass + Duo: Talking Zero Trust Access Security

By Bitglass | July 15, 2020 at 9:39 AM

 


Bitcast Cyber Security Series is an interactive podcast series that goes in-depth into important IT security issues that matter to today’s business and technology leaders. 

In this session we interview Ben Rice, Vice-President of Business Development at Bitglass, and Ginger Leishman, Technical Partnership Manager at Duo, on a range of topics related to zero trust access security, including a recent partnership between Bitglass and Duo to help organizations move to a modern workforce environment with adaptive multi-factor authentication (MFA) delivered through the cloud.

About this episode:

Bitcast Cyber Security Series | Episode 1

Duration: 26 min

Host:  Jonathan Andresen

Guests:  Ginger Leishman, Technical Partnerships Manager at Duo and Benjamin Rice, VP of Business Development at Bitglass, Inc.


Audio Transcription 

Welcome to Bitcast Cybersecurity Series. Today’s topic is Bitglass & Duo talking Zero Trust Access Security.

So in today's session, we're going to go in depth into security issues that matter to IT as we always do in this cybersecurity series. My name's Jonathan Andresen, I'm Senior Director of Marketing and Products at Bitglass.

Today, I'm joined by Ben Rice, Vice President of Business Development at Bitglass, and Ginger Leishman, Technical Partnerships Manager at Duo, an industry leader in Access Security. Today's podcast we'll cover a recent partnership announcement between Bitglass and Duo to help organizations move to a modern workforce environment with adaptive multifactor authentication delivered to the cloud.

Jonathan Andresen:

Welcome, Ginger. Welcome, Ben.

Ben Rice:

Hello.

Ginger Leishman:

Hi.

Jonathan Andresen:

Thanks for coming. Thanks for being here. Before we begin though, I usually like to ask folks how you're handling the lockdown pandemic environment. Any interesting stories to share about how you're coping with the last few months working from home? Ginger?

Ben Rice:

So for me, I'm super excited about the last couple of weeks because school has been out. So previous to that, I was doubling my job working for Bitglass by also being an at-home teaching resource for my son. So I'm enjoying the summer a little more doing some swimming and getting on with things. But I do miss traveling a bit here in this, so I'm trying to figure out how to solve for that.

Jonathan Andresen:

Mm-hmm (affirmative). Excellent. How about you, Ginger? How are you coping?

Ginger Leishman:

Well, I'm kind of a hermit by nature, so it maybe hasn't been as hard on me as others, but I've tried to cultivate a couple of new skills during the lockdown such as knitting and learning SQL. But really I haven't been that productive. Mostly what I've been doing is a lot of reading, watching TV, and I've really gotten into crossword puzzles. It's becoming an addiction.

Jonathan Andresen:

That's a pretty heavy schedule. You're not making sourdough bread or anything?

Ginger Leishman:

I did not pick that up. No.

Jonathan Andresen:

Still on the list. I, for one I'm living in the rural Quebec right now, and the only thing going crazy around here is probably the wildlife. But apart from that, it's just a typical day in this type of environment.

Back to the real reason we're here, which is to talk about the new partnership between Bitglass and Duo, which is now a part of Cisco and a leading provider for multifactor authentication and Zero Trust. So over to you, Ben. I mean, what really prompted this partnership, and maybe you could give our listeners a bit of background into the partnership and how it came about.

Ben Rice:

So in Silicon Valley, people that are in my role of business development oftentimes think about their role, not necessarily as somebody making partnerships, but as somebody who is procuring and curating a vast research and development ecosystem. So to say that, if you work at a technology company, you always have these great aspirations and vast areas of inquiry that you want to get into, but some of the most successful companies are [inaudible 00:04:06] by their partnerships. And people think that's because they have people like me or Ginger that do these partnerships in business development but in reality, some of the more successful companies are successful because they stick to developing what they're good at and they partner for the other things. And what that ends up meaning is somebody in my position can actually go find sets of functionality for my company's customers, for my company's partners and for my company's sellers that helps them close more business and provide more complete solutions.

Ben Rice:

And so that's kind of what happened here. Having been in the industry for a while, I've been aware of Duo's growth and their continued success as part of Cisco. And so when we were looking at, how do we provide MFA to our customers when users are logging into applications through Bitglass, Duo was one of the top of the list. And so having an integration where people could use their existing Duo MFA that they may have on their phone, they're used to, it's easy to use, and it allows a new application to fit into that Duo customer's environment and that can be a Bitglass, let's say, plus Office 365. And it's a great way for companies to keep their data safe knowing that users really have to prove who they are before they get access to things and it makes it easier for Bitglass and Duo to get their products out in the market.

Jonathan Andresen:

So from a customer perspective or an enterprise perspective, in a nutshell, how does it really benefit customers and how would the solution be deployed between the two companies?

Ben Rice:

Well, so both companies offer cloud services. So that's a great thing for the customer as a customer buys a subscription to each service, and that allows them unlimited access to the capabilities. So in this case, there's a little bit of configuration that's required between the two, but something that probably takes less than 10 minutes. And so users who have mobile devices and they have the Duo app installed, can get codes delivered to them in real time that are one time use and are generated in a very secure fashion. And those codes can then be used through prompts for Bitglass to allow a user to log in. So the way this would work is you, let's say, you're going to log into Office 365, you type in your authentication, your username and your password. And then you're presented with another field, which says, please type in your code.

Ben Rice:

You look at your phone, you open up your Duo app, you type your code that you'd obtain from the Duo app into your field on your computer or your device and then you're automatically logged in after that. So the benefit to the company is that if a device is lost or stolen or a user's password is compromised, there's still a layer of protection to prevent somebody who shouldn't be getting access to company data. And that second layer of authentication has been proven across many studies and real world environments to be a huge inhibitor to data compromise. So if we don't learn anything else from this podcast, understand that you as an individual and as part of an employee at a company should be using multifactor authentication or MFA wherever and whenever you can.

Jonathan Andresen:

That's interesting. That's kind of like a saying in security I've heard for a while is that the user is often the weakest link and so having a solution like this really helps mitigate that. So Ginger, in terms of most companies today, given the way the lockdowns are working and given the way that most companies are structured across geography and different kinds of devices and BYOD policies, how does this joint solution sort of balance the need to sort of secure and control data with the need to be a more agile, flexible, remote working sort of environment for companies? Is there a balance there?

Ginger Leishman:

Well, there is. And first, I just want to say, obviously I completely agree with what Ben said. The user is the most vulnerable point of access and it's not their fault, right? Passwords are clumsy, there's so many to remember, so many applications, it's not the user's fault. But MFA is there to protect you in case something does happen to your password. So it's that extra layer of security. Now, to answer your question, we like to kind of approach things by thinking about the principle of what we call trust-based access. And by that, I mean, it's access based on user trust, verifying the user's identity. It's access based on the device trust, ensuring that the device is secure, that it's updated with the latest OS, something like that, and access based on adaptive access principles. And then that also pulls in the principle of least privilege.

Ginger Leishman:

So unlike the traditional access model of perimeter based access security, which is based on the principle of assumed access. Meaning if you're on a trusted network or perimeter, you get access to everything. Unlike that, Duo allows you to practice the principle of trust-based access, which is also known as the Zero Trust paradigm. Where trust is not assumed, but ascertained every time a resource is accessed, every time a request is made. And an organization can also enforce controls based on the sensitivity and criticality of the applications and the data that you're trying to access. So, as an example, let's say an organization could set the policy based on device trust. So the policy could be that all full time employees can access their work email on a corporate or personal device, but restrict those devices to those that are updated with, again, with the latest OS, maybe there's a screen lock enabled or biometric, and then that supports the BYOD method or the bring your own device.

Ginger Leishman:

But then another example is perhaps for more sensitive data, like say that you're in the HR org and you're allowed access to payroll. You want to share that the access is not only given when they've authenticated themselves, but you want to make sure that that access is given with the authentication. You're using a strong two-factor methods, such as the Duo push notification or U2F token. And they're using maybe a corporate managed device, like a laptop, firewall's enabled on the laptop and on the network from an approved IP. If all of these rules are as we, sometimes say, if the stars align with the granular access policies that the corporation has set up, then you get in because Duo checks all these pieces before giving you access. And so really a big benefit here is that you get the ability to set granular access policies with Duo that allows an organization to tailor their security needs to their particular environment.

Jonathan Andresen:

So is that like where the adaptive comes in terms being able to have flexible MFA policy tailored to different departments in your company? How does the adaptive fit in to the equation here?

Ginger Leishman:

Yeah. So and it is. So Duo gives you adaptive policies and controls to make access decisions, again, based on the user, their identity, the device, the application risk, and every time that they make an access request, we check all of those pieces, the trust of their identity and security of the device before we give them access. As you said there, so that's really what we look at adaptive MFA as, and you can also employ Duo as maybe another step up authentication piece. So maybe you first let me in easily to access my email, but now I'm trying to go to Salesforce and maybe Salesforce can only be accessed from a corporate managed device, something like that. So it can still pop up, if you will, and let the employee know, Hey, you're on your personal device for email and that's fine, but now you need to move to a corporate managed device for maybe more sensitive data or applications.

Jonathan Andresen:

Interesting. So from a customer or enterprise perspective, I heard term MFA is spoken up sometimes, what's the difference between MFA solutions and what should a company look for if they're looking to implement this kind of security?

Ginger Leishman:

Well, we like to suggest that if a company is assessing different MFA solutions, that they should really look for a solution that enables secure remote work and consider that MFA... so consider an MFA solution that does support and secures personally owned devices, unmanaged user devices, along with corporate managed devices. So that's a really great starting point, especially now with how many companies have to support a remote workforce. We also suggest looking at an MFA solution that's quick and easy, that can be rolled out to all their users. It's not confusing. As Ben mentioned, Duo, we're mobile app, and that makes it something that everyone's kind of used to using and you have right there on your phone and we protect any application on prem and cloud.

Ginger Leishman:

And so that's something else that an organization should think about. You have your hybrid environments, you have your prem environments and your cloud, whatever it is. So you want to think about an application or a MFA that could protect everything. And you also want to think about a MFA solution that gives you visibility and reporting into all the access requests and devices on your network. So you can really see what's going on. And of course you have to think about whatever your compliance requirements might be for your particular industry. So evaluate that too. What regulatory compliance do you need to meet.

Jonathan Andresen:

Interesting. You mentioned a really good topic. We touched on earlier about remote working because I think it's on a lot of people's minds right now. It seems that while a company is not only adapting to remote working, but some of them are thinking, they're upgrading their security, but they're also thinking that this might be a permanent move to remote working given the productivity and the cost benefits. Ben, what do you see in terms of the customers at Bitglass and in the market, how are they thinking about remote working? What are you seeing in the market today?

Ben Rice:

Well, of course, we're a little biased because we've kind of oriented our whole company around serving the remote worker use case. It's always been the case that we were about providing a new perimeter in a perimeterless world. Meaning as people started working from devices and working directly from those devices on cloud applications, those two pieces now started to be outside the control of companies. And so firewalls and VPNs and all the security technologies that we used in the last decade started to be less effective because they weren't necessarily utilized, they weren't in the path of the traffic where the user was going and it meant that the security tools were kind of blind to where the real action was. So Bitglass has always been focused on fixing that problem. And then of course our relevance to fixing that problem has only skyrocketed as the pandemic has taken hold.

Ben Rice:

In any of the countries where we operate, where people are sheltering in place, we see a massive increase in the utilization of our service, through the metrics we see at our service points. And so what we know are our customers are a lot better protected, even though they have their workers 90% or so working at home now. We can see from the traffic they're sending to us that we're able to provide the policy and protection that they need. And of course, making sure that those people are who they say they are in concert with the Duo is helping even more.

Jonathan Andresen:

Interesting. What are you seeing, Ginger, from your perspective over at Duo? Are you seeing companies embracing remote working, and is that sort of fast tracking the move to a modern workforce? How do you think that is playing into things today for your customers?

Ginger Leishman:

I think the recent events have definitely sped up the digital transformation that most or many companies have already been on. So it's sped that up. And of course the shift in the IT landscape from a traditional network to a hybrid with cloud and on prem, I mean, that's been happening for more than a decade, but with the pandemic, I guess, there's nothing like necessity to really spur action. We've definitely seen an increase there of the need for companies to secure the remote. Not only secure their remote workforce or secure their employees who work remotely, but to make that an option that they can do. And I think that we're probably going to see that even when things are, I guess, more back to normal that working from home, I think that's going to be the new normal and how exciting that is that the employees and organizations have that freedom and flexibility to work from anywhere.

Ginger Leishman:

In fact, just a friend another day asked me if I was thinking of taking a workcation and I had to ask, what's a workcation? So if you haven't heard that term, it's a new one, melding your vacation with work, which might sound awful, but it's not. But it gives you that freedom to work from anywhere. You're not stuck in the office, you're not even stuck in a certain location of being at home, in the city, maybe near the office, you can grab your devices and go and have that flexibility. And I think that that's great. Work does not have to be done in an office. It can be done what's most convenient for the employee.

Jonathan Andresen:

I was thinking a workcation was heading off to the living room to do a bit of work or maybe work plus Netflix or something. But anyway.

Ginger Leishman:

In our current shelter in place, that might be it. Just changing the room that you're in. But I think [crosstalk 00:17:55] some people are venturing out.

Jonathan Andresen:

It's funny how this new environment's creating a lot of innovation, people thinking of some new ways of doing things. Hey, you mentioned something earlier that I thought was interesting and I think for our listeners, they'd like to know more about, it's Zero Trust. Is sort of a topic we hear a lot about in the news, but for our listeners and how do you guys over at Duo view the term Zero Trust and why does that matter for the customers that are listening here?

Ginger Leishman:

Well, to kind of set the stage, you'd also mentioned too. I'm part of Duo Security and we were recently acquired by Cisco, so now we're part of Cisco. So kind of take a step back and set the, I guess, the vision for Cisco's overall Zero Trust platform, which Cisco was actually recently named a leader in Zero Trust by Forrester and Duo is the key part of Cisco's Zero Trust platform. So Cisco breaks it into three categories. It's protecting the workforce, the workload and the workplace. And Duo steps in at that first piece of protecting the workforce. And again, we do that by ensuring only the right users and secure devices can access applications, providing a foundation for a Zero Trust framework. So we're not Zero Trust exactly all on our own, it's the foundation. So having that, again, that strong MFA, that adaptive MFA, that's the beginning of the company's, I'll call it their Zero Trust journey.

Ginger Leishman:

So again, we first establish trust in both the user and the user's device, are they who they say they are? Then we apply those trust-based access controls to ensure they have access to only the applications that they should and then we continuously verify the trust of the user and their device throughout a set period of time, which you can customize to be, maybe every new session or each login attempt. So that's the beginning of maybe your Zero Trust journey. And so we sit there in the front helping you to start on that journey to protect your workforce.

Jonathan Andresen:

So we're in the planning process where they think about implementing MFA, for example. If they're looking to implement a Zero Trust policy or a Zero Trust framework, where does MFA sit in that sort of planning process?

Ginger Leishman:

MFA actually sits in the front of that plan process because I like to think about it as... obviously, we protect your applications, we sit in front of your network. Consider maybe you've built this amazing fortress to protect all of your assets but you didn't put a lock on the front door. So Duo is the lock that all access requests must go through to be validated before proceeding. MFA and Zero Trust should be at the beginning of your planning. So first piece, and again, protecting your employees, which are usually the easiest access point into your network.

Jonathan Andresen:

Interesting. One thing that's playing out a lot here at Bitglass and that I think in the market in general is just the move to cloud applications, the digital transformation that's leading that. But also during the current era, you see a little bit where is fast tracking the move to cloud services and people just saying, I'm getting either away from legacy and on premise applications. Maybe it's a question for both of you just to sort of end the podcast with one of these questions, what is it about cloud applications that really require both an MFA solution and a CASB solution? What is it that requires a different level of security about cloud? Maybe I'll start with you, Ben.

Ben Rice:

So I think I mentioned it before, but this whole idea that people are going to use their own devices instead of company issued laptops. So that's the first. So in the traditional security paradigm, we felt okay with a user having a laptop that they might take wherever they want, because it was company issued. It already had software, end point protection stuff, policies, things that IT felt made it safe to be on and off the network. And then secondly, rather than using that device to go to a VPN, into a company owned data center and a company owned app, we're now going to an app that's controlled by a third party, whether it be Microsoft, Google, Dropbox, whoever. And so as we increase the number of interactions that occur with non-company owned apps or devices, the risk goes up dramatically. And so that's the place where these technologies come in, because they can basically rebuild the perimeter for you wherever you want it. Imagine it as a fence that you could even put in someone else's yard.

Jonathan Andresen:

I guess, added to that would be the fact that there's a lot of cloud to cloud kind of traffic going on that's often outside your traditional perimeter. So getting some visibility and control into that cloud to cloud traffic would be interesting and important to have with a CASB. So Ginger, over to you. So for people that are moving to cloud applications and making the company a cloud first priority, why is MFA important particularly for cloud?

Ginger Leishman:

Well, really touching on also what Ben said there too. So MFA is particularly important for cloud because as you said, you could be going from cloud application to cloud application. You need to make sure that whatever the policies are that you're setting up for maybe your perimeter or not your perimeter, your on prem applications, that you're still able to apply that to any cloud applications that are hosted on a third party or hosted by a third party. And it's important to meld that MFA, again, with understanding, not just that the user is authenticating to verify their identity to access that, but also, again, get that look into who's accessing your applications that are being used by the employees. What time of day is this happening? Where is it coming from? What devices are they using? What's the health of their devices?

Ginger Leishman:

All of that is extremely important for you to know, or for an admin to know. And again, to kind of think about since there's such a large cloud environment that we're now utilizing, to think about your mixed use policy of devices. So again, what critical applications do you want to make sure that you protect with tight access policies and which applications you're going to allow to be accessed by personal devices versus managed. So that's the opportunity to really implement access policies that best fit your needs, or an enterprise's changing needs is very important and something that should be top of mind as you not only enable remote work and continue to move to the cloud, but it should be, I guess, we'll call it a fundamental thought process perhaps all the time on, especially as companies are beginning a journey to Zero Trust framework.

Jonathan Andresen:

Excellent. Excellent. So last question, maybe over to you, Ben, for some final thoughts. So given that customers that want to implement a Zero Trust framework and are moving to clouds, how can they take advantage of this sort of joint solution? Practically speaking, if they wanted to start tomorrow, how would they go about installing and managing this joint solution?

Ben Rice:

So the best thing is to find a local partner that offers Duo and Bitglass. And so there are many companies out there that work with both companies to help customers adopt these products, not just buy them, but get them configured and up and running. And both companies work along with their partners to make these installation successful. Both companies charge for their services through subscriptions. And so a key to a successful subscription renewal is making sure that a customer quickly adopts technologies and gets value out of it. So what you'll find for both companies are easy to use set up guides, easy to use methods of purchasing and deploying the technologies, and then a high ROI outside of just the protection that we talk about just in terms of the efficiency of getting access to applications.

Jonathan Andresen:

Excellent. Well, I want to thank both of you guys for joining us. Thanks Ginger, thanks, Ben. And this is about all the time we have, but thanks so much. And for our listeners, thanks again for joining Bitcast. If you want to learn more about Bitglass, Zero Trust, cloud security, or any of the topics that we've talked about today, you can of course visit bitglass.com or contact one of our sales representatives. If you want to find out more about Duo, just go to duo.com as well, and you can learn more their technology there. And stay tuned for the next series, next podcast at Bitcast where we'll talk about further cyber security issues that matter to IT and security professionals. Thanks both of you stay safe and have a great day. Cheers.

Ben Rice:

Thank you.

 

End of the episode.
