For WFH Security, Go Back to the Basics
The CIA’s former CTO, Gus Hunt, shares lessons on how to maintain security in a digitally insecure, WFH world.
Back in 2013, when he was chief technology officer of the CIA, Gus Hunt led one of the landmark IT projects of the last 20 years. After decades of securing America’s most sensitive secrets in government-owned data centers, “The Company” moved to the cloud.
It wasn’t the public cloud, where the rest of us shared our Facebook posts and stored our emails and wedding photos. Rather, Hunt spearheaded a negotiation with Amazon Web Services that led to the creation of a $600 million separate cloud infrastructure for all 17 national intelligence agencies. Though it may have been a bespoke contract for spies, the project, which ended up saving the CIA time and money in provisioning servers and sped up intelligence capabilities, was widely hailed as proof that the cloud was ready for prime time. After all, if it could be trusted with all of the nation’s most sensitive secrets, it was good enough for…well, pretty much everyone.
Hunt left the CIA later that year to create his own consulting practice, before becoming head of Accenture’s Federal Services Cyber Security practice in 2016. In the process, he’s helped companies in every major vertical adapt to an increasingly complicated and dangerous world.
Hunt, who recently returned to his own private practice, spoke to Endpoint about the state of endpoint management, and the WFH security best practices that corporate IT leaders can learn from the CIA and other DOD agencies.
One of the stated goals of the move to the cloud was to get all 17 U.S. intelligence agencies onto the same infrastructure to promote faster information sharing. Were there other advantages? And how could you know it would be secure?
Moving to AWS was first and foremost about driving speed and agility across the intelligence communities, and the ability to quickly leverage the capabilities that had emerged from this new world called the cloud. But you also have to remember that we weren’t using the public cloud version of AWS. We worked with Amazon to create a classified version of the AWS cloud that we could operate in a tightly controlled way, as we always had.
How concerned were you about endpoint security at the time?
That wasn’t as big a deal back then as it is now. Almost all of the endpoints were desktop PCs, so our focus was on making sure that operating systems were kept up-to-date and properly patched, and on maintaining tight control over access to things like USB ports. And no wireless devices were allowed inside the building. So we did a good job of limiting people’s ability to do bad things, or even accidentally do bad things.
Research shows more than 90% of cyberbreaches are due to “bad hygiene,” such as inconsistent patch management. Have you found that to be true in your experience?
I’d have guessed the figure is even higher, in the high 90s. That’s why we had a concept at Accenture called “Be brilliant at the basics.” Make sure your operating systems and applications and devices are up-to-date and properly patched. Clean up your directories to remove people who leave the organization in a timely manner. Make sure your data is properly encrypted.
You’ve talked a lot about the need to always maintain “positive control” over devices. This is the ability to not only identify if a device represents a risk, but to do something about it — say, to force a user to install a new malware patch before granting access to the network.
Absolutely. You always need to know the status of every device, including what’s been downloaded onto it and who the user is. Only then can you make good, automated decisions about who can do what. So if it’s really odd for Gus to be logging in from a Starbucks on a Sunday morning, maybe the system should only let me fill out my timecard but not give me access to the HR system or to any other sensitive data.
Today, these are the basic tenets of “zero trust,” the security model that requires an organization to verify every device trying to connect to its systems, even if it’s a known device. No one gets access until verified. The DOD and intel community have been following that verification model for many years. We just never called it “zero trust.”
It’s one thing to exert that kind of control when you’re protecting state secrets, but is it really feasible for the average company to always maintain positive control?
The military and intelligence community doesn’t do a lot of BYOD [bring your own device]. But it’s widespread in corporate America, and that can be a problem. Most companies are not going to buy every employee a laptop and a smartphone and all the other tools they not only need for their jobs but that allow a company to enforce positive control at all times. That’s where endpoint management systems come in. It allows you to partition these devices, to segment what people are allowed to do with their devices and what software they’re allowed to run on them. Having the visibility that unified management brings is absolutely critical.
[Read also: A conversation about Federal IT and Zero Trust]
What do you say to IT leaders who say they’re too overwhelmed with moving to WFH and responding to the pandemic to worry about establishing positive control right now?
When people say “Wow, that sounds like it’s going to cost a lot,” I tell them the cost of recovering from a problem invariably exceeds the cost of actually doing it right in the first place.
Exerting positive control obviously has implications for what employees can do with their devices. Do companies need to reset expectations for employees?
Employees need to accept that there are going to be some limitations. There are going to be more restrictions. If someone wants to work on their own desktop PC rather than the company laptop because it has a bigger screen, maybe they won’t get access unless the machine is updated with the latest patches. Or maybe they’ll only be able to log on between 8 a.m. to 8 p.m., Monday to Friday, because IT wants to lock everything down on the weekends. If you have an emergency meeting outside of those hours, maybe they need to call a number to get emergency access.
That could make for some tough cultural challenges.
I never want to make light of this. When companies and people are not used to operating in this type of environment, their brains just don’t go that way. Whereas in the classified world, people get a lot of training in security. They’re hard-coded, for example, to put an appropriate classification marking on every document, so it can be handled properly. If you do this day in and day out, you get used to it.
Don’t get me wrong. There’ll be a lot of complaining and moaning and groaning at first. But after a while, it becomes part of the natural work rhythm.