Duo Security CEO Dug Song kept it simple Tuesday when he described the last decade in cybersecurity.
“It sucked,” Song told the crowd at the Zero Trust Security Summit presented by Duo and produced by FedScoop and CyberScoop.
The next decade doesn’t have to be that way, he says, because the technology ecosystem has the tools it needs to make security as seamless and easy to use as possible. Architectures like zero trust can become more commonplace, giving enterprises simple ways to protect themselves against the most familiar threats.
At the core, it’s about ensuring that users and devices are connecting only with the data that they need. In a sit-down with CyberScoop on the sidelines of the summit, Song talked about the evolution of zero trust, how the cybersecurity market is changing, and how cybersecurity can be better woven into campaign operations.
The title of the event is the Zero Trust Security Summit. “Zero trust” seems to be such a big buzzword. When I talk to people, they’re not really sure what it means. What does “zero trust” really mean to you?
It went from being almost a philosophical set of principles to becoming a strategy, and now it’s kind of matured into a real architecture. A lot of that journey began with Google’s approach to Beyond Corp., moving away from a perimeter-based security model to something that was highly contextual. But those principles are evolving into a set of standards, and the security integration that zero trust provides is a much more sensible way for practitioners to be able to reason about what they should be deploying and how they should protect themselves. So it has been an interesting journey and evolution, and I am very happy, It feels like industry is making progress for once.
You said something interesting on the stage: “We should be making things harder for the attackers and not the users.” Do you see that as the way zero trust is evolving, with the ultimate goal being simplicity for the user?
Absolutely. So before I was building all of these companies, I was something of an old, open-source security hippie, writing free software and secure operating systems like OpenBSD, but also tooling like openSSH. Our intent there was to make secure communications between systems ubiquitous in the same way we thought about how to make strong authentication for Duo ubiquitous. What we figured out there was that you actually had to design security mechanisms that could be adopted without all the rigmarole around “perfect security.” Because for security to be effective, it actually has to be deployed and used.
The example I use with this is between SSH [Secure Shell] and PKI [public key infrastructure]. PKI has been around forever, but how far has it really gotten? Because if you have to organize a world with these hierarchical trees of relationships, it takes a long time to be able to do that. I see very few organizations that have actually been successful in rolling out PKI in a meaningful way versus SSH, which is now deployed in every system in the world. It was really a shift in the security model.
We really banked on the fact that SSH had this model called TOFU: trust on first use. That enabled everybody to just go and deploy it and be successful with it, and it kind of created a whole other area: What we call “opportunistic encryption.” That is the opportunity before us with zero trust. We need to re-design our security experiences and workflows into things that can easily be adopted by users. Because if there’s friction, they will find a different path.
In the cybersecurity market, there’s been a rush to consolidate. Your parent company, Cisco, is buying up a lot of security companies. Palo Alto Networks, for example, is doing the same. Do you think consolidating companies is good for the end user or the enterprise users that are looking for things to be easier when it comes to security?
Absolutely. I’m from Detroit, so I think of analogies from the auto industry. There was a time in the industry that seat belts were an after-market option for vehicles. And then you had Ralph Nader, and then, all of a sudden, you had safety built in. That’s what has happened in security, and that’s a very healthy element where security is built in instead of being bolted on. Because who wants to manage all of that?
[The consolidation] speaks to the maturity of our broader IT industry. Security has become more a feature set than a set of products. Now, of course, there are products that you’re going to have to manage and integrate. That’s where a zero-trust approach is really important. But, I mean, half of the industry shouldn’t exist. There are a lot of products that really are just features, but because their products often require teams and people and all this stuff that more and more companies can’t afford and can’t find. I think it’s a natural evolution of this industry to see more products rolled up and built in [to offerings.] At this point in time, user trust makes [security] something that a mere mortal can understand and manage.
Back to the simplicity point: What’s better from an end-user perspective? Getting a product to the point where it is simple for someone to use in a security aspect, or getting it to the point where a user is using a product and they don’t even know they are secure?
All of the above. With Duo, depending on how you are configured, you might see it once a month. The rest of the time, a user is just using applications on a trusted device or a trusted network. That is the experience that we want to provide. Sometimes, the best security system is the security you can’t see. That ultimately is our goal.
Though people think of Duo as a two-factor authentication provider, we really do think of ourselves as a secure access platform. Password authentication is something that we we’ve been working to help drive as well, which is not something users see either. That really should be the goal. Because who wants to deal with all that stuff anymore? So we do have goals to try to make security just get out of people’s way in every way possible.
Campaign security and election security is such a hot topic right now. What do you see with regards to the presidential campaigns and your product? I know your products are used by both the DNC and RNC. But, we just saw Pete Buttigieg’s campaign lose a CISO over “different philosophies” on information security. Is there a different philosophy when it comes to campaigns and are you hearing about it?
The conversation centers around how do we help those organizations. I can’t speak to any specific ones or their specific concerns, but in general, it’s a challenge. These organizations are highly diverse and have high-value individuals within them. In some cases, you are protecting folks that are deeply technical who know exactly what they are doing and way, but in many cases you have the general folks who don’t understand the “why” or the “how.”
An analogy I will take is from banking. In traditional retail banking, you will have, you know, your grandmother in Peoria, Illinois, with her bank accounts. But then you have all the way up to what the big banks call their “whales” — the folks with private banking, private wealth management, private brokerage — and you can’t tell those people what to do. They will take their assets and say “Fine, if I gotta go jump through these hoops, I’ll take my money elsewhere.” So banks have to be really thoughtful about how they design security for those users. Banks are really good at what they call “KYC” — know your customer. Zero trust, is, in effect that strategy taken right to the broader population.
So more and more, what those kinds of organizations are asking us for is “How can we design security for our users?” I don’t know what happened with [Pete Buttigieg’s campaign] CISO, but I wish I would have been able to talk to them.
It seems the temporary nature of a campaign doesn’t really do companies like yours any favors. Campaigns aren’t interested in buying these products because they are coming from the mindset of “Why am I going to buy this? I’ve might be here nine months, tops, if I’m lucky.”
Solving for things like time, cost, adoption and skill are so important. Yet, many folks in that line of work many not have the depth in security. We deal with a lot of organizations that have just an IT person who is managing security for them. They neither have the skill set or experience, or even the time to handle this stuff. We hear the common refrain that “Security sucks, no one has time for this stuff.” So we have to make it simpler and cost-effective.
As an old, open-source hippie, Duo has always had a free edition of our product, because I believe small organizations deserve it. I also think privacy is actually a human right. We all should have some basic digital rights. So we should be able to take cost out of the equation and allow folks to be able to protect themselves. Those are the kind of things that we really are working on as an organization to figure out who or what needs to be protected, and how can we do it in the simplest way possible for them.
“It sucked,” Song told the crowd at the Zero Trust Security Summit presented by Duo and produced by FedScoop and CyberScoop.
The next decade doesn’t have to be that way, he says, because the technology ecosystem has the tools it needs to make security as seamless and easy to use as possible. Architectures like zero trust can become more commonplace, giving enterprises simple ways to protect themselves against the most familiar threats.
At the core, it’s about ensuring that users and devices are connecting only with the data that they need. In a sit-down with CyberScoop on the sidelines of the summit, Song talked about the evolution of zero trust, how the cybersecurity market is changing, and how cybersecurity can be better woven into campaign operations.
The title of the event is the Zero Trust Security Summit. “Zero trust” seems to be such a big buzzword. When I talk to people, they’re not really sure what it means. What does “zero trust” really mean to you?
It went from being almost a philosophical set of principles to becoming a strategy, and now it’s kind of matured into a real architecture. A lot of that journey began with Google’s approach to Beyond Corp., moving away from a perimeter-based security model to something that was highly contextual. But those principles are evolving into a set of standards, and the security integration that zero trust provides is a much more sensible way for practitioners to be able to reason about what they should be deploying and how they should protect themselves. So it has been an interesting journey and evolution, and I am very happy, It feels like industry is making progress for once.
You said something interesting on the stage: “We should be making things harder for the attackers and not the users.” Do you see that as the way zero trust is evolving, with the ultimate goal being simplicity for the user?
Absolutely. So before I was building all of these companies, I was something of an old, open-source security hippie, writing free software and secure operating systems like OpenBSD, but also tooling like openSSH. Our intent there was to make secure communications between systems ubiquitous in the same way we thought about how to make strong authentication for Duo ubiquitous. What we figured out there was that you actually had to design security mechanisms that could be adopted without all the rigmarole around “perfect security.” Because for security to be effective, it actually has to be deployed and used.
The example I use with this is between SSH [Secure Shell] and PKI [public key infrastructure]. PKI has been around forever, but how far has it really gotten? Because if you have to organize a world with these hierarchical trees of relationships, it takes a long time to be able to do that. I see very few organizations that have actually been successful in rolling out PKI in a meaningful way versus SSH, which is now deployed in every system in the world. It was really a shift in the security model.
We really banked on the fact that SSH had this model called TOFU: trust on first use. That enabled everybody to just go and deploy it and be successful with it, and it kind of created a whole other area: What we call “opportunistic encryption.” That is the opportunity before us with zero trust. We need to re-design our security experiences and workflows into things that can easily be adopted by users. Because if there’s friction, they will find a different path.
In the cybersecurity market, there’s been a rush to consolidate. Your parent company, Cisco, is buying up a lot of security companies. Palo Alto Networks, for example, is doing the same. Do you think consolidating companies is good for the end user or the enterprise users that are looking for things to be easier when it comes to security?
Absolutely. I’m from Detroit, so I think of analogies from the auto industry. There was a time in the industry that seat belts were an after-market option for vehicles. And then you had Ralph Nader, and then, all of a sudden, you had safety built in. That’s what has happened in security, and that’s a very healthy element where security is built in instead of being bolted on. Because who wants to manage all of that?
[The consolidation] speaks to the maturity of our broader IT industry. Security has become more a feature set than a set of products. Now, of course, there are products that you’re going to have to manage and integrate. That’s where a zero-trust approach is really important. But, I mean, half of the industry shouldn’t exist. There are a lot of products that really are just features, but because their products often require teams and people and all this stuff that more and more companies can’t afford and can’t find. I think it’s a natural evolution of this industry to see more products rolled up and built in [to offerings.] At this point in time, user trust makes [security] something that a mere mortal can understand and manage.
Back to the simplicity point: What’s better from an end-user perspective? Getting a product to the point where it is simple for someone to use in a security aspect, or getting it to the point where a user is using a product and they don’t even know they are secure?
All of the above. With Duo, depending on how you are configured, you might see it once a month. The rest of the time, a user is just using applications on a trusted device or a trusted network. That is the experience that we want to provide. Sometimes, the best security system is the security you can’t see. That ultimately is our goal.
Though people think of Duo as a two-factor authentication provider, we really do think of ourselves as a secure access platform. Password authentication is something that we we’ve been working to help drive as well, which is not something users see either. That really should be the goal. Because who wants to deal with all that stuff anymore? So we do have goals to try to make security just get out of people’s way in every way possible.
Campaign security and election security is such a hot topic right now. What do you see with regards to the presidential campaigns and your product? I know your products are used by both the DNC and RNC. But, we just saw Pete Buttigieg’s campaign lose a CISO over “different philosophies” on information security. Is there a different philosophy when it comes to campaigns and are you hearing about it?
The conversation centers around how do we help those organizations. I can’t speak to any specific ones or their specific concerns, but in general, it’s a challenge. These organizations are highly diverse and have high-value individuals within them. In some cases, you are protecting folks that are deeply technical who know exactly what they are doing and way, but in many cases you have the general folks who don’t understand the “why” or the “how.”
An analogy I will take is from banking. In traditional retail banking, you will have, you know, your grandmother in Peoria, Illinois, with her bank accounts. But then you have all the way up to what the big banks call their “whales” — the folks with private banking, private wealth management, private brokerage — and you can’t tell those people what to do. They will take their assets and say “Fine, if I gotta go jump through these hoops, I’ll take my money elsewhere.” So banks have to be really thoughtful about how they design security for those users. Banks are really good at what they call “KYC” — know your customer. Zero trust, is, in effect that strategy taken right to the broader population.
So more and more, what those kinds of organizations are asking us for is “How can we design security for our users?” I don’t know what happened with [Pete Buttigieg’s campaign] CISO, but I wish I would have been able to talk to them.
It seems the temporary nature of a campaign doesn’t really do companies like yours any favors. Campaigns aren’t interested in buying these products because they are coming from the mindset of “Why am I going to buy this? I’ve might be here nine months, tops, if I’m lucky.”
Solving for things like time, cost, adoption and skill are so important. Yet, many folks in that line of work many not have the depth in security. We deal with a lot of organizations that have just an IT person who is managing security for them. They neither have the skill set or experience, or even the time to handle this stuff. We hear the common refrain that “Security sucks, no one has time for this stuff.” So we have to make it simpler and cost-effective.
As an old, open-source hippie, Duo has always had a free edition of our product, because I believe small organizations deserve it. I also think privacy is actually a human right. We all should have some basic digital rights. So we should be able to take cost out of the equation and allow folks to be able to protect themselves. Those are the kind of things that we really are working on as an organization to figure out who or what needs to be protected, and how can we do it in the simplest way possible for them.