Identity in a remote world has taken on added importance, according to cybersecurity leaders speaking in a webinar on the state of security and the evolving role of CISOs at VMworld 2020.
“In the CISO community we’ve talked about the notion of ‘Your identity is your perimeter.’ This put an exclamation point on that,” said Jason Lee, CISO of Zoom, referring to the COVID-19 pandemic. “When I think of the scenario of how do I know when I’m provisioning a laptop it’s going to a new hire? … identity gets really important.”
Jimmy Sanders, head of security at Netflix DVD, agreed, saying that “one of the bad things about this new age is if I go into Zoom and change my name,” how does someone know who he really is?
“As security leaders, we have to make sure we don’t make it a guessing game for employees, and they don’t feel they have to be security experts.” Sanders said his security team is building architecture and tools so that employees only need to think about whether they are doing their job.
Noting that Zoom “became a verb overnight,” Lee said company IT and security officials have become much more focused on business resiliency, especially because the platform is used in mission-critical use cases like telemedicine and education.
Sanjay Poonen, chief operating officer of customer operations at VMware, said that “security is a team sport, and it takes a village.” Poonen said security can get better with event data.
“It doesn’t mean you’re completely safe—in the same way we’ll never be completely free of diseases,” he added, but the more security professionals can start developing sophisticated AI algorithms and work as a team, the better organizations can get at staying ahead of malicious threats.
Pivoting and accelerating projects
In addition to business continuity, the panelists also discussed redirecting priorities.
Lee said Zoom was working on long-term projects around embracing remote work and then “we all had to pivot to doing that in two weeks [when the pandemic began] and get to remote collaboration and innovating together.”
Sanders said Netflix DVD saw “big changes in our viewership,” which went from mobile-first to web-based, with viewers using either a laptop or web TV to consume and browse content. This made his group change how it architects security because there was more of a focus around APIs and apps, and now more resources are also being placed into web interactions, he said.
Sanders also said his role hasn’t evolved, and the model at Netflix DVD remains about “freedom and responsibility, and we try to live that by giving employees power and freedom to do what’s right but hold them responsible.” However, he added that “COVID has ratcheted that up a notch.”
His role and goal are “to ensure from an emotional standpoint” that employees and customers do not feel threatened by anything and that their experience is as seamless remotely as it is in the office, Sanders said.
Zero trust and consistent controls
Poonen said his observation is that “the security industry and for the most part, the enterprise world, have made security very complex. It is incumbent on us as we explain things to people … to use analogies to make concepts consumer simple.”
The panelists were asked which changes made since the pandemic began are here to stay and what the biggest change has been for them. Lee said Zoom put together a CISO council that he consults with on a regular basis. “We’re getting customer feedback and raw insights,” he said. “We’re going to keep going with this. It’s worked very well for us.”
In response to a question about the security concerns or threats that keep them up at night, Lee said, “I didn’t think CISOs were allowed to sleep.”
Identity and zero trust are the areas where the security team has been “really doubling down” to make sure there is least-privilege access, especially because people aren’t in the office right now, Lee said. “I can’t focus enough on identity access.”
The most important thing for him is consistent controls, Lee said. It’s difficult to have different identity systems for different environments, and Lee said he likes controls to be the same, with the same provider using the same multifactor authentication.
“Keeping it simple makes it easy for everyone to use,” he said. “Consistency of the control structure across the enterprise is the biggest takeaway I have.”