Login
The use of unmanaged and IoT devices in enterprises is growing exponentially, and will account for 55.7 billion connected devices by the end of 2025. A critical concern is deploying IoT devices without requisite security controls.
While these numbers are numbing, their reality is undeniable. 90% of customers believe digitization has accelerated the importance placed upon security. The World Economic Forum now lists cybersecurity failure as a critical threat, and estimates a gap of more than 3 million security experts worldwide, hindering secure deployments at scale. Furthermore, 83% of IoT-based transactions happen over plaintext channels and not SSL, making them especially risky.
Securing an IoT device can be achieved either through securing the IoT device itself, or hardening the network it accesses. Securing devices can be cumbersome, requiring complex manufacturing partnerships and increasing unit prices, thereby reducing adoption. On the other hand, securing the network is always desirable as it helps secure access, encrypt traffic, and ease management.
Being a leader in both security and networking, Cisco continues to bring security closer to networking, providing the network with built-in security, and enabling the network to act both as sensor and as an enforcer. The convergence of security and networking leverages the network’s intelligence and visibility to enable more-informed decisions on policy and threats.
Cisco uniquely integrates security and networking, for instance we recently integrated Cisco Secure Firewall to operate on Cisco Catalyst 9000 Series switches. Additionally, Secure Firewall can be deployed in a containerized form, on-premises and in clouds. Cisco Secure Firewall classifies traffic and protects applications while stopping exploitation of vulnerable systems. Additionally, we offer Identity Services Engine with AI Endpoint Analytics to passively identify IoT devices and apply segmentation policies. Furthermore, Cisco offers management flexibility by integrating with Cisco Defense Orchestrator and DNA Center and with existing customer tools like SIEMs and XDRs.
Let’s look at three use cases where the addition of Secure Firewall capability on Catalyst 9000 Series switches solves real world problems:
Use case 1: Securing the Smart Building: This solution is ideal to secure smart buildings, converging various IoT systems into a single IT-managed network infrastructure. Smart buildings lower the operational and energy costs. Smarter building systems, however, pose serious security risks as these include so many unmanaged devices such as window shades, lighting, tailored HVAC, and more. One of the methods to secure smart buildings is to control access to avoid manipulation of sensors. Such control is attained with a networking switch with enhanced firewall capability. The firewall ensures granular segmentation, directing policies for traffic generated out of IoT devices, providing access to the right users. This integration also brings security closer to endpoints, making policy orchestration simpler.
Use Case 2: Centrally manage isolated IoT network clusters: IoT devices which communicate with each other in the same subnet typically cannot be routed, which is a challenge. By default, most IoT networks are configured in the same subnet, making it difficult to manage them centrally. Administrators are forced to physically connect to the IoT network to manage and collect telemetry. Furthermore, IoT vendors often charge hefty amounts to update IP addresses of devices. Cisco Secure Firewall, hosted on the Catalyst switch, solves this problem and not only inspects traffic from the IoT network but also translates duplicate IoT IP addresses to unique global IP addresses using NAT for centralized management of isolated IoT networks.
Use Case 3: Securely encrypt IoT traffic passing through a shared IT network: At airports, for example, multiple vendors manage unique systems such as baggage, air quality, biometric access control, etc, which share a common network. IoT traffic is usually in plain text, making it susceptible to packet sniffing, eavesdropping, man-in-the-middle attacks, and other such exploits. The IPSec capability on Cisco Secure Firewall encrypts IoT traffic, securing data transfer and reducing risk.
Cisco’s IoT initiatives join the once disconnected worlds of IT and IoT, unifying networking and security. For further details refer to the At-A Glance and see how and an Australian oil company, Ampol, fortified its retail IoT with Cisco Secure!
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
For Cisco engineers working on Duo, having a remote-first workplace has helped them reach life goals, connect with colleagues around the world, and be intentional communicators. We understand that working remotely can be an adjustment — that’s why we’ve compiled the 10 parts of remote work that surprised our team members most and their advice for navigating the nuances. If you’re interested in being part of a remote-first workplace, check out our open positions.
Senior Engineering Leader David Rines has worked remotely for the past seven years. He’s found that Cisco’s approach to distributed teams has “enabled us to pick up the right talent, and not necessarily local talent. We are moving towards a global, follow the sun environment,” he said.
One of the aspects Rines appreciates most of this structure is getting “a widely varied set of perspectives and experiences that help build a more reliable, more robust product, which is why we’re here.”
Another benefit to having colleagues across the globe is the sharing of recipes, a perk Senior Site Reliability Engineer Bernard Ting particularly enjoys. Proactively communicating with colleagues virtually “helps you to form bonds with people from other teams. You can always learn something new about cultures elsewhere. I talk to people about food and so I’m always gathering recipes from people from all over the world,” Ting shared.
While some may fear that working remotely could lead to feelings of isolation and loneliness, a different camaraderie can flourish in the structure of our distributed teams. With colleagues across time zones, “there’s always someone there who you can reach out to help solve your problem,” Rines said.
Collaboration hours are another way Site Reliability Engineering Manager Jaya Sistla has cultivated virtual community and problem-solving. These hours are blocked off for team members to talk about what they’re working on. “The main thing is being able to ask for help so you don’t go into the rabbit hole debugging things,” Sistla said.
Ting points out that working in a distributed model allows you to really engage in virtual events and conversations. Given that the team mainly communicates through online chat, Ting has found that “forces you to see everyone as equally approachable, which has made me more comfortable reaching out to people from anywhere in the world.”
For folks sharing an office, collaboration can happen through casual chats over coffee. When facing a challenge, you can ask your neighbor for support. While ideally virtual communication could have a similar cadence and spontaneity, the logistics of remote and distributed work require intentionality and being proactive in connecting with colleagues as people and as co-workers.
When Ting first started working remotely, he felt that every meeting needed to be formal and have a business objective. By sharing his feelings with his manager, he was reassured that “socializing is a very important part of teamwork, because if you don’t have a good relationship with your colleagues you’re not going to be able to have healthy discussions, healthy conflict or be able to critique each other when the situation arises.”
Since that conversation, Ting has been more proactive about catching up with colleagues, which can include sharing a coffee over video chat. Duo’s “coffee roulette” formalizes the process as every month, employees who opt in can be randomly paired up for a quick half-hour chat focused exclusively on socializing. Ting has found being proactive about socializing virtually helpful. “It’s made me more intentional with my time and really treasure the social experience you can get,” he said.
Some folks may be concerned that without a manager observing their efforts and work ethic day in and day out, it may be harder to recognize accomplishments and challenges. Ting found that within his team “when you work on projects and in your one-on-ones with your managers, they’re always very intentional about learning what you’ve been doing and seeing what your progress is like on certain projects. I’ve been asked, ‘How do you think you can improve? What are some of the things you’ve been doing outside of the team work?’”
To cultivate cross-team collaboration and education, there are thoughtfully planned virtual lunch and learns. “We schedule training sessions and common meetings at times that are flexible for everyone. If it has to be repeated, we do it so people can comfortably attend rather than stretching themselves and attending at odd hours,” Sistla said.
For Software Engineer Nick Aspinall, an important and fun part of working remotely is keeping in touch with virtual messaging. One unique perk has been getting to create and customize emojis with team members including a few of himself in “various ridiculous states,” he said.
Connecting with colleagues on themed channels focused on personal and professional interests from coffee to pets “makes it really cool because you can meet people across different teams and still get some of the feeling of rubbing elbows that you get when you’re in the office,” Aspinall said. Participating in these virtual conversations boosts morale while also providing an endless supply of cute animal pics.
Given the multi-faceted nature of our work and the importance of consistent information sharing, having different communication channels and formats to communicate data with varying degrees of complexity is vital. Having information readily accessible, accurate and updated is particularly necessary in a field like cybersecurity.
Senior Software Engineer Mario Lopez finds that the variety of information sources contributes to an easeful remote working experience. For instance, for complex architecture decisions or detailing, Duo’s Wiki is the best source.
Software Engineer Hanna Fernandez has benefited from chat channels dedicated to design and engineering topics to “see what everyone’s up to and what thoughts people have,” she said. Sista pointed out these are great places to ask questions and open up dialogue to solve problems.
Our culture is “video-on,” meaning that it is preferred that during video meetings, as much as possible, attendees have their cameras on. Lopez loves this because “you get a bit of that personal human element.”
“We’re all people behind these screens. You definitely get some of people’s personality through text, but you get it more when you actually see them. It’s infectious when you see someone smiling. You’ve got to smile back,” he shared (while we both smiled).
When Fernandez started at Cisco, she was advised to schedule individual meetings with everyone she would be working with on every team that she joined. That suggestion is one she’s applied even virtually.
“It’s a great strategy because I already know that my team is super talented and very smart, but this way I also get to know them as humans beyond their roles,” Fernandez said. Fernandez also finds it important to check in with co-workers and ask how they’re feeling and how their time off was. “I know a lot of people hate small talk, but it’s not just small talk. I’m genuinely interested in how my co-workers are doing.”
One of Ting’s biggest goals was buying his first house in the countryside outside of London. By working remotely, Ting has flexibility in his location which allowed him to achieve his goal of buying a house and settling down with his partner, while giving their dogs the space they need to be dogs.
When transitioning from fully remote to hybrid, it’s important to recognize that there will be some shifts to get accustomed to. As the structures of remote, distributed and hybrid work evolve, it’s important to stay flexible and notice what’s possible through multiple modalities of team building. Many teams have enjoyed in-person gatherings and connecting through virtual lunches and team games when remote.
Fernandez has had multiple roles with multiple structures at Cisco. As an intern, she was fully in person and shared desk space with other interns who collaborated on full stack engineering. While working in finance IT, Fernandez was hybrid and many of her colleagues were distributed among multiple offices. The pandemic began while she was in a DevOps role, forcing her to maintain boundaries around her work time while working fully remotely. In her current role working on Duo, Fernandez is completely remote but advocates for in-person events if possible, because “humans are social creatures who want to see each other’s faces in real life once in a while.”
For Aspinall, “when we did come back to the office, there was a bit of an adjustment period where you were overstimulated from the office.” He also wanted to ensure team members who were 100% remote were fully included. Now he sees that while half his team is fully remote and the other half is hybrid, “that doesn’t stop anyone from doing anything. All of our meetings feel the same. They’re all seamless.”
If you’re interested in joining our team from wherever you are in the world, check out our open roles.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Related tags
Going beyond the hype, passwordless authentication is now a reality. Cisco Duo’s passwordless authentication is now generally available across all Duo Editions.
“Cisco Duo simplifies the passwordless journey for organizations that want to implement phishing-resistant authentication and adopt a zero trust security strategy.”
—Jack Poller, Senior Analyst, ESG
We received tremendous participation and feedback during our public preview, and we are now excited to bring this capability to our customers and prospects.
“Over the last few years, we have increased our password complexities and required 2FA wherever possible. With this approach, employees had more password lock outs, password fatigue, and forgetting their longer passwords due to password rotations. With Duo Passwordless, we are excited to introduce this feature to our employees to keep our password complexities in place and leverage different Biometric options whether that is using their mobile device, Windows Hello, or a provided FIDO security key.
The Duo Push for passwordless authentication feature is simple and easy and introduces a more pleasant experience overall. Using Duo’s device insight and application policies, we are able to leverage and verify the security of the mobile devices before the device is allowed to be used. To top it off, Duo is connected to our SIEM and our InfoSec team is able to review detailed logs and setup alerts to be able to keep everything secure.”
—Vice President of IT, Banking and Financial Services Customer
As with any new technology, getting to a completely passwordless state will be a journey for many organizations. We see customers typically starting their passwordless journey with web-based applications that support modern authentication. To that effect, Duo’s passwordless authentication is enabled through Duo Single Sign-On (SSO) for federated applications. Customers can choose to integrate their existing SAML Identity provider such as Microsoft (ADFS, Azure), Okta or Ping Identity; or choose to use Duo SSO (Available across all Duo editions).
“Password management is a challenging proposition for many enterprises, especially in light of BYOD and ever increasing sophistication of phishing schemes. Cisco aims to simplify the process with its Duo passwordless authentication that offers out-of-box integrations with popular single sign-on solutions.”
—Will Townsend, Vice President & Principal Analyst, Networking & Security, Moor Insights & Strategy
Duo offers a flexible choice of passwordless authentication options to meet the needs of businesses and their use cases. This includes:
No matter which authentication option you choose, it is secure and inherently multi-factor authentication. We are eliminating the need for the weak knowledge factor (something you know – passwords) which are shared during authentication and can be easily compromised. Instead, we are relying on stronger factors, which are the inherence factor (something you are – biometrics) and possession factor (something you have – a registered device). A user completes this authentication in a single gesture without having to remember a complex string of characters. This significantly improves the user experience and mitigates the risk of stolen credentials and man-in-the-middle (MiTM) attacks.
FIDO2 authentication is regarded as phishing-resistant authentication because it:
Using Duo with FIDO2 authenticators enables organizations to enforce phishing-resistant MFA in their environment. It also complies with the Office of Management and Budget (OMB) guidance issued earlier this year in a memo titled “Moving the U.S. Government Towards Zero Trust Cybersecurity Principles”. The memo specifically requires agencies to use phishing-resistant authentication method.
We understand that getting the IT infrastructure ready to support FIDO2 can be expensive and is typically a long-term project for organizations. In addition, deploying and managing 3rd party security keys creates IT overhead that some organizations are not able to undertake immediately.
Alternatively, using Duo Push for passwordless authentication is an easy, cost effective to get started on a passwordless journey for many organizations, without compromising on security.
We have incorporated security into the login workflow to bind the browser session and the device being used. So, organizations get the same benefits of eliminating use of stolen credentials and mitigation of phishing attacks. To learn more about passwordless authentication with Duo Push, check out our post: Available Now! Passwordless Authentication Is Just a Tap Away.
In addition to going passwordless, many organizations are looking to implement zero trust access in their IT environment. This environment typically is a mix of modern and legacy applications, meaning passwordless cannot be universally adopted. At least not until all applications can support modern authentication.
Additionally, organizations need to support a broad range of use cases to allow access from both managed and unmanaged (personal or 3rd party contractor) devices. And IT security teams need visibility into these devices and the ability to enforce compliance to meet the organization’s security policies such as ensuring that the operating system (OS) and web browser versions are up to date. The importance of verifying device posture at the time of authentication is emphasized in the guidance provided by OMB’s zero trust memorandum – “authorization systems should work to incorporate at least one device-level signal alongside identity information about the authenticated user.”
Duo can help organizations adopt a zero trust security model by enforcing strong user authentication across the board either through passwordless authentication where applicable or thought password + MFA where necessary, while providing a consistent user experience. Further, with capabilities such as device trust and granular adaptive policies, and with our vision for Continuous Trusted Access, organizations get a trusted security partner they can rely on for implementing zero trust access in their environment.
To learn more, check out the eBook – Passwordless: The Future of Authentication, which outlines a 5-step path to get started. And watch the passwordless product demo in this on-demand webinar .
Many of our customers have already begun their passwordless journey. If you are looking to get started as well, sign-up for a free trial and reach out to our amazing representatives.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Few security career paths are linear. For Stephanie Frankel the journey to Cisco Secure was circuitous. The Ann Arbor, Michigan native studied journalism at the University of Michigan before managing communications for the Washington Capitals and NBC Sports. But after several stints at communications agencies, she charted a new path for herself in cybersecurity. Not only has her diverse background served as a strength in her current role as senior manager for strategy and operations, but it’s also informed her management philosophy.
After doing project management and account direction at consulting agencies, Frankel was interested in honing her skills and expertise on the client side. She had heard amazing things about Duo and wanted to stay in Ann Arbor and work for a company with local roots. After interviewing, Frankel realized that “working at Duo was a cool, exciting opportunity with a really awesome group of people.”
Frankel was on the ground running working as a technical project manager in research and development overseeing the Multi-Factor Authentication, applications and mobile engineering teams despite not having worked in information security before.
Duo’s security education allowed Frankel to understand the industry and is something she values for getting more people into the cybersecurity field. At Duo and Cisco Secure, employees come from a variety of backgrounds and some don’t have much (or any) experience with cybersecurity.
Robust educational programs build knowledge about security and specific products which empower new team members to grow and learn. Every team also has a learning and development budget for employees to quench their curiosity and enhance their knowledge through courses, books or other programs Manager of Global Employee Programs Anndrea Boris shared.
“People are open to having conversations and open to ideas and ways to solve those ideas. If you have an idea of how to solve a problem, no matter whether it’s your job or not, people are open and willing to listen to you.” – Stephanie Frankel
Something Frankel also appreciates most is that ideas are valued at Duo and Cisco Secure: “Even in my first job, I would have ideas and go to my boss or our head of engineering and say, ‘Hey, I think this could be a really cool opportunity, and I think it needs this.’ People are open to having conversations and open to ideas and ways to solve those ideas. If you have an idea of how to solve a problem, no matter whether it’s your job or not, people are willing to listen to you.”
After a year, Frankel moved from engineering to marketing to run operations for Duo’s in-house brand team, leading the team through a rebrand. “The team really rallied behind this new brand and it was amazing to see their pride and hard work when sharing it,” she said. With Frankel’s leadership, the team showcased not only the new look and feel of the brand but also the customer research that went into understanding the need for the change.
“Our amazing team knew that for it to catch on internally we needed to help people understand the why. The team put together an amazing training and went around the company to help people understand the security buyer, the industry overall and our differentiators and how we could do all of this within the umbrella of Cisco,” she said.
Recognizing that she most enjoys and feels best suited for a strategic operations role, she had open conversations with her manager. “I told my boss, ‘It’s just not a great fit.’” Her manager was very supportive, and they worked through potential options. “You’ll find a lot of that at Cisco,” she said.
Now as senior manager in the Strategy and Operations Group within Cisco’s Security and Collaboration division, Frankel runs key initiatives for business operations that drive business growth. She is empowered to creatively solve problems and collaborate “with all the stakeholders within each group to move these programs forward, to understand the problems we’re looking to solve, create objectives, a program plan, and continue to track metrics and progress towards those ultimate goals,” she said.
A self-described “over communicator,” Frankel believes that as a leader, “the more you communicate and the more transparent you are, the better.” Frankel loves leading people who are experts in their fields and letting them do what they do best.
On the brand team, for example, she trusted her team’s expertise in producing stories, videos and animations to demystify Cisco’s security products.
“All I needed to do was give them the objective and the goals and they were able to come up with the solutions,” Frankel said.
She fondly remembers the boss at one of her first jobs out of college. In that job Frankel wrote press releases and wanted her boss to fully approve the final versions before sending them to the media. Once her boss told her, “Stephanie, if you keep giving it back to me, I will keep finding things to change. I trust you to know when it is ready to go.” That confidence in her so early in her career “gave me so much confidence in myself,” she said.
Frankel emulates his approach to management by recognizing that each employee has different needs in their lives, in their careers, and in how they like to receive feedback. From that boss Frankel first learned that for every piece of negative feedback, you must give four pieces of positive feedback for “someone to actually hear it because that’s how you balance things out in your mind.”
Frankel believes feedback is crucial for growth. “I don’t see how you can improve or grow without it, no matter what level of your career you’re at. Feedback shouldn’t be taken as negative, as much as it is a way for you to improve,” she said.
One of the most helpful things Frankel learned in a Cisco class for managers was the importance of asking a person if they are in a good place to receive critical feedback. “You might not be in the mindset to accept the feedback and to do something constructive with it,” she said. ”If you’re having a bad day or struggling, you could say, ‘You know what, I’m not going to be able to take it today, but let’s talk tomorrow and I’ll be in a better place to receive it.’’’
Frankel has spent the last year thriving in a role she never anticipated in an industry her college training in journalism didn’t fully prepare her for. The secret, she says, is keeping an open mind to new possibilities and a willingness to take on new challenges, even if you don’t feel 100% ready.
“A lot of it is getting real world experience and learning your way through it and knowing that there’s a lot of opportunities and a lot of people that are willing to teach you,” she said.
To pivot professionally Frankel advises not feeling pigeonholed just because you studied a particular topic or have been in a certain industry for a long time. Take what you can from where you started such as storytelling and communications skills in the case of journalism for Frankel. While trying something new may require taking a different level or type of job “sometimes it’s worth it because you have that opportunity to grow and you might find you’re happier somewhere else,” she said.
When discerning professional steps Frankel recommends having open and honest conversations with yourself and others such as mentors.
“Cisco has so many mentorship programs and so many people that are knowledgeable about a lot of things,” she said. ”Just because your current role isn’t a great fit doesn’t mean that there’s not another good fit within the corporation, or it doesn’t mean that you can’t create your own good fit.”
Did you know that Cisco offers cybersecurity trainings and certifications? Start developing your cybersecurity skills today! And if you’re ready to jump into an exciting new career in security, check out the open roles at Cisco Secure and Duo Security.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
To consumers, the Internet of Things might bring to mind a smart fridge that lets you know when to buy more eggs, or the ability to control your home’s lighting and temperature remotely through your phone.
But for cybersecurity professionals, internet-connected medical devices are more likely to be top-of-mind.
Not only is the Internet of Medical Things, or IoMT, surging — with the global market projected to reach $160 billion by 2027, according to Emergen Research — the stakes can be quite high, and sometimes even matters of life or death.
The risk to the individual patients is very small, experts caution, noting bad actors are far more likely to disrupt hospital operations, use unsecure devices to access other parts of the network or hold machines and data hostage for ransom.
“When people ask me, ’Should I be worried?’ I tell them no, and here’s why,” said Matthew Clapham, a veteran product cybersecurity specialist. “In the medical space, every single time I’ve probed areas that could potentially compromise patient safety, I’ve always been impressed with what I’ve found.”
That doesn’t mean the risk is zero, noted Christos Sarris, a longtime information security analyst. He shared an anecdote in Cisco Secure’s recent e-book, “Building Security Resilience,” about finding malware on an intensive care unit device that compromised a pump used to deliver precise doses of medicine.
Luckily, the threat, which was included in a vendor-provided patch, was caught during testing.
“The self-validation was fine,” Sarris said in a follow-up interview. “The vendor’s technicians signed off on it. So we only found this usual behavior because we tested the system for several days before returning it to use.”
But because such testing protocols take valuable equipment out of service and soak up the attention of often-stretched IT teams, they’re not the norm everywhere, he added.
Sarris and Clapham were among several security experts we spoke to for a deeper dive into the challenges of IoT medical device security and top-line strategies for protecting patients and hospitals.
Connected medical devices are becoming so integral to modern health care that a single hospital room might have 20 of them, Penn Medicine’s Dan Costantino noted in Healthcare IT News.
Sarris, who is currently an information security manager at Sainsbury’s, outlined some of the challenges this reality presents for hospital IT teams.
Health care IT teams are responsible for devices made by a multiplicity of vendors — including large, well-known brands, cheaper off-brand vendors, and small manufacturers of highly speciality instruments, he said. That’s a lot to keep up with, and teams don’t always have direct access to operating systems, patching and security testing, and instead are reliant on vendors to provide necessary updates and maintenance.
“Even today, you will rarely see proper security testing on these devices,” he said. “The biggest challenge is the environment. It’s not tens, it’s hundreds of devices. And each device is designed for a specific purpose. It has its own operating system, its own operational needs and so forth. So it’s very, very difficult — the IT teams can’t know everything.”
Cisco Advisory CISO Wolfgang Goerlich noted that one unique challenge for securing medical devices is that they often can’t be patched or replaced. Capital outlays are high and devices might be kept in service for a decade or more.
“So we effectively have a small window of time — which can be measured in hours or years, depending on how fortunate we are — where a device is not vulnerable to any known attacks,” he said. “And then, when they do become vulnerable, we have a long-tailed window of vulnerability.”
Or, as Clapham summed it up, “The bits are going to break down much faster than the iron.”
The Food and Drug Administration is taking the issue seriously, however, and actively working to improve how security risks are addressed throughout a device’s life cycle, as well as to mandate better disclosure of vulnerabilities when they are discovered.
“FDA seeks to require that devices have the capability to be updated and patched in a timely manner; that premarket submissions to FDA include evidence demonstrating the capability from a design and architecture perspective for device updating and patching… and that device firms publicly disclose when they learn of a cybersecurity vulnerability so users know when a device they use may be vulnerable and to provide direction to customers to reduce their risk,” Kevin Fu, acting director of medical device security at the FDA’s Center for Devices and Radiological Health explained to explained to MedTech Dive last year.
For hospitals and other health care providers, improving the security posture of connected devices boils down to a few key, and somewhat obvious, things: attention to network security, attention to other fundamentals like a zero-trust security framework more broadly, and investing in the necessary staffing and time do to the work right, Goerlich said.
“If everything is properly segmented, the risk of any of these devices being vulnerable and exploited goes way, way down,” he said. “But getting to that point is a journey.”
Sarris agrees, noting many hospitals have flat networks — that is, they reduce the cost and effort needed to administer them by keeping everything connected in a single domain or subdomain. Isolating these critical and potentially vulnerable devices from the rest of the network improves security, but increases the complexity and costs of oversight, including for things like providing remote access to vendors so they can provide support.
“It’s important to connect these devices into a network that’s specifically designed around the challenges they present,” Sarris said. “You may not have security control on the devices themselves, but you can have security controls around them. You can use micro segmentation, you can use network monitoring, et cetera. Some of these systems, they’re handling a lot of sensitive information and they don’t even support the encryption of data in transit — it can really be all over the place.”
The COVID-19 pandemic put a lot of financial pressure on health systems, Goerlich noted. During the virus’ peaks, many non-emergency procedures were delayed or canceled, hitting hospitals’ bottom lines pretty hard over several years. This put even greater pressure on already strained cybersecurity budgets at a time of increasing needs.
“Again, devices have time as a security property,” Goerlich said, “which means we’ve got two years of vulnerabilities that may not have been addressed. And which also probably means we’re going to try to push the lifecycle of that equipment out and try to maintain it for two more years.”
Clapham, who previously served as director of cybersecurity for software and the cloud at GE Healthcare, said device manufacturers are working hard to ensure new devices are as secure as they can be when they’re first rolled out and when new features are added through software updates.
“When you’re adding new functionality that might need to talk to a central service somewhere, either locally or in the cloud, that could have implications for security — so that’s where we go in and do our due diligence,” he said.
The revolution that needs to happen is one of mindset, Clapham said. Companies are waking up to the new reality of not just making a well-functioning device that has to last for over a decade, but of making a software suite to support the device that will need to be updated and have new features added over that long lifespan.
This should include adding additional headroom and flexibility in the hardware, he said. While it adds to costs on the front end, it will add longevity as software is updated over time. (Imagine the computer you bought in 2007 trying to run the operating system you have now.)
“Ultimately, customers should expect a secure device, but they should also expect to pay for the additional overhead it will take to make sure that device stays secure over time,” he said. “And manufacturers need to plan for upgradability and the ability to swap out components with minimal downtime.”
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
At Cisco Duo, we continually strive to enhance our products to make it easy for security practitioners to apply access policies based on the principles of zero trust. This blog highlights how Duo is achieving that goal by simplifying user and administrator experience and supporting data sovereignty requirements for customers around the world. Read on to get an overview of what we have been delivering to our customers in those areas in the past few months.
Duo strives to make secure access frictionless for employees while reducing the administrative burden on IT (Information Technology) and helpdesk teams. This is made possible thanks to the strong relationship between our customers and our user research team. The insights we gained helped us implement some exciting enhancements to Duo Single Sign-On (SSO) and Device Trust capabilities.
Duo SSO unifies identities across systems and reduces the number of credentials a user must remember and enter to gain access to resources. Active Directory (AD) is the most popular authentication source connected to Duo SSO, accounting for almost 80% of all setups. To make Duo’s integration with AD even easier to implement, we have introduced Duo SSO support for multiple Active Directory forests for organizations that have users in multiple domains. Additionally, we added the Expired Password Resets feature in Duo SSO. It provides an easy experience for users to quickly reset their expired Active Directory password, log into their application, and carry on with their day. Continuing the theme of self service, we introduced a hosted device management portal – a highly requested feature from customers. Now administrators no longer need to host and manage the portal, and end users can login with Duo SSO to manage their authentication devices (e.g.: TouchID, security keys, mobile phone etc.) without needing to open IT helpdesk tickets.
We are also simplifying the administrator experience. We have made it easy for administrators to configure Duo SSO with Microsoft 365 using an out of the box integration. Duo SSO layers Duo’s strong authentication and flexible policy engine on top of Microsoft 365 logins. Further, we have heard from many customers that they want to deliver a seamless on-brand login experience for their workforce. To support this, we have made custom branding so simple that administrators can quickly customize their end-user authentication experience from the settings page in the Duo Admin Panel.
Device Trust is a critical capability required to enable secure access for the modern workforce from any location. We have made it easy for organizations to adopt device trust and distinguish between managed and unmanaged devices. Organizations can enforce a Trusted Endpoint policy to allow access only from managed devices for critical applications. We have eliminated the requirement to deploy and manage device certificates to enforce this policy. Device Health application now checks the managed status of a device. This lowers administrative overhead while enabling organizations to achieve a better balance between security and usability. We have also added out-of-box integrations with unified endpoint management solutions such as Active Directory domain-joined devices, Microsoft Intune, Jamf Pro and VMware Workspace ONE. For organizations that have deployed a solution that is not listed above, Duo provides a Device API that works with any enterprise device management system.
To support our growing customer base around the world, Duo expanded its data center presence to Australia, Singapore, and Japan in September last year. And now Duo is thrilled to announce the launch of the two new data centers in the UK and India. Both the new and existing data centers will allow customers to meet all local requirements, all while maintaining ISO27001 and SOC2 compliance and a 99.999% service availability goal.
The launch of the new data centers is the backbone of Duo’s international expansion strategy. In the last two years, Duo has met key international growth milestones and completed the C5 attestation (Germany), AgID certification (Italy) and IRAP assessment (Australia) – all of which demonstrate that Duo meets the mandatory baseline standards for use by the public sector in the countries listed above. Check out this Privacy Data Sheet to learn more about Cisco Duo’s commitment to our customer’s data privacy and data sovereignty.
That is a summary of what we have been up to here at Cisco Duo in the past few months. But we are not done yet! Stay tuned for more exciting announcements at RSA Conference 2022 next week. Visit us at our booth at RSAC 2022 and World of solutions at Cisco Live 2022.
In the meanwhile, check out this on-demand #CiscoChat panel discussion with real-world security practitioners on how they have implemented secure access best practices for hybrid work using Duo. And if you do not want to wait, sign-up for a 30 day trial and experience how Duo can simplify secure access for your workforce.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
FreshRSS