Sean Frazier, advisory CISO at Duo Security, carries an earlier cloud industry pedigree than most, and with it a long historical view of the sector’s ever-increasing influence on the technology capabilities of industry and government.
He cut his teeth in the tech sector as an early systems engineering hire in 2000 at Loudcloud, which has been credited as one of the first companies to offer software-as-a-service computing, and one of the very first to talk about cloud computing.
We sat down with Frazier this week to discuss the evident success of the Federal government’s sharp ramp-up in telework as a result of the coronavirus pandemic, the policy initiatives that foster the government’s ability to pull off that feat, and what lessons may be there to learn when the dust settles from the current crisis.
MeriTalk: Imagine for a moment if you were in charge of the Federal government, what would you be directing the government to do on the technology front to sustain internal operations and service delivery to citizens during the pandemic?
Frazier: The government has done a pretty good job over the last ten years preparing for a situation like this. Certainly we can do better, but we’ve been hit with something that is unprecedented, and we’re straining a little bit under the weight of it.
Over the past ten years, technologies like cloud and mobility have matured to the point of being able to support the government mission, but it’s also the government’s policies built over the last several years from the Office of Management and Budget (OMB) that have helped.
And within government policy is the idea of agility about risk and security – as long as you can prove that you’re doing your security best practices, and you’re looking at identity and access management best practices, and you’re looking at data protection and privacy best practices – you can do what you need to do as an agency. That kind of policy gives the green light to be agile. We’ve been working on that for the last several years; the current situation is a test of that, but certainly we’ve been headed in the right direction.
MeriTalk: Let’s take a guess and say that things get back to normal in six months. What’s important for Federal IT leadership to do between now and then to get ready for that recovery?
Frazier: It comes down to standard planning for capacities and capabilities. I view this as an opportunity to figure out resiliency plans, capacity planning, and nominal capabilities or my nominal service requirements, versus my peak service requirements. You’ve got to be able to provide for those peak service times, and also the emergency peak service times that we find ourselves in now. The capabilities you put in place now for that emergency peak demand can be very useful for figuring out standard capacities in the future.
MeriTalk: Does that need to have the ability to expand capacity to meet emergency demand lead straight to the key advantage of cloud services, and further Federal IT modernization based on more use of those services? It’s hard to say the current situation will have any silver lining, but might that be one of them?
Frazier: You could absolutely call it a silver lining; I certainly look at it that way. When we look at lessons learned, we’ll look at the agencies that have been a little more aggressive on the cloud side, while always taking security and risk into consideration. How resilient were those agencies versus the ones that had to go rack servers in their data center?
My long-term view of this is that I do think agencies are getting out of the data center business. But it’s not for everyone, and there are certain agencies where it makes a ton of sense to still have your own servers in your own data center. But even if you look at the intelligence community, a lot of them have been interacting with cloud services over the last handful of years for just this reason.
But when I say we should accelerate and move faster to cloud, I want to make sure that we’re talking about Cloud Smart, and that agencies are planning appropriately and not just having a knee-jerk reaction and putting functions into cloud services that haven’t gone through FedRAMP and other security requirements, because those are very, very important.
But yes, I see this current time as perhaps an enabling event that can lead us to have additional elasticity and capacity in the future.
MeriTalk: Any other thoughts on the tech path forward?
Frazier: The big thing is making sure you have resilient technology. We’ve lived in kind of a smartcard world in the Federal space for the last ten years. Technology like that is great at some things but is also a little less adaptive to newer innovative technologies like cloud, among others.
And then making sure you are providing the strongest level of security especially for use of mobile devices, making sure you’re enabling biometric and some of the other strong technologies that also lead towards better usability and a better user experience.
MeriTalk: The coronavirus pandemic obviously presents a huge range of challenges for the Federal government, including pivoting quickly to telework while continuing to deliver essential services to citizens. What can Duo Security do to help the Federal government meet its mission in the very short term?
Frazier: One of the biggest things we need to consider – all of us collectively – is continuity of operations and making sure we can help keep services going.
Duo is a uniquely positioned enabler of that capability with modern multi-factor authentication and zero trust offerings. We were born in the cloud, and as the government has worked its way from the Cloud First policy and now to the Cloud Smart policy, it points to what I call cloud inevitable. Cloud brings the kind of operational resiliency needed to do continuity of operations while still making sure that security is part of that DNA.
We are an enabling technology that you can use for telework that can give you a consistent security user experience whether you’re sitting in the office, sitting in a Starbucks, or sitting at home in California with a stay-at-home order.