The a16z Show - Security When the Workforce Goes Remote
Episode Date: March 27, 2020
We are in the midst of a rapid and unprecedented shift to remote work. What does it mean for security when the airgap between work and life is gone? How prepared are organizations? And what should security professionals as well as individual workers be doing to protect themselves and their companies?
In this podcast, a16z security expert Joel de la Garza breaks down the current risks and how to defend against them. But beyond just immediate security needs, he explains what bigger transformations may be happening, most notably a shift from the traditional hub-and-spoke, point-to-point security architectures to a more distributed approach to workloads as well as trust.
Transcript
Hi, and welcome to the A16Z podcast Goes Remote. I'm DOS, and in this podcast, I call A16Z security expert Joel de la Garza to chat about what the rapid, widespread move to remote work means for security.
With so many people going remote the same way that we are, what's top of mind for you as a security expert?
There is a concept in information security, which is the belief in defense in depth. And that means that you don't rely on any one thing to protect you. You have a series of things
that you use and you stack them on top of each other. And you use those series of things to offer
multiple layers of protection. You don't just put a moat around the castle. You also put walls and
you have archers and you have hot oil ready to pour on people that try to storm it. And so in
security, we have those same sorts of controls. The challenge for security teams is that a lot of
those controls for a lot of companies only live in their office and only live in their corporate
network. And so when users take their machines home with them or they're remotely accessing,
they don't necessarily have the same controls in the office as they do at home. And if you look at
some of the large breaches over the last, let's say, five years, you'd see that there are a number
of instances where remote employees using a home computer that's perhaps shared with someone in the
house that doesn't have protections on it is used to access internal corporate information by an
attacker that's hacked it.
Are the things that we're dealing with new things,
or just things that were underway happening a lot faster?
We've had multiple scenarios in the corporate and enterprise world
where we've had to make employees work from home and work remotely.
You know, the first real encounter in at least my adult life with this sort of a scenario
was obviously 9-11 when we had fundamentally a city that became unavailable in the workforce
there being mostly unavailable or having to move to disaster recovery sites.
And I think 9-11 really taught a lot of large corporations about the importance of building
really resilient business continuity programs.
The actual new thing about this is just the scale,
is just the entirety of a workforce for a company being forced to work remote,
as well as their suppliers, as well as their customers.
We had the advent of things like SaaS and Salesforce and Box
and all these tools that were basically derived
so that people could access their work materials anywhere.
And it sort of became expected that some percentage,
usually salespeople because they're in the field, but some percentage of your workforce would be remote.
And so we've been building infrastructure to support that workforce for some time now.
This is less of like, oh, it's a new way to work and we have to change everything.
This is more like we have to re-engineer everything to handle the capacity and just the sheer number.
How are the best security teams you know properly preparing their organizations with this really rapid shift to remote work?
You know, I think that the right way to think about it is to just build a matrix in your mind
that sort of enumerates all the different security controls you have available to you in the workplace,
in the office, and have some understanding of how they translate to the different scenarios
all of your employees will find themselves in now. And so I think there's two things that
the really good security teams are fundamentally doing. The first is getting their people
stood up online outside of the office because security teams don't necessarily always have
great disaster recovery and business continuity plans. And then second, making sure that what they're
doing is actually safe and secure.
If you were in an organization right now and say you were going
from 20% to now 90% of your workforce is remote, break down for me very specifically how you would
do a risk assessment.
Over the last couple years, most things have left the building. And so most
services are provided by third parties. Most of the infrastructure that you run isn't running on your
premise. And so for the last three or four years, most CISOs, or chief information security officers,
have spent a tremendous amount of time thinking about their third party risk. Who are their vendors?
Who are their counterparties? Who are the people that they transact with? And you have to think about them,
not just from a security perspective, because that's a little bit narrow in terms of impact of the business,
but you need to be more comprehensive. And think in terms of like confidentiality. So is shifting all of your
voice traffic to this third party, does that provide you with the confidentiality you need to run your
business? While it may be okay to have a sales call with a customer where you don't discuss anything
confidential over a video conferencing system, now you're having your board meetings over this
video conferencing system, does it meet the requirements that you have? And then you have to think in
terms of integrity, the systems that you're relying on, now that you've moved everybody on to them,
have the controls in place to ensure the integrity of the operations
of your business. Are they going to lose your data? Is there going to be some sort of a disruption to
the quality of the output? Are the systems of record truly capable of being systems of record?
And then finally, you have to think in terms of availability. Not just you as a company
are moving your entire workforce to this service provider. The entire planet is. Will the service
provider be up and running in the face of this kind of demand? Or will they just fall over
because of the excess utilization?
I like the way that you broke that down. So it sounded like
the first bucket there was really around confidentiality and what transactions were happening in person,
providing a measure of security, now happening virtually. So let's focus in on that for a second.
How would you go about assessing that?
It really depends on the vertical. And it depends on the industry.
There's a very, very rich tapestry of requirements and regulations that you have to really understand.
And it's very specific to the business that you're in, specifically if you're regulated,
and you have to make sure that the tools that you're using can support those industry-specific regulations.
If you are, for example, in the healthcare industry, and let's say you're a hospital network,
and hospitals right now are rushing to provide telemedicine and to remotely treat potentially sick people,
the issue with that is that there are these regulations called HIPAA and HITECH that mean that you actually have to work to maintain the confidentiality of your patients'
information.
So then I guess looking at the second bucket that you talked about, which was really
selecting these new tools and introducing these new third-party vendors that you maybe weren't using
before. So for instance, you and I are using a totally new tool for A16Z that we rolled out as
soon as we went remote so that we could keep running our podcast. How are you or security professionals
thinking about these third-party tools and how do you go about assessing them?
Well, it's always about the data. For example, we're recording a podcast. This is public information.
It's going to be released. And so the sensitivity of our discussion that we're recording right now is
low. It's fundamentally public data. Whereas if we were talking about a portfolio company,
this might not be an appropriate tool because it might not adequately protect those discussions.
And so we really have to understand first the sensitivity of the data and then match that data
sensitivity to the security features and capabilities of the tool. Generally, marketing teams are
kind of free to experiment with tools that are maybe not industrial grade security.
But the moment that you start talking about transferring customer records or transferring personal
information of your customers or any intellectual property, then you really need to understand
the tools. And a very quick adoption and migration path could potentially get you into a not-so-great
place.
It's interesting you mentioned quick adoption because that is absolutely what we're seeing
right now. When you suddenly have, in our case, all of A16Z going remote, we suddenly needed
all these new communication tools that we didn't use before.
So we are rolling them out relatively quickly.
How are IT and security teams keeping up with the fact that people are rapidly adapting to this?
Things are changing daily.
How do they balance that with security?
At A16Z, we've been fortunate in that we've probably spent the last two years really focusing
on eliminating any kind of custom solutions, not having servers under people's desks,
not having servers at all, focusing on
using cloud infrastructure and SaaS.
And so when this event happened and we had to pivot, credit to our IT team, they did some
wonderful work, but we were really well positioned.
There wasn't a whole lot of stuff other than adding a few new services that were disruptive.
I think the way that the modern enterprise has built their data stores is somewhat similar,
so that a lot of the data that a company has that could very easily flow out of the organization
are generally pretty well controlled.
Often we're used to these large enterprise rollouts of new tools
take a long time. But now you have a workforce going remote and you maybe need to roll tools out
faster. What steps are you seeing people cut or needing to add to get the tools out and into the
hands of workers in order to do virtual work?
Usually one of the longest poles on any of these kinds
of tool deployments is the legal and contract negotiations. It's the kind of thing where the length
of your proof of concept is probably half the length of the debate you're going to have with the
vendor about limits of liability. People complain about IT, but if you really want to prolong something,
bring a couple lawyers. And especially when you have to have IT people, technical people work with
lawyers, it compounds it. So I think where I've seen things getting quicker is just on the procurement
side, on the contracting side. We've gone through a three-year process of large enterprises
telling employees don't use your credit card to buy a SaaS service. That window seems to have opened
up a little bit. And so you're seeing people paying for things with personal or corporate cards to get
services deployed and unrolled. And I think IT and legal, they're going to be flexible. They're going to
keep the business moving. There's probably going to be a lot of contract review and a lot of
teeth gnashing over the next couple months as they figure out what they've allowed into the enterprise.
What in your mind works and doesn't work to be communicating out to the organization at this time?
And what would you be reiterating to individual workers?
The user tends to be the weakest link in any
system. And so there is this desire to blame. And then the products that grow out of the desire to
blame users tend to be of the variety that look to shame users into behaving better. So building tests
that try to get users to fail and then highlighting their failure. And we've seen for tools that take
that approach, they're really good at getting the level of compliance up, but only to a certain
point. I think the real key is going to be figuring out how to deputize employees and users, how to
make them feel part of this, instead of smacking them on the hand for making mistakes.
And then that's really hard for security people because we do tend to be a bit pessimistic.
But building systems that reward good behavior, I think will go a lot further than the desire
to name and shame. From a most important tips perspective, I think for me it's always two-factor
authentication. At its most simplest level, two-factor authentication is the way you log into a system
using two factors or two things.
And from a security perspective,
you want one of those things to be something you know,
like a password.
I've got a password, and that's the thing I know.
And then the other one of those things
to be something you have,
like a hardware security key.
And so it becomes very difficult for an attacker
to get access to your system
because not only do they have to have your password,
they also have to have access to your key.
And so it really frustrates
what is ultimately the single largest source
of hacking in the world, which is stealing someone's username and password. In general,
while using a phone is better than just using a username and password, from our perspective,
it's not as strong as using a dedicated piece of hardware to protect your login accounts.
So that text message that gives you the code on your phone, probably not as good as some
sort of hardware key you're plugging into your computer when it comes to two-factor.
Correct. And for systems that you care about, I mean, you should really use a hardware security key.
And if you're at home and you're not using strong two-factor on your corporate resources or even on your personal laptop, then certainly make sure that you enable that.
I also think at home, if you're not using a corporate issued laptop or workstation and you're using your own equipment to access your workplace, double-click on the security of your own machines, you make sure that they've got usernames and passwords, that you're running some kind of antivirus software, that you're patching your systems.
Ideally, you're not sharing computers.
So you've mentioned business continuity planning a couple of times.
Explain to me kind of what that concept means to a security professional.
It's kind of the job of a security professional and more broadly risk professionals in an
organization to sit around thinking about what's the worst possible thing that could happen
to the business.
And so you come out with this list of things that could potentially disrupt your business.
Now, they may be hurricanes, they could be earthquakes, it could be a hacker attack,
it could be a breach, it could be ransomware, it could be a nation-state attack, could be war,
whatever the case may be. You estimate their risk to the business, like if this happened,
how big of an impact would it have? What's the probability of a global pandemic happening,
for example, or an event that forces all of your employees to work from home?
And a business continuity plan is developed to help manage those risks so that you can continue
to run your business through any sort of adverse changes. It's not dissimilar from what a CFO or a
financial planner would do, or they try to figure out their risks from a credit perspective,
like, are credit markets going to shut? Do we have market risk? Is our stock price going to fall?
Which industries and orgs are having a harder time with that business continuity and maintaining going
remote? And why? What are the unique challenges if you start to break it down by industry?
I think if you break it down by industry, you'd see that the businesses that are having the biggest
challenges are the ones that have never had a significant disruption. Whereas if you look at banks,
who were primarily the ones impacted by 9-11,
they've been able to fairly seamlessly transition to remote work.
They've been able to take up different locations
and implement their pandemic response plan.
There haven't been any disruptions to the financial system.
We've seen people doing panic ATM withdrawals
and the ATM and banking infrastructure doing just fine with it.
And if you look at Deutsche Bank on 9-11,
Deutsche Bank invested a bunch of money in business continuity.
They could seat their employees on the other side of the river.
They had backups, they were running off site. In response to that catastrophe happening,
they were able to quickly resume business, settle their trades, not suffer material financial impacts.
I'm sure in every meeting leading up to the event, there was probably someone saying,
we should cut that budget. But lo and behold, you hold fast, and it turns out to be an
investment that's worthwhile.
I also feel like there's certain industries where either regulation
or the nature of the critical infrastructure, say a power utility. They have some unique
challenges. I'm curious if that's something that you're seeing or hearing about.
I think that power utilities and a lot of these critical infrastructure components,
they sort of have their zombie apocalypse plan. They plan for that. And I generally have faith
that they're doing it well. I think the one industry, the one segment that's going to be really
impacted, and we're seeing that is actually pharma and healthcare. I think that there are just
major capacity constraints in a lot of countries that just won't be able to handle a major flood
of inbound requests for care. And ultimately, the reason why we are all working from home is to
protect our health care system. Whether we're conscious of it or not, we are all engaged in a
business continuity plan for the public health system right now. I mean, that is what working from home is
doing so that we can keep capacity available to treat and care for people.
All right, so I want to
shift now and talk a little bit, not just about the security practices, but what this means for
the architectures that organizations have, because as the workforce goes more distributed,
it does seem like there might be a need to re-architect the way that we do things.
What are your thoughts on how this might impact organizational architectures?
I think the cleanest example of where there needs to be a massive re-architecture is when it comes
to like traditional VPN or virtual private networking technology. VPNs are mostly based on IPsec,
which is an internet security protocol that was developed many years ago.
And these protocols and these infrastructures were designed to be point-to-point.
You would have many, many points around a central hub
that would aggregate all of that information
and then send it to other central hubs.
And so in that architecture,
if one point on the hub wants to talk to another point,
it has to go through a central point.
When you move your entire workforce onto that kind of hub-and-spoke,
point-to-point infrastructure, you get traffic
jams. And security systems tend to fail closed. So if a VPN or a firewall starts falling over,
they tend to shut down and stop all traffic. And so it's really clear that we have to get away from
the centralized, the ring of trust model. And we've got to go more towards a web of trust.
You're seeing this with a lot of the new security technology that's coming out, where they're creating
these more distributed trust environments. Cryptocurrencies and blockchain are very much about
that distributed trust model.
Does it take too broad of a generalization to say that the ability for us to scale and to not be real-time
stress testing our systems is really directly related to how fast we can re-architect to
distributed trust?
The point-to-point architecture scales fairly linearly.
And so for every increase in capacity or increase in utilization, you have to add a fixed
amount of capacity.
And it's just not a great way to scale from an infrastructure process.
And so we have to get to a way where we can use capacity that's more at the edge and get away from the centralized
infrastructure.
You talked about this process of re-architecting. And I've also heard about this concept of
shifting to zero trust. Is that the same shift or are those things different?
They kind of cohabitate the same space. And I'd say there's a lot of overlap. But zero trust is, it's an idea that was
kicked off, I think, by a Forrester researcher in the late 90s. And the idea was that you have to
eliminate transitive trust. Transitive trust is basically the principle that if I trust you and you
trust Bob, then I trust Bob. And as you could imagine, that is what attackers would use to exfiltrate
data, to get access to intellectual property, to do generally bad things. Transitive trust is a very
dangerous thing. And I guess the layman's way to say that is, in the old world, if you went to the
office and you plugged into the corporate network, on your corporate network, you had access to a bunch of
systems. And a lot of that data didn't have passwords or logins or encryption because it was on the
corporate network and the corporate network was considered safe. The moment that you got access to the
corporate network, if you were an attacker, you had access to all the data. And so zero trust
is about creating a distributed trust environment. We're taking away the castle and moat and every
person's home is becoming a castle to reuse that phrase.
With the changes that you see underway,
with this shift away from a hub and spoke, how would you advise startups to start thinking about
security in their products?
I think that you're going to see a lot of companies that historically
wouldn't use bleeding edge technology, actually moving towards adopting a lot of bleeding edge
technology just because of the disruption. And I think it's a really wonderful opportunity
for entrepreneurs that are making enterprise tech right now. I think this is their time to really
get significant adoption from customers that in the old days would have wanted to see something
on-prem, but now you can't get access to your premises. So you've got to try something new.
Generally, we tell our startups, obviously, security is important, but as you get bigger and
larger and later in your fundraising, it becomes more and more important. And then finally,
when you IPO, there are specific public company security requirements that you have to meet
before you even get to go public. So it is a blocker at that level. I think the focus
on security is kind of shifting. I think it's going to come a lot earlier now. Typically,
you'd see Series B companies, sometimes Series A companies focusing on security. I think it's going to be
like a seed stage thing.
So as we wrap up, what here is a passing challenge security teams have
to meet? And what is just a longer term shift in how we think about security? What's our new world
order?
I think the growing pains are a passing challenge. I think a lot of the large cloud providers
and service providers are going to add capacity.
And to be quite honest, a lot of the services I'm using right now are working fine.
So I'm not super concerned about the capacity.
I think the longer term change is just going to be more about keeping the security mentality.
I think a lot of this ultimately comes down to users.
And in a workplace where we see each other every day, you still had people falling for scams
where a co-worker sends you a request for money from a sketchy Gmail account,
you send the money. So I think that when you put more of a social isolation in there, I think the
risk of targeting users going for social engineering to defraud people will potentially become more
successful. And so I think the real focus for these organizations is finding ways to keep
employees who are at home in their pajamas still thinking like foot soldiers in the battle to
protect their company and their data. That's going to be a real challenge. And I think
training is always proven to be one of the best returns on investment.
That is a terrific note to end on.
Joel, thank you so much for joining.
Thank you.
My pleasure.
