With the push to upgrade federal IT systems, government agencies risk opening up new security gaps. We talked with Daniel Wilbricht, vice president of public sector at Keeper Security, about the cyber risks associated with modernization, and how the GovCon community can respond.
Why does modernization open up new risks?
The problem is, there are always new threat vectors that need to be addressed. Even as you’re modernizing your systems, you’re still trying to catch up with the new cybersecurity issues that are popping up. People are trying to initiate cybersecurity even as they’re implementing upgrades, but because it is rapidly changing and there’s always new stuff there, they’re missing things.
How has COVID-19 made it worse?
Now, people are bringing their own devices to work, and remote employees, who are used to being in a secure network environment, are connecting from home. IT struggles with securing the applications and all the employees accessing hundreds and hundreds of applications remotely or through BYOD programs.
One of the biggest challenges is the security adoption paradox: If you make security too restrictive, adoption rates will drop. If there is no adoption of employee security measures, agencies are exposed to risks and vulnerabilities.
There’s that fine line where you have to make it restrictive enough, but you also have to make it easy for the end users to take advantage of the technology.
Keeper looks at password management as the key to striking that balance. How so?
Eighty-one percent of breaches occur because of bad or weak passwords. We bring to the table a secure password management platform. It enables an agency to enforce the NIST controls: Your password needs to be this long, have this many characters. And if you don’t follow these rules, our Security Audit will let you know. We can also alert the admin and say: This person has the same password on 20 different applications, this could be a problem.
The other way we’re really addressing cybersecurity challenges is by mapping to CMMC controls for the integrators to show how we can help them reach those different levels, making sure that they’re implementing these rules. We integrate with multifactor authentication and we integrate with single sign-on solutions. We allow you to access applications through one interface, and we make it very easy to do so.
How does this fit in with other GovCons’ cyber offerings?
A lot of organizations have controls already in place, like Single Sign-On, Active Directory. We have the ability to integrate with existing security implementations. We also partner with Microsoft, Google and other ID providers like Okta and Duo.
We’re not trying to do it all here: We’re adding that essential layer of cybersecurity that is often overlooked. Agencies work hard to secure technology, but often overlook securing the user.
What are the biggest challenges you face in telling that story?
The biggest challenge used to be getting through the FedRAMP process. We are a software-as-a-service company and our federal customers need to use us in a cloud environment, so that was important.
I am excited to say that we’re the first password security management vendor available on the FedRAMP Marketplace and we expect to be FedRAMP Moderate approved by the fall. So, that’s less of a challenge now.
The other challenge is in telling the story itself. When a CISO or a CIO sees our product, they see the value immediately. But a system admin may not see the value, because they, again, are focused on securing the technology and don’t think a lot about end-user passwords.
Once they see the product and the demo, they love it. So it is a priority to educate and share the importance of securing the gaps that remain after SSO, MFA and IAM implementations.
What’s the long-term growth strategy?
I’ve been here since February and I came in specifically to help build out the public sector. We built a team with cybersecurity expertise, and identity and access management expertise, to lead Keeper Security into the public sector. My team brings best practices and lessons learned to the federal market and our goal is to educate and ensure the adoption of cybersecurity practices at the user level in government.
Eventually, we will be looking to expand our portfolio: Anything that you want to store inside of a secure vault, we can do that. We also have one of the most secure chat platforms, for example, and we can do privileged access management support.
But for now, we’re focused on the core problem of allowing all users to be protected with their credentials.
What makes this work interesting and meaningful for you?
I moved to the Washington, D.C., area in 1999. When 9/11 happened, I wanted to do more to support the government, to help protect the nation. I feel like I’m giving back by providing applications that I truly believe benefit the government.
I volunteer: I’ve been on AFCEA boards, I’ve been on the USO board. I go to the Hill and talk to senators and congressmen. It’s important to me to support the people who are doing their best to support our country.