Episode 38: Securing the Modern Workplace

Ten Thousand Feet Podcast Episode 38: Securing the Modern Workplace

In this episode:

It’s officially been a year since we all abruptly left the office to shelter at home from COVID-19, and it’s safe to say that the way we work has changed forever.

While some may be headed back in the office, many have embraced working remotely. And these new ways of working come with many benefits: greater flexibility, more time with family, new ways to succeed, new career paths and much more.

But there are also new risks.

In this episode of the Ten Thousand Feet Podcast, we’re joined by two experts from Vervint’s Modern Workplace Team. Solutions Team Lead Chad Willaert and Cloud Solutions Consultant Cyrus Ruel help us break down the new security considerations for remote work.

Enjoy!


This podcast content was created prior to our rebrand and may contain references to our previous name (OST) and brand elements. Although our brand has changed, the information shared continues to be relevant and valuable.


Episode Transcript

Andrew Powell: Hey, everybody. Welcome to “Ten Thousand Feet,” where we share our take on all things digital. Today, we have two members of our modern workplace team joining us, Chad Willaert and Cyrus Ruel. They’ll discuss how the shift to remote work has caused new data security concerns, and point out a few solutions for IT teams to consider. Enjoy!

View Full Transcript

Andrew Powell: The landscape in which we work has changed a lot in the last year. We’ve gone from everybody crowding into an office to get their work done to everybody working from, really, wherever they are. That’s got to have changed, not just the landscape of the modern workplace, but also what we have to do to keep that secure.

I brought a couple of OST experts onto the podcast today to talk to us a little bit about securing the modern workplace. Gentlemen, why don’t you go ahead and introduce yourselves. Cy?

Cyrus Ruel: Thank you. My name is Cyrus Ruel. I’m a consultant at OST. I am in the cloud solutions practice. I’ve been doing—at OST about 10 years. I’ve been in the consulting world for going on 25, 22, something like that. Spend a lot of time implementing Microsoft solutions over the years, and it moved into cloud the last couple of years, and modern workplaces absolutely a part of what we do in the cloud solutions practice.

Andrew Powell: Excellent. Excellent. And Chad?

Chad Willaert: Hey, my name’s Chad Willaert. I’m a Cloud Solution Architect and team lead for the cloud solutions team at OST. I’ve been here a little over four years, I have extensive background in identity and access – been doing that for about 20 to 25 years. And, like Cy said, we have a big need for a lot of our customers in the modern workplace space, so we spend a lot of time helping them come up with solutions that they’ll hopefully be able to use into the future.

Andrew Powell: So I want to start right there. Can you break down what’s a cloud solution? When you say you lead the cloud solutions team, help me understand what that means.

Chad Willaert: So the cloud solutions is kind of the up and coming stuff. It’s been around for a while, but if you think about how IT was generally done in the past, it was data centers sitting in a physical location that someone had to have control over the company that actually had their [inaudible],their servers, and networking equipment, and all that kind of stuff. There’s been a shift of taking that onus off of that organization, and there’s kind of a shared responsibility model that’s moving where let’s let somebody else take care of the data center and the physical boundaries of where that stuff is, and the infrastructure that sits in there. And let’s let businesses and people consume those resources—

Andrew Powell: Sure

Chad Willaert: as a pay as you go, or you can reserve, you know, capacity as you need it, but you don’t have to worry about the capital expenditures of buying all that stuff and have it sit in a data center that you’ve got to cool and provide power to. So that’s kind of what cloud is. Yeah.

Andrew Powell: Really just getting out of the data center business then, and moving into sort of a pay for what you need pay as you go model.

Chad Willaert: Let the companies focus on their products and services and innovate, instead of having to worry about that—the just day-to-day control of IT.

Andrew Powell: Yeah. It makes a lot of sense. Makes a lot of sense.

So when you think of the modern workplaces, is that what you think is a part of that modern workplace? Is it cloud-based computing work from anywhere? Cy, what’s a modern workplace to you? What do you think the future of the modern workplace looks like?

Cyrus Ruel: So I think the modern workplace is really become a product of, like you said, Andrew, the situation we’ve certainly encountered in the last year has really brought it to the forefront, but it’s not new. It’s something that we’ve all been working, I would even say working toward or pushing for, over the last several years. A little bit more flexibility in our lives allow a little bit more flexibility for the organization and the employee. But I think the modern workplace is becoming a do your job from anywhere a solution, this is really what I think it boils down to. Whether you are at home, whether that’s a couple of miles from your office, or several states from your office, I think the idea of having to hire an employed good talent within your local geographic area is kind of out the window, or we can bring in the best person for the job anywhere in the country or anywhere in the world.

Andrew Powell: Yeah.

Cyrus Ruel: But I do think it’s different for each organization, right? I do think it’s going to come down to whatever fits in the organization’s model. Is there modern workplace? And a lot of it is dictated by the applications or the business applications to solutions or even the business, right? I mean, it’s pretty hard to do modern workplace when you’re a manufacturer, because you have to have people there making or creating whatever widget that is, when you get into things that are a little bit more—less physical in the technology business, where modern workplace becomes very easy and very efficient.

Andrew Powell: And maybe then, to build off of what you said, the future of manufacturing probably looks different, too, right? Because there are aspects of the manufacturing process that don’t involve someone standing in front of the manufactured goods. We still have accountants and IT folks and business folks and sales and marketing teams that don’t necessarily have to be located where we do our manufacturing, right?

Cyrus Ruel: Very true. And we have a several manufacturing organizations right now that are looking at how do we get away from our on-prem expensive ERP, MRP solutions and get those into a usable state where we can share it (a) with either other or partner organizations or how do we share better with manufacturing locations of ours that are around the country, and (b) how do we not have to have these people in our facility or how can we better empower them to work where they want to?

Andrew Powell: And that’s what cloud solutions do for us, right?

Cyrus Ruel: Absolutely.

Andrew Powell: Like the idea of having these things in the cloud, I mean, anybody can access it from anywhere.

Cyrus Ruel: That’s the goal, certainly, and not every application is built for that yet, right? That’s one of the challenges. Certain sectors are just a little bit further behind than others. You know, accounting apps have been in the cloud for a very long time, whereas a lot of your manufacturing still integrate in with a lot of physical things.

Andrew Powell: And that just makes it harder—

Chad Willaert: [inaudible] cloud appropriate, right? There’s certain things that function well in the cloud, and there’s other things that are just not ready for that yet.

Andrew Powell: Yeah, that’s great, Chad. Do you think though as time marches on, more and more things become cloud appropriate, to use your words?

Chad Willaert: Correct. Yes. The innovation is changing daily. What the cloud providers that we have that new services and features become available so fast that our customers are actually looking to us to help them figure out how they can do stuff better with more optimization and more automation and make their lives that much better than it already is right now.

Andrew Powell: So gentlemen, this seems really great to me. You’re painting this picture of this future, that people can work from more disparate locations, the servers are easier to maintain, because they’re in the cloud, and you don’t need to have that infrastructure on premises. This all seems great. What’s the downside?

Cyrus Ruel: Well, the downside is that like anything that becomes more available, you also have to make sure it’s secure. And so securing the modern workplace is—it becomes a challenge, right? It really is kind of the next step in I can provide all of these services, I can provide all of these applications, whatever it is to all of these people, but then again, how do I make sure the wrong people aren’t using it? How do we make sure that my data is secure or the company’s data is secure? That intellectual property isn’t running out the door, so to speak.

Andrew Powell: Oh yeah.

Cyrus Ruel: That, you know, HIPAA data or other protected data is staying within the organization’s—not within the organization’s walls, obviously—but within the organization’s control, I guess.

Andrew Powell: Yeah. Yeah. When you just said, we’ve got to make sure our intellectual property isn’t running out the door, that’s the image that popped into my head. Oh, the real challenge is that there are now hundreds or thousands of doors—

Cyrus Ruel: Absolutely.

Andrew Powell: instead of there being just, you know, a front entrance and a back entrance to our building. Everybody’s got a door.

Cyrus Ruel: Yeah, every employee has a door and every employee that, you know, has a family, there’s multiple doors or there’s, you know, shared computers at home, or who knows, right? It becomes a public kiosk type of computers. There’s options. There’s multiple ways that this data could be affected, and trying to secure that, and keep it, so that the company’s data is still their data and doesn’t become a public—public domain is obviously a big deal. And you know, we’re past the point, it used to be relatively easy, as something Chad mentioned a while ago that, you know, you had a network boundary, you could physically secure your stuff. We’re getting away from that. The cost per square foot just doesn’t make that effective, and having to figure out how to secure your network that essentially is now boundless, right? There are no boundaries.

Andrew Powell: Yeah. So let’s talk about how you secure that boundless entity. Like, I’m old enough to know that it used to be when you wanted to access work equipment from home, you had a VPN, you launched the VPN app. Heck, they even like built it into Windows 95, I think. You could launch the Windows VPN service and VPN connects to your Windows NT server. That’s how old I am. Is that still what we’re doing?

Cyrus Ruel: You remember the dial up things? I mean, come on, we used to dial into those servers even before there was VPN.

Andrew Powell: I used to work in a server room where we had the phones that answered those calls.

Cyrus Ruel: The modem banks. Yes, absolutely.

So when we talk about, you know, securing that modern workplace, absolutely VPN is still part of it. Those traditional security mechanisms, those traditional security models are absolutely still valid and still used by organizations every day. VPN is a great one. You can—it is very possible not only VPN into the organization, let’s say, the business we’re referring to, but VPN-ing into a cloud provider, right? You can create a VPN connection to a cloud provider thus securing and encrypting that data that’s transferring back and forth between you and that cloud provider. Good example, I have a customer right now that their VPN controls all of the data and their users are required to VPN in before they access their cloud resources, right? So a lot of, and not to get too deep, a lot of VPNs are designed where your internet traffic goes one way, VPN traffic goes the other way, this one it all goes down VPN, so everything is controlled through that circuit. And more traditional—

Andrew Powell: That’s sounds like a good solution. Yeah?

Cyrus Ruel: It is. The challenge with VPN is it’s—you have higher management costs, you have to deal with upgrades, it’s typically hardware based, right? You have devices that are managing your VPN, so you have to deal with hardware and firmware updates and software updates.

Andrew Powell: And people are managing that hardware and firmware.

Cyrus Ruel: Absolutely are. And it’s—

Chad Willaert: It’s complex.

Cyrus Ruel: It is. It’s complex and it’s based on the same technology it’s always been based on. You have usernames and passwords and password changes and all of these things you have to deal with.

One of the challenges, I think, with VPN, too, that a lot of people don’t think about, not every country supports VPN. If you have people worldwide, VPN is not always feasible in some of your countries. For instance, like, China doesn’t allow VPN per the law without red tape and paperwork and everything else. So those are things to consider.

Andrew Powell: Yeah.

Chad Willaert: And sometimes it’s not scalable, so that’s where we kind of look at the modern workplace that people are working from anywhere and they want to use these resources. Why wouldn’t we just use their regular internet connection, but make sure it’s secure on how they handle that data flow back and forth, but not require a VPN, because trying to manage all of those connection points and being able to scale that for all of your end users that could be anywhere in the world gets to be a little bit cumbersome.

Andrew Powell: Oh my gosh, Chad, yeah, I just connected what you’re saying to what I was just hearing that the notion that we have a VPN and all of our stuff in the cloud means that all of the traffic’s got to come from my computer at home to the workplace, so that the workplace can route it up to the cloud. That’s a whole lot of overhead just for the added security that at the end of the day it’s still only as secure as my password.

Chad Willaert: Correct.

Cyrus Ruel: That’s true. That’s very true.

Chad Willaert: A new boundary is identity. Identity is the key.

Andrew Powell: Identity. Chad, talk to me a little bit about that. What do you mean by identity? Like a driver’s license?

Chad Willaert: Yeah, similar. That’s part—that’s A identity for you. So as Cy was kind of describing there, the network and the firewalls, the physical boundaries that you use to have at your own on-premise data center, that’s kind of gone out the door. With having users anywhere in the world and all these resources that could be in multiple instances, SAS based applications, like a ServiceNow or a Salesforce, it’s not in your own cloud environment, but it’s an application that you use, you need to control who has access to what resources at what times, and are they doing it for the right reasons? So that’s where identity comes in is making sure—and it could be devices even. Identity could be down to a device, not an actual person, right? So you want to be able to track what that—if it’s a connected products or IOT type device, it still has an identity. It may not log in with a username and password, but we want to know what that device is doing at that particular time, and is it okay for it to be doing it or not?

Cyrus Ruel: Absolutely. And to dig into that just a little bit further, when we talk about identity, not just being a person, but a device, we can take that with—let me back up—with proper tools, we can take that to a level of does that device have up-to-date anti-virus, does that device have up-to-date security patches, does that device—is it one of our devices or is it a third-party device? The same thing with user accounts, right? Is this user account one of ours, is it something that’s been spoofed, how do we figure out whether it’s been compromised or not compromised? There are applications, conditional access applications that will help figure that out, as well as, you know, hey, we don’t allow activity outside of this particular IP range. If we were to go to that point with conditional access—conditional access tied to identity is a deterministic process, so if this, then that, in a lot of cases, right? If the user checks out and the device checks out, then we let them in and give them access. If the user checks out the device doesn’t, then we block access.

Andrew Powell: I hear what you’re saying, but this just sounds, it sounds so overwhelming. It sounds like it’s going to be impossible for me to get my job done and impossible for anybody to manage it all.

Cyrus Ruel: Well, the goal is that, obviously, to not have that be the case. There is certainly management involved. There always is going to be. The upside is that most of these tools are very intuitive and they are policy-based, so they’re very flexible.

Andrew Powell: Tell us about—talk to me about what that means.

Cyrus Ruel: So policy-based essentially says that I can make as many granular adjustments to this tool as needed to fit my needs, or keep it as simple or as complicated as is required by the organization and by the security policies written by the organization.

I think it’s important to say that they don’t all have to be as complex as the stated example. In a lot of cases, a conditional access policy can be as simple as: did the user authenticate? Yes. Does the device have anti-virus? Yes. We allow them in, right? You don’t have to check for every security patch and all up-to-date this and up-to-date that, it just needs to be—hit a couple of basic requirements.

Chad Willaert: But the organization needs to come up with those business rules and the workflows and the policies, then you use technology to enable that, so it’s not always just the tools and the technology. There’s a whole bunch of governance stuff that has to get figured out on the front, then you use those tools to enable what the customer and the organization has come up with for those policies to meet those requirements.

Andrew Powell: Okay. All right. All right, gentlemen, I hear what you’re saying, and that makes sense to me. So I imagine that we got this rich, robust policy that helps to keep us secure, but at the end of the day, maybe I just don’t understand identity yet, at the end of the day, aren’t I still only as secure as my username and password?

Chad Willaert: That’s a component of it, right? So there’s that—

Andrew Powell: If my password is still hello123, I’m not—

Cyrus Ruel: There’s a lot to be said for that. There really is. I mean, your password is a lot of it. Obviously, there are still then, as we talk about, some more traditional security, we’ll jump back to that for a second. We can talk about password policies and password protections, and we can also talk about multi-factor authentication solutions. So when we talk about password policies, we talk about complexity requirements, we talk about password length, password age, how often you have to change it, and those pieces. So hello123 is no longer an option, right? Your password has to be—

Andrew Powell: What about password? Can I use password?

Cyrus Ruel: No. No. Common passwords are typically blocked as well. They can’t be password, they can’t contain your pieces of your username, they can’t contain any references to very common known items.

Andrew Powell: What about OST123? Can I use that one?

Cyrus Ruel: I don’t think so. No. I don’t think so. I think they block that as well. They typically have to be 12 to 16 characters, some of them as long as 20 to 30 characters, depending on the organization.

Andrew Powell: 30-character passwords?

Cyrus Ruel: I’m not kidding. Some organizations have it. Yeah.

Chad Willaert: Passphrases, not the password, but a passphrase. “I ran to the store to get milk” and it has case-sensitive and numbers and exclamation points and punctuation and all that stuff in there.

Cyrus Ruel: Absolutely. We can talk about then, you know, protecting those passwords. There are tools out there when we start talking about cloud that are—there are leaked credential reports, so, if in fact, your username or password or identity has been picked up on the internet in use maliciously, it can be recorded into a leaked credential report and then submitted to the organization, so then you’re looking at that report and say, “Hey, three of our users hit this report. We need to then make adjustments to our security and make sure that we get these users obviously cleaned up as well as maybe we need to change our policies a little bit.”

Andrew Powell: So be real with me guys. Isn’t a natural expectation of the idea of passphrases that thousands of mid-level managers all over the world have passphrases written down in yellow legal pad sitting next to their computers, right? You think someone’s going to remember that, something that we see in practice, doesn’t always happen?

Cyrus Ruel: Absolutely true.

Chad Willaert: Yup. One thing that’s nice about that now is if you’re working from home, unless you’re not locking your doors, nobody’s getting in to see that post-it note on your monitor. You’re not posting your password on a post-it note in your organization with thousands of other people that could see that sitting on your monitor, right? But yes, you are correct. If they happen to go to a Starbucks kiosk and have to type that password in and they happen to forget it, there’s also tools that can help them enable themselves without having to call the help desk to change their password. Self-service password reset. I forgot it, here’s the steps that can walk myself through and I can change—

Cyrus Ruel: There you go.

Chad Willaert: the password to something that I remember now, so now I can get into the system and get access to what I need to.

Cyrus Ruel: Yeah. Changing your password for your Starbucks account or your bank account info with the bank now has become just as easy at the corporate level as it is at a regular website level, right? Those kind of self-service password options are out there and very, very popular. It doesn’t require three people to get involved to change your user password anymore.

Andrew Powell: I’ll tell you honestly, one of my security strategies in my personal life is to not remember any passwords and not write them down. I just rely on the password reset functionality to reset my password every time I want to use it.

Chad Willaert: Absolutely.

Andrew Powell: And I didn’t have to worry about it being compromised.

Cyrus Ruel: Seriously, it’s not bad. If you don’t have it, then you can’t—so somebody can’t steal it.

Andrew Powell: Right, right.

Cyrus Ruel: I mean, it’s not a bad thing to go and let the system reset it.

Andrew Powell: So assuming the systems are reliable and I can reliably get a password reset, right? Like the challenge there is, if you don’t have a mature enough system, that’ll give you the ability to self-service reset your password, then you’re creating a trouble ticket or tracking down your IT department or otherwise creating work for somebody just because you didn’t bother to remember your passphrase.

Cyrus Ruel: Which is becoming more of a thing of the past every day.

Chad Willaert: Yeah. Passwords are kind of potentially going to go away at some point. There’s multiple ways to get access to a system, there’s password list, and then there’s—passwords is something that’s been around a very long time, it’s something you know, right? There’s something that you have, which could be a token, a USB token, or a random one-time password generator, so it’s something that you have, right? It’s in your hand, physically in your hand, and it’s changing a number on there and you type that in to get in. Then there’s also something that you are—biometrics. So do I log in with my fingerprint? I don’t have to know a password if I just log in with my fingerprint. As long as I don’t burn my finger, I should be able to get in there, and you maybe would put a few other digits in there to—as backups in case you did burn your finger. There’s retinal scanners or face ID like Apple has where authenticating into systems without having to type a password in. So the evolution of passwords themselves is kind of going away, and then, like Cy brought up about the multi-factor authentication, let’s check the fingerprint and make sure that Andrew didn’t force me to hold my finger down on the fingerprint reader. Let’s do a multi-factor to make sure it’s really him, and let’s give him that second factor authentication before they get access.

Andrew Powell: Yeah. Yeah. I think we’re all seeing that spread of multi-factor authentication. That’s something I’ve seen really blossom in our—let’s call it the year of pandemic, right? Suddenly, as everyone’s saying, how do we make sure our services are secure? They’re saying, “Oh, well, let’s just, when you log in, we’ll also send you a text message,” or, “When we scan your face, we’ll also have you type in a passphrase.”

Cyrus Ruel: Absolutely. I mean, multi-factor authentication has become low-hanging fruit, right? I think that everybody is doing it, from financial institutions to corporations, to every organization—big and small—has really embraced this. And it’s as simple as a mobile app on your phone. It’s so simple it can be a text message, a phone call. There are multiple ways to implement MFA, really, to try and meet any end user’s needs, which is nice. It’s very flexible. It’s very easy, and honestly, it’s relatively inexpensive, too, which is nice. We’re not talking a hundreds of thousands of dollars type of solution here. We’re talking much more affordable and much more flexible and easy to work with.

Andrew Powell: So hit me with it straight though. Are we seeing in your industry this giant growth of actual, nefarious activity, actual services being hacked? Are we seeing more activity today or in the last year than we saw prior to pandemic days?

Chad Willaert: I would say, yes. There’s a lot of bad actors out there.

Cyrus Ruel: There are. And I think that, yeah, I think there are more people at home. I think there are more people with nothing better to do. And I do think that just as organizations move more to the cloud and move more to, you know, quote unquote online business, it just opens the door that much further.

Andrew Powell: Yeah.

Cyrus Ruel: You know, we could sit here and pull up analytical reports of various web apps and websites and see how much, you know, overseas traffic they get, right? [inaudible] so much of your tax now come from overseas—China, Russia, the Middle East, in India—it’s shocking how much traffic they regularly are banging against websites and—

Andrew Powell: Yeah.

Cyrus Ruel: web apps.

Andrew Powell: Well, when you can get to it from everywhere, then everywhere can get to it.

Chad Willaert: Correct.

Andrew Powell: That’s, I guess, that’s sort of the importance of security.

My dad always used to say that my brother wasn’t bad, he was just bored. I think that’s part of some of what we’re seeing in the pandemic, too. That has something to do.

Cyrus Ruel: I think so, too.

So along that line to—I guess the next step in that is to look at—so once we have secured how people get there, we have to secure the data that’s there, too, right? And so looking at kind of like I had talked about earlier about your, you know, intellectual property marching out the door, we need to make sure that doesn’t happen. In a lot of times we’re going to look at employing tools in order to empower that or try and keep that from happening. When we look at a lot of your CASB solutions, which is a cloud app security broker—the cloud app security broker is a big, relatively large piece of software that handles multiple, multiple fronts for what your organization might be doing. At a basic level, the idea there is that it’s a smart application that tends to monitor and watch how people work. They’ll sit and watch an organization, how the people—sorry—how the employees, I should say, interact, how they work with their—with the data, how they work with applications. They’ll get to know what normal behavior looks like.

Chad Willaert: And then find [inaudible].

Cyrus Ruel: Yeah. And then when something looks abnormal, then they will either note that, report it, or block it, whatever the case may be.

Andrew Powell: So you keep saying they, they, they, we aren’t actually talking about people who are monitoring this though, right? We’re talking about, what, AI? Good code?

Cyrus Ruel: Essentially, it is. Yeah. It has become AI. There are AI components built into most CASB solutions,

Chad Willaert: [inaudible] as well.

Cyrus Ruel: And that’s where the intelligence—

Chad Willaert: As more data and telemetry data comes in for us to be able to scope what’s actually happening and what shouldn’t be happening, the ML and the AI will pick up and make things better for the organization without having to be—having humans involved to figure out what’s transpiring and what’s not.

Andrew Powell: So this is the part where I asked Laura Vaughn, our producer, to insert a little audio clip that goes, “I’m sorry, Dave, I can’t let you do that.” It sounds to me an awful lot like 2001.

Chad Willaert: Yes. “You’ve joined Skynet. Dave, you are not allowed to do that.”

Cyrus Ruel: Exactly.

Andrew Powell: Right, right. Is there any fear there?

Cyrus Ruel: Open the [inaudible].

Andrew Powell: Is there any—is there any concern there that we’re getting—that we’re turning over some aspects of future security to intelligent machines?

Chad Willaert: I would say that the humans still have to be involved to set the policy and what is allowed and what’s not allowed. You’re letting the AI and the ML kind of go through that data and give you informed information about if your policy is good or not, and if you need to make adjustments. It’s not going to automatically change the policy just because it saw something. It’s going to notify or stop something, because of an anomaly that came through. It’s not going to adjust on the fly. That might be in the future, but it’s not currently doing that.

Andrew Powell: So then probably there’s a SIS admin somewhere still who’s getting alerted that these things are happening, and is able to make appropriate to appropriate input to the machine.

Chad Willaert: Correct. And escalate it up. You know, the SIS admin might get the data, but then there’s a group of people that are in the governance group inside the organization that decide that, yeah, we’ve gotten a lot of these, we maybe need to adjust our policy.

Andrew Powell: All right, so let me ask you this question. So some of our listeners involved in medium, large-sized businesses, trying to figure out what they should be worried about and they aren’t worried about as they approach their modern workplace. They are moving in the same direction, we’re all moving more remote, less connected, less people who are in one premise, less data in that premise, more data in the cloud. What are the things, give me the one or two or three things, that they should walk away from this conversation thinking, “I’m going to look at that. I’m going to ask about that. I should learn more about that”?

Cyrus Ruel: I would think the first thing they need to think about, one of the first things you need to pay attention to is, am I securing my logins, my authentications, to the best of my ability? Am I making sure that when my people do log in to whatever cloud application or logging in to even the on-prem systems remotely, right, are their passwords and usernames secure? Are they being prompted for multi-factor authentication? Again, like I said, it’s relatively low hanging fruit, so maintaining and securing that identity and password. I would say—I’m sorry.

Andrew Powell: I said perfect. I was just acknowledging that you gave me that first step.

Cyrus Ruel: Sure.

Andrew Powell: That’s low-hanging fruit. Everybody should be doing that.

Cyrus Ruel: I think so. And I think, yeah, if you haven’t been doing that, even you’re a little bit behind, right? So I think you need to absolutely be paying attention to that. I think that, secondly, whatever, again, whatever it is, whether it’s logging in to on-prem or cloud base that modern workplace thing is making sure that the proper people are accessing your data. So it’s a conditional access and it’s a CASB solution. It’s looking at here’s my important data, are my people accessing it, and are they using either correct devices, whether it’s bring your own device or a company provided, that you don’t have compromised people or compromised devices accessing that data.

Chad Willaert: And then the data is the next piece. There’s data loss prevention and identity protection and data encryption. So that if you do have a bad actor get into an environment, they may not have the keys to actually decrypt that data. So you can encrypt your data and then have policies wrapped around that where certain data can’t even leave the organization, leave that cloud environment, and get downloaded somewhere else, or it can’t leave the on-prem environment and get downloaded somewhere else. It has to stay there and you can’t view it unless you have the keys to actually be able to decrypt that.

Andrew Powell: That’s great. It’s almost like an additional layer of added security there for your data. It’s fascinating. For our listeners who like me might not be familiar with CASB, you can type CASB right into your browser and you’ll find a whole bunch of information about CASB solutions offered by a lot of different providers.

Cyrus Ruel: Cloud app security broker.

Chad Willaert: Sometimes it’s cloud access security broker. Sometimes it’s just for the apps and sometimes it’s the access as well, so it’s actually watching all the packets going back and forth, not for a particular application, but anything that’s on the wire.

Andrew Powell: All right, gentlemen, you’ve just given me so, so much to think about, but before I let you go, I’ve got to ask you this question. You’ve spent a year working from your homes. What are you doing to keep yourselves entertained? What games are you playing trapped in your homes? You got some tabletop games you’re playing with the fam, you got video games you’re passionate about, because that’s your escape? What are you doing in your free time?

Cyrus Ruel: I have gotten into woodworking. I’m doing a lot of remodeling, so if you—if I show you my camera, I’ve got a paint and a pile of tools and stuff on the table next to me here, so I’m doing a lot of home projects. And I’ve recently gotten into woodworking. So I have been doing a lot of cold nights in the garage with propane heaters, and I’m building kitchen cabinets, and I am building—buying woodworking tools, and things like that. So that’s what I spend a lot of my time doing.

Andrew Powell: That’s great. That’s great. What a great thing to do in your home?

Cyrus Ruel: It’s so fun.

Andrew Powell: Yeah.

Cyrus Ruel: I enjoy it. I really do. I’m like, this is really fun. I really liked doing this. Yeah.

Andrew Powell: What about you, Chad, what are you doing to keep yourself sane?

Chad Willaert: For me, I live on a hobby farm, so I’ve got horses and goats and chickens and dogs and cats that keeps me pretty busy, and spend a lot of time in the pole barn, working on things out there, fixing things here and there, but we have been playing some Guitar Hero, pull that back out from the Wii.

Andrew Powell: Nice.

Chad Willaert: We haven’t touched that for a while, and also playing a little bit of Call of Duty on the Xbox, and then just catching up on shows that we haven’t been able to over the years, because life was too busy. Now it feels like we have a little bit more time on our hands after the workday’s down. There’s no commuting back and forth between customers or into the office. You’ve got those few hours back to kind of do stuff that you haven’t been able to do, so—

Andrew Powell: This is some good ideas for our listeners who have a few extra hours, too, though, obviously, the most important thing for them is to secure their modern workplace. To make sure they’re—

Cyrus Ruel: Absolutely.

Andrew Powell: securing their authentications and making sure only the right people have access to their data.

Chad Willaert: Correct.

Andrew Powell: Gentlemen, I’m so, so thankful you joined me for a conversation about this. I learned a lot. I’m sure our listeners did, too. Thanks very much.

Chad Willaert: Appreciate your time as well.

Cyrus Ruel: Thank you.

Lizzie Williams:OST, changing how the world connects together.