Episode 8: Zero Trust

Jan 4, 2022 | CYBERSECURITY, Who's In Your Cloud?


Welcome back to “Who’s In Your Cloud?” 21 Steps to Secure, Reliable, Trusted Technology. I’m Lauren Lev, Marketing Manager for TechOnPurpose, and this is Episode Eight: Zero Trust.

In our last episode of 2021, we discussed the role and severity of DNS in mitigating #cyberrisk from your everyday devices and protecting networks and end users from harmful clicks and malware – at home, on the road, or in the office. We were joined, as always, by an all-star cast of cyber experts who helped us learn how to ensure a secure, private and resilient connection for networks and user endpoints through the use of DNS and web filtering tools. 

Today, as we focus on Zero Trust and how it has become a model for a more effective security strategy, we’ll discuss why you should “never trust, always verify.” Learn why security experts say it might be the best way to stop data breaches. We’re thankful to our cyber expert cast joining us today from ConnectWise, JumpCloud, LastPass, TBI and ThreatLocker, as they help us educate our clients and prospects on the road to #secure, reliable, trusted technology!

Don’t forget we’ll be releasing a new episode every Tuesday, starting 10/20/21 through late spring of 2022, with brief time off for holidays with family and friends. We’ll also follow each Tuesday episode release with subsequent Wednesday, Thursday, and Friday posts highlighting our (3) contributing solution partners from that week’s episode.  We hope you’ll find this an immersive, hopefully simple, educational, and enjoyable experience. So how do you tune in?

To easily follow the journey ahead, we’ve diversified your access options to all (23) of our coming episodes. You can follow along here on our blog or by any of the following methods:

  • Email Newsletter: sign up at techonpurpose.net/blog and have each episode delivered directly to your inbox when released.
  • LinkedIn:  follow here
  • YouTube:  follow here
  • Facebook:  follow here
  • Podcast:  follow here

Buckle up – it’s time to hit the road to #secure, reliable, trusted technology!

 

 

Lauren Lev
Welcome back to “Who’s In Your Cloud?” 21 Steps to Secure, Reliable, Trusted technology. I’m your host, as always, Lauren Lev, Marketing Manager for TechOnPurpose. And today, we have an exciting first episode of the new year for you guys, Episode Eight on zero trust. As you were hanging the mistletoe, cooking the turkey and counting down the minutes until your in-laws left your house, we hope you caught up on episodes one through seven of our series. If not, don’t worry, you can do that now by visiting TechOnPurpose on LinkedIn, Facebook, YouTube, or Spotify. And why not give yourself a gift after you’ve been so generous during this holiday season by signing up for our blog at TechOnPurpose.net/blog for direct delivery to your inbox. I hope you all enjoyed your holidays, especially all of our “Who’s In Your Cloud?” contributing cast. And hopefully we’re all ready to get back into this series and vital journey to secure, reliable, trusted technology. So, in our last episode of 2021, we were joined, as always, by an all-star cast of cyber experts who helped us learn how to ensure a secure, private and resilient connection for networks and user endpoints through DNS and web filtering tools. Today, we’re focusing on the hottest new cyber buzzword, zero trust. And how it has become the new security standard to “never trust and always verify.” So, let’s jump right in and meet our cyber expert cast for today. We have a VIP cast member who is quickly becoming the MVP of the VIPs as he continues to join us again and again, Jim Bowers, Security Architect from TBI. Hey, Jim!

Jim Bowers
So glad to be here. I’ll tell you, I’ll do all of these if I could, but thank you.

Lauren Lev
Hey, we’ll take you up on that. Don’t worry.

Matt Tankersley
Welcome back, Jim.

Lauren Lev
All right, and if you’ve caught our previous episodes, the next two cast members should look very familiar. We have Chase Doelling, Principal Strategist from JumpCloud, and Sid Castle, Channel Evangelist from LastPass. So Matt, again, we must really be doing something right to have all of these returners come back for more. So, kudos to us. All right, and please join me in welcoming Ryan Bowman from ThreatLocker. So happy to have you join us. And hopefully, you have as much fun as these guys and join us on another episode.

Ryan Bowman
Thank you. Glad to be here.

Lauren Lev
All right. And hot off the holiday season with his Santa beard, we have TechOnPurpose Founder and CEO, Matt Tankersley, everybody.

Matt Tankersley
Thanks, Lauren. Welcome back, everyone. Yeah, Lauren. I think we missed Frank, who’s our surprise guest for the day. Frank, thanks for joining us. We’ll give you a chance to introduce yourself. You’ve been with us before. And Frank, of course, is from ConnectWise and a very important part of our security stack at TechOnPurpose.

Lauren Lev
All right. So Matt, what do we have in store for our zero trust episode today?

Matt Tankersley
Right. Happy New Year, everyone. Let me say that again. Guys, welcome back and thanks for joining us again. For those who are trying to be diligent about learning- how do I achieve secure, reliable, trusted technology? You know, we created this series for that purpose. And so, let’s break it down now in the new year. And let’s talk about zero trust. And Lauren, I joke often, you know, at moments in the episode about now, but it’s nice to have smarter folks in the room like everyone here and today is zero exception. I’d be willing to bet that some of the listeners have never heard of the term. And for those who have, maybe today, we can fill some gaps and understanding of what is zero trust and how can you and should you be adopting zero trust to mitigate cyber risk? Okay. And so, I’ll preface with, if you spent a time googling the topic, I know you’ve seen lots of results from companies that you probably recognize and perhaps some you’ve never heard of. I think that’s good news, right? Because that should serve as solid validation that this is real, and it’s an important topic that should be considered seriously by everyone. But is all zero trust created equal? Is the industry and the many solution providers like Microsoft, they’re talking a lot about it and everybody else on our cast today, are you guys playing from the same playbook? I mean, we’re using the same definitions and, you know, do we even have the same goals? Hopefully today we’re going to learn some of that. So, let’s dive in and learn some more starting first with a brief introduction to our cast of companies we have on deck, Lauren. Who’s up first?

Lauren Lev
As our surprise guest member, today, Frank, I will have you go first. Introduce yourself and what you do at your company?

Frank DePrisco
Sure, and thanks. My name is Frank DePrisco, I work at ConnectWise. I’ve been there for a couple of years. I worked with a company of security consultants prior to ConnectWise. We were acquired and we formed as part of IT Nation, what we call the IT Nation Secure Team. And it’s our responsibility to manage the delivery of cybersecurity education, our certified programs. We’ve created the MSP plus cybersecurity framework just for MSPs. And then we also host the IT Nation Secure Conference, and this year I believe the things got to be zero trust. So, this fits in really well.

Lauren Lev
We’re going to take it over to Jim. Jim, you know how this goes. As the VIP cast member, take the floor and tell us one more time about your role at TBI.

Jim Bowers
Absolutely. So, I’m Jim Bowers, Security Architect at TBI. TBI is a technology distribution organization that enables our 2000 plus partners to provide solutions to their client base. I’m part of the engineering team at TBI resources for our partners. And I’m the cybersecurity arm of that team. But glad to be here, I love love doing this video blog.

Matt Tankersley
Awesome.

Lauren Lev
We always love having you on. So, thanks for joining us again and again. As our newest cast member, we’ll have you up next Ryan. Tell us more about yourself and ThreatLocker.

Ryan Bowman
Thank you. Well, I’m glad to be here with you guys today and join in these sessions. So, I actually spent most of my career as an MSP servicing small business clients. And recently, more recently joined ThreatLocker and focusing here on cybersecurity. So, I’m the Director of Solutions Engineering. So, our solutions engineering team is very involved in getting our partners trained, making sure a proper implementation is taking place to get those, get those environments secured, all the way on through the onboarding and post- kind of post support, making sure that things are going the way that they should. Of course, you know, ThreatLocker, looking at the endpoint piece of the security layer that we’re focusing on.

Lauren Lev
Awesome. Thanks, Ryan. We appreciate you being here. Sid, let’s take it over to you. I like your new background. It’s different for today.

Sid Castle
Thank you. I change it up fairly often. Again, appreciate you having me on board. Sid Castle, LastPass Evangelist over here at LogMeIn. And LastPass is all about identity access management. And well, I trust everyone here on the call. I don’t trust anybody else. And that’s what we’re all about. And you know, zero trust, zero knowledge base. And we’ll definitely go into more detail about all that today. But thanks, Matt. Thanks, Lauren.

Lauren Lev
Alright. Chase, you’re last. Tell us what your role is at JumpCloud.

Chase Doelling
Yeah, for sure and thanks again. So, I’m a Principal Strategist here at JumpCloud. Very similar to Sid and kind of evangelism role, but really kind of crafting our story and kind of how we take that in the market. But within JumpCloud, we are a cloud directory platform. And so, within that we’re managing users, right managing access to different applications, we’re managing securing devices, the networks, and all of those different components kind of lead down this path of what we’re talking about today. And kind of how we think about conditional access, zero trust in all the different pieces in between.

Lauren Lev
All right, everyone, that was a good warm up. Matt, will take it over to you. Kick us off for our first round table hot topic for 2022.

Matt Tankersley
You know, I’m just going to fly from the hip today, guys, we say that tends to work sometimes well, better than the script. And I will say, I got a chuckle last time we discussed zero trust. It was right after the Channel Partners Conference. And somehow the word zero trust came up and Sid was real quick to point out that that’s not what his wife had for him when he was in Vegas. It wasn’t Zero Trust. So guys, in typical format here, we just want to kick it around the room really quickly. We want to respect everybody’s time today and make sure we get through both rounds. We want to hear everybody say what’s your company’s take on what is zero trust and why is it important? And then we’ll talk in our second round of questions about what your company specifically is doing in this space. And so, Lauren, I’d say, you tell us who’s going to go first, and let’s start breaking down what is zero trust and why is it important?

Lauren Lev
All right, Jim. We’ll have you up first. Take it away.

Sid Castle
All right. You always put the pressure on me up first.

Lauren Lev
You’re the VIP, you have the most experience.

Sid Castle
Yeah. Well, being at TBI I had the pleasure in my role to work with such great vendors that we have on this call. So, if you look at zero trust in its most fundamental aspect, it really is exactly what it’s saying. Right? It’s an architecture based on the principle that nothing can be trusted. And take that a little further. That means that no device, user or application attempting to interact with any portion within your infrastructure, your data, your application, none of that anybody can be considered secure. So, when you take it from that method, if you look at how organizations historically have done security, it’s all about protecting the perimeter of the network. Well, the problem with that is, that perimeter’s eroding. The problem with that is, that perimeter is changing. And the problem with that is, threat actors are going to get around your perimeter defenses. Right? So, I think we talked about in a previous episode, the weakest link to all of this is the human. So, we have to anticipate using a cybersecurity posture. How can I know that humans are going to click on the link, we give them training? And how am I going to provide richer capabilities around when they do do that. And that’s really the principle behind zero trust: it’s I don’t care who you are, what device, I’m not going to trust you no matter every time you come in. Because inherently, organizations once that user was trusted, they could go anywhere within the organization. And that’s not a good thing. So, that’s really how you see organizations adopting this zero trust architecture methodology. Because of what we’re going through perimeter eroding, and being able to provide that layer defense and not trust anybody. So, I’ll stop there, because I will keep talking.

Lauren Lev
Alright. Ryan, no pressure to follow that, but we will have you up next. So, explain to our audience, what is zero trust and what’s the risk that necessitates it?

Ryan Bowman
Oh, that was a great, great intro, Jim. And you hit a lot of different areas there. And maybe, maybe just to add to that, from a risk standpoint, is, you know, that’s been the traditional approach, right? What is the next risk? That’s going to get us and how do we stop it? How do we prevent and protect against that risk? Well, I certainly don’t want to be the one who asked to create a list of all the risks that are out there. Because I can’t even type that fast as quickly as new risks are coming in. Coming about, new every day, there are new methods of attack that we read about, and we just can’t keep up with them. But when you think about the zero trust is, why do we have to trust all of those things that our users are going to do, users are going to click things, they’re going to open things that people send to them, not because they’re inherently malicious, or they’re trying to be malicious, but it’s just they think they’re doing what they’re supposed to do. And we’re never going to be able to identify all of those things. There’s just too many. So, what that zero trust concept is building- what Jim said is, we just need to figure out what our users actually need to do in order to carry out their job. And let’s make sure they can do those things as they need to. But let’s not let them do anything else. If they need to do something new, that new thing isn’t trusted until somebody can validate it and give it the stamp of approval, and decide that we are going to trust that. So, it’s just kind of flipping that script of saying instead of trusting, and then trying to verify, which is really hard, let’s just not trust until that is validated for sure and given that stamp of approval.

Lauren Lev
Yeah. Sid, I see you shaking your head in approval, so you can go next.

Sid Castle
Well, thank you. I like what Jim was saying earlier about the users and what they do do. And that’s obviously, we’re playing on that word that doo-doo that they step into. And as you heard, Ryan said, we have to allow them to do what they’re going to do within their organization. And we need to understand what we can trust and what we can’t. We view it at LogMeIn and LastPass, for that, everything needs to be protected as though it’s already exposed, that it’s already out there and people are seeing it. So, everything about us is a component of zero trust or more on the zero knowledge that we’re wanting to keep this data and authenticate it, make sure that it’s not used or stolen, and that we make sure that we can verify if it’s compromised, but then also authenticate that you are who you are with our various tools. So, that’s the aspect of zero knowledge and zero trust that we work off of, but it partners very well with a lot of the other products you’re going to hear and see. That’s the thing that you’ll hear about this “Who’s In Your Cloud?” and everything that Matt and Lauren are talking about is, that this is something that has to be worked together. These solutions will do things for you, but everything together will be what will protect your organization and help you.

Lauren Lev
Yeah, it’s definitely a layered approach. Can’t have one without the others. Yeah. All right, perfect. Frank, we’ll have you go next.

Frank DePrisco
Sure. In the way we or I look at zero trust, as the compliance person and my background that I’ve had for so long, it’s always been about least privilege. And it’s so hard to implement, it has been so hard in the past. And getting companies to understand it and build their products that way, it’s been so difficult. So now that there’s the focus on the application, person, access, that can be done through products, it’s easier for companies to develop software products, using other tools to help ensure that the people have access to do their work and do what they need to but nothing else.

Lauren Lev
Alright, Chase, will you close out our first round table topic today?

Chase Doelling
Yeah, absolutely. I think usually what I like to do is just through analogies right? And so, kind of thinking about the movement from trust but verify, and then kind of verify every step. And so, I think trust but verify as you walk in the door and say, Hey, you look nice, right? You check that ID, but then you have a great rest of the evening. The comparable to that is kind of almost like going to the airport, right? And so, at each intersection you’re constantly verifying your identity, right, you kind of show up, you check your bag, and you get through security. And then again, and again, and then you know, again, if you make it into the bar there, right, and so that each step of the way, you’re constantly verifying yourself and kind of access to everything that you need. And that’s kind of also how we think about within JumpCloud is we’re managing all the user’s identities, but then also kind of what access to applications they have, their infrastructure, whether that’s devices or networks or other pieces. And so, instead of you know, I’d say showing your boarding pass, right, we were enabling push MFA. We’re enabling other challenges of authentication across that path. And then within that we lay down, I’d say we focus a lot on I’d say, the conditional aspects of that, like, what are the conditions where you want to make sure that happens? Like, well, you’re out of the office, right? So, there’s going to be more challenges, you’re coming from this IP, you’re coming from an unknown device, all these different elements that we’re able to combine into that authentication journey, right? So, because we want to make sure that you can authenticate and all those things, but then, to Frank’s point, you’re authorized to access those things as well, right? And so, kind of making sure that you have the balance of both.

Lauren Lev
Matt, before we go on to round two, do you have any closing remarks on zero trust?

Matt Tankersley
You know, the thoughts that I had, while we were just talking, is you know, what are the productivity impacts, right of least privilege and zero trust. And a lot of people listening might say, really quickly, man, this makes a lot of sense, you know, statistically speaking, and everything, but I can’t afford to have my workforce productively impacted this way. And the reality is- is you’ve got to stop and ask, what’s the cost of not doing it? What’s the cost of having an intentional or unintentional trust compromise that has every system in your environment locked down due to ransomware, or something like that? So, I think the reality is, it’s just, it’s just not an option. So, let’s take the rest of our time, continue to pass the baton around, let’s focus on how each of your organizations is going to battle with zero trust, and disarming the risk associated with the inherent or default trust of users, devices, data, applications, privilege and storage. What else needs to be part of this conversation? And Lauren, I’ll follow your lead on who we think goes next.

Lauren Lev
Perfect. Alright. Sid, talk about the inherent risk and LastPass’s solution to zero trust.

Sid Castle
Thanks again, Lauren. Obviously, the data is the big risk here. And you know, data is the new currency. So, what can happen to this information? So, we need to make sure that nothing personal is stored, that none of the endpoints are compromised? You know, how do we go between these different locations and different technologies? So, as you’ve heard, MFAs are incredible tools to verify you are who you are, that you’re logging in from where you’re supposed to be. So, these different pieces but LastPass with that identity access management, is all about protecting that data, and those users and making sure that even if we were compromised in some way, shape, or form that nothing was lost that could be used against somebody else.

Lauren Lev
Frank, you’re up next.

Frank DePrisco
So, it’s part of the cash prizes. Security is our top priority for this year, we’ve started to implement a philosophy of zero trust in ourselves. So, while we don’t have a product specific to zero trust, we’re implementing products to make sure that our colleagues and our infrastructure remain secure from cybersecurity attacks. So, we actually- today, at 11 o’clock, we actually rolled out the first phase. And so, with a company our size, and a lot of other companies, there’s so many applications, and it can be such a big thing that we’re doing it as a phased approach with a couple offices, and we’re just doing 18 applications to get started. So, I think it’s important to make sure you understand how many resources you’re going to need and what the scope of the project is, before you get started and have a plan, that way you can implement it and make sure you’re not taking away privileged access or hurting productivity. So, we’re kind of doing a phased approach. And we just started today. So, it’ll be interesting to see how that goes tomorrow.

Lauren Lev
All right, perfect. Okay, so we’ll go to Chase next.

Chase Doelling
Perfect. I think, you know, there’s a lot that we think about in terms of junk classes, I’d say the other piece is layers, right layers of authentication as you go through it. And so, I guess, to kind of give you an example of a day in the life, right. So, as I logged into my machine today, you know, it’s protected with push MFA. So, I have that- kind of get into my device. But then now I’m coming from a secure device, because I also have a certificate on that, right? And so, okay great. And then I can actually log into my JumpCloud single-sign-on, and that is specifically designed because I’m part of a group within our organizations. I have access to all the applications that I need, but then all the other ones that I don’t, right? And so, if I was coming in from an engineering perspective, to kind of use that example, maybe I can get all the way into my AWS environment, but I can only access certain areas, right? I don’t have- I’m not part of the DevOps team, so I can’t, you know, have visibility into that infrastructure. So, it’s even thinking about the granularity of when you want that to happen. And then also upping the ante when you want to, right? And so, I think there’s, you know, one of the pieces that we have around zero trust, and everything else is kind of that that thin edge that you walk between how much is too much security, where you’re frustrating all your users all the time, but then what are all the background components that you can rely on, you know, everyone within this call to kind of make that a seamless experience, right. So, that whole login experience, right, I had to do a couple things. But I was checked at each point kind of on behalf of the infrastructure behind that. And so, that’s a lot about how we think about enabling a lot of small medium organizations to go around that. 
And so, if you think about even the history of zero trust, and kind of how it came about, another good example of this is Google with their BeyondCorp kind of implementation. You know, the impetus of that was like, how can we access stuff without a VPN? And now the reality is, is a lot of organizations can get their JumpCloud included because for using, you know, certificate base and you’re already able to authenticate the user a couple different ways, then you’re able to kind of, you know, you don’t really need a VPN anymore to kind of get in access to those pieces. So, it’s that ability to kind of make that secure path, but really seamless make sure that you’re not frustrating folks along the way, right? Because to points earlier, right, users are going to be all over the place. So, if you can guide that path for them, that’s really helpful.

Matt Tankersley
Lauren, you know, it’s interesting, we, you know, we work with ConnectWise every day, and we have for a long time, we worked with LastPass for a long time, we have every day and each one of these plays a role. And, you know, if you follow our episodes, and why we’ve developed a layered approach to top cybersecurity one and TOPcyber21, right, and so identity and access management, which JumpCloud plays a significant role in, you know, inventory of your risk assets, right, a big part that Automate and ConnectWise does for us. But if you’ve been listening to us, you know that JumpCloud and ThreatLocker are two of my favorite new folks on the block. And I don’t know if it’s fair to call you new or not, guys, but you’re new to us. And we love it. And I’m actually at a customer site in Dallas right now. And I’ve got MacBooks all around me, and guess what I’m doing with these things. I’m getting JumpCloud on them. And once I’m done with that, we’re going to be talking about, a little bit about ThreatLocker once we get that Mac agent going on there, right? But we’re really excited about both you guys, thank you for being here. And I’m anxious Ryan, for you to share with the team what ThreatLocker is doing because it definitely makes our propellers spin.

Ryan Bowman
Yeah, absolutely. So, we got that Mac agent on the way, Matt. I told you in the ThreatLocker office and a lot of chatter is going on about that. So, it’s getting closer to reality. So, keep your eyes open for that. But you know, ThreatLocker does focus on the endpoint itself. I mentioned earlier that our users are just going to do things because they just think they’re doing what they’re supposed to do. They’re going to open those files that- they look like it’s a PDF invoice that they’re supposed to pay, but it turns out to have been a ransomware file that they ran. And with ThreatLocker, we’re not going to let those things run because we’re just going to identify the applications that you need. Do you need to run Microsoft Office? Yeah, probably, we’re going to let that run just fine. But when something new comes along that you’ve never used before, we’re not going to trust it. That’s zero trust, we don’t trust it. And so, we’re going to block it. And we’re going to allow somebody on the TechOnPurpose team to look at that thing that you just tried to do and make sure that that’s something that you should be allowed to run. And if it is, very easy for them to add that to the trusted list so that you can then use that application. But everything that hasn’t previously been identified simply isn’t going to be allowed to run. Now, the number one thing, of course, is we’re trying to stop those ransomware and other obvious, very obvious malicious files from being able to run that’s huge. But the other piece that people don’t think about are applications that some people might trust that can still be used for harmful purposes. And I’ll just take the example of a remote access tool. I mean, we’ve all heard about the fake Microsoft tech support calls, right? They call people, I’m from Microsoft, you’ve got a computer problem, I’m here to help you. Why don’t you just launch this remote access tool, and give me access to your computer so I can help you? 
Well, you know, TechOnPurpose, I’m sure it uses a remote access tool, but probably only one, maybe two, if they have a backup, there’s what 10, 15, 20 options that people could use. If they try to get your user to use one of those tools that isn’t already on the list, it’s not going to work. And then they’re going to call TechOnPurpose and say, let me run this. And you’ll soon figure out they’re talking to the wrong people. So, it’s not only the bad, the known bad, which is certainly a big piece of it. It’s also, the unnecessary, the applications that might be trusted to some, but aren’t needed in that environment, which prevents them from then being able to do harm. And I know, we don’t have a lot of time here, but data access somebody mentioned earlier. The second piece is once your application can run, what is it that it can do in your environment. Again, Office needs to connect to your network shares and get access to your Word and Excel documents, it needs to do that. There are a lot of other applications that you run on your computer that don’t have any reason to ever do that. They don’t need that data in order to serve their function. So, don’t give them access to that data. In the event that that application has a vulnerability at some point down the road, that application can’t be used to get to that data because it never needed that data in the first place. So, control what can run. If it’s not needed don’t let it run. And then if you’re going to let it run, keep it in its lane. Let that application do what it needs to do. Don’t let it do it anymore.

Matt Tankersley
Lauren, I know we’re going to give Jim some last words on- Yeah, buddy. I got you.

Jim Bowers
You bet.

Matt Tankersley
Yeah, I didn’t say, yeah I know you are, so don’t lose it. Don’t let me make you lose your track. I didn’t say this earlier about JumpCloud, and one of the things we love there is very similar to what ThreatLocker is doing right? And we can say, hey, you can only access these apps on these devices. And, you know, I could give you, I could hand you my credential and my username and you could go anywhere in the world. Without these technologies, you could log in, you could steal all my emails and all my contact information. But you know, JumpCloud does an amazing job of that. We’ve worked with similar solutions, like Google Context Aware, technology that says, Hey, man, if you’re not, if that device isn’t approved inside of the console, we’re not going to let you in. I think, Jim, let me set the stage for you on closing. We’ve said this many times, there’s no silver bullet to any of the TOPcyber21 or cybersecurity in general. It is absolutely a layered approach. Hopefully, you’ve heard that over and over and over. In this case, I think what is, it’s safe to say guys, zero trust is a methodology. And we can adopt a zero-trust methodology with what devices we’re using and where we’re using those devices and what networks connecting and what credential we’re using, where I can use that credential and where I can’t, and what role MFA plays. I love what ThreatLocker does with the endpoint. We talked in EDR last week, right? I think it was last week where we last talked, maybe a couple episodes ago about EDR. There’s all the things we know and then there’s what we don’t know. What I love about ThreatLocker is they’re cutting off in the past talking about things that we don’t know. And we’re going to assume it, we don’t know, it’s not authorized. Zero trust, guys, it’s a methodology. It’s imperative. It involves all of these different layers. And we love our solution chef from all of our vendors. 
So, we can’t do all that without our great friends from TBI and our VIP cast to help us with distribution and procurement and being smarter than we actually are. So, Jim, what are your thoughts on how your team approaches zero trust, man?

Jim Bowers
Yes, so, first of all, dude great, great group of cast members. Dude, this is one of the best ones I’ve done, great intellect here. But another thing, I love the 21 steps to secure reliable technology, right? And I can’t stress that enough, because that’s the roadmap for all, not just your clients, but everybody should take. Because I’m Italian and I will tell you one thing, if you take any layers of that lasagna, it’s not lasagna. I’m telling you it’s not lasagna. So, in that instance, when you take these layers out, your security is not where it needs to be, right? So, my take on it is like you said, I have this great job to work with vendors, like these guys that are changing and pushing and enabling organizations to meet this next generation of how they’re going to do business, right? And I love, Ryan said it, I like to call endpoints starting points. It’s focusing on that endpoint. That’s where threat actors are going to go. That’s a critical component into this, right? We’re focusing on- Sid’s solution focuses on that end user, we’re not going to trust them, right? And he talked about that zero trust and I think I love how Chase used that analogy. I like to look at it as a hotel, right? I have my key card; I walk in the hotel. With that keycard, I may be able to go to the front desk and maybe get a snack and maybe go to a conference room. But if I don’t have a room there, I can’t get into my room. Or now I can’t get in the elevator to the floor of the room. And that’s what zero trust in all intents and purposes is. I’m going to enable you to do your job function, but I’m going to limit you to only that, right? And there’s pieces and these vendors fill those layers in the zero trust, as well as the layers into your 21 steps. So, that’s what is awesome about this type of format. That’s what zero trust is in my opinion. And that’s why you’re having these series to enable our class to see what it takes to have that layered approach to security.

Matt Tankersley
Well, Lauren, we’ve been really efficient with our time today. I think we actually finished up faster than we intended. And so, I say, if anybody’s got any final words that they want to throw in on zero trust, you’re obviously going to close us out and tell people how to get free demos for all of these technologies and trials through TechOnPurpose. Of course, that’s the goal. But any final words, and let me kick us off Hollywood Squares. Chase, I see you up at the top left. Any last thoughts for our listeners that are trying to grasp what is zero trust?

Chase Doelling
You know, I was actually just going to just try to plus one, Jim. I think one of the biggest pieces that we talked about is you can’t, you can’t buy it, right? It’s not like, All right, great. I got some zero trust. It’s a methodology. It’s an approach, and it’s in one of the other pieces too that’s really interesting. When we talk to our customers about it is- it forces them to think about what are all those conditional access points? Like who should have access to what right? And that’s, that’s actually a new exercise that a lot of companies have yet to go through, right? I’m kind of like, what apps, what users, where should they be? And it’s a great thing to think about, because then you internalize all of those, you know, we’re just the software that helps you, you know, provide that, right? But it comes back into like, what’s the best process? What’s the best layer for your organization as you go through this and build out, you know, security and what it means to you. And so, that’s the other piece that I love about it, right, is the different types of lasagna, right? But you still have a lot of those components that amount to it.

Matt Tankersley
Love it. For all our propeller spinning friends, here and out there, if you haven’t heard, it takes seconds to set up a JumpCloud demo, by the way, and your first 10 users are free. So, if you have any curiosity about this, go sign up, play with it, kick the tires, if you want to do it right the first time, call us. We’ll help you with that. So, I’m going to get going around by Hollywood Squares. Frank, any final thoughts?

Frank DePrisco
Yeah, I’ll just say as part of that, make sure you have a test group, right? The trials are great, because you can test it and you can see what’s going to happen. And what’s what you’re going to break by not knowing what you’re doing until you learn it. And then just to make sure you don’t lose that productivity, we talked about, you know, have that test group. Have an initial group of applications or users that maybe it’s a smaller subset, just so you get before you jump in.

Matt Tankersley
Yeah, and ConnectWise, you guys have done a phenomenal job of equipping us as managed service providers and our peers to equip our clients through education. Quite frankly, that’s a significant part of obviously what we’re doing with this series, and we couldn’t have done that without you. And I’m looking forward to seeing what you guys continue to do with zero trust and helping to model that behavior for us and our clients. Thanks for joining us as always, Frank. I’m going to keep going around the circle here. Jim, I see you. Any final thoughts?

Jim Bowers
No, no final comments. I will say one thing that I got to really- zero trust is kind of an oxymoron because you got to trust somebody to configure the zero trust. But that’s a whole different topic.

Matt Tankersley
Episode 23, remember that we’re going to go back to that. Sid?

Sid Castle
You know, we used to talk about trusting everyone, and giving everyone a chance. But you know, trust is easily lost and extremely hard to get back. And the world’s changed. And that’s kind of the view I now have, I used to trust everybody first and hope that they had good intentions and good measures. But today, we have to view it the opposite way. And the best thing to do is to work with a company like TechOnPurpose, and look at what the different factors that we can offer those customers and those partners to make things better and easier. We’re trying to make things frictionless, because, you know, I understand when I go to the airport, I need to do all these things to be safe. But I also see the frustration. So, there’s got to be a compromise in some form or factor. And that’s what we’re trying to do is just make this easier, so we can do what we’re supposed to do. But again, thank you for having us.

Matt Tankersley
Always, always awesome to have you, Sid. Lauren, we’re going to let you close out after Ryan gives us his final thoughts.

Ryan Bowman
Yeah, maybe I’ll just- Jim, you kind of mentioned this- at the friction standpoint, that’s it zero trust scares a lot of people, they’re afraid that well my people aren’t going to be able to do their jobs because you’re not trusting anything. And you have to understand that, you know, well think of all of these solutions, we’re going to identify those normal and expected behaviors, and those are going to be trusted. So, there’s a lot of concern about what’s going to happen. What’s the impact going to be? And the bottom line is it should be very minimal if any. There’s always a configuration learning period for sure to get things fine-tuned. But if your people are doing things new that they never did before, shouldn’t you know about that anyways? Like, why do they need to download a new application game perhaps. You know, depending how strict you are with your policies, you know, if those things are happening, it’s good for somebody to know about that. And if they’re just doing what they did yesterday, and the day before, and the day before that, there is no friction, because those things, those things are going to be allowed. So, a lot of people are scared to jump in and take that leap, but give it a shot. Right? And just you know, the airport analysis, these analogies are great. You know, it’s the cost you pay to get to fly, right? I just flew this week and every time I put my license away because I think I’m done with it I have to get it out one more time. But you don’t even think about it anymore. It’s just you’re not going to go past the next step if you don’t do it and so you just do what you have to do. And you know that there’s some acclimation from that standpoint to just get used to the procedures. Like somebody mentioned, this is what makes us safe and we just know we have to do these things, we get used to it. We don’t like it at first, we grumble and complain. But then we just do what we have to do and we move on. So, give it a try.

Matt Tankersley
And Ryan, you glanced right over this, I’m going to connect some final dots between Frank, something you said and Ryan said. It’s actually part of every single ThreatLocker implementation that there’s a learning period. And it’s a very impressive process that they built into this thing on the front end. We’re able to deploy their technology and begin to get full time visibility and visuals in every single endpoint, every application and every process that they’re running. So, that now you can let that thing run for a few days, and you come back together as a group and you assess. Alright, so when you do reach that point of friction that we keep talking about, it’s well assessed and well documented. And we’re really impressed, Ryan, with what you guys do and thanks for being a partner, man.

Ryan Bowman
You’re welcome, thanks for having me. Glad to be here.

Matt Tankersley
Yeah, absolutely.

Lauren Lev
I’ve heard you guys say it over and over again in this episode, but a lot of this relies on end user and end user education and implementation. So, I wanted to shamelessly plug episode one on security awareness training. So, check that out on YouTube, Facebook, Spotify, LinkedIn if you haven’t already. So, if you would like to start a free trial from any of our solution partners, send an email to us at and sign up for our free cybersecurity assessment by visiting WhosInYour.Cloud today. Again, last reminder, catch up on all of our episodes of our “Who’s In Your Cloud?” series on LinkedIn, YouTube, Facebook, and Spotify and get direct delivery straight to your inbox by signing up at TechOnPurpose.net/blog. Next week, we have a really good episode for you guys on Emailing and Phishing Protection. And as we close out the holiday season, did you know that victims were more susceptible to scams than any other time of the year from attacks by malicious actors banking on you to click on fraudulent coupons and deals? Now, we all love a good deal, especially me, but not at the cost of sacrificing cybersecurity, and Matt would kill me if I did that. So, learn more on how to protect yourself and business in 2022 in episode nine being released next Tuesday, January 11th. Sending us off, I’m Lauren Lev, Marketing Manager for TechOnPurpose. We hope all of you enjoyed your holidays and we are looking forward to a cyber secure new year. That is all from us today. Goodbye, everybody.

Matt Tankersley
Happy New Year, guys.

 

Ready for your free cybersecurity survey? Discover potential vulnerabilities for your business and get a copy of our #TOPcyber21 Best Security Practices to help get you started on the road to #secure, reliable, trusted technology! Subscribe to our blog to get episodes of “Who’s In Your Cloud?” delivered direct to your inbox weekly.