Techerati Live – Morning Panel Session
CHRIS SMITH [00:00:03] Good afternoon and welcome to this panel discussion for Cloud and Cyber Expo. I am Chris Smith from Blue Chip. And today we’ll be talking about Remote Systems: Keeping Them Alive and Secure. I’m joined today by Richard Archdeacon. Hi Richard.
RICHARD ARCHDEACON [00:00:20] Hi, how are you?
CHRIS SMITH [00:00:22] I’m very well, thank you. And Deepak Daswani.
DEEPAK DASWANI [00:00:26] Hi, how are you?
CHRIS SMITH Hi Deepak. Thank you very much for joining us today. So, Richard, you’re from Duo Security?
RICHARD ARCHDEACON [00:00:36] That’s correct. I’m from Duo and I’m part of CISO
CHRIS SMITH [00:00:39] And Deepak, you’re from ElevenPaths, part of Telefonica, I believe.
DEEPAK DASWANI [00:00:43] Yeah.
CHRIS SMITH [00:00:45] Okay, great. So today we’re going to be talking about Remote Systems and Keeping Them Alive and Secure. So, you know, that’s quite a broad subject. But I think if we look at this through the lens of our current situation, we’re all dialling in remotely now. We’re all on lockdown. So I think let’s talk about it through a lens of what happens when a nation’s workforce has gone almost entirely down into lockdown almost overnight. So if we start at the beginning when this happened, I could see two kinds of reactions to this. There were the businesses that had a tried and tested process already in place, a procedure for business continuity, and allowed everyone to kind of slip into remote working very, very quickly and almost seamlessly. And then there were the businesses that kind of had to scramble around a little bit, patchwork together, find devices for employees and kind of stitch together the security on the back of that for getting people to work remotely. So, focusing in on the second example I gave there, I mean, what do we think about the risks that this presents for these people working remotely on the systems? And, you know, how are we seeing this affect businesses? Richard?
RICHARD ARCHDEACON [00:02:07] Of course, if I kick off on this, I think, first of all, your comments are right: there were organisations with business continuity plans in place and those who were trying to invent one as they went along. So the two scenarios. But I think one of the differences is even those with BC plans in place were operating at a scale and a speed that they never had done before. So those BC plans probably were tested to the extreme. For many organisations, it was a very rapid implementation of whatever solution they could get, driven by the fact that they suddenly had to explode their workforce. And what I’m now terming the accelerated norm: this is how we’re going to be working in the future; we have in the past, we’ve just accelerated it. So for many, it was to try and find a simple solution that they could implement to give them some form of security over the remote worker. And what they’re doing now is they’re saying we’ve got a very basic MFA solution. How do we now take that forward as a strategy to make it a part of the accelerated normal that we’re not going to be working it. So I think we’re having those different approaches. Even those with BC plans had to scale up rapidly, and that tested them. But those without them have just put in basic systems and they’re now making plans to go forward.
CHRIS SMITH [00:03:30] Yes, I’d agree with that. I know some of our clients that, you know, potentially weren’t quite ready for the extent of this and it was, you know, trying to find the devices for customers to connect and to get everything up and running. But then also, I mean, I think there’s a concern around some of the shortcuts people may have taken to make it happen as quickly as possible. What do you see as the risks potentially that customers have, Deepak?
DEEPAK DASWANI [00:03:57] Well, the thing is that the situation that we are facing, as Richard said, has made many organisations take a shortcut to keep people working not as fast as possible. And many big organisations, maybe they were prepared to with the systems to a remote solutions for. But many also, even the big companies where they were prepared for people working remotely, maybe they weren’t prepared for that level of load. So one of the risks that they are facing is that things are made fast. So when things are made fast, they are not made with the care that is needed. And many, many organisations, for example, were opening remote desktops on the Internet without, for example, protecting the network. Sometimes opening ports to give access to some services, and that could lead them to expose some vulnerable services or machines or servers that could lead to an attack. Another problem that they are facing is the remote employees: maybe, if they are not well trained in the protocols for working remotely, they can be driven by cyber attackers. They can be… the word is not coming. Attackers can compromise them using social, for example, now we own the solutions that we are using to make video calls, for example, or the platform we are using today, we’re using this social life. People are using Zoom, “DT”, and then many times even the remote workers for a company, they are working with other people, making meetings with other people of other companies. They could be facing these social engineering attacks. So as everyone is at home, there is no way to control that people are doing things fine. That are true, for example, of big problems that we are facing with this situation. But there are so many other problems that are part of this new scenario.
CHRIS SMITH [00:06:39] I completely agree with that. And I think it does represent new challenges and we’ll come onto that. I have another question specifically around that coming up. But for the meantime, I’d like to also introduce Frank Satterwhite from 1600 Cyber. Thanks for joining us, Frank.
FRANK SATTERWHITE [00:07:01] Thank you for having me.
CHRIS SMITH [00:07:03] And just to follow on with some of these questions, so we talk about the boom in people all of a sudden working from home and the risks that potentially delivers to an organisation that, particularly, they’ve had to rush to make this happen. We talk about the burst in all these people. So we’ve seen, from our point of view as a managed services provider, we also provide some networking to our customers. We’ve seen that bandwidth, Internet traffic, increase for customers. You know, again, overnight, that was a big thing that happened. All these guys are now, if you like, reaching the enterprise systems that the companies they work for have in place; they’re utilising VPN like never before. I would suggest that’s a common theme of how people are connecting. So, I mean, Frank, we’ve spoken about this before. But in your opinion and what you do around VPN, what are you seeing out there from the start of this scenario?
FRANK SATTERWHITE [00:08:05] So I definitely agree with a lot of the solutions are in scaling or organisations having tested to ensure they scale properly, but with the increased usage. So what’s happening and really dominating in the last couple of months is seeing criminals that are scraping various sites on the Internet to dark web, they’re using a known exploit to get credentials or session credentials. Then they’re taking these credentials and they’re hijacking these VPN sessions from all these different workers. And so I hate to say it, but the onus goes back on us, the security professionals, because a lot of the exploits and the VPN can be avoided if there was proper patching, if there was proper protections for the VPN server, for example, to be protected against potential DDoS attacks, there’s proper incident response. So the infrastructure components, whether we as I.T. or cyber professionals make sure they scale. And also whether we as cyber professionals make sure that even if hackers go and get credentials, are able to fine get credentials being unknown exploits, that once they have them, we have done the proper patching on the VPN clients as well as servers. So we protect our infrastructure and our organisation.
CHRIS SMITH [00:09:41] I think that this leads quite nicely then to my next question. So let’s move forward. So initially it was a big shock for everyone to work from home all of a sudden, big shock for the I.T. departments, for some organisations as well, to make this happen. In fact, certainly from a security point of view, we’ve discussed the areas there. So you’re in home now. You represent an extension of your corporate I.T. at home. What are the dangers around how employees separate their home use of I.T. from corporate? Deepak, you touched on that earlier. Richard, I’m just wondering what your view is on how do we deal with employees using devices and appliances at home and getting that corporate separation from a security point of view?
RICHARD ARCHDEACON [00:10:35] It’s not a new issue. I think we’ve had something BYOD for a long time. And that’s really what we’re dealing with, which is why I say it’s the accelerator. And I think first of all, go back to the point that Deepak was making about the user. Yes, we have to try and make them aware that they’re now using their own device. Personal device, corporate device, make them aware of that. And if you go to the next site, they go great in the graphics, the NCSA have come out with a lot of very good guides and some educational tips. What I think we do is to develop an approach to security which enables us to make a policy driven check at the time of access. So in other words, when somebody is logging in, and Frank mentioned scraped credentials, that’s the favourite way through the front door: take somebody’s credentials, compromised credentials. So make sure that we know, we understand what device is being used. Is it one of yours? Is it one of ours? What levels of… Certified your identity had been searched by the device, then limit your access to a particular application. So we bring in a whole series of policies to build up a level of trust to the point of access. So we can then distinguish between our machine that we might not let them into our finance application if it’s a personal device, we might only and others in managed devices, we might have set standards for using browsers, operating systems and so forth. So we can build a contextual awareness, that situational awareness, prior to access being given. I don’t know if we built those. That kind of infrastructure, that kind of framework. Doesn’t matter if it’s my device or your device, where I am. All that matters is we can identify you and trust you before you go in to an application at the risk level we’ve set that application at. So I think that’s how we have to approach it from now on.
CHRIS SMITH [00:12:35] So we talk to each about levels of zero trust standard, Richard, in terms of access to systems for remote users and those that are, if you like, already within the organisation, within the offices still?
RICHARD ARCHDEACON [00:12:53] Yes, I think that the zero trust mantra is never trust, always verify. Doesn’t matter whether you’re inside the network or outside the network. Assume the perimeter is no longer a defence. Not a new idea. The idea of the perimeter going came out with the Jericho Forum 16, 17 years ago. And we’ve been gradually moving to this new way of working. And we have to, and more quickly than we were before.
CHRIS SMITH [00:13:21] Yeah. Now, I think as an organisation ourselves, we see a lot of that because we deliver. We have a number of certifications and accreditations like SOC 2, PCI DSS service provider level one. So we’re all the way up to that level of security for our clients and customers within your organisation. And you need to think this is bringing employees along with that. It’s a journey. And I’ve personally, over the last week, taken part in re-education around cybersecurity and that kind of thing because we’re going through an audit at the moment. So I think educating people that are employed by a business that are now working from home, we touched on that earlier as well. So how do we continue to deliver security in this scenario to people that are remote? Frank, have you got any thoughts around that?
FRANK SATTERWHITE [00:14:15] I really think Richard made some good points. And because so often people are worried about keeping the bad guys out. But with a zero trust approach, we’re at the point in time when you have an application or person or a system price, whatever it is, when it’s trying to connect to something else in your infrastructure, there needs to be a level of verification. And there are many ways we can do that. But looking at isolating each device or entity and agree in understand and their connexion and then making sure they can only connect to the things that they actually need to connect to. Right now on a network, every device is connecting to many different things they don’t need to. So whether it’s restriction of ports, protocols, whatever it may be, we definitely need to micro-segment, there’s a lot we’re a like. Micro-segment these enterprises so that at each connection, there’s that level of verification.
CHRIS SMITH [00:15:27] You said deliver at an application level as well.
FRANK SATTERWHITE [00:15:29] Absolutely.
CHRIS SMITH [00:15:31] Not just a firewall on the perimeter, a firewall between the applications for the layman.
FRANK SATTERWHITE [00:15:39] It’s very inefficient to just focus, it’s prehistoric just to focus on the firewall and keeping everyone out.
CHRIS SMITH [00:15:48] Yeah, that makes sense, and I think, again. So if we switch some focus, maybe then from, if you like, the remote users to the security within data centres, whether it is your data centre or third party data centre, the actual servers themselves and the applications we’ve just been talking about. So how do you continue to deliver that level of security on those systems, given that we are all remote from them now? Whether we like it or not, access to the data centres isn’t as easy as it was before. What recommendations do you have around maintaining a level of security in that way when you’re remote?
FRANK SATTERWHITE [00:16:31] Well, it definitely puts more trust and more emphasis on the cyber professionals that have to maintain the infrastructures. But usually what you have is you don’t build security into the way you operate, right? And so, yes, some of these organizations rapidly had to shift to support this really remote style of operations. But hopefully you have people who are agile and can adapt and they can kind of bake in security processes into their operational processes. One means would be, obviously, maybe you have to change your policies, right? And then that subsequently makes you change your controls. So there are a lot of different ways to do this. But I think it really puts the onus back on professionals like us because we have to be able to interpret this dynamic landscape. And maybe you had a policy before for password protection or access that just isn’t as relevant anymore, or if it is relevant, the control has to change because the environment’s changed.
CHRIS SMITH [00:17:50] Sure. Deepak, how do you feel about, you know, continuing to deliver security now moving forwards?
DEEPAK DASWANI [00:17:58] Well, some of the things that I was about to say, Frank has said them very clearly and very well, and also Richard. The thing you were talking about before, when you were asking how, for example, we are doing in here. In first our example is good or bad example because, for example, we are a company that has had people working remotely from the beginning, or we have known solutions to work remotely since the first day. And we have people that are based in different places. For example, I am working from Tenerife, which is in the Canary Islands, I don’t know if you know where that is, Malaga and also in South America. For example, we, the Chief Security Ambassadors, have made our meetings remotely since the first day. Few years ago, many years ago. So when you were talking about computer devices: we, for example, work, some of us with our personal devices and some of the others with the corporate devices. As far as you take the measures and you apply the restrictions you need to apply, everything is going to be fine. And so we are talking about a company where all the people are trained in security and are I.T. and cyber security professionals. So that is it, for that point of view is another example. But also talking about other organisations that, for example, organisation up here that come to us or come to me. We have seen that many organisations are doing it, for example. They are not allowing some employees to connect to remote systems with their personal devices. But belongs to our organisation that they were not prepared. They’re in half because all the workers didn’t have laptops. For example, they have physical computers on the tables. Other know that. So these are some problems also that organisations are having in these new essentially, you know, also, for example, for the VPN services, you were talking about putting servers and other thing from where it was telling before. There are some organisations that, for example, haven’t. But both information solutions, for example, they are using the VPN solution that the firewall has built in.
FRANK SATTERWHITE [00:20:59] Exactly.
DEEPAK DASWANI [00:21:00] And for example that solution was for 5, 6 users. But they have been scaling to fifty five hundred users and they say they’re doing fine. So when you talk to people, it depends. Now, as I tell them, the I.T. guys are working out as a system administrator. The system administrators, they are the people that now have to prepare all this setup for remote workers, they are the ones who have the worst work right now. Because they are making hours and hours and hours of work. They have been making hours and hours of work in weeks, in the first weeks of this pandemic and the lockdown. And now it seems that everyone has reached a point of a new, as we say in Spain, new normality. So in this new normality, also, we are organisation that is stable, working as they can. So your main question, that is it possible to continue delivering security? We have to take all these things in health and see how we can help organisations from here.
CHRIS SMITH [00:22:29] That makes sense because we are reacting to scenarios. We have been reacting to the scenario for four months. And when I look at it from our point of view as an organisation that can still work for Blue Chip, we are quite lucky because we deploy everything from a software defined point of view. So everything’s deployed as a script, from the computer to the actual security itself as well. So we are, I think, lucky, if you like, fortunate to be able to deliver the security, be it from a server or to our users, as a script. And then we get the same thing every time: it’s repeatable, it’s predictable and always works. So do you think there needs to be a wider acceptance of, you know, these kind of automation and orchestration tools to deliver security, that’s predefined, pretested, you know, that work, that will allow people to continue to operate through this period?
RICHARD ARCHDEACON [00:23:34] If I can jump in here, I think it’s a step back and think about security as 2 points. One is, remember it’s people, process and technology; people come first. Never forget that. But to go back to your point, I think security is becoming harder but easier. It’s becoming more complex. I think Frank mentioned that, the idea of very granular policies being put in place, but in many ways, the delivery, as you’ve been saying, has become easier in terms of it being software defined. It’s platform delivered now. And also, it’s becoming delivered from the Cloud a lot. So we have SaaS security services. We did some research about a year ago and I think 90% of CISOs were now happy to have software delivered security. Now, if I go back 5, 6, 7 years, especially in the FSI sector, they wouldn’t have thought about it, but now it’s becoming accepted. What does this mean? One, the integrations are done for you if you’re getting a platform approach. Two, if you have Cloud delivered, software delivered security, you can scale much more easily. You can become a lot more flexible. You can switch solutions should you need them. But you can also build an overall view, if they’re integrated, of what is happening within your security environment. So we will have a far more complex environment. You mentioned the datacenter. We have a lot of data on the Cloud as well. But I think we will change in the future and it will be easier.
CHRIS SMITH [00:25:00] Thanks. Thanks for that, Richard. But we’ve used our slots up now. This is the end of the panel. Thank you very much for your time, Deepak, Richard and Frank. We now go to the lunch break. This wraps up the morning session; we’ll return at 3 o’clock. Thank you very much for tuning in for now. I’ve been Chris Smith and please come back at 3 o’clock to watch the afternoon sessions. Thank you.