Welcome everyone to our webinar, Minimizing Security Impacts of a Growing Remote Workforce. This webinar is supported by BeyondTrust. And the speakers today are Morey J. Haber, CTO and CSO at BeyondTrust, and me, Martin Kuppinger. I'm Principal Analyst at KuppingerCole. In contrast to many of the webinars we did in the past, this will not be more slide-based webinar, but it'll be primarily a conversational-style webinar. So maybe a little bit like a fireside talk or stuff like that.
So remain, stay curious. I think it'll be very, very interesting, very lively. Before we go into our conversation, a quick note: we have a series of upcoming virtual events on privileged access management, consumer identity, future of digital identities. And for sure, we also have a number of upcoming webinars. Stay tuned, look at what we have online, and attend whenever you can. For housekeeping, there's not much to do on your end.
We are controlling audio, so you don't need to control any settings yourself. We will upload the recording.
In that case, the slides are not really relevant because this is really only a few sort of passwords in the background, but even these we will make available. And then there will be a Q and a session by the end.
However, you can enter questions at any time during the webinar, and maybe, if appropriate, we also might pick one or the other question during the webinar. So enter your questions. The more questions we have, the more lively the webinar and the talk at the Q&A will be at the end. And with that, I have a quick look at the agenda, which is very simple today. Very straightforward. It will be, as I've already said, it will be a conversation, a discussion, an exchange between Morey and me on the topics we have on the title of the webinar.
So they're exploring the risks around unsecure, remote access, discussing the, the way how we could secure this, how we could use end point privilege management to make work from home, more secure and all the other things which are related to that. And this is basically what we want to do within the next 30 or 40 minutes, depending on how long we take. So we will right now look at a number of topics and I directly wanna dive. So to speak into this, these topics.
First, maybe I've introduced myself quickly. Morey, do you also want to quickly introduce yourself? And then we can start with our conversation.
Oh,
Thank you, Martin.
My name is T okay.
My name is Morey Haber. I'm the CTO and CSO of BeyondTrust. I have the distinct privilege of wearing two hats within the organization, the strategy for our product lines and also the internal security and cloud security for our offerings. In addition, I'm an offer, author, excuse me. I have four books to my name: Privileged Attack Vectors, first and second edition; Asset Attack Vectors, covering vulnerability management; and Identity Attack Vectors, covering how to build an effective identity governance solution.
So having this opportunity to speak with Martin on these challenges of the remote workforce is my pleasure and happy to have the dialogue.
Okay, great. I have to say, I have written more books I'm around 55. Oh. But I think the last one published has been around 2003 or so, so stopped working books for, for a while. So it challenges of a certain shift to 100% remote working.
And I think this is a topic which affects and concerns probably most of us in the one way or another, either that we are responsible for keeping security up or that we are remote workers, which might be sometimes uncertain whether what they're doing is the right way to do. And, and so there, there are a couple of, I would say, claims or theses we have put on, on the slide.
So, so does it mean bring your own device through the back door? And maybe also we can discuss if this is good or bad or neutral. The claim is it unmasks the limits of a traditional IT infrastructure.
So we should talk a little bit about why is this so, from I think our joint perspective. And there's the claim or the thesis, at least, that remote working and the shift, it creates massive security challenges. So as I've said, I think we, we all know for many organizations, it's really, it has been really a shift from little remote work to 100% remote working.
And, and so, so what is your perspective and your experience maybe around to which extent did it really bring it, bring your own device through the backdoor and, and maybe also your perspective from a security angle and you're also the CSO. So you have to deal with your own teams.
Is, is it a good, is it a bad, is it a thing?
So I'm gonna put on the CSO hat for a moment and explain it in this context. In 2018, BeyondTrust became a combination of multiple companies, Avecto and Lieberman, all through acquisition. Bomgar acquired all of us, but took the BeyondTrust name. That's now almost two years past, but one of the conscious decisions we did back then was take all of the infrastructure in terms of security technologies. And we went straight to the cloud.
So instead of, you know, four separate solutions as one entity, we said, okay, we want one vendor doing AV one vendor doing X, one vendor doing Y. And we wanted cloud based. So as the CSO, when COVID hit, I did not have a problem asking people to work from home. They were already getting their policy updates, sending events, sending alerts, and it really was fairly easy, but the problem is many companies did not have that benefit. They still had a lot of on-premise legacy technology in the form of AV or other endpoint security, or even log management.
And they were requiring VPN access in order for those users to work properly and basically manage those devices. That's where a problem started to come.
And some, some have some haven't even solved it today. I think that is interesting thing. My wife is working at a German governmental organization and still a lot of things just don't work three or four months after.
So, so I, I would fully agree with you if you're in a, in a scenario where, where, where you are, so to speak already in a cloud based scenario. And if you sort of have implemented what is behind this concept of zero trust consistently, then it's easier.
But yes, also from my perspective, and still sometimes unsolved or not fully solved, a lot of organizations weren't in that state, they were not
No, and many of them are still seeing those problems as, as you're experiencing. And many of them, to the BYOD point, had no resource to give to those office workers. So they couldn't procure enough laptops. They didn't have the money to procure devices. Some people were even told, from my experience, take your physical desktop home. And then they installed VPN clients.
But the BYOD piece became the big challenge because for peop, for organizations that could not supply the device and they told them to use their home computers, the worst thing that we saw, and we still see, is VPN on home personal devices, because you can't manage them correctly. You can't check the patches, you can't check security. Yeah. And that backdoor is huge.
And it, it it's, it's sort of, of neither beef nor fish in some way, because you, you don't say, okay, use your own device, but goes through that VPN into our internal network. So it's, it's, it's not a consequence. So I think consequently, and I'm, I'm a strong believer.
The, the, the, we have a clear trend towards, okay, people have devices, wherever these devices come from, and they access services wherever they run. And that's where we care about. But if you trust and say, oh, I, I open up the device, but everything else is the traditional thing. So it goes, you go in through the VPN. And I assume that the system is secure. The client is secure, because that is still my old perimeter thinking.
Then, then you're sort of mixing two concepts, which don't work if you don't that, that well together aside of some of the smaller issues, like VPN bandwidth things.
Yeah. And there's better ways of doing it.
Bastion host technology, VDI technology, secure remote access technology. There's a lot of better ways to do it. If you cannot supply the end user a device, BYOD certainly can be used, but it shouldn't be the backdoor. It should be the point to some form of zero trust network access, or remote access, not using VPN technology on their machines to get to the resources that can then basically keep the business running. Yeah.
And my wife, by the way, is using a, your own device device.
At least she has someone who has a little bit of security background as a first level support, which is me, but yeah, but it's not a nor the normal scenario. I think you, you, you could expect.
And, but I think that brings us directly to the second point we have on this list of bullet points, which is really unmasks the limits of traditional IT infrastructures. So that is what, what we heard from, from, from many.
So, oh, we can't go into whatever Teams, Zoom, whatever meeting with video, because we don't have the bandwidth, because we're tunneling everything through our internal network. Things like that are examples, not even have to do with security. And when we look at security, we touch some of these points. I think it's even, even bigger challenge. But one thing I'd like to ask you, I have opinion on that. It massive security challenges.
So I think two scenarios, we, we could have the ones organizations like beyond trust, which have been in some way prepared, not prepared for what was there, but prepared for, or already 50 to a, to a modern it and organizations, which were not as modern and maybe still aren't do they still have a chance to quickly improve things so enable different ways of working and still not paying with massive security risks for that.
Yeah, there is, there will always be critical resources in the enterprise that have to live on a raised floor.
Those are the ones that you're gonna have to treat a little bit separately, but if you take concepts like zero trust in a software defined perimeter, and you ask this basic question with the person working from home, where are my risks now manifest? Is it that I'm, I'm not getting events, policy updates, I can't verify vulnerabilities or patch management and try to move some of that to the cloud. Many of the vendors that you may be using for on premise technology may have cloud versions of it.
It's not that difficult to lift and shift as bad as that sounds to their modern platforms that are in the cloud, whether that's an endpoint security product, or whether that's going to some type of vulnerability scanning, et cetera, maybe you have to deploy agents cuz you're not doing credentialed scans, but those types of approaches will definitely secure those resources. Working remotely. You also have to consider one really big piece here is that things like penetration tests are now drastically changed with the concept of remote workers.
You cannot do a lot of the things you did in the past and those have to be treated separately.
Yeah, but I think we also have seen that a lot of change is feasible when you, when we look at the, the adoption of collaboration, et cetera, tools from the cloud. Very rapidly, it, it works very, very fast and very well. And I believe a lot of these things, the, not the average user doesn't want to get rid of it anymore.
They, they want to, to keep it even while they might want to go back to the office, at least every now and then. But I, I think that this, this, this change in the way we work is also something where, where we we'll never go back to that. And I think this is also very important for security because we can't say, okay, sometimes the vaccination is there and the virus is gone and all back to, as it has been, does that is something where I strongly believe it will not happen. So my perspective would be the trigger change. And as you said, yes, there are a lot of things we can do.
Another point I would bring in for security is turning on multifactor authentication.
Oh, absolutely. Something
Absolutely. Probably users upfront tested a little. So because you can't walk to the desk anymore. That is a challenge.
So it's a, Porwal, can't just walk over and say, okay, I'm, I'm in your building in five minutes. No, but you can do that. You can improve things, but absolutely convinced it just triggered and, and, and speeded up an evolution with terms of zero trust and then others, which already had started before. And right now it's irreversible.
I agree. And it is a universal type of problem. We now have to verify identities and the assets state before we allow any of it. Many of the multifactor technologies allow you to verify the, the state, you know, it's not an end of life operating system.
Things like that, that there are the latest patches, the little features that may be involved or that you can enable in an MFA or a step up technology, you definitely should take advantage of, because it will just add that extra layer to ensure that the connection is not gonna become a liability.
Okay.
So, so maybe let's, let's look at the next set of statements we, we have, so around our discussion, and I think this is directly related to, to what we started talking about. So what are the CSO considerations, or the considerations to take, for a rapidly expanding remote workforce?
And so, so one of the statements here: remote access is the number one attack vector. That is something we, we, we might argue a little bit about. Bring your own device and shadow IT is causing problems. So do we have an uptake in shadow IT?
And we, we have new metrics required to achieve compliance. So, so the one thing where I would maybe argue a little is with remote access is the number one attack vector, because I believe the number one attack vector is still the user.
Okay. That
Sense.
So, and we have seen a massive uptake of, of Corona related phishing attacks and other stuff. So, and at the end, I, I, I have, I would say this is, is really the point where, where it all starts. So the user, as the perceived weak link, I, I think the user sometimes perceived being a weak link.
Than, than, than users are, because the, the vast majority of users really act with a good human sense also when it comes to security. But I, I would say it, it's maybe more the user than the remote, remote access, but you might have a different perspective here.
I think we're actually talking the same thing, but it is a semantics thing. So we probably could reword it if we want it to be more precise. I agree.
The user is the number one concept, but the user is working remotely and they are probably, based on other data, being phished, not necessarily a vulnerability and exploit, but that's certainly up there. But how is that end user connecting to company resources? Remote access. So if they are being phished on a system that is potentially vulnerable due to whatever reason, misconfiguration, not secure, poor password credential management, when they access a system remotely, that is remote access, and that becomes the conduit for the attack.
So
It would be a broad definition of remote access anyway, because remote access to me sounds always a little like VPN.
It does, but if you have an, if you have an unsuspecting user working at home and they've received a well-crafted phishing attack, and there's plenty of them right now, plenty of them that are literally preying on people's knowledge, asking for charity, well backed with good HTML.
I mean, no misspelling, all this stuff that we normally would look for and they do get compromised. Most of the time they might be running with local admin rights, which is the worst thing those need to be pulled. And then that VPN or technology then basically again, becomes the protocol conduit for ransomware or some other type of lateral movement.
And, and how do you fix it? And because if, if it's not your device, if it's a managed device,
Yeah. Then I recommend secure remote access style technology.
Again, I mentioned the bastion host technology earlier. I would also recommend cloud-based services that act as proxies. There's no protocol tunneling, you're re-rendering the webpage, the session, all of that with session monitoring and basically real time grabbing of the contents before it's rendered to the end user. And the performance is amazing. So basically they're really not SSH'ing, they're not RDP'ing, they're not using HTTPS. They're just getting a rendered view of what that session looks like. And malware and other techniques can't work, including the password injection.
So with all of the concepts and problems we have with remote workers in terms of not managing them and the risks, don't allow a protocol tunneling solution like VPN to be the vehicle that your internal enterprise becomes infected.
Yeah. At least as long as you run your own internal services in, in a traditional way, you need to have some way of remote access to your, to your enterprise. I think that that is the point.
So if you think about a, a bright future where use certain devices and have services which are all exposed in some way as sort of a cloud service, it might look, look a little different, but even then you have the access challenges, you still need to do it. I still would come back to MFA here because, yeah. Yeah. Because the best way to, to get rid of password-based attacks is to have more than a password, apparently.
So, so phishing for passwords doesn't work super well when MFA is enabled because then you that second factor anyway,
Agreed. And with the remote access technologies, or even using bastion host traditional ones from leading vendors, you don't want the end user working from home to be able to go to your cloud resources directly. You wanna lock those down with ACLs and use that technology to be the conduit with MFA. So their source is always re-originating from a, a finite list of IP addresses.
However you set that up, and if credentials or MFA from a man-in-the-middle attack, your two-factor's compromised, it's not gonna work either, because it's still gotta come from that trusted source. I know it sounds like a lot of complexity to set up, but considering users could work almost anywhere.
And at least in, I can tell you from my place, my, my case, we don't have many summer vacations right now due to COVID, but I do have employees doing Airbnb and they're still logging in, I can't guarantee what state they're in, but I can guarantee using a remote access technology they're coming through the same conduit.
I see a slight risk that, that sometimes I think the art will be the balance. So which type of server, which type of data, which type of application do you allow to be accessed and which manner?
So, so, but, but apparently I think there, there's even for use, there, there's certain type of technology. So if you look at CASBs, so the cloud access security brokers, they, they've factually have the concept of bringing things together.
So, so allowing just certain access passes to, to restricted in, in a, in a meaningful manner, which, which fits to the, the modern work style. And I think we have to just accept, yes, we will have these unmanaged devices and we will have probably more of these in the future because of sometimes get used to it. It's it's convenient.
So, so when you look at the perspective of, of achieving compliance, you already touched pen testing needs to be done differently, but, but, but overall, so, so what, what are action items for action clients from Uran to say that this required for achieving more, more compliance?
You know what Martin, at first it's one of the times we're gonna agree probably on the other couple of slides, we won't.
So we'll let our audience gauge from that. On the pen test side, when you got people sitting in the office and you wanna scan and do reconnaissance across the network and profile a device, the, the pen testers basically have free rein to the network. When we're dealing with remote workers, you can't do that. You might be able to do reconnaissance through a VPN tunnel, but basically everything else in that home office is off limits. You can't scan, you can't profile.
And if you've got more than one person working from home with other corporate resources on that same network, you basically have some legal issues as well. So the best things for you to, to do as a pen tester are consider the social engineering aspects: phishing, vishing from voice, smishing via text, other aspects of that, which are, as we've just established, the weakest points, that the end user is going to basically fall for that text. Fake text message as a follow up: oh, you tried to authenticate, or we detected a login to Google, click here.
No, I didn't. The user instantly just clicks and then realizes, oh, no, those are the types of things that are better for remote access pen testing. But keep in mind the traditional network that we used before is pretty much off limits. Yeah.
The pen testing market is changing, isn't it? At the end of the day, because yes, you can pen test the cloud services, but, and you can do things when it's about a user. A lot of this is, I would say, even less pen testing than security awareness training in some way. So do that.
And that's, by the way, something you should do and you do continuously. I'm, I'm a strong believer in very short, very concise, very focused and very practical security awareness training lessons. So at the beginning of the crisis, I recorded a five minute video.
So, so the sort of cybersecurity awareness training essential in five minutes, and there are not that many things you, you, you need to look at. And, and the good thing from my perspective is at the end of the day, the users not only have to look at security in their business life. They are challenged by that as well in the, in their personal life. And so if you, if you educate them in a way, as you say, this helps you in your, your daily private use of whatever it smartphones, etcetera, as well.
And, and why, why not just being careful and conscious as well when you're doing it in the business, and you already did a, did a, I believe a huge step forward agreed.
And, and as a CSO, as the title says, CSO considerations for that rapidly expanding remote workforce, my training has changed, my pen tests, my annual pen tests have changed, how I approach SOC and ISO certification has been altered. It's not as straightforward because I now have admins operating remotely to manage the services we provide.
You have to really think of the different privileged aspects, identity based aspects, everything being two factor in order for that to be properly secured.
Okay. So let's have a look at the next one, implement and protocol to enable long term remote work. So it just goes probably a little into what we already touched in the, the first part, when we, when we also said it will not go away anymore.
So we, we need to understand that remote work will be part of probably virtually every organization's way of working. And, and so, so again, we have, we have a couple of points we might look at. So how do we limit and monitor access to systems and applications, critical sessions provide, manage remote access, wherever required and audit react.
And so I, I would bring up a thesis here, which is, I think behind that is also one thing I, I, I touched a little before, which is we need to understand where do we need, which level of security or we could phrase differently.
Where do we have, which level of risks we need to mitigate. And I think this will be one of the things we, we need to really learn and understand and do, right? That we say there, there are a lot of things where you can be flexible.
And, and that's, I believe one of the, the things is in, in this time of remote work is that in many organizations, collaboration move to a higher level efficient use of tools, collaborate, work, video conferencing in the very flexible manner. A lot of things change positively.
And, and, and so, and a lot of things can have ever acceptable level of risk as well. But apparently, and I think that holds true for a consequence of remote work, as well as if, as when we look at the big zero trust picture, we need to very well understand what are the higher risk assets we want to protect and what are the attack? What are the things we really need to, and on the slide, I think we have a couple of things which are important, like critical access sessions.
Yeah. It's so it, I look at it in a, a top level fashion that first, all communications must be encrypted.
And that goes to the sessions you're referring to you, shouldn't be hitting FTP remotely without something in between encrypting everything, right?
Just if, if, if we talk, if we talk zero trust, it means we have the device and we have the service and we have a communication. And that communication, because we don't know the network anymore, we don't have to CRI on the network. We don't know if this is secure wifi, or is it wifi in Morey's home, which just recently might be, have been compromised, changed by some of your family members. You don't know, you know, whatever happens.
We don't know what it is, or is it really Morey's home. We don't know. You might just have this background here. And so we don't know. So encrypt, apparently yes,
But many times that's not happening. And we even see this with the video conferencing software and some name brands that have had to play catch up. The second half of that is back to the remote session, that no one should be initiating the session. The first piece of that session should never be with privileges. It should never be an admin or root.
It should always be a standard user or lower using some form of tech step up or privileged access. And when they elevate, where they start using privileges to do administration or critical functions, or even if it's for an HR application, then that's properly session monitored if needed, and everything is then logged, and make sure all of those logs are being sent to your SIEM. Even if that's still on premise or in the cloud, you gotta monitor that activity for any type of evidence of compromise. So the key piece is, look, you're gonna start that session.
However, you're gonna use tools home based whether it's corporate issue, the VPN, don't let them log in as an administrator. And when they do step up or check out something from a privileged solution or change accounts, make sure it's properly monitored when it's running something of privileges
Yeah. And split accounts correctly. So don't use your domain admin account for accessing your standard Outlook and stuff like that.
All the, these things which are done, but, but I think it really, and I'm absolutely, we, this is getting significantly more E when we move to a long term remote work approach, because, and you said, you know, the good thing is you had all your services already, your security service in the cloud, but we all know there were enough organizations which had only a part of their service in the cloud or none. And that means work from home causes issue in administration on the other hand. And the same, the same effect comes from that.
We use more and more managed services where we have access and, and all these admin sessions apparently are, are ones we need to protect very well. And by the way, we also need to do it for every cloud service we use. So admin sessions to cloud services are critical privileged sessions, and they need an appropriate session management in the broader sense.
So from a protocol standpoint, Martin, this is one that I've debated with my own IT staff. And I'll pose it back to you cuz I'm still on the fence for it. Do you allow protocol split tunneling with VPNs?
Yeah. Tough question.
You got me a little unprepared for, for that. I, I probably would have to think about.
So, so I, I think that the point is if, if you, if you trust open the, you apparently have to challenge that a lot of things can happen through that tunnel unless you further limited what, what can happen. That would be something where, where I would be so somewhat reluctant let's phrase it like that.
So, so it, it is like opening the door and saying, okay, you can come in, and then you're in it. It goes a little bit back to the perimeter thinking.
So, so your tunnel, okay. You, I allow you to go through the perimeter and do what you want.
And I, I, I would go more granular and say, okay, what, what is what you're doing? So you're, you're going to this host, you're going to that system. You're doing that administrative task at that service.
And then, then I apply appropriate security measures, whichever way they look, they could be very loose or very tight depending on the criticality and the risk.
Yeah. This is one. And I'm sorry to put you on the spot with that one that I go back and forth with. It is a protocol issue. There are cases where I can see split tunneling and there are cases where I can't, and I have not heard any from any of my peers, anyone give me an argument one good way or the other, but your answer hits it perfectly. What's the risk what's being accessed.
And what are you gonna allow them to hit when you do go through the alternate tunnel? It's probably the best definition I've heard so far. Thank you. But I still don't know what the right answer is.
Yeah.
That's, that's another, another, another thing it's probably not that there's one single answer. It's very frequently. I think it's not the one single answer you have.
So, so I think it depends very much on the environment and it's really what are you doing? And, and then you might have a scenario where you safe. There are certain people which with a certain, with a well managed device might be allowed to do certain things at a certain level in your data center.
And, and then they open up a tunnel because they need to access so many different whatever network components that it would be hard to manage with the individual sessions. But then again, it would be balancing the, the risks you have with all the other factors and, and the controls you have in place.
And, and for other things you probably will go for a single session because you say, okay, the one who's doing some administrative work for Office 365, that is something which I never will go.
So it doesn't work that way through tunnel, but it, it would be something which is a, a very restricted session. And by the way, the risk thing always helps because we have a last bullet point. We have this audit thing. The audit thing always, you know, when you talk with auditors, always talk about risks: think in risks, talk in risks. That's what the auditors understand and expect.
And that always helps you with auditors. And you say, okay, I started looking at risks and that's why I do it that way, or that way or that way, then, then you never fundamentally wrong.
You, you might have ma made some wrong decisions or decisions for the auditor as a different perspective, but it's not that you're totally, totally wrong in what you're doing. So, and at the end, what is our mitigate risks? R we can and understand the residual risks.
That is the other part of it. So we never will be, there's no 100% security.
So, so the, the, the, the limit of, of cost for security moving towards 100% is infinite. So there's no 100% security. So we need to understand that. And I think based on that equation where we then can balance the risk and the cost of this and the, the impact on the way people can work, that that, that helps us to, to make better decisions and to, to have a small portfolio, a reasonable portfolio of security technologies we apply.
So we mustn't end up in a zoo of, of alternatives, but don't say, okay, maybe these are the, I, I tend always to, to create clusters and say, okay, this is roughly the same. So let's treat it the same. And then you end up with a few clusters of scenarios and apply adequate measures from very relaxed to super strict.
I, I'm in full agreement with that. And I think that risk analysis is balanced with operational and uses security.
In the case of the split tunneling question, many times I've seen organizations basically use them on the VPN clients when there is not enough bandwidth back to our earlier conversation, and they have to basically state look, I can't increase the pipes. So I've gotta accept the risk by allowing X, Y, and Z resources to go directly from the client to the internet or wherever. But that also is just a pure risk measurement.
So I, I agree fully on that. Yeah.
Okay.
And, and we already came to this last larger discussion item before we shift to the Q&A. So the challenge of balancing security and productivity of remote workers.
And, and I think there, there, there are two types, at least one is the multi administrative side. So the IT staff and the other is the sort of standard business user, but apparently, and I think you you've been so long and in privilege management, one of the things you, for sure, I've had far more in me is this reaction when, when someone in organization starting with PAM, the first thing is some admin saying, but then I can't work anymore. We can't do that.
Yep.
They, we hear that a lot. And unfortunately that is a misnomer. It's a falsehood. There are so many ways where you could actually become more productive. For example, the concept of passwordless administration, it's an extension of least privilege.
But basically if you are an environment where you're giving every user two credentials, your standard user or login, and then you get your standard UAC popup, or you have sudo, or the challenge response on a Mac where you have to add in a secondary credential to perform a task that actually slows you down and introduces risk because you're keying in a secondary credential. And if you're doing it a lot, it slows you down even more. Passwordless administration, a part of least privilege, basically elevates the application, not the user.
They don't have those credentials anymore, and it just works. They don't actually enter anything. The policy actually says, you are a trusted user. You're in the proper context, you have the proper attributes and I'm gonna elevate and log. It's another form of zero trust. It's all a part of a universal privilege management strategy where you can actually speed up the productivity with PAM, that balance between remote workers and the office.
Since we have to implement more security controls, to make sure that they are who they are, their identities are correct, can be balanced with a lot of the PAM concepts, but people have to be educated on that.
And I, you know, I think when I look at many of the stuff, much of the stuff I've seen in PAM, then session access can become far simpler than it is when you manually go through the hosts through whichever type of technology. And so it can be just, these are my sessions I usually use. I can easily use them. And it's all integrated.
I have very frequently, far less credentials to care about. I have far less authentications to make if the, the initial authentication is strong enough, if it's trusted.
So yes, we, we can increase productivity, but apparently it is, it is a challenge security versus productivity.
But, but also when you look at, if you go away from, from the high level PAM to the, the simple MFA, apparently this makes a lot of things easier for the average user, because once the device is, is, is used and, and has been acted as the second factor, the combination of the, the device identification and the relatively simple first factor then for instance, is a, is a pretty good way of balancing security and convenience because at the end take things like Windows Hello, for, for the average user, they make a lot of things easier, not more complicated because you don't have to type just lengthy passwords and change them all the time.
And still you have more than one factor or more the two factors, the two elements, user and, and password. So I, I think there are ways to balance. And my experience is also from time project.
Yes, if you do a project right, then you will increase productivity and convenience, not decrease.
Agreed and agreed. And if you're thinking of any of your PAM projects or, or old what I would call almost old school, where you are going to a portal, hopefully with 2FA, MFA, checking out a password, starting a session, pasting it in, that is not a productivity increase. The session should be able to start with two-factor, or basically recognize that your environment hasn't changed and cache it for a duration.
But if you are an ITSM user, or you have your predefined PuTTY sessions or RDP sessions that you've been using in the past, being able to launch them or being in ServiceNow, and going from a ticket to directly launch a session without the additional steps, the additional mouse clicks, that's what next generation PAM is about. Anytime you have to introduce more steps, that balance is woeful for the end user. So find a way to streamline it.
Yes.
And
Increases,
And, and, and, you know, also a lot of things where, where we have to see mounting and which kind help us in the alerting thing, etcetera. So it, it helps us also focusing on those things, which are risk.
So we, I talk a lot in, in my part of I identity manager also about adaptive, about risk and context based authentication, which apparently means in most scenarios, you can work pretty simple. And only when it's really required, we are strengthening this. I think the today's technology really help us to, to, to balance it, to give easy convenience, seamless access and, and inactivity for remote workers at all levels from, from the standard end user to the highly privileged admin.
But isn't, but we also have the option then to add what you need to react
Like the whole point of Microsoft Hello, and all these other technologies, they just know who you are through advanced techniques, user behavior, and let you do the function you're supposed to without you introducing more steps. Right.
Exactly.
And, and, and the solutions also, I think, and the second of these bullet points, the non-intrusive addition, yes. Look at what is non-intrusive, look at what streamlines, as you said, the, the activities, and there's a lot of technology and be careful with adding too many different tools at the end of the day. So for every, every cybersecurity tool you add, think about which two other tools you have. You can remove maybe because I would say probably each and every organization has too many, not too few tools in cybersecurity. It's more about having the right ones.
Agreed.
The dashboard and SIEM approach is interesting. From my own personal standpoint, I'm very in favor of MSPs, unless you're large enough where you can afford and staff a 7x24 NOC worldwide, cuz it's needed. If you're in the cloud today, or you, you host your own cloud resources, you do need that coverage.
So having a good SOC, MSP based, or if you're able to build one your own, and that single dashboard, it's critical for any remote workers. If your organization has gone down that remote worker standpoint, you need to have eyes on all the time compared to what you may have done in the past. Personal opinion. But so far, I've found that to be a very effective way of keeping an eye on security.
I, I, I'm a strong believer in, in having managed services in the SOC space because most organizations just don't have the people and they don't get it on the market available. By the way, if you have managed services, you definitely need a PAM and you need session management and monitoring because they again are highly privileged sessions. So it is in that discuss. And by the way, it's also in mandatory, you mentioned it, that all your PAM data flows into the SIEM, it's analyzed and you get information back about what does it mean? Where are risks increasing so that you can react
Agreed.
Maybe we, we, at that point shift to our Q&A session also in the interest of time. So thank you. We have a couple of questions here.
And, and as I've said, for everyone in the audience, feel free to enter additional questions, but maybe the first question, I think it's an interesting one. We talked a lot about remote access, but Murray, which other recommendations do you have besides VPN or remote access to sum it up?
So
Yeah, summing it up first, ask where your remote access is going. It's the biggest piece? Is it an on-premise raised floor traditionally? Is it directly to the user's desktop? Like they were virtually sitting there or is it to cloud resources? Secure remote access technologies, whether they are hosted in your DMZ or in the cloud, can get access to all three of those. Bastion host technologies, VDIs can do some of that. Not all of that.
They're, they're not gonna get you back all the way to your own individual desktop, if, if that's what you have. But if you have a raised floor with very distinct applications, especially in some verticals like healthcare, those are the best technologies for persistent usage. VPN is great. Don't get me wrong.
However, the risks of long-term remote workers, especially if they're using BYOD, in my opinion, are just not acceptable and remote access technology with the removal of admin rights and the secure storage of credentials is the best method to go.
Okay. And another point, another question we have here, do you recommend moving endpoint security monitoring technology to the cloud?
I, well, okay. I think we covered a lot of this.
I do look, if you are issuing laptops or devices for people at home and they're corporate owned company owned, you don't have to have that VPN for them to get policy updates, security updates, and just to be even basically monitored. As soon as they're powered on and connected to wifi or a home wired network, they're able to basically stay managed. So I strongly encourage as remote working continues that you find a method to keep persistent monitoring and management of those devices, cloud being probably the best way to go.
And you brought it up also at the beginning to, to refer back to that, that running security as a service helps specifically when the way we work is changing and the way we work has changed with remote work, but also with sometimes inability to, to, to, to Wellman your, your, your internal network. Because when also the admins are remote, things are getting more difficult. And the other thing is, I think it's the big, as I've said, it's the big trend.
So the overarching trend is from my perspective, definitely diverse an environment where, where we think about we have users and they are wherever they are, and they might access through whichever network and we have services which are run in the best way they can run. And then if we have a cloud first strategy security in the cloud, first strategy has some logic, not super easy, but at least some way to, to proceed. So
Martin, can I add one piece to that?
I think one other question I have here, or you can, can comment and I go to the next question. Go ahead. Sure.
So one of the questions that's probably a natural follow up is what order antivirus first, right? Period, just your antivirus should go to the cloud because that's gonna be your first line of defense. It's required by regulations. In many cases, the second line of defense, I will be biased. I will say a PAM solution, endpoint privilege management hosted from the cloud because that not only removes the admin rights that we've been discussing, but it also gives you application control.
And if you look at things like the Essential Eight from Australia and other security best practices, removal of admin rights, full application control with allow block listing and, you know, gray listing type, that is gonna be the biggest bang for the buck. Then the natural extension becomes EDR, XDR, MDR services, because those are the ones that are gonna be able to react to a problem. If you put those before then you're still allowing admin rights or other things, and they're gonna be reacting to too much.
And then you get into the specialty technologies like web proxy technology or something else below it that might be unique for your individual use case, just my opinion. But I really do believe that that application control and privilege management should be your second line below AV to be managed from the cloud.
In general, we, we need a couple of lines. That's very clear, layered security. There's an interesting question.
Also, when you have externals, which need to access some of your services and they don't have the VPN access. So how can you incorporate them with your BeyondTrust technologies, into a secure working environment, be the customer, a partner, whatever.
So specifically to BeyondTrust, we have a concept called jump points. This is a technology that can be deployed on Windows or Linux within your environment. And they talk to that master appliance. That's either in the cloud, hosted in AWS by BeyondTrust, or you can even host it in your DMZ.
If you wanna keep it private that provides that conduit into internal resources, whether that's traditional protocols like RDP, VNC, SSH or even HTTPS, because we embed a Chromium browser in that jump point to act as a bastion host, or you use agents, what we call jump clients. That jump client then communicates upwards, never downwards, has no listening points to even get you routed all the way back to the help to, to your individual desktop.
That technology can be used for vendors, contractors, remote employees, but it's also critical for the remote workers because you still have to provide them technical support. How does the help desk now working remote help someone else working remote? It allows you to literally jump from the help desk person, wherever they are at home, through the trusted source, with the proper authentication all the way to the end user, and then do the things like sharing desk file transfer, all the tools you need from a help desk to make, say they work. Okay.
And with all credentials stored and with least privilege. Sorry, that was a BeyondTrust answer, but
Yeah, that's okay. It was a question which, which included BeyondTrust. So that's totally fair.
And, and right now, one, one final question to you. So to speak, if you could recommend one change to my endpoint security, maybe mine, even what would be the most effective,
The removal of admin rights for remote workers. Don't let them operate with admin rights, pull it from their local accounts. Don't give them the secondary ones. 88% of Microsoft critical vulnerabilities can be mitigated by the removal of admin rights. This will stop a lot of ransomware dead in its tracks, a lot of malware, because there's nothing for it to execute against. Remove local admin rights.
Yeah.
Even though I could argue, this is something we, we, we are discussing for how long,
Long time
Since I'm following Microsoft security notifications, basically it's always the same thing, this is the main thing, but yes, you are right. And so don't do things in the admin context you should not do and be careful with using admin rights specifically when you're accessing remotely and fully with you. So I believe we had a very interesting conversation today. Hopefully it was as interesting to all the attendees of today.
Maurice, thank you very much for participating in this call webinar and describing a cold webinar and for BeyondTrust for supporting it was a pleasure company. Thank
You.