HOST: David Broussard
GUESTS: Rob Burns, Cybersecurity Practice Director
DESCRIPTION: David and Rob walk through five considerations to reduce your organization’s cybersecurity threats.
5 Considerations to Reduce Your Cybersecurity Threats
HOST: David Broussard
GUESTS: Rob Burns, Cybersecurity Practice Director
DESCRIPTION: David and Rob walk through five considerations to reduce your organization’s cybersecurity threats.
Adelina Kainer 00:00
Welcome to Digital Reimagined, a podcast packed with insights from Apex Systems, world class technology services leader working to reimagine value for our clients.
David Broussard 00:11
We'll bring you the voices of industry experts to showcase our proven solutions that span across digital innovation, modern enterprise, and workforce mobilization.
David Broussard 00:21
On this episode of Digital Reimagined, we are joined by Apex Systems' Cybersecurity Practice Director, Rob Burns. Rob, welcome to the digital recording studio.
Rob Burns 00:31
Thanks, David. Happy to be here.
David Broussard 00:33
Well, we're talking about a topic today that is just of the utmost importance with companies working from home, people logging in from anywhere and everywhere, across the country or even the world at times. We're talking about cybersecurity and five considerations that companies should have to reduce their cybersecurity threats. And I'm excited to talk to you about this, Rob. So we'd love to just hear a little bit about your thoughts when it comes to what you put first. And I think a lot of people would consider the most important part of this new world we're living in is the zero trust framework. Talk to us about that a little bit.
Rob Burns 01:12
Right, right. Great question. So actually, this is a strong topic to start with because I think anybody that's in the information security space or on the network side or infrastructure, everybody has their own opinion and really their own focus from what this means. Right, so the concept of a zero trust framework is essentially a model where you never trust but you always try to verify. And this varies across different industries and different clients. We find that through a lot of our conversations, a lot of customers make the initial determination that most of their endpoints, if they're not already compromised, they have the capability to be compromised very easily. So that model that they take is: the device has been compromised. They identify it, they identify the user, they identify the specific device, they identify, through authentication or authorization controls, what that specific device or user is trying to access, whether that's a specific application, a specific area of a network, and they build security policy based on more the role-based model that they're trying to protect. So a lot of that really is driven from trust evaluation engines, general network access control, and adaptive access control models that customers might put in place. And quite honestly, a lot of this is also driven by the identity piece, right? So at the end of the day, it is based on the identity of the user or the device as it accesses a network. So organizations that start on the zero trust journey, if you will, they're going to come in at different stages, right? Some are going to start at the network layer, some are going to start specifically with endpoints and how they manage laptops or virtual desktops and how they secure those components. And then others will be a little bit further down the road where they've done those things and they're actually doing things based on identity.
David Broussard 02:53
That's a great insight. To kind of parlay that into another one of the concepts that you mentioned in your five considerations is the identity, the user's part of this. So when it comes to that digital identity component and how it ties in with the zero trust framework, what are companies doing? What are the key components of making sure there are the correct policies for the users at those endpoints to do what they can to not compromise things?
Rob Burns 03:21
Yeah, I think when you look at the identity landscape, and traditionally, I think most organizations think of it as just a user-based model. Our thought process is shifting a little bit more to more of a digital identity approach. Right, so it's not only the end user, or the individual identity, but it's the other access or the other attributes that are part of that. What applications do they have access to? How can we manage at least privilege model, where they only have access to the things that they truly need to do their roles or do their jobs? I can't think of a single customer that we've talked to over the years at Apex where they're not at least down that path, or to the point where they're actually improving upon their privileged access models where, you know, they're verifying two factor authentication components, or they're looking at how do they do, you know, service account management for applications with tools like HashiCorp or CyberArk or other capabilities to increase application security space.
David Broussard 04:14
Rob, the third component that you mentioned is DevSecOps and embedding security capabilities, policies, procedures into your DevOps lifecycle. Can you expand on that?
Rob Burns 04:25
So when you look at organizations that are in this kind of DevSecOps journey, how do we deliver a secure code model for the lifecycle development that's happened. Delivering creates secure gate reviews, whether it's static code analysis, dynamic code analysis, security assurance framework capabilities across the entire lifecycle. But ultimately, what we're seeing is not only is this a model where you can embed security, but it's also an area where a lot of organizations are starting to do more automation. They're starting to do a lot more as it relates to their capability for building application containers and other environments in a more automated fashion. So they can eliminate a lot of the manual effort that happens. And that's important because if you identify and research data breaches and compromises and things that happen within organizations, a lot of it ends up being kind of what I would label an IT hygiene problem. So that's where, when you look at the DevSecOps model, you can embed security and operational efficiencies, you know, protections in everything you do.
David Broussard 05:24
And you mentioned the data management piece of that, and how that ties into DevSecOps, and just whether it's content you ingest, or buying patterns that you have. As a user, how are companies making sure that our data is secure?
Rob Burns 05:39
Right. Yeah, so when you look at the entire data management space, you know every organization, regardless of industry or size is in somewhere on this data protection journey. So one of the key areas that I think is probably most prevalent is in the data protection control space, right? So when you have organizations that are leveraging information across their on-premise data storage but then also in the cloud, so now you're dealing with multiple environments, you're dealing with your structured data, unstructured data, you're dealing with data in use, with data in motion, how is it being transferred from one environment to another, then of course, when it's at rest, right? So that plays into a lot of the traditional data loss prevention capabilities, data protection strategies, how is that data flow analysis going within the environment, and what does that lifecycle look like as far as the access control? I think what we're seeing here is a blend of digital identity, data protection, and the whole DevSecOps model coming together to protect information, protect identity, and protect assets.
David Broussard 06:40
You're right, it's interesting how these are five individual kind of subjects, but how they so closely tie together in terms of a company's overall security posture. And you know, when you think about the digital transformations that so many organizations are going through right now, Rob, you mentioned data management, whether it's on prem or in the cloud. So many companies moving their data from an on prem type of environment to the cloud, and that I'm sure creates other security risks for organizations. And coincidentally, it's also your fifth consideration, is security in the cloud. So give us your thoughts on what the key components there are for organizations.
Rob Burns 07:20
Right, right. Well, I think today, one of the key concerns, I think, is really around the infrastructure or even the cloud infrastructure entitlement, right? Who has access? How is that access managed? How does that model evolve from the traditional on prem access control capabilities to what you're using within the cloud? Part of it starts with establishing continuous visibility and having assessment controls in place on a consistent basis. It's no longer a quality due diligence effort if you're doing it on a quarterly basis, like maybe you could do for on prem systems, right? You need to be doing this consistently. You need to be evaluating user access, data access, different applications, the network level capabilities. How are you managing or segmenting specific applications from others? But I think the most important factor here is that you know, all these areas that we're talking about today, the reality is they all come back to kind of adopting an approach to data management, digital identity, DevSecOps and cloud security that takes into account some level of a zero trust model. You have to have the capabilities to then say, "Okay, I may not trust what's happening here, but I'm going to verify what's going on."
David Broussard 08:26
Rob, it's a good segue when you think about what our customers are talking about and what they're asking us for, to give the listeners a little bit of insight in regards to what Apex is doing to help our customers improve their security posture. And there's a solution around privileged access management and authentication of applications that fall into those digital identity and DevSecOps considerations. Can you talk a little bit about what we're doing there?
Rob Burns 08:52
Sure. Yeah, actually, we have a team that's engaged with one of our customers in a couple of different areas. One is the privileged access management components. We're actually deploying one of the leading vendor solutions for some of their application admins, system admins, and even some additional users. Not only within their production environment, but we're also building that into the DevSecOps lifecycle, so that as they're testing their applications through the development stages, they're going through the right access management reviews, based on what they would see in production with those tools. The secondary piece there is we're also working directly with them with a specific vault that's being leveraged with the customer where they have service accounts and passwords that are vaulted. They're used during runtime of applications so that the end users within the application areas aren't storing passwords, they can't be used. It's basically an automated way to protect those privileged credentials that can be used within the scope of those applications. So we've worked with them to embed this into their process and lifecycle. But I think the reality is when you start looking at the increase in the application security that this provides, at least for this particular customer, where they actually had audit findings and other things because of this, it's an incremental increase in the way they secure their applications. But then downstream, we've also helped them with some application logging, anomaly detection, and other things so that the applications that are across their environment or their enterprise that aren't using these tools can be identified and then remediated at a later date.
David Broussard 10:20
Very well summarized, Rob. Always like to try to leave our listeners with a final thought. When it comes to these five considerations we've talked so in depth about, can you summarize it with something that that our listeners can walk away from this podcast thinking about?
Rob Burns 10:33
Yeah, a lot of the security space is driven off of, you know, models or conversations around data breaches or data protection and what's happening with information. But again, at the end of the day, your security program is only as good as the relationships and the capabilities that you can build across teams, right? If you look, even at the five things we covered today, it's not just security resources or security personnel that are doing these functions, right? You're interfacing with database teams, application teams, infrastructure peers, structured data, unstructured data, network groups, business resources that're used to identify the right roles and access control that needs to take place within an organization. So what I would say is that the concept of security and data protection isn't just a reliance on a security team of 500 people. The reality is, it's an organizational model that has to be adopted and be maintained across different teams and organizations. So the more collaborative you can be on creating these processes, the more willing people are going to be to accept them and build upon them and improve them.
David Broussard 11:37
I couldn't think of a better final thought when it comes to this concept, Rob. Thank you so much for hanging out with me in the digital studio today. Great to see you again. And thank you for all your insight.
Rob Burns 11:48
Great, appreciate it. Thanks for your time.
David Broussard 11:51
Please be sure to subscribe to Digital Reimagined wherever you listen to podcasts.
Adelina Kainer 11:56
To learn more about Apex Systems' offerings, visit us at apexsystems.com/insights. You'll find our podcasts here along with success stories, articles, news, and trends.
David Broussard 12:09
The music you heard was Do Ba Do by Otis Galloway.
