Ain’t No Mountain High Enough: Achieving Zero Trust for a Mobile Workforce (feat Art Ashmann from VMware)
Widespread remote work has called for a paradigm shift in how we conduct enterprise cybersecurity. On this week’s Endpoint Enigma, VMware Staff EUC Solutions Engineer, Art Ashmann joins Hank Schless to discuss how mobile and cloud technology have enabled us to manage both work and personal responsibilities from anywhere and what organizations can do to securely take advantage of it.
Episode Transcription
Hank Schless 00:09
Hi, everybody, and welcome to this episode of Endpoint Enigma. I'm your host, Hank Schless. And today we're going to flip it around a little bit and do a little bit more of a lighthearted topic. We're gonna talk a little bit about how mobile and cloud technologies have enabled us, you know, kind of the positive side of this. So how we can manage to work and carry out our personal responsibilities pretty much from anywhere in the world, which is definitely one of the more positive things that's come out of, you know, this massive evolution in the way that we conduct our day-to-day lives. And to talk about that with us, I'm pleased to be joined by Art Ashmann, who has over 15 years of experience in the IT industry, is currently a Staff EUC Solutions Engineer over at VMware –– or actually has a total of 17 years in the industry. So I'm really excited to have you on here, Art, and, you know, 12 years with VMware, the primary focus on EUC, and has worked from home exclusively for over a decade, actually. So you're definitely the guy to talk to. And my guess is you've done a little bit of that from the outdoors, as I understand you're a pretty avid mountain biker and snowboarder as well. So welcome to the show, Art. Glad to have you.
Art Ashmann 01:10
Thanks. Glad to be here.
Hank Schless 01:11
It's gonna be a fun conversation. So, before we dive into kind of the meat of things here, could you just give our listeners a bit of a brief summary about your background and how you really ended up at VMware?
Art Ashmann 01:20
Yeah, what's good, as you said, it's 17 years worth of experience. I think I had the upbringing of any IT professional, starting out maybe in desktop support, moved in different organizations, taking on different roles, finally coming over to VMware almost 12 years ago. Had a vast portfolio to support, but still had an attraction to what was going on in the end user computing space. And I stayed there. I think the thing that really kept me in this position is the flexibility and the passion that I find in the solution. Based on what you just said, I've been able to just have the convenience of carrying my work in my pocket. And I've been quite productive in the backcountry, snowboarding in, like, three feet of powder up to my knees. And I think the big thing is I've been reliable. But we'll talk more about this.
Hank Schless 02:16
So, yeah, well, honestly, I mean, what I'd really love to dive into is where you're recording in three feet of powder. But you know, maybe that's a different conversation. But kind of bringing security into the conversation, you know: With mobility being a huge part of productivity from a security standpoint, in your opinion, do you think there are kinds of cultural shifts or adjustments and strategies, that kind of overall corporate enterprise security strategies, that need to be made to make sure that you as the individual and your entire team are able to leverage that mobility, but really that reliability safely without putting really anything at risk?
Art Ashmann 02:49
Absolutely. Especially in the digital age, computing policy was created based on the technologies that were at their disposal when those policies were created –– I mean, some of these policies and how offices and organizations operate. They wrote these policies, I'd say, maybe 10 to 20 years ago, with some evolution, I would imagine, right as the advent of certain technologies brought things more accessible to folks outside of the corporate network, if you will. You know, strategies around firewalling and VPN and things of that nature; those things were the solutions to help take those policies and move them forward. However, in today's world, and the technologies that we have at our disposal today, everything that these technologies are intended for is to make sure that the enterprise or the use of the data and the applications are safe to use. But also, of course, we want to be able to foster the easy-to-use aspect of this as well. And I think organizations can take solace in knowing that the solutions are out there in the world to help solve problems and help maybe accommodate a more mobile workforce. And organizations absolutely going through these exercises today, trying to navigate this in COVID, was an unfortunate circumstance. But at the same time, it was somewhat of a blessing and opened the eyes of organizations to say, hey, maybe mobility is a reality. And it's something that we truly can embrace. Because there's folks across the entire planet that are successful in maintaining safe-to-use and also maybe making things a bit easier to use, because it can be confusing when we start to take less legacy policy and architectures and once again, make them mobile. So, but the fact that the technology is there, it is absolutely paramount that people recognize that those technologies are there and rewrite policy to accommodate this new way of doing things.
Hank Schless 04:52
You know, I'd be curious to know if you know… VMware is a well-known name. You guys are an exemplary company in many ways. So I'd be curious to know: is there anything that you guys do internally or have put in place in the last couple of years? I mean, what have been some things that you've seen that maybe folks who are going through this process could take back as a couple, almost a couple of action items, but also just as an exemplification of maybe some of the greater trends across the industry?
Art Ashmann 05:16
I hate to use the marketing term. But it's an easy one to attach to, because we're talking about, on a regular basis, zero trust. From a security standpoint, we talk about zero trust. And I think the model is just talking about what should be considered. I think, number one, what I'm seeing in this is maybe a focus on identity, and identity that's very broad in subject matter. But I think about what we're kind of replacing. I trust this user that I hired from my HR department to go into my building. So security automatically might be afforded through a card, like an ID badge. So I badged into the building, I'm physically in the building, we know that whatever I'm going to interact with as an employee is safe, because that ID badge made it safe. And then the walls of the building made it safe as well. So now I go to my desk, I sit down, I log in with my Active Directory credentials. And everything that I'm touching is internal to my network, and it's just safe. But all of that, what I just talked about with Active Directory credentials, and then there was a credential at the door. That's identity all day long. It's me, Art Ashmann, logging in and badging into the building. So I think identity and knowing who your user is, is one line to the equation, but it's a big one that I think organizations maybe will… it's like a good first step. Of course, with the concept of zero trust, there are other pieces to the puzzle than just who the user is. But you cover a lot of bases just by starting with identity. And then from there, the multiple layers. So we've got the user, the identity. We've got the device; this is Lookout, ensuring that the device is safe to interact with the enterprise. And then the other layers that we have in here are network –– what applications, what data they get to interact with.
As long as you're covering your bases from this perspective, not to say that the hackers and the malicious folks in the world can't find ways around this, but we're in the business, I think, in security, to plugging holes on any of these aspects. And then as the new holes are exposed, well, got to figure out a way to plug that one as well.
Hank Schless 07:33
Yeah, no, I mean, you bring up an interesting point, which is zero trust has kind of become a damned-if-you-do, damned-if-you-don't term on the marketing, external-facing side. But when you look at it from an internal perspective, you know, part of the issue with that whole phenomenon is that it makes it seem like when you're standing there, you're looking and you're like, “Oh my gosh, I have to do what I need to do to achieve zero trust.” But it'd be in my opinion that –– you should let me know if you agree with me or not –– it's almost like you're standing at the bottom of a mountain, you're looking at the peak, and you've got 15 different trailheads you can start at, and you have no idea which one is the shortest, which one's the longest, which one's gonna have the bears on it, which one's gonna have looser rocks, which one's going to be smooth sailing. You know, it's like you're kind of looking there, and you're like, what direction do I take? And on top of that, it happens to be this mythical mountain where the summit constantly moves from left to right. So who knows if the path you're taking is the right one. I mean, that's sort of how I think a lot of people feel when the market is so inundated with this terminology. And I think it's really important for the solution providers to collectively say, like, “Alright, we need to bring this back to earth world.” The way I've looked at it, it's almost like it's become this, this series of just-because statements –– right? Like, just because it's a user ID and password that works doesn't mean it's the user that they say they are. You know, just because a device is connecting from where they usually connect doesn't mean it's trustworthy. I mean, would you agree with that type of approach to it? Or how would you take it?
Art Ashmann 09:02
I'm always a big fan of bringing it back to what do people want to achieve? So even talking about going into Starbucks, right? A, is that truly an outcome? First of all, we're an organization. So they understand that this is a possibility. And now they're starting to massage policy to saying, “Okay, we're going to invite this organization and saying, ‘Yes, I want users to be able to interact with my enterprise from Starbucks.’” Let's say that's the outcome. Once we've gotten there, then we can look at who that user is and what they truly interact with. And we can make some decisions. And you don't have to have the entire mountain applied to that one user. Because maybe the user doesn't interact with the most highly secure data. It may be. It's very public-facing data anyway. So, in that regard, I think what customers can do when they're looking at this mountain and all the different trailheads is understand where the destination is on that mountain. If it's only a third of the way, because a third of the way is all that you needed, then only climb a third of the way. You don't need to conquer the entire mountain. But it's always important to just know what it is you're trying to achieve, and what are the requirements to getting there. So when we talk about device trust, and that we truly trust the device, and it's malware-free, but the only application that we're securing is, I don't know, it's a bad example. But, like, “Angry Birds.” You know, obviously, if that's the case, let's say you're a video game tester, and you want to deliver your unique code of an IP video game into the hands of your QA folks. What do you think about? Does the device truly have to be malware-free to successfully test that app? Are there really any security ramifications around the testing of that app prior to going on the shelf?
So, in that example, there, you could make a decision and say, “No, maybe I don't need to.” But the organization has to make those decisions to say, “Where do we need it?” And here, admittedly, is the unfortunate part around purchasing around this. Everybody, for the most part, sells in packages when you make an investment in technologies to deliver applications to users. Once again, motive is: safe to use, easy to use, how much of either of those sides of the equation do you require? And then who you decide to make an investment in the investments is intended to be based on just a package of goods. But it tends to be in those packages that you might not need all the bells and whistles because you don't need all the bells and whistles to protect the QA version of Angry Birds, as an example. So organizations also have to kind of make a decision now that they've said, “I have my requirements around securing this application. I’ll go and look at a package of products to secure it. How much of that do I really need?” So I think it's an interesting world we live in here, navigating this, especially when we've got customers out there that are not necessarily familiar with the concepts of mobilizing the workforce and what does it truly take to do it. But I think customers can take an educated approach on how they solve these problems. And I think the idea is kind of going back to your mountain analogy. Even though the market is saying “buy zero trust and here's the mountain,” just know you don't have to buy the whole darn thing. You just don't and you don't have to implement all it. It's knowing who you are and what your business requires.
Hank Schless 12:42
You say you don't have to achieve the whole mountain. I completely agree with that, you know, especially when it's something like, okay, we want to be able to control access, you know, implement policies, whatever it is, where, you know, what if someone is on a device, and you know they're just trying to access like Evernote? Do we really need to implement some policy that says, “Oh, my God, you're being profiled as low risk based on the device profile; you can't access that?” when we know that all they really use Evernote for is personal notes. It's about resource allocation, right? Do you need to allocate the resources to build out policies for that particular application, wherever it may be within your organization? Versus being like, okay, when someone wants to access Salesforce or whatever use for like your back end finances or your R&D tools –– whatever it may be –– like, that's where it's, like, “Okay, somebody's even at low risk; we want to be able to make sure that they are under the policy of like true zero trust, when even from an organization, like, who the user is…”
Art Ashmann 13:36
Actually, I like your example of Evernote because that seems somewhat innocuous, right? That it's not an issue of an application because the use of it would be personal notes. But as soon as that user –– here's a good example of where you start to climb higher on the mountain –– as soon as those personal notes start to take on PCI data; you know, somebody starts putting in Social Security and credit card numbers in Evernote; wow, now listen, we really need to start protecting this. Now interestingly enough, Evernote, they might have some functions that, and it’d be… I would, as a customer, shop this way and say, “Hey, Evernote, can I bind to a package that has DLP functions and afford to do it?” And if Evernote says, “No, we don't have that feature function,” now I have to turn and shop and say, “Okay, in the pub, the bubble or the map of zero trust, where do I start to put some focus and start to expand on securing this user walking around with credit card numbers on their Evernote in their pocket?” So there's the weird part about this and zero trust that I love is that you can look at DLP and know that there's functions in different layers: the data layer, there's the application layer, data itself, Social Security and credit card numbers. The application layer arrow would be: does or doesn't have that function. If it does, great, we're golden there, but also guiding even going back into the networking layers. And then of course, the device and user layers is where we're operating it, usually end user computing. But the networking layer is a very interesting one. Because if you think about networking, every device ends up traversing a gateway in some form or fashion. There are products, typically, what we understand as cloud access security brokers, that have implemented functions within them, to understand what that data is, and where that data ends up going digitally.
So that's how customers can kind of navigate this a little bit and say, “Okay, I, I have a specific use case that requires more climbing of that mountain.” And I love this as an analogy of the trailheads and everything, right? Which trail do I want to pick? Maybe we can even look at each trail of these different layers and saying, “Okay, I am going to satisfy this on the network layer.” And the reason why is because we don't want somebody taking the data out of Evernote and maybe copying it into Gmail, as an example, and sending it off to some random person on their own personal Gmail account, whatever that is –– right? It's… but I think the idea is that this concept of zero trust at least gives customers a map to understanding where they can put their focus, depending on the different use cases.
Hank Schless 16:37
Yeah, absolutely. So we're coming up on time here. So I don't want to keep everyone too long. But you know, you've offered a lot of great perspective through our conversation here. And, you know, let's see if you can set out like two or three things that, whether it's an individual listening to this or somebody who's saying, “Hey, I want to go back and take this back to my team,” how can people really take advantage of mobility in the way that you're talking about and do so securely, in your opinion?
Art Ashmann 17:00
Yeah, I think I, you know, I think the biggest part –– and I think I've already highlighted some of this –– is it really is dependent on use case for you. And I think we get to adopt this world of mobility because we work digitally, right? Everything we do, in some form or fashion, is on our computer. And then if it can live on the computer, in the end, it can live on your cell phone or on your tablet. So that's not a big deal. So first, you got to look at your role, of course, and just say, “Hey, can this specific role be mobilized? And why would you do it for one?” But once you've made that decision that, yes, it can be mobilized, what? What value are you really bringing to the organization by doing so? So, the pandemic was an easy one. Everybody's gotta social distance; it's being mandated across counties across the country. And, obviously, there's different feelings on this subject matter. But that was a good focus of just saying, hey, gosh, everybody's just got to get out of the office. And thankfully, some organizations were already in a great position to mobilize anyway. And so they adapted and had very little disruption to the organization because of the pandemic. But yeah, but either way… But there's, of course, besides social distancing and mitigating the impact of disease is one of many values that mobilizing can bring to the table. So I think a big one that I love to talk about is quality of life. We want to bring a better quality of life to a particular use case. Mobilizing absolutely is a big part of this. So last thing I'll say, based on what I just said: who are your users? How do they interact? Is their main job digital, number one? And then how do we rewrite policy to allow IT organizations to start rethinking how they're accommodating different users in this idea?
And then the last piece to it, of course, is, now that we have this room for creativity, because the policy has been rewritten, then the IT staff can now be creative in saying how do we mobilize and ensure safe and easy to use? So I'd say those are three things to maybe take away. After all of this.
Hank Schless 19:27
There you are. It's been great to have you on. Thank you so much for joining us. Always great working together with you guys. The Lookout-VMware partnership is strong, and we take a lot of pride in that from both ends. So thank you for joining us.
Art Ashmann 19:38
Absolutely. It was a great pleasure. Thank you for having me.
Hank Schless 19:42
Absolutely. And so for all our listeners, thank you for joining us today. If you want to learn more about this partnership between Lookout and VMware, you can go to lookout.com/vmware. Pretty straightforward one there. And as always, you can find the latest from Lookout on LinkedIn and Twitter just have to look out. Thank you for listening today, and we will see you next time.