
Protecting Customer Data in the Cloud

Air Date: January 19, 2023

 

As organizations increasingly transition to cloud-based systems, safeguarding data has become a top priority. Whether dealing with protected health information, client financials, or other sensitive consumer data, stringent regulations necessitate strong security measures, and customers rightly expect their information to be kept private. Despite efforts, concerns persist regarding data breaches and unauthorized access.

In this edition of Hash-it-Out, Virtru Senior Solutions Engineer, Tony Rosales, is joined by Brandon Ferreira, Director of Client Success at UpCurve Cloud, a Virtru Platinum Partner and Vanguard Award recipient. Together, they shed light on this complex issue and explore practical solutions for organizations. We will explore the intersection of industry and technology, addressing the fundamental question of how to harness the benefits of cloud computing while ensuring the privacy and security of sensitive data.


Transcript
Alright. Well, welcome everyone. This is our Hash It Out. This is, we're talking a little bit about, you know, kind of the state of cloud today and how things are working out in kind of the environment. And, I've known Brandon for a long time. You know, we used to work together. You used to do a lot of cloud migrations and stuff. And so it's nice to kinda get to talk to an old colleague and an old friend, and really kinda dive into some of the modern challenges and things that, you know, we're kinda dealing with. And so Brandon, again, just wanna give you a second to introduce yourself, and kinda tell us a little bit about yourself and UpCurve.

Yeah. And thanks for having me Tony. It is great to work with you again and speak with you. Always a pleasure. So, yeah, like Tony said, my name is Brandon Ferreira. I am the director of Client Success Center for Cloud.

And, basically, what Upcurve Cloud does is we are a premier partner for Google. So when organizations need support or services regarding Google Cloud, Google or space, etcetera. They typically come to us and we provide that to them. We manage all sizes of organizations and all sides. So verticals and industries and trying to find things that are going to benefit their organization the most and a lot of things that are coming up recently is security and bolstering security posture. So perfect timing. Yep.

Yeah. So yeah. That's kind of interesting. I think that's really when I wanna start today is, what I remember especially, you know, from back in the day, it was definitely one of those things where once you start looking at moving information to a public cloud, a more collaborative suite situation.

You immediately have to start looking at different pieces of data security. You know, are we making sure that our network perimeter is there if at all. If it's still there, is it hardened? If it's not, you know, where did it go? And so those are the types of things that immediately pop into my head. What would you say are kinda some of the key things to talk about with clients as they move into that public cloud arena?

Yeah. There's a lot of things to consider when moving into that, especially if they're moving from something like an on premises system. And then moving to the cloud, then moving from one system to another. A lot of times people under the false assumption that while we're in the cloud, it's safe. We're secure now. Everything's great. Whereas, it's probably a little bit more secure than like a bordered in house kind of environment, just because you can see things a little bit better and you can address them a little bit quicker. There's still some safeguards that we have to put into place. So some of the things that we immediately wanna talk to our clients about are access control and managing the data, and then also the end user actual training of it, making sure people know how to use the systems that they're being given access to and how to stay safe and here within them.

Yeah. Yeah. No, that's funny. So access control always in my mind kinda starts keying in. Okay. Well, well, what compliances in government regulations are requiring these things, and maybe they're not government. Right? Maybe they're regulatory in terms of, like, certain business verticals and things like that.

But those are all things you have to start kinda putting together because, again, things aren't kinda secured behind your firewalls. And in your network, now we're kinda out in the open, and we have to make sure that we're doing things like storing data properly and making sure communications are properly secured and stuff like that. So That is a really interesting point. What other kind of key things would you say besides, you know, securing the communications collaboration things would you say are kind of, prevalent to bring up on those onboarding calls, right, or those initial conversations?

Yeah. I mean, outside of communications, it's really important to see basically what their security posture is. Okay. Well, how do you have your service account set up? Do you have factor authentication enabled or multi factor authentication? What are you using if you are in a regulated industry? Like you mentioned earlier, oftentimes, a driving factor for security conversations is that because they're in a regulated industry. The government's come out with this new compliance and we need to meet it. That's not always the case. There's times where IP needs to be protected or just general sensitive information that would be detrimental to an organization if it got out of that kind of environment.

And so kind of trying to find all those paths and where things are flowing to how things are ingress and ingressing are probably the first points and some other things that we like to look for, initially talking and doing that a lot more to procedure.

Yeah. Yeah. And you said something I think is probably one of those things that's more on the practical side than, you know, here's all these tools that you can buy to kind of fix things. And that's training the users.

Right? Because what we have found, it is really, whether it's on prem, cloud, or whatever, is that the end user is kind of the key threat or the thing that that attackers are keying in on. And so making sure that those users are informed, educated, and kind of, made aware that they can actually do things to benefit the company as opposed to, you know, just kind of hiding things. Right?

Like, the old, I remember, you know, the old IT shows of, like, oh, man, I just gotta phish him out. I just won't tell anyone. Right? Like, that attitude won't do anymore.

That is something that has to kinda come out and be trained so that they know not to do that. Right? Not just go along with things as they go.

So do you think that you with the customers you're working with, do you think that they're kinda coming at a situation of, well, I wanna move directly into the cloud? Are they looking at more of a hybrid environment where it's Public Cloud and a little bit on prem? Are immediately adopting the cloud and moving into, like, multi cloud where they've got something kinda everywhere? What are your conversations kinda looking like when it comes to moving forward? Is it baby steps?

You know, what are you seeing?

Yeah. What kind of the beauty of not being verticalized or only working with specific industries as we come across kind of every different scenario, which is good. That makes us pretty diverse in being able to answer complex questions regardless of where they're coming from. And so the answer is, yeah, we see all of that.

We see some people taking baby steps and just putting one or a couple other applications, maybe their productivity suites into the cloud. And then we see people just saying it like a big cutover. Okay. We're done On-Prem.

Everything's going to the cloud today. Everyone pulled on that kind of thing. So, yeah, we're definitely seeing that. And those each create unique challenges in regards to security because the more kinds of access points that you have, the more difficult it is to manage.

But, there are ways around that so you can make that less. So it doesn't feel okay. We have all these doors open. How do we lock all of them? There are better ways around that.

Sure. Sure. Yeah. I mean, like, what comes to mind immediately is, like, single sign on. Right? So the first thing to do is lock everything down under one, you know, main tenant or one single strategy. Right? And kind of, and when you start thinking about, like, best practices for data governance, then or in and network and access governance.

Right? It's hard not to start thinking about the different pillars of zero trust where you're saying, okay. Well, I have to make sure my network is secure. I have to make sure my communications and my users are secure and that we are authenticating against something that is a little higher level with MFA and things like that.

So I think what ends up kind of coming into focus is what are we doing about the actual data? And is the solution I know I found at least several years ago, the solution was we'll keep the data on servers in house and we'll put all of the applications in the Cloud. And that's a good answer because all of this stuff is behind my castle, you know, that I've guarded and put a remote around and it's protected. But that's really not a good way to make sure that that information can travel and can be collaborative.

Right? So what are you seeing your customers doing in terms of that data now? Right? Years ago, that was one answer. But what are they doing now? Are they trusting cloud systems a little bit more, or what do you see?

I mean, sometimes you do see that, but we definitely advocate for zero trust control. And like you're saying to kind of further the metaphor of the castle, yes, it's great. You've locked it down. You have your walls and everything. It's protected. But what happens when somebody needs to leave the castle or come in the castle? And you're kind of opening it up to bad actors or kind of any men in the middle attacks or anything like that. So really, what do we need to protect? And that's the data itself.

That way, whether it's in the castle, it's moving out of it, it's going into your different cloud applications On-Prem. No matter where it's actually flowing, you're protecting the data itself. Not saying you shouldn't secure your endpoints because you should in your applications, but it's a lot less troublesome and a lot less to have to worry about. If you know that no matter where the data actually goes, you still have access to control over it.

You still can put different rules on it. And so that way, if something were to occur, you're able to kind of take action on that regardless of where it's sitting at that time.

Great, great points. And what I feel like is ultimately the goal that everyone was striving to kind of starts taking less and less manpower to get there because, you know, all of these goals have been around for a long time. Right? In terms of making sure that things stay secure and protected and whatnot. And like you said, sometimes you have to open the doors to the kingdom to kinda let that information in and that you don't wanna do. That's not good practice. But sometimes you simply didn't have the manpower to do that.

And I think that's probably one of the biggest things I've seen in terms of when people start moving into a public cloud system and scenario is that the need for all of those, engineers and techs and overseeing bodies to be able to kinda make sure that that happens, starts to become less. And so it becomes a lot more realistic, right, especially for your SMB and mid market teams that may not have a giant IT team, right, may not have that ability to be able to invest in things like that. So, to me, I see it as a really, really great thing, a really good way for everyone to lead with a security mindset, right, as opposed to just, well, if we can get there, we'll get there.

Yeah?

Yep. Yeah. Kind of tying back to what you said earlier about the kind of the practical ways that we can safeguard data and a lot of that comes from the user. I think the number is eighty percent of data breaches are from human error, which is natural because that's what we do.

But as you kinda get to the small mid market space like you were saying and we kind of have sort of having these more complex problems. What often tends to happen is not necessarily all we need to know, hire a bunch. We need to invest a bunch to make sure this is secure. Kind of goes the opposite direction.

People start being less secure. They're like, well, there's too many things to do here. There's too many controls, too many this is just making it hard to get my job done. I just need to send this email.

Why do we need to worry about all that? And then that's where problems start occurring. So it's easier we can make that and the more knowledge we can provide them. So kind of attacking from two angles, both the training, and then also real controls that kind of just help as a backup when they might not accidentally, we hope people aren't doing things maliciously, but accidentally there might be a breach, then we wanna make sure we can cover all that too.

Yeah. Hundred percent agree with that, especially because you know, I would love to say that everyone is security top of mind and as much as people want that to be the case. If it's not easy to use, people aren't using it. Right?

I mean, people have work to do. And they just don't have time to jump through twenty hoops they're gonna find some easier way to do it because they've got fifty other things to do on their plate that day. And so that has always been my experience. And so I think you're spot on when you say that if it's not easy to use and if the users are not properly trained, and we don't have all of these things in place, where it's just comprehensive, then it's just not gonna get used.

And it doesn't matter what level of training or what fancy software you purchased, it's just not gonna happen. And so that that becomes, I think almost the most important thing, right, is making sure that your product is easy to use, and then everything else kind of falls into place. Is it secure? Is it meeting compliance and things like that?

But that ease of use piece and being able to not only be easy for your users to use, but for your recipients and people that you're collaborating with to be able to use in a simple platform is something that is paramount in my viewpoint.

Yeah. Definitely. Awesome. The harder it is to use the less likely they are, and that's not really a good thing when it comes to security. No. Yeah. Thank you.

So the other thing I kinda wanna talk about a little bit is in terms of your onboarding, what would you say is the priority as far as teaching those users best practice during your, like, change management. Right? Is security in there? Is it the first thing you talk about? What would you say, kind of bringing on that new customer, where would you say that that information is kind of brought up and talked about?

Yeah. For most of our onboardings, we do provide end user security awareness training. That's part of the training that starts to come into place once they have access to the system. We kind of peppered in to begin with being like, well, you might have done it. This way in your old system, be prepared. You're gonna have new controls, new rules, new, protocols and procedures going into this new system, but really once they have access to it or right before they do preferably, that's when we get into the training and start teaching them, okay, this is kind of what you should be looking out for in this environment. These are some of the messages you might receive and things like, you know, watch out for the old go get a gift card for your CEO, scams. Those kinds of things are still as prevalent as they always have been. So that's kinda when we start getting into it. But ideally, the environment is set up. So once they get into it, once they're dropped into it, they're as set up for success as they can be from the get go.

Yeah. Yeah. Absolutely. Yeah. No. That sounds about right because ultimately, you know, when you start talking about those things, there's a lot of change. Right, from what it looks like in an On-Prem environment to what it looks like in a cloud and remote worker environment.

Right? And sometimes there's a little in between. Sometimes there's not. It just really depends. And so I think introducing that training at that key step is probably a really, really good place to start talking about different tools and start talking about different solutions. They're gonna help meet those data governance requirements, you know, in terms of that thing. So are there any and again, just simply because it's been a while. Are there any emerging technologies or emerging applications that you guys are seeing, apart from Virtru of course, that are, something that you're like, man, we've we really like this, like, a cloud management software or what are you seeing that's like a tool that really leads that security first or making sure that the data is secure first type scenario?

Yeah. I mean, outside of Virtru, so Google is definitely making some big strides in that. They certainly lean on their partners, their security partners, but things like, making their client side encryption more available or accessible. Of course, that still needs to have a key management system or server in place for that. But we're seeing that becoming more and more popular in Google's pushing that more in their lower tiers. Yeah. Outside of Google, we're working with some tools now that protect for things like, ransomware scanning and security posture kind of, dashboard, if you will. Showing you that these are the controls you have set up. These are the ones that might meet your compliance. You should configure it in this way. Just kind of, again, taking down the barriers that make it difficult to manage your data and manage the security of it. So that way, an admin who may not have all the time in the world to just sit and look at security dashboards all day can be able to make decisions on the fly and make sure that they're secure. So we're using a lot of applications in that regard to kind of give you a better look at the data that's in your environment and then having actionable items for it.

Yeah. And I mean, the more things change the more they say the same. Right? It's that onion layer approach to security. I have a lot of things looking at a lot of different things. And as long as I can have some sort of cohesive report, then that actually greatly helps me. Right? And so that's awesome.

Yep. Well, awesome. I have asked a lot of questions. Do you have any questions of me?

No. I think it's been great. I think we kinda covered some of the biggest points that are coming up with a lot of our customers right now. And just more and more so, like I said, at the top of the call, I think more industries, more organizations are finding out that this is important. It's not really a back burner item anymore. We'll get to it when we get to it.

Because the other side of it, the bad actors are just getting better and smarter and more sophisticated with their tools as well. So we need to be able to be, kinda on the front lines, combating that.

And Absolutely. I think all these things that we've talked about are in the right direction for pretty much all organizations at this point.

Yeah. Absolutely. Well, Brandon, thank you so much for your time today. I really appreciate you kind of carving this out in your day. And, look forward to doing more business in the future with you guys.

Absolutely. Thank you. Talk to you later.

Thank you. Bye bye.
