
Ep21 | Utah Schools' Cyber Checkup with Troy Lunt and Virtru

Air Date: March 20, 2024

 

On this episode of Virtru's "Hash It Out" podcast, we're decrypting the cybersecurity vital signs for Utah's school districts. The state auditors just ran a diagnostic check and found some areas where schools need clearer cyber planning and workforce-wide awareness training.

Join Tony Rosales, Sr. Solutions Engineer at Virtru, and Troy Lunt, Technology Director and Data Privacy Manager at Iron County Public Schools, to get the district IT perspective. Together, Rosales and Lunt hash out practical ways schools can implement the CIS Controls. Lunt will decrypt which key controls are must-dos for locking down student data, hardening devices, and getting staff cyber-aware.

From the Virtru side, Rosales will shed light on how our data-centric security solutions can directly enable districts to check some major CIS Controls off the list. From encryption to access controls to protecting data no matter where it goes, we'll show how Virtru provides that added layer of security.

We'll crack open real-life case studies on how Iron County has incorporated CIS Controls into their cyber game plan, with an assist from Virtru along the way. Lunt will provide his insights on the new state laws requiring cyber incident reporting and cross-agency coordination.

By the time we wrap this hash session, you'll have the keys to conduct your own district cyber checkup using proven strategies from both leadership and a powerful security solution like Virtru.


Transcript
Welcome, everyone, to today's Hash It Out session. We have the honor of being joined by Troy Lunt. My name is Tony Rosales. I'm a solution engineer here at Virtru. I will turn it over to Troy. Why don't you introduce yourself, Troy, and then we'll get into it.

Yes. Thank you. Troy Lunt. As Tony has stated, I'm the technology director, but also the data privacy manager for Iron County School District. We are located in Cedar City, Utah. I've been with the school district for ten years. Before that, about twenty-five years working for software development companies.

Awesome. Thank you, Troy. Appreciate you being here today. Today, we're gonna talk a little bit about, kind of, the cybersecurity checkup that the state of Utah did with the schools recently and kinda what the findings were there. And I'd like you to, if you wouldn't mind, kinda get into your experience with that and where, if at all, Virtru has been able to help.

Yes. So we, you know, understanding and knowledge and being immersed into this stuff is most important because if you don't have somebody like in our case entities of the state that are helping us along, and you're trying to figure this out on your own, you're going to miss things. And so fortunately for us, we started out on a much smaller scale for situations where our, like, for example, our special programs director needed a way to secure data that was being shared with different entities of the state. We just found that by starting to use that, all sorts of opportunities opened up. And I can go into multiple different opportunities there, but one of the things that has really come through the state that has helped not only Iron County School District, but every school district in the state is the need for an adoption of a technology framework.

And so up until about two years ago, this was new to everybody. And so, but having those guidelines in place as a way for us, as a template for us to not only follow, but to measure how far along we are in that process, is most helpful. And the framework that we use, as noted by the state, is CIS Controls, or CIS is Center for Internet Security. And it's one of many different frameworks available for use, but that just happens to be the one that we use and that has been designated for our use in Utah.

Gotcha. Any reason why that is, Troy? Is there something specific in there that you find really useful for the state's particular needs?

It's probably the most useful in the way that it works with school districts because we have a lot of different things that we deal with.

Gotcha.

We deal with inventorying of devices. If we don't know what we have, there's no way for us to manage it and be able to track that and make sure that we're keeping the users on the end of those devices safe and secure. And so there's a lot of, what we use is the CIS controls that is implementation group one. There are eighteen different implementation groups and all of these deal with all sorts of things all over the place. And so as I mentioned, one of them is inventory, having an inventory of your hardware, your devices, your items. And there's eighteen of these, one of which gets into data security, and that's where Virtru falls into, is that data security implementation group of that framework.

That was, yeah, that was gonna be my next question for sure. Is that, you know, the different controls, one of them being a little more data centric. Do you find that apart from making sure that the end of end point devices are securing some of the other controls that are in place. What specific hurdles or what specific blockers have you found with data security and actually protecting that information, that, you know, Virtru's helped with or has Virtru helped with, and just, yeah, maybe kinda digging it out a little bit.

Sure. So I think the greatest achievement, and this isn't actually, I wouldn't frame it as a feature of Virtru. It's more of what you brought to us in terms of knowledge.

Gotcha.

Until we had Virtru, we had no idea that this was even a problem. And suddenly, out of the woodwork came all of the individuals that were using and controlling data and finding that they were, in the open, sending things that they should not be sending. Yep. But in their minds, they knew it wasn't appropriate to do that, but we haven't provided alternative solutions for them, and I recall the time when I first sent this out when we first implemented, and I sent this out to a group of secretaries which was our actually, our third group that we implemented.

Mhmm. The number of emails that I received with just thank you. Thank you. Thank you. We were wondering if we were ever going to have a solution or if we were gonna be held accountable if something should end up in their own place. So you brought an awareness to it and then solved that awareness. So now it's really been a beneficial core product of our district.

Yeah. No. That's a really great point, Troy. And it's one of those things where if you're not tracking it, you don't know.

And if even the end user, should that person want to actually do the right thing and follow protocol and procedures, if they don't have a means to do it, what can they do? Right? And so, you know, with our tools, it's like secure share and the email plugins and even the gateway, gives you all of those mechanisms to be able to actually take the information and just deal with it in your standard workflows without having to change the way you do business just to make sure it's secure, which I personally have always found as the right way to do it because an end user is going to do what they need to do the most efficient way possible because that's their job.

Right? Their job is to do what they need to do and to kinda move on to the next task as opposed to having to reinvent the wheel or having to start over or go to something else, when we can meet them in that workflow, that's when I think Virtru becomes a really powerful solution.

Very well said. Absolutely. And that was our experience. And has been our experience.

That's great. No. That's really good. In terms of the CIS controls, would you say that you're pretty much there? Are you just at the tip of the iceberg? What tools are you leveraging specifically to actually meet these guidelines to make sure that you're moving forward into the future in the right way?

Right. So we have gone through self analysis and everything. And of all eighteen of these implementation groups, and we're certainly not there. We have work to do but we've made great progress. I think we're ahead of other districts in some senses because we have been fortunate to be able to get on top of this early, and that really is the key, is getting on top of it early so that, when the time comes that we do have to demonstrate our compliance, that we have all of these things taken care of. And for example, when you get into the data security aspect or element of this, which happens to be the implementation group number three or actually implementation group one, but it's control three of the CIS controls if you're looking for the specific control is control three.

And it goes into things like ensuring that we have, any kind of that personal data, whether it be student data, whether it be, employee data, any of those kinds of things that has to be encrypted from beginning to end. So end to end encryption is most important.

Yep. But, I really like some of the things that come along with that. So, you may have been a recipient lately of emails that you come through and say, I don't know if it is really meant for me, if I trust it. And when you get an encryption of data, that's something that it's easy to send something encrypted. But if you're the recipient, you might question that saying, I don't know if this is safe or not. And so part of our, yeah, part of our practices have been take this, take a few minutes and take this offer that Virtru has to enter some free text that does not get encrypted and it's shared with the end recipient so that they feel comfortable that what you're getting is something that they can trust.

And even more so than that, being able to put timestamps and things on it so that we're taking care of one of the other controls that are part of this group controls three, which is making sure that that data does not remain in perpetuity if you don't intend it to, that if you're sharing something and you need to make sure that that data is shared with somebody but doesn't persist.

You can very easily put dates and times on those. One of our processes to remove the forwarding options, just things that normal users may not think is important, but on the security side, it is very important that they're compliant with those things.

Yeah. Yeah. No. That's exactly right. And kinda one of my favorite things from within the control center is the ability as an admin to go in and say, these things must be there, whether a user does them or not, you actually as an admin can go in and say, okay. You know, this expiration day must be set. There's a minimum of thirty days we'll say or something like that. And that's kinda one of those things that lets you ensure that the controls are being followed rather than just saying, okay. We're training our users. We're gonna make sure that they understand what to do, and then we're just gonna hope for the best. Right? And that is just not good enough in today's world. So, yeah, I know that's really, really good stuff.

Troy, the last time I was in Utah with you at SAINTCON, we talked a little bit about a use case you've had with, I believe, your school district nurses and kind of the information that they have to send that is kind of a subset within a subset. Right? So there's obviously the greater stuff that CIS controls are really pointing at. But then there's also that, you know, we've got HIPAA data within this smaller niche group. Tell me a little bit about that use case because I just found it so interesting.

Yes. So the easy resolve to that in the past was the sharing of data with the state. We have a responsibility that if a student has an IEP or a 504 that they're working from, these are essentially programs for students of special need or that might be under the care of a nurse while at school, those kinds of things. We have to share that information with the state, and there was a single, like, evening process that would run where we would connect through a secure connection or secure tunnel and send that data, but that very quickly became not near enough because we had to be able to communicate at, you know, on demand whenever we needed to send anything. And so being able to take that function that required us to create a sync process, to schedule that sync process, now users if they have a request, and it could be something as simple as a transcript request or it could be as you say something that delves into the area of HIPAA and the health care needs of a student. Those kinds of things now can be handled by the end user without having to coordinate that with anybody else. And it's as easy as just taking, creating an email, attaching any text that goes with it, any documentation that goes with it, clicking a button to say, okay. I've got it all set and off it goes.

And now users are not having to contact the end party saying, you know, at some point in time, you're going to receive this. They can say be watching right now because you're gonna receive this right now and it just improves their ability to take care of the students that we have. And whether that be something that they're sharing that requires a parent's approval that is, you know, those communications with a parent or legal guardian for a student. Or maybe it's a historical record that's kept in a, in a separate file so that other nurses can look back on that, but it's not necessarily meant to be a shared document with parents and legal guardians.

We know that whether it's going by way of email or whether it's that at rest document, we'll say this is not collaborative at the time. Those are also being encrypted and secured through the secure share part of that. So whether it be email protection or secure share, it takes care of all of those needs very well.

Yeah. No. And I think you hit a critical point, I think, in that some stuff is meant to be shared between the school or the nurse and perhaps a medical practice. Right? And some stuff is meant really just as a report that a parent should get. And you don't have to worry so much about all these extra steps just to get from one thing to another and making sure of all that. Right? It's audited. It's trackable. There are rules you can set as an admin, and the end user can simply just use their normal workflow that they were using before with the added benefit of that end to end encryption and access control, which I think is really kind of the win here. Right? It's being able to let the users do their job without having to think of alternate means of getting that information in and out, and that we have multiple communications slowing everything down. Yeah. Alright.

Then the worry on their end is gone. They don't have that worry anymore of where this data is going and am I going to be responsible for somebody, for this data getting into the wrong hands. You know, they know that if they follow these procedures that we put in place, that they're doing everything possible to secure that data and we know that we're not gonna run into those problems.

Yeah. Exactly. Right. And it's just one of those things where it can be cross agency. It can be within the school. It doesn't matter. Right? It's just the, any old person that they need to get in contact with, it is a simple flip of the switch and away we go.

Now that's great stuff, Troy. Thank you. You bet.

Awesome. Well, we only have a couple more minutes here. The only other thing I was kinda wanting to talk about is, is there anything that you would say, having gone through all the stuff that you've gone through, is there anything that you would kinda say is a key takeaway? Something that you would want to mention as, you know, if you had to do it over again, you would have focused on this, maybe that, or anything, kind of, along those lines.

Well, I think there are two things that I can comment on. One of them is our initial assessment of our users and the rollout. I think we said there are ninety users that might need to have this. We grossly underestimated that.

And we should have taken the time to really assess that to begin with, then we wouldn't be having to go back time and time again. Yep. Because in the end, what we found is that all users that have anything to do with communication in our district from time to time are going to run into that. And so we've moved from a, you know, a single, individual licenses to now going to more of a domain-wide licensing model. And so it's really going to make a difference for everybody in our district, and we can't wait to begin to roll that level up.

But the other thing that I wanted to mention is something that was a little bit of, I don't wanna say it's problematic, but it's something that when we talk about our nurses and our special needs teachers and those and the collaboration side of it. Sometimes when you've got an encrypted file and they want to look at it you know, off in another location that the looking of that is to, take possession of that document and open it up and look at it. But now I just saw a couple of weeks ago where Virtru released a new feature that actually allows for the viewing of these things. So you can open that up and view it.

And that is going to open up an opportunity for so many that all they need to do is view something that is an encrypted document. They don't have to really take possession of it or do any kind of collaboration with it, but just through the contents of that. And that is for us, that is huge. And I wanna thank you for that because I didn't know it was coming. And then I saw an email and I was like, yes, they are hitting all the right buttons on this.

Awesome. Thank you for that, Troy. Appreciate it. Yeah. And that's the name of the game with access control, right, is how much access am I willing to give as the content creator or data owner?

And, being able to kind of control that to your, you know, as you said, to the very point of I need them to see it, but nothing else. It can be very powerful. So, yeah, thank you for all of that. That's right.

Troy, I wanna thank you for your time today. It's been great. I really, really enjoy talking to and kinda about all this stuff. You're very, very knowledgeable.

So I really do appreciate your unique insight. And, thanks again for everyone listening.

We appreciate your time. And, thanks again.

Great. Thank you.
