Securing Access Everywhere: Best Practices for Identity, Device & Access Management
With Promevo & JumpCloud
Join Promevo Alliance Marketing Manager Hailee Zapata as she hosts a comprehensive webinar on implementing zero trust security, seamless device management, and enforcing secure authentication policies.
Featuring insights from Chase Doelling, Principal Strategist at JumpCloud, and Colin McCarthy, Change Management Leader at Promevo, this session covers how to automate identity management, reduce security risks with multi-factor authentication, streamline IT operations, and much more.
Learn about the real-world challenges and solutions for managing a hybrid and remote workforce, including device and application management strategies, and understand the benefits of adopting modern onboarding processes and unified access management solutions.
Timeline & Topics
00:00 Introduction and Webinar Overview
00:38 About Promevo and JumpCloud
02:06 Understanding Zero Trust Security
03:57 Challenges in Modern Device Management
05:07 Identity Management Complexities
13:28 Onboarding and Device Policies
21:59 Privileged Access and Security
28:14 Rising Expectations for IT Reliability
29:56 The Evolution of Google Workspace
30:53 Balancing Security and User Experience
33:59 The Importance of Patch Management
35:51 The Necessity of MFA
38:41 Success Stories and Best Practices
42:41 BYOD and Device Management
50:09 JumpCloud's Unique Features
51:43 Q&A Session
Transcript
Hailee Zapata:
Welcome to our webinar: Securing Access Everywhere: Best Practices for Identity, Device, and Access Management.
I'd like to introduce myself. I'm Hailee Zapata, and I will be popping on and off your screen as the host today.
So over the next about 45 minutes, we'll talk about how to implement zero trust security, enforce secure authentication policies and manage devices seamlessly. We're going to learn how to automate identity and access management across all endpoints, reduce security risk with multi-factor authentication, and streamline IT operations. And then like always, we're going to do our live Q&A session with our presenters.
Before we get started with that, I want to talk about Promevo just a little bit.
Promevo is a Google Premier Partner that sells, services, and builds Google products. We specialize in ChromeOS, Google Workspace, Gemini, Google Cloud, and we have our own proprietary workspace management tool, gPanel.
Promevo has the best of partners and we are very excited today to be working with our partner, JumpCloud, on today's webinar.
So let's get started with Chase. He is the principal strategist at JumpCloud, and he's joining us today, along with Colin McCarthy, who is our Change Management Leader at Promevo.
Chase Doelling:
Perfect. Thank you everyone so much for joining us today. We're really excited to be here.
And for those that haven't heard of JumpCloud or not quite as familiar, I just want to just briefly cover.
So we offer an open directory platform. So we unify your identity, your device and access management all into one. And we're happy to serve over 200,000 organizations across 160 countries, which is just crazy to say now. I think JumpCloud ourselves, I think we have folks across 17 different countries, and it's just been amazing to see part of the growth and stretching close to 1000 employees, which is really awesome to see.
And here are some great customers of ours that have leaned in the technology with us. And but more importantly, I like to focus on the lower half, our G2 crowd.
We spend a lot of time working with our customers or admins, making sure that it's up to snuff that the software actually solves your problems.
As we lean into that and we really encourage folks to check us out there to make sure that, you know, it's not just us tooting our own horn, right? It's a lot of organizations that are leaning into it with us today.
But enough about that, let's get into the fun stuff. So this is what I was really hoping to hop on and talk about today.
In terms of how you're thinking about best practices, especially involving identity and device management, all those other elements. And I know Colin and myself, we've dived into this a little bit beforehand in terms of there's a lot of different, I'd say, compliance frameworks and other things that especially evolve around it.
And one of the things pops up is zero trust.
Colin McCarthy:
Yes, a lot of people think that Zero Trust is just a product you can buy off of the shelf, plug it in, turn it on, deploy it, and you're done. But it's a lot more complicated than that. As you say, it is, it's one of the frameworks. And part of zero trust is trusting no device, no user access, and verifying all the time.
And it's... when we look at our traditional IT networks that a lot of people probably on the call have inherited or maybe built from scratch over the last 25, 30 years, they don't really lend themselves too well to provide the services that we need today and give us most importantly the security that you get from having a sort of a zero trust mindset and philosophy when it comes to device management, user management, and security.
Back in the day, managing a network, it was so easy. You knew who the identity was. People had one account. It was the Active Directory account, probably, or a Novell or some other directory service account.
They would log onto one device and you knew exactly where the device was because it couldn't be moved. It had a big CRT on the back or on top of it. And access was in, in a physical location, everybody would go into the office. And I think COVID, even in the last sort of four years, there has been that dramatic change in how access is thought about devices that people use.
And we all know from the explosion of SaaS applications and certainly adoption of Google Workspace and other web-based collaboration platforms that are out there, the identity part and knowing where your users are signing in with your corporate identity has just exploded.
And there are a lot of people who have that nailed down, but there's a lot of companies that are still struggling with some of this tech debt and legacy systems.
Chase Doelling:
Yeah, I think this has become really hard for folks. And when you're thinking about transitioning and say, okay, where am I at now?
And I want to get closer to kind of these zero trust frameworks or compliance or kind of whatever that end goal for security teams might be. It really is, kind of, this combination.
And so this is a little bit more I'd say the IT perspective kind of device there's a whole other mountain of process and making sure that people actually follow the documentation and other things.
But when you're looking at the technology, especially around identity, I think a lot of organizations are suffering from what I call identity schizophrenia, right?
Got 10 different logins. They're all, kind of, doing the different things, and it's really hard for people to have kind of one unified or centralized identity in order to understand that access.
And then for devices too, right? And so this is by default has become, the most important piece of equipment. And oftentimes, honestly, it's the only piece of equipment that organizations are shipping out, right?
So everything is happening on that device. So you want to make sure that no matter where that user is it's secure, it's managed, you understand what's happening across those different areas, especially as it relates to SaaS applications and access. And then understanding how all of these kind of play into each other and really what it is able to do there.
And as you mentioned, we're catching a lot of organizations here where it's like, okay, great. I want to adopt that. I want to bring on AI, whatever that new initiative might be. But now I'm forced to modernize, you know, kind of how I think about my Active Directory instance or kind of, for those on the call that get the Novell reference, like you get 10 points. In this notion where, hey, if I'm on prem, I know my identity and access is within these four walls.
And now what we're starting to see is, access has become much more domain-less, right? So no matter where you are, and we're actually seeing more people coming back into the office. So hybrid is actually becoming much more of a pain point, right? IT's actually come back and say, all right, we've got to make sure the networks are up.
And so all those different pieces are really falling onto organizations and how they set their employees for success.
Colin McCarthy:
Yeah. And thinking about employees coming back to the office, that causes another layer of complexity when they're not using the corporate device and if they're using a BYOD device.
Thinking of that old way of working with Active Directory. I know we talk about, what has changed in the last four years. I know a lot of companies did really struggle at the start of COVID and in the early 2020s with forcing people to connect to the VPN.
If the only way you have to manage applications and the devices is to force them to be on the network, physically on the network, which was fine when everybody came to the office you had no other way of pushing out GPOs, group policy objects which is a policy that says this piece of software is going to do this, or it's going to get updated.
And of course there's a whole bunch of problems with devices becoming out of patch compliance makes it very difficult to push out those patches over a VPN.
I think it has really hindered a lot of companies in being able to provide the services not only for their staff, but the security that they need to be maintaining when you're reliant on those old models. But it's good that there are new directory services that we can use and you can consolidate people's identity.
I have heard of and I'm sure you have as well, and people who are listening, horror stories of companies having multiple identities and there not being a source of truth. And even different naming conventions on each identity as well. Just not sustainable.
Chase Doelling:
Yeah, absolutely. And this is typically what you hear in terms of, okay, how do I either change the model or how can I extend or modernize what I have now in order to take advantage of it?
And I think it's been a slow rolling trend that we've seen. A lot of folks really focused about that, in terms of their out products or how they operate as a business, but not so much the identity.
This has been one that's been stuck inside of the server room. And it's one of those last pieces to make it into the cloud, and it really allows folks to make that holistic cloud transition.
One of the pieces that we have every six months within JumpCloud, we run this global survey across IT admins.
We get a good cross section in terms of, what are the different habits? How are people evolving? And even just some interesting stats, right? So 84 percent are leveraging mobile devices just to get into their day to day, right?
And so this kind of adds in another layer of complexity of BYOD, but it's making sure that there's multiple different devices and also the device type. And so 32 percent of devices are either Mac or Linux.
And we've seen too, that this trend continues to rise. Organizations that bring in Apple devices are less likely to remove them. They become a little bit stickier. But they also have organizations that are planning on investing more and more in Windows as they come out with different types of tooling. So this number continues to fluctuate.
But I think what you can take away here is that most organizations are living up and growing with a heterogeneous environment. So how do you make sure that you can manage across all those different pieces, especially when people are remote, right?
And so I fit in kind of the green category of all these different areas where I use my mobile device and running off a Mac. But then I've also been hybrid remote for the last few different years. And so how do you make sure that all those different changes, right?
Whether I'm recently joining the organization or I'm changing roles or I'm leaving the organization, having all those different policies and securities that, as you mentioned, kind of, you know, what is your GPO type of scenario across all these, making sure that you're able to enable your workforce, to have a valuable contribution versus limiting them into only what you can access.
Colin McCarthy:
Yeah, it's amazing the diversity in devices that there are now in a network, being an admin for 13 plus years of experience before then, we tended to just have one standard device, one operating system. And you can essentially put all of your eggs and all of your knowledge in one basket.
I do think admins now and IT professionals, do have to be jack of all trades, master of most, be able to expertly manage their Windows devices, provide access and management to Linux devices.
There are a lot of companies that have developers, a lot of companies that probably on office on Google Workspace, you know, working in the cloud, in the development market where they're building something themselves, they're all going to have developers and those developers, you give them a choice. They're likely to choose a Linux based system.
They're very difficult to manage with a traditional stack of tools that we have. Yeah, and it's that... that change has been great because it does put the right tool in the right hands for the right person.
It just does add that terrible layer of complexity for us admins to be able to manage them and get a good single pane of glass, although a lot of us will strive for getting an application that will give us a single pane of glass view of all of our devices and settings, it is very difficult to correctly manage all of those devices to the right patch level and application deployment level that you would need.
Chase Doelling:
Absolutely. And I think it's and that becomes a really important part for organizations. You think about is the consistency across different devices, making sure, hey, are all my drives encrypted, right? Do I have all the lock screen policies available to you?
And then even when you talk to Linux, yeah. Are there different favored versions or flavors, if you will, of that, are you Ubuntu or kind of the Mint? We're seeing that kind of distro grow a little bit and they all have different nuances in terms of are you able to manage that? Are you able to provide it? And then you get wild cards, right?
I was actually having a conversation right before this webinar around Apple Intelligence. Great. How do we deal with that? What is the difference between the Apple Intelligence here versus actually on my laptop? Because there's this difference between the personal and kind of corporate feeling.
And all those things are questions that we now have to think about as we start to evolve and have a much more heterogeneous environment and how people start within the organization and operate.
Colin McCarthy:
Yeah, you're right to point out even the different versions of Linux that are available on some of those device level settings that need to be considered across...
Certainly when looking at the Apple ecosystem, a lot of the stuff that's available on the Mac will also be, have corresponding settings or admin functionality on iOS, you know, the phone and iPad devices.
Chase Doelling:
It's coming into the fold for sure.
And I think one of the bigger pieces that we talk to a lot of organizations on is processes are different. And one thing that I wanted to poke out a little bit is onboarding, because this is typically been one of the largest time sucks.
And oftentimes it's unexpected and they're like, oh, they're coming in on Tuesday and you make sure you're all set up. How do you make sure that you're all set from that environment?
And so I got a couple different icons that I'll walk you through, but really gives you the perspective of elements that you need to think about first is that person's identity, right?
So we talked a lot about having this identity schizophrenia and let's make sure that you're set up for success with one centralized identity that allows you to get you access into those different types of pieces, including those devices, right?
And so you typically want to lean on a platform and pieces of technology that, as much as you can, creates that single pane of glass. So that way, regardless of what device they want to operate on, you're able to give them that choice. So again, coming back to that example of saying, hey, I'm joining as a, maybe a senior dev lead. And I want to have this type of Linux machine.
If you can't offer that might be a deal breaker, right? And so you need to come with the people team, making sure that, Hey, we're able to acquire the right talent. Because you're able to work on the tools that you want. And then also networking, this has become more fun, shall we say, right?
Kind of going from a VPN based world into a coffee shop world, and then back in between, depending on what your Tuesday looks like. But a big key element of that is these next few layers where you're thinking about the types of policies that you want to have on those machines, making sure that they're consistent and they're secure.
So that way you know that no matter where they are, they are who they are, and they're working from a secure device. And then another element of that is also some more of the certificate space, as you start to think in and device trust has become much more of a crucial conversation that we're having a lot of different IT and security folks where say, hey, we know that's ours. That's step 1, but we also know that it's trusted and that it's managed by us and we have the certificates put in place that's becoming much more of a conversation.
And then the next couple of pieces are really the day to day roles, right? So I put Chrome in here one because it's a circle and it fits the nice little icon.
We've actually found that almost 70 percent of our customer base within JumpCloud is leveraging Chrome in some capacity, whether it's the primary browser or secondary, and people are really leaning into this. And I also bring it up because guess what? It's also the most attacked and most patched version of browsers out there.
And so it's another element where you're thinking about how to manage that holistic user experience, right? As they get into the next pieces, which are the applications. And this is really where people spend a lot of their time. That's where I spend a lot of my time. And it's really where a lot of organizations are building up their own IP.
When you think about it, your IP isn't stored in some walk in closet down in the third floor basement and other pieces, right? It's in all these different applications. It lives within your AWS. It lives within your Salesforce, right?
All those different elements of information and how they're tied together. That's really how a lot of modern organizations are formed. So making sure that you have access into those applications, primarily leveraging SSO if possible, is really helpful.
And then for the, or the applications that don't, then you also want to think about, okay, how do I have those different pieces of access across password managers, and then also challenging that.
So it's one thing. I know we've talked a lot about getting into the stuff, right? Authenticating into it. But then you also, on the other side of the fence, you want to make sure that you have the authorization available to you. So just because I brought you on right as a senior teammate doesn't mean I necessarily want to give you prod access right away, right?
What are the conditions that you see for the organization? Making sure that you hit a good balance in terms of authentication as well as authorization and making sure that you're accessing the right things and nothing else at the right time from the right device in some of those pieces.
And so, Colin, I'd love to hear your perspective on kind of that flow and other pieces that you've seen in terms of how organizations are thinking about onboarding and all those different complexities there.
Colin McCarthy:
Yeah, modern onboarding is often a hot topic because everybody does it slightly differently and there isn't, generally, one size fits all for how you're going to do it.
I am very glad that you have got the logo for Chrome and mentioned it because the management of Chrome is very important, but it's often overlooked. A lot of companies are just saying, oh, I just need to install it and it'll be fine.
But if you're on Google Workspace, which hopefully everybody is, you can easily manage it with Chrome Premium Core, which gives you the ability to do a cloud-based Chrome management. So you don't have to do, you don't have to manage it through a traditional GPO, which we've decided that everybody on this call and everybody else listening in the future is going to do their best to get off of the idea of managing their devices through group policy objects.
Yeah. But with Chrome Premium Core, you can manage the actual Chrome instance so you can make it more secure. You have visibility into extensions that might be installed. And it really is an underutilized facility inside Google Workspace.
And then there's also the enterprise browser part which is also very important when we're thinking about the security aspects of a device and access as well.
So with Chrome Enterprise Premium, you could do much deeper, more granular access controls. And that's something that I know a lot of my colleagues have been looking at, but um, modern onboarding is something that there's still a challenge.
I've mentioned, I don't want to, I'll mention it again. During COVID, we --cause even though it's a few years ago, I think a lot of the struggles that people had back then are still relevant today, certainly with hybrid and remote work still happening-- is in IT myself as an IT professional and a lot of my colleagues and other companies, their biggest challenge during COVID was not the tech side because we know tech. We've got the tech down. The biggest challenge was logistics.
We went from being an IT department to a logistics department. It was getting the right people the right device at the right time, wherever they were around the world or around the US.
And a good modern onboarding system that wasn't reliant on network connectivity, sending somebody a laptop and then trying to give them instructions about how to connect to the VPN so that the laptop could finish setting up or policies could be applied isn't going to work.
Everybody is expecting that out of the box experience. Everybody has a perception of how their home, cell phones work. It just turned it on. It knows your number. You can easily install the applications you need.
You have to provide a similar sort of experience tied into your HR, HRIS system for giving, as you said, the right person, the right access to the right information at the right time.
It is a terrible experience to start a job, get a device, doesn't have what you need. Every time somebody sends you something and say, oh, look at this application. You don't have access to it. Either something else has to be installed, which is wrong. We shouldn't be installing any applications in 2024. Everything should be web based.
If you don't have access to the resource, that's a blocker. And that should be part of not just the modern onboarding of new hire starting also when people change, when we have people moving inside a business, there's the JML process, the joiners, the movers and the leavers. And each part of that needs to be very robust, if we want to succeed as an organization.
Chase Doelling:
Yeah, absolutely. You hit on a good point, too, in terms of there's so much more of an international aspect now, and I think organizations are starting to grapple with that.
Certainly we have, right? And as I mentioned, we got JumpCloudians across, I think 17 different countries now, but that didn't happen overnight.
Understanding how to make sure that those people are successful, set up in their time zone. And so now you have organizations that are smaller dealing with problems that, it was typically reserved for just organizations the big multinational corporations that have business units in India, Mexico, Singapore, all those different areas.
Now it's just like a squad of folks, but you still have to grapple with the same types of issues in terms of access, how to make sure that they're productive and coming from there.
And I think coming into our next topic as well is are you privileged to do that in the first place? And so making sure that you're set up for success, but because you're all over the place, how do you make sure that you're able to dive into that, especially from a privilege access?
So I'd love to have your thoughts on how you think about this and setting up clients for success when you think about those.
Colin McCarthy:
We've talked about privileged access for a long time, the principle of least privilege, and that was often referred to about access accounts.
As admins, we always wanted to have our day to day account as a global admin or super admin so that when we were doing our maintenance, we didn't have to switch out of our normal production account and do an elevated privileges.
That's a very bad idea. People should not be using, their super admin account or a global admin account as their daily driver of accounts that they should be using. So that goes for least privilege with account access.
But then I've also been thinking a lot about privileged access or least privilege for devices. It's not only with the software that it has on it, and I know we talk about the old idea of gold images back in the day, but also, the type of device that is being issued. And it is giving the right tool for the right job at the right time.
And this is an area that can spin off to a couple of different IT security focused topics. Because the other one when I think about privileged access is, it's contextual access. Not only it's understanding that user, but also understanding that device.
What can that what is the status of that device? Where is that device? Where is that account? What can it access and how can access it?
If it's a corporate machine, yes, it can download files. If it's a personal machine, no, it can view the files, but it can't download them. And you can do that, with DLP rules.
But yeah, this is our that the old way of working when we think about the traditional office and GPOs generally was built around that gold image.
Certain parts of the IT team would be squirreled away for a couple of weeks. They would download the latest version of Windows XP, Windows 7 or whatever, Windows 2000, they would build the image, they would install all the applications. Every application that anybody in the company would need would be on that gold image hard disk, and they would then use that image to work with that, if you're a very large corporation, work with Dell and HP and get that image pre-added to the computers as they get shipped, or your company would use some form of imaging software.
When computers came in to put that gold image on and then that was it. That's, every computer had every, potentially every vulnerability that every piece of application, any piece of software, anybody would need. And it, I think that was, it had to work back in the day when we didn't have the ability to do good over the air app updates, cloud based patch management. And we didn't have software stores.
I'm a big fan of shipping somebody a very vanilla computer just has a browser on it. They sign in, they get instructions to go to a store. Direct them to there and then they can pick the applications that they need. And then, that device only has the software that's needed for that person's role.
And I think that, comes into some of the privileged access for devices when you look about the security risk of not having to patch software that's not going to be used on that device.
And I think that really does raise the security standing of your IT organization by operating like that.
Chase Doelling:
Yeah, absolutely. I was... previous conversation we were having where it was in the context of shadow IT, right? And say, oh, now we have the opposite problem of people are pulling in this and, gone were the days of this kind of golden image because, hey, we knew the security, we knew the vulnerabilities because we are the ones who put it there in the first place.
But that inhibits a lot of different organizations, especially now as you have the boom about any AI application ever, right? For all the different teams and it's becoming more specialized, but it has been over time where everyone's set up is a little bit unique, right? And so making sure that you have the device choice that you want in every team and kind of the applications that they use and how they orchestrate themselves is a little bit different.
And I think the final part is they're all evolving faster and faster, right? The tools that teams are adopting using and then moving on from is a much faster pace, right? And then whatever Windows suite we were currently on. Now it's hundreds of applications could be across the organization.
And to your point, yeah, now we need to pay attention to all those different nuances. Do we need to patch all 100 at once? What are the primary use cases? Can we just make sure that vanilla laptop that we shipped is the most secure thing that we can? And then we're monitoring all those different pieces that come into the device and kind of what are those different ramifications and ripple effects that people can get themselves into.
I think an element of this too, that we haven't spoken directly, but I bring it in from the meta level perspective is people are operating. There's no longer this, especially, you know, kind of work from home, right? You're just switching from corporate web browser, personal web browser, but the experiences are the same, right?
Our experiences in terms of how we interact as humans, the types of devices that we're leveraging are now almost universal and just it's a difference in terms of how we spend the hours in our day and where we spend our time and attention, but those corporate and personal experiences, there's a lot of users that expect them to match.
And I think this caught a lot of organizations, particularly in IT off guard early on in terms of, hey, mobile devices are starting to show up. I'm just going to do this from my iPad. No problem. All those starts and nuances because they expected that.
And now I think we're starting to finally catch up to that new and then kind of understand that from, I'd say, a business application perspective, and especially from the security perspective of also retraining users and making sure that those corporate experiences and security best practices, we want to make sure that they are funneled and enabled for personal experiences as well.
Colin McCarthy:
Yeah. I often relate the story or relay the story about cell phones when talking to people about software packages that they might have or services that they have.
That, uh, end users always, they expect their Android or iOS phone to work all the time. And it does. They never have to think about its connectivity, the applications that are on there, it, to them, if you ask, it probably has a hundred percent reliability all the time.
And there is that expectation quite rightly that if my $500 cell phone can work fine with all my consumer apps why do I have, not the same sort of level of reliability with corporate applications when there's a whole large budget behind the IT department, there's a whole bunch of people, working to support these devices?
So I think there is very much an expectation, which is raising the standards of what IT admins have to be able to provide.
And thankfully, operating systems have got a lot better. I think. I think last year working with a client, somebody did talk about DLLs and I hadn't thought about a missing DLL file for five or six years. IT admins always were having to replace DLL files in a folder and reboot devices and get them working. We don't have to do that anymore.
Things have become a lot better, but they, it is, it still does require a good system and good service to provide everything that the end users are expecting. And I am very happy with the expansion of software stores that does make the deployment of company applications so much easier and then in the patch management of them as well.
Chase Doelling:
Yeah, absolutely. And I think there's two angles of this, if you will, right? So we have the user perspective and they expect their corporate kind of master personnel, right.
And I think one great example here is kind of Google Workspace, right? That's one element that, I know I started personally, especially on my side businesses, other pieces, that's typically where you start.
And now you see this evolution into a very enterprise focused, security driven type of software, but it still has the main usability. So even though it's our primary shop, right, in terms of how we collaborate and work with others and share documents and other pieces. We also know that it's evolved over time, right?
It matches my personal experience. And so even from I'd say a training and understanding and just general wherewithal of how Chase operates, right? It matches within that. And I think that's a really great example, which we lean within the Google suite where they continue to have a seamless kind of user experience, but also hits on the security side.
Colin McCarthy:
Yeah.
Chase Doelling:
Oh, go for it.
Colin McCarthy:
I was going to say thinking about the security side, and I'm always cautious of somebody's deploying security or ways of managing devices that ends up being a blocker for users. So any, any piece of any way that you have of managing a device, certainly when we look at what users are expecting, it all has to be seamless.
Because if they, if we do give them hurdles to, to jump over hoops to jump through, blockers to their work, that they'll find ways around it. And then you end up with more security vulnerabilities.
Chase Doelling:
Absolutely. And you set it up perfectly because I'd say the other side of this is we now have that user expectations, but now sometimes in some organizations, they also expect everything to operate the same way, right?
And so they're shoving, hey, we need full operating systems for things that might not need it. And so here's a good example of that where it tends to crash. And it ruins the experience around it because you expect it to go both ways.
Users expect to go both ways, but IT security, you gotta be a little bit more pointed in terms of, really like, do we need it? Is that creating more blockers for us in terms of the types of experiences that we want our consumers on that side of technology to have?
Colin McCarthy:
Yes. Yeah. I'm very much a fan of the right solution at the right time and for the right people.
It is mind blowing when we look back to July, June, July? July, I think it was, when, devices that didn't have to be full blown Windows machines that were just telling you, where your plane was taking off or ordering your food or the grocery store was running on a full, what we would term a fat operating system a full Windows 11, Windows 10 device, heaven forbid there weren't any Windows 7 devices. I'm sure there were, there's still some out there somewhere.
But yeah, there's, there needs to be. And I don't understand the resistance for some companies not to choose the right generally ChromeOS based kiosk application to let you know when the trains are coming and going, display your menus in your store.
Um, it's all about least privilege and IT professionals have been talking about that for years. As soon as you went to, college, probably day one of any computer science course would talk about, some of the basics and the principle of least privilege, least access. So why is that not done with devices?
Certainly when if you're on Google Workspace managing your fleet of ChromeOS devices is just so seamless. It's built right into the admin panel for you.
Chase Doelling:
Yeah, and I think that does the trick as well because they say if we just deployed across everything, it makes my life easier because I only have to think about one thing, except there's still a lot of gaps, right?
And I think another example that you and I talked a little bit about, a little bit more on the horse short, but it still serves in terms of how you're setting yourself up and managing those devices in and what happens if you let them go, right?
Colin McCarthy:
Yeah. Yeah. WannaCry is a classic in today's history lesson of vulnerabilities. Was it 2017? I believe.
But it's, it will happen again. It does happen. These virus attacks, malware attacks. It's not really a case of if, but when companies will be potentially attacked, certainly with so much reliance still on those old legacy systems, to have a broken patch management, or to not have the right security tools to protect end users from falling foul to some of the malicious ways that bad actors will try and take advantage of devices.
WannaCry was easily avoidable. We're talking about something that happened seven years ago, but I think, what happened in the past is still very relevant to what happens today.
Are people keeping up to date with their patching? Are they confident that all of their devices are patched to the right level? Are they confident that all of the devices that their users are logging into, not just the corporate devices that you have issued, what is their patch level?
Because obviously BYOD is always an avenue of attack, compromising people's personal accounts to then break into a corporate account has happened on a number of occasions in the last couple of years. There's been a couple of large companies that have fallen foul of that.
Yeah. WannaCry is, it was easily avoidable, but millions of companies didn't have their Microsoft patches deployed and updated.
Chase Doelling:
Yeah. And there, there is an element of that type of access. And I think another people say well, great. Well, then we'll just add an MFA on it, right? So we're making sure that we're reducing those attacks.
And even a more contemporary example as well. So I think it was The Internet Archive, I think, about two weeks ago, they suffered a breach of it's the Wayback Machine, if you've ever used that.
They keep track of that. And so all those records released. And so, but it's like, all right, let's look at it. And it typically falls down into, hey, was it a priority? Did we have the budget, but then more often than not, did we even have kind of the simple MFA kind of gotchas on those different types of access?
And so this is one of those that I typically harp on, every chance I can get, and I typically like to go through a different exercise that we'll get to here shortly, which is just, what do you go throughout the day and making sure that you have MFA and your organization is up to snuff.
Colin McCarthy:
Yeah, it's terrible that in 2024 we have to have a slide on the need for MFA.
Chase Doelling:
I know.
Colin McCarthy:
It really is, but I laugh because some companies, still might not have it, might not have it fully deployed for everybody. I realized in 2013, so 11 years ago, that we needed to enforce MFA and I made the tough decisions and talked to the leadership and we deployed MFA to our company of about, I think it was 600 people at that time, and few people complained and it worked there.
There's no justification for any CIO not to have deployed, fully deployed MFA to all of their accounts. And also educate their users on the use of it.
There's a terrible story of the town near me in North Jersey that got a ransomware attack because the town users were not using MFA because the CIO wanted budget for an MFA solution that they preferred, rather than using the MFA that came free with the cloud based collaboration platform that they'd already paid for. And I think he only needed like $35,000 for his budget but didn't have it.
They didn't use the MFA that they had. And ended up paying $600,000 to bad actors to get all of the township's data unencrypted. There should be no budgetary constraints for deploying MFA because if you're on Google Workspace or Office 365 which you're probably going to be on one of those, they have MFA, uh, for free out of the box.
Use them. You don't have to be saving up your money for Okta or Jiro or another version just because it's your preference. Yeah. Everybody should have it.
Chase Doelling:
Absolutely. All right. Perfect. I think we're starting to round up a little bit more of the panel conversation. So the next couple areas I wanted to hop in and then we'll dive a little bit more into the Q&A.
So if you have questions that you've been thinking about something that kind of triggered you, feel free to go ahead and throw that in the comment section. I'll get those addressed shortly.
But really quickly, I wanted to look at and say, okay, great. What does success look like? We spend a lot of time covering what are the different gotchas, how to think about all these different pieces.
And I just wanted to mention a customer of ours, I think really highlights this. A company called Article, which if you'd like some new furniture, they are amazing. I highly recommend checking them out. But they were suffering from those symptoms that I was talking about that identity schizophrenia and saying, hey, look, we had passwords and identities into 10 different systems. We really needed to centralize it, what that looks like.
And so the, through the combination of JumpCloud and their Google Workspace environment, and we're able to extend that access so that way people could get into their devices, networks, applications, all leveraging kind of one unified identity, which really helped them uncover and see a little bit more of a security vulnerabilities and making sure that they were set up for the right success.
And so I know we just kind of talk about them in terms of what that, but what does that mean for you? What are some of the next steps that you can take? And so we are brainstorming a little bit more about this and say what are things that you can walk away from this webinar? What are some of the elements to, to think about?
And I'd love to just challenge you with this today on a beautiful Tuesday afternoon. But what would things look like for you? And so typically I like to start, what I call is just the back of the napkin transition, right? So understanding what your environment looks like today, what are some of the transition points that would really set you up for success?
Another element too, that we just talked about is what do you use today? Keep track. It's almost like a diet and exercise log, but almost for your authentication. What are you authenticating into? Pay attention on what applications, what areas are demanding MFA, which ones you can option into, and where are the gaps that you might need to have some conversations?
And those are great conversations to have with your partners.
Colin McCarthy:
Yes. Yeah. And, for anybody who's listening to this webinar live or later on and thinking, how do I get started? How do I think about making a change in our traditional network? And I would say by having a conversation with a partner, getting some ideas, and then breaking down the project and there are partners that can help you do that, other professionals.
Because none of what we have talked about moving from a traditional system to a modern system is impossible. It can be done. It just needs to be broken down into little steps. We often talk about in IT when we're faced with a big challenge, it's like eating a whale, how do you eat a whale one bite at a time?
In my career, I have changed networks a number of times going to different technologies. You just break it down. You support and educate your IT team. You have a clear plan. You over communicate to your users so that they know what's happening and you also explain to them the better end goal that they're going to get, the better end state that they're going to have and how much better things will be while going through a bit of change.
So, I would ask every admin who's listening to seriously think about what they can do to, to change how they currently operate.
Chase Doelling:
Absolutely. Perfect. And Hailee, I see you hopped on. Welcome back.
Hailee Zapata:
I did. Thank you, Colin and Chase, for all of that wonderful information and walking us through it.
I feel like I'm always like so versed in it. And then I listen to these webinars and I always learn more. So it doesn't matter like what level you're at. They're so fun to attend because you always learn something.
And I just, I did want to point out that with JumpCloud's top notch products partnered with Promevo services, we really have the best support. So if you'd like to check out our website for more information below, there's also a link to the latest JumpCloud blog.
So it has all great information. It's about unified identity, device, and access management. So it's like a deep dive into our partnership.
So let's see here. On the right, there's also upcoming webinars you can register for. This is just your all encompassing contact us. We answer all your questions, walk you through the process, introduce you to the JumpCloud guys. They're great at jumping on calls, so we'd love to hear from you guys.
And now I think we did have a few questions come in before the webinar and then during, so let's go ahead and move to our Q&A.
Okay. So guys, what do you think about BYOD? Does JumpCloud support these kinds of devices?
Chase Doelling:
Yes. It's a loaded question, right? Cause I think it's, as we talked about earlier, there's this notion of kind of devices that aren't corporate owned have been continuously entering organizations, whether you like it or not.
And so people are busy and you got to assume the best intent, I'm also going to be doing my email or Slack or whatever this might be, how do I have some of those different elements? And I think it's really on the second part of hey, how do we support those kinds of devices? What does that look like?
And typically it's you know, hey, it's still on these, it's their stuff. And you enter a very interesting conversation of hey, I know that you work here, you're doing things from a device that isn't owned, right? And we don't have visibility into that.
And so what we found over time is that there's a happy medium, right? And a lot of organizations will think about this either conditional access policies or just access policies in general, where one of the main methodology we've seen is put in a shared box, right? Just like you do on any other good relationship, you have this kind of notion where say, hey, applications within this device, those are corporate owned, you understand that there's a contract between us and we give you that freedom and flexibility.
So that way, when you're on vacation and you need to urgently do something, hopefully you don't cause you're on vacation, wherever you are. You're able to access that. And we're making sure that there's business continuity across that. However, the give and take there is the organization can decide, do we want to remove those apps? Do we need to manage them on our own schedule and other pieces?
And so that's really what we found in how JumpCloud has approached that solution in creating those access policies for different types of applications. But then also having some awareness too. And I think it's one of those different pieces where it's like, hey, if I see you coming in from an iPhone 12, probably not going to grant you AWS access into our product environment, right?
So we're also making sure that there's known areas where it's appropriate and where you actually need to be on a company managed laptop, where we're seeing those certificates, where we can identify that audit and authentication chain. That's really what we're missing a lot is the data and the visibility around that.
It's not that we don't trust you. You're a nice person, right? And we'll see a bit around the Monday, but it's for everything else in terms of that visibility that creates those ripple effects for other teams, especially IT.
Colin McCarthy:
Yeah. And whenever I think about BYOD, there's always the two halves of it.
There's the mobile cell phone, Android, iOS BYOD, which virtually everybody has. Very few companies issue cell phones nowadays. And I think the majority of employees expect there to be some type of MDM, mobile device management, tooling on my personal phone.
And if anybody listening who doesn't, who isn't using MDM on your Android and iOS devices, please do it. Please make that one of your key goals for 2025.
You can do that in, obviously JumpCloud. You can do it in Office 365 and Google Workspace. Google Workspace's great. And then there is that corporate laptop device MDM and also BYOD where people aren't using the corporate device because the corporation wants to issue a heavier Dell and somebody wants to be using their own personal MacBook Air.
I think there are companies that I know of that do block non corporate devices from accessing data, but for the most part, I think people need to be sensible and have policies for all of it.
As you say, Chase, it is segmenting out the data and having that understanding with the end users saying we respect your device, however, we need to know these certain things about it so that you can access our data.
Chase Doelling:
And I think, another good example of that it helps people in their own hygiene is the security probably be like, oh, your pin is not long enough. I remember when those first came out and be like, sorry, you need to use this amount of password to kind of, if you want apps. It was like, oh, that actually changes my user behavior to match a little bit more of a corporate.
So there, there is a blend, and hopefully that gives everyone's security a little bit more of a bandwidth.
Hailee Zapata:
So a couple more questions. I know we're coming up on time, but these did come in. So, what if an app doesn't support SSO?
Chase Doelling:
Then throw it away. No. Yeah.
Colin McCarthy:
Yeah. And I would rethink it talk to your account manager or the company there. Often you might have to pay an additional fee to get those features. They are often part of a premium tier.
But there are ways, Chase, on there to manage that individual access. If you need to.
Chase Doelling:
There is. And as you mentioned, it could be, hey it's a tool that we really like but, honestly, like there's not a lot of folks that have their pricing and packaging lined up to enable those organizations to have SSO out of the box, right?
Slack is a famous example. And if you go to sso.tax, there's a whole running list of kind of the upgrades that, that people are forced with and say, hey, I want better security. I want people to just get into their applications and not have to think about passwords, because that's less password resets that I have to think about. But is it worth 5 a user just to enable those types of features and functionality, where a lot of people get caught up in this, okay, now what?
This tried and true password manager still comes into some of those folds where you want to manage that access you want to make sure that people are doing that and they have the right hygiene to do it.
It's not the best experience, right, because you want to just have more of a seamless. You don't want to think about it. I just want to hit, you know, my logo tile and be in my instance so I can be productive. But there are some guardrails that you need to think about in terms of segmenting access and say great, here's where I can have really seamless access. Here's where I can have okay access, but it's still secure.
And so that, and that's really where we'll lean on IT teams and making sure there's implementation because, at the end of the day, you don't want the other opposite end, which is a whole bunch of shared accounts or passwords that are all over the different place where that makes it really hard to leverage and stand by those applications, because if you want to think it on a scale of a gradient, that's really where we're starting to enter more of the shadow IT type of realm where people are just using applications. They're not thinking about it.
And so if it doesn't work with SSO, I'll just do it on the side, or they find workarounds. People are really good at acting like water and it, they just go around things and then just, get into the access stuff.
Colin McCarthy:
Yeah. Users will always find the path of least resistance. That's why, seamless with regards to security and access.
Thankfully, a lot of applications, even though they won't have SSO, when we think of it in the terms of SAML based SSO, they probably do have OAuth where people can just click a button to sign in with the Google Workspace or Office 365 or other identity account.
Chase Doelling:
Startups, thankfully, are leaning into that in terms of earlier frameworks. Cause I always have this ongoing debate of, do you want to build features that sell or do you want to build features that add in more security?
And so if you add in SSO capabilities, it really comes down to a product management type of role, where if they're able to offload that authentication and to federate it into Google Workspace, Microsoft, Apple, all those different areas. Passkeys is another technology. I'm super bullish on the, I really think will be exciting where you start to transition some of that conversation.
Hailee Zapata:
Very nice. So we are in time, but I do want to ask this question quickly.
What is the strongest feature set from JumpCloud?
Chase Doelling:
Asking which kid is your favorite.
Hailee Zapata:
I know, I had to ask it.
Chase Doelling:
I'll give you, I'll give two examples. One which doesn't answer the question, but one, I'd say the strongest feature set that really sets us apart from the market really makes us unique is our cross OS device management.
And what I do that is in the context of imagine you have a centralized identity, right? We've centralized that from your HR system. But now you can really have kind of device choice and making sure that you're able to manage all those devices from one pane of glass.
You typically don't see that for a lot of vendors, I'd say within the small to medium enterprise space. And that's more of an enterprise feature. Or worse, you have multiple different features to make sure that they're managed. But it's hard, right? And so that really ties in and really helps a lot of folks understand what's happening across their environment, how to make sure that their devices are secure.
Because again, it's the most important, crucial piece of equipment. And oftentimes the only one that people interacting with. So really unlocking that.
The other fan favorite, I'd say my favorite thing to set up in 10 seconds is RADIUS server. Honestly, because it's like you can walk in, you can secure your network, throw it in a web, and you're all set.
And that's one of my favorite where it's like we instantly up level baseline. And that's one of those features that I think is a little bit more unsung, but it's a personal favorite that I like to see.
Colin McCarthy:
And that's going to excite all the network nerds that have listened this far. You listen to the end of the video.
That's very exciting. I haven't thought about RADIUS servers for quite some time.
Hailee Zapata:
That's great. I know we went a little over. So thank you guys so much for your time. I really appreciate it. Colin, Chase, we learned a lot.
Thank you. Thank you all for watching. We really appreciate your time. Happy Tuesday. Happy Halloween.
Have a great week.