Budget for IT is not always easy to come by. You know, kind of fighting our way out of that cost center mentality. If they don't have any money left or the '25 budget is done, how can they get started with no money with what they have today? Welcome to the latest episode of Unraveling IT Expert Tech Talks. Sarah Benz. I'm the Director of vCIO Services here at Corsica Technologies. And today, I'm sitting down with Garrett Wiesenberg. He's the Director of Solutions Engineering here at Corsica. And, I'm really interested to talk to him about what zero trust is, why it's helpful for businesses of all sizes, and how to implement a Zero Trust framework on a budget. How are you? I'm doing well. It's great to be here. Yeah. Good to have you here. So this is kind of a hot topic for us lately. We had a webinar. We had great attendance at the webinar. You shared a lot of great information that day. So I'd really like to use today as a follow-up for me to ask some engaging questions Yep. To you directly, you know, on behalf of some of our clients or the perspective of some of our clients. So if we can just start off by explaining what zero trust security is and why it's important for businesses. Yeah. So zero trust is a framework that's designed to really work with the modern landscape of where IT is at today. So if you think about in the past, we kept everything on prem, and everybody was trying to put a wall around their network to protect their network from people getting behind that wall. Now with workloads in Azure, AWS, you know, more and more SaaS based applications becoming prevalent, that single point of entry into a network no longer exists. And so zero trust really was created with that sort of mindset of securing your workloads no matter where they're at. Yeah. That makes a lot of sense. Anymore, finding a client that's got a true castle and moat Mhmm. Setup that fits their evolving landscape is rare. 
I mean, every once in a while, you might come across someone who still has that infrastructure that still warrants that method, but that's not gonna last for much longer. So okay. So key principles of zero trust. You know, when I think about the concept of zero trust, when I talk to clients about this, a common question is, well, we're already doing a lot of things in terms of security. I mean, partnering with Corsica as an entry point to security is a great first step. Yep. How much overlap is there? How much are they doing already to get them closer to zero trust? There's probably quite a bit that they're already doing. I mean, a great example of this would be multifactor authentication or MFA. You know, that's a big piece, or identity is a big piece, of the overall zero trust framework. So securing your identities with multifactor authentication, making sure that no matter where you're logging in, there's two forms of authentication Yeah. Is really huge. And that's something that most organizations are doing today and that, you know, if they come on board with our services, that's one of the very first things we're recommending to them. So there's overlap from that perspective. Yeah. So MFA feels like the basics. We finally got to the point where MFA is the basics. Right? Low hanging fruit. Yep. Low hanging fruit. I think in our everyday lives, outside of our professional lives, we're doing it with our LinkedIn Yep. Banking apps Yep. Social media. If you're not, you should be. So that seems like something that we can pretty easily check off the list. What about beyond MFA? Like, if you can think of what's the next thing in terms of the low hanging fruit conceptually, like, what should they be thinking about next? They should be thinking about where their data resides and who has access to it as well as what they are accessing it from. A great example, or what we typically do talk about, is SharePoint. Mhmm. 
A lot of companies are already in Microsoft's email platform. They want to leverage more features that are included with the licensing that they're already paying for. That's when SharePoint comes into the conversation. We move their file shares from on-prem to SharePoint. But now that they're in the cloud, the way that you're accessing them Mhmm. It becomes different. Because now you can access them from anywhere at any time. Whereas before, you had to be on a, you know, your client VPN or the VPN that connected you to the network. And so that's typically where you should begin is figuring out where your workloads are at and figuring out how you intend on accessing those and then putting controls and restrictions in place to make sure that no user is accessing things that they shouldn't Mhmm. And no user is accessing things that they shouldn't, from devices they shouldn't. And that's where my mind went. Yeah. When you said, you know, we're just working differently now Yep. People are accessing corporate data with devices that the company may not even know about. Yeah. We run into that. And so often, organizations have people that work from home or remote staff, and we often find that they're using their personal computers or personal cell phones to access company resources, and that's a huge cybersecurity risk. But has it always been? You know, that BYOD concept, people working from home, you know, starting with COVID, when everyone had to figure out how to do it. Has bringing your own device always been as risky as it is today? Yes. What I'm thinking, I'm going back to that castle and moat concept. Right? If there was a castle and moat, and that's really the framework we're all operating on, it's always been as risky. We just weren't as aware. It wasn't as prevalent. I mean, if you think back pre-COVID, I mean, remote work was nowhere near what it is today. Mhmm. 
Some companies might have done it, like some of the big tech startups and things, but your average business was a hundred percent in office every single day of the week. Yeah. So you didn't run into these issues as often, and there were still the occasional stragglers here and there, but it became incredibly prevalent almost overnight. And then everybody's struggling to, you know, figure out how do we do this, how do we get everybody working. But, you know, with the remote workforce and, you know, back in the days of the castle and moat, it's just like the Trojan Warhorse, you know. Soon as it's behind that wall, whatever's on that computer Yeah. Can infect the entire network and take it down from, you know, the inside out. Yeah. So all a hacker had to do was get on to a system that was unprotected, you know, at home because we don't typically purchase the software to purchase it. We don't typically patch it. So as soon as they had full access to that, we connected to the network. They have unfettered access to all of your company data. Okay. So multifactor authentication. Know where your data is and who's accessing it. And from what they're accessing it. And from what they're accessing it on. Okay. Alright. So those all seem like pretty basic concepts that are part of the security conversation day in and day out. Yep. Or they should be. So we talked about devices. What about identity? You can have a BYOD device. Right? Can I use a personally owned device if we're effectively managing identity? Yes. So there's sort of two separate schools of thought there, two separate avenues to secure your people, your staff. Mhmm. You have the identity, which is going to be secured more through, you know, Entra ID, formerly Azure AD, through M365 or whatever identity source you may have. Could be Google or something else. 
And then you have the devices, which is going to be pulled more from Intune, which is going to set policies and making sure that, you know, certain devices can access certain resources at certain times of day, and that's really where you get into the conditional access policies. Okay. When it comes to BYOD devices, we have options for how we allow them to interact with the corporate data or the workloads. So for instance, our company's cell phones, I mean, yours and mine, we probably have Teams on there. We have the Outlook app. We can access, you know, our Teams chats and our email. No problem. But I don't know if you've ever tried to copy, like, a message from Teams and feel like a text message and send it to somebody. Yep. But as soon as you copy and paste, it says- Your organization does not allow this action. You cannot, you know, copy and paste. And so that's called MAM, mobile application management. And really what that's designed to do is just secure your company's data no matter what device it's on. Got it. Then there's mobile device management, which is really more focused on managing your company out of your corporate owned assets. Okay. So I'm still hearing a gap where if it's not a corporate device and it's my laptop from home, I can access the data via the policy so the data can be protected. However, if the device is not protected and monitored for potential malicious software, that can still be a risk. So that's still a no no. Yeah. It can still be a risk. Mhmm. But the risk is reduced. I mean, if you have permissions set up properly within SharePoint, within OneDrive, you know, in your cloud applications, the risk of a virus or malware transferring from your device to those environments and spreading, like, wildfire, like, the days of old Mhmm. It's reduced. It's not zero by any stretch of the imagination, but it's not as big of a risk as it once was. Got it. 
It's no secret that zero trust as a concept is kinda hard to wrap your mind around. That's why we're having these conversations. That's why we did the webinar, because we want to kind of demystify it and make it easier to understand. What are the biggest challenges that we've seen businesses face as they move towards adoption of a zero trust framework? The biggest challenge I typically run into day in and day out is just mindset. Mhmm. It's the people aspect of zero trust because one thing we've learned is that security is never convenient. Never. And so it's a matter of balancing the, you know, security with the convenience and finding that happy medium. And so I like to tell, you know, clients that, you know, if you hate your employees, you can absolutely turn on every single security feature and their life is gonna be a living nightmare. But maybe you don't need every single one. Maybe we can find the ones that are really going to benefit you the most. Start there, and we can start small. Yeah. And it's really just getting that mindset throughout the entire organization and getting everybody's buy in to this idea that, you know, we need these security features in place because it's going to secure our environment. Yeah. Getting that buy in, once you have it, is great, and that starts at the top and it's got to work its way down through every member. So while, you know, we often may be working with just IT points of contact, you know, we really need executive buy in all the way down to, you know, the lowliest of lowly personnel within the organization. So Yeah. Because if you're hearing support of the initiatives echoed in the meetings from the executives, from the directors, from the leadership in an organization, it's gonna trickle down. And, you know, when we think about even flipping on something as simple as MFA or, you know, adopting conditional access, I hear a lot of hesitation. 
It's not uncommon for clients to say, I understand the importance, but my employees are never gonna buy in. Yep. They're gonna grumble. It's gonna impact productivity. I'm not gonna be able to make as much money because time is money and every minute counts. Yeah. So messaging and making it a nonnegotiable is going to help the workforce get on board. And it can be a trickle. Right? Like, when we start having these conversations, you know, ninety days out, you can send out an email summarizing what's coming, what is the timeline, what's it gonna look like, and we can share screenshots of what their screen will look like. And, you know, change is hard, but we adapt pretty quickly, especially now with the way that technology is changing and emerging every day. So it shouldn't be something that you're afraid of as long as you've got a mindset that it's not always gonna be easy and there's gonna be tech moves. Right? Well, and you'll have to adjust your workflows at one point or another to, you know, abide by the new policies. And so that's really just, as soon as you can get people bought in, that's really gonna make it so much simpler for the entire rollout. Yeah. So if I'm a business that is on the fence, I've got Corsica Cybersecurity today. I feel like I'm in a pretty good place, but I'm interested in exploring zero trust, and I wanna learn more. What resources are there if I just wanna go out and do my research and try to start learning and wrapping my mind around the concept? Yeah. So Microsoft has a pretty vast, you know, library of documentation surrounding Zero Trust, you know, as it specifically pertains to them. Yeah. Other vendors have the exact same thing. I know Google does and so does Amazon. So you can go and you can find these articles online and read through them and better understand the overarching themes shared amongst, you know, every platform. Yeah. Also you can just ask ChatGPT. 
You know, I mean, just go ask it, hey, you know, what is zero trust? And it will spit out quite a bit of information. Now granted, we still have to vet some of the information it's sharing, but there's a lot of basics. Yeah. There's a lot of good foundational items just at your fingertips by Google. Okay. So I asked ChatGPT what is zero trust and, you know, how does it apply to business and whatever vertical and Yep. You know, how do I know how close I am or how much work it's gonna take to get me there, and will I ever truly be zero trust? So there's no official zero trust certification. There's no certifying body that's, you know, doing an assessment or an audit to make sure that you abide by it. Yeah. So there's never going to be the state where you are 100% zero trust. You know, we've completed the journey. It's always going to be ongoing because by the time that you get to where you're trying to go, that goalpost will have moved, you know, over time. Yeah. When it comes to, where are we at today and how do we assess ourselves for, you know, where do we need to start? Mhmm. Typically, you perform an assessment. I mean, there's some frameworks that you can follow online that could maybe try and point you to different things. Mhmm. But there's partners and different, you know, resources or different companies online that offer assessments and Okay. You can, you know, look into them. You know, we're obviously one of them as well. Yeah. Right. But, you know, look into having somebody come in, a third party come in and really take a look at where you're at today to figure out, you know, where do we need to go and how do we get there. Okay. For a lot of managed clients at Corsica, budget for IT, strategy, and infrastructure is not always easy to come by. Mhmm. A lot of times we're operating within constraints of, you know, previously allocated funds, whatever's left over. Yep. 
You know, kind of fighting our way out of that cost center mentality. If they don't have any money left this year or the '25 budget is done Mhmm. And it's too late to get anything else in there, how can they get started, with no money, with what they have today? So most of the platforms that our clients are already using, like Google, Microsoft, already have a lot of these features available to them within the licensing that they've already purchased. So if we look at Microsoft, a Business Premium license is about $22 a month. A lot of our clients are using that license or even some variation of that license. And so within that subscription that they're already paying for monthly are a lot of these security features, and all you have to do is just enable them. Right. It's the act of enabling them and making sure that you're enabling them, you know, with a clear goal in mind or a clear objective in mind and, you know, getting that buy-in from everybody. Those are gonna be the crucial items. Yeah. But the features are available to them. Right. So it's really just a matter of trying to, again, assess where you're at and leverage what you already have. We're not asking anybody to throw, you know, the baby out with the bathwater. Yeah. We have access to a lot of these features already that will get us, you know, at least somewhere along this zero trust journey, you know, keep moving forward even if it's baby steps. So what you're saying is they've already budgeted for it. Correct. They've already budgeted for it. They just don't know that they budgeted for it. That's a nice little gift. Right? Yep. It's Christmas. Right? Yeah. Christmas. There you go. Zero Trust all wrapped into your budget for 2025, which is a whole different podcast that you can check out. Nice little bow on top. Nice little bow on top. That's right. So, you know, we like to think of zero trust as so much more than a buzzword. We're trying to really put some great content and substance behind the idea. 
We believe in it a lot. And, you know, as an organization, we've begun to adopt Zero Trust. And while it's not always been easy, it's definitely been valuable. So I appreciate your time today. Thanks so much for talking with me and for sharing this additional information with our clients and viewers. Yeah. Thank you. Alright. Thanks.
Small businesses increasingly find themselves targeted in today's fast-evolving cyberthreat landscape. Better-resourced organizations have become difficult enough to penetrate that cybercriminals are looking for softer targets. Unfortunately, this means that regional businesses, medical practices, local government agencies, and even school districts are now in attackers' crosshairs.
The best recourse for small businesses is to adopt a Zero Trust Architecture (ZTA). In this article, we’ll go over some definitions, then explain how small businesses can build realistic plans to establish ZTA in an affordable manner.
What is zero trust in a small business context?
The U.S. government's Cybersecurity and Infrastructure Security Agency (CISA) has developed a useful Zero Trust Maturity Model (ZTMM), outlined in its ZTMM whitepaper. It offers specific guidance for Federal Civilian Executive Branch agencies implementing zero-trust architecture, but the guidance is just as usable by private-sector organizations of all shapes and sizes.
CISA's ZTMM is specifically intended to give those agencies a pathway to meeting Executive Order 14028 (Improving the Nation's Cybersecurity). In a nutshell, Executive Order 14028 directed federal agencies to move toward a zero-trust architecture.
But CISA's model also offers a robust framework that small businesses can follow to improve their cybersecurity postures. This framework is organized around five pillars across the organization, each of which is measured against four maturity stages (CISA also defines three cross-cutting capabilities, visibility and analytics, automation and orchestration, and governance, that span all five pillars).
The 5 pillars of zero trust for small businesses
CISA’s model defines five pillars of zero trust:
- Identity
- Devices
- Networks
- Applications and workloads
- Data
Through gradual implementation and improvement, small businesses can incorporate zero-trust principles for each of these pillars.
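The identity, devices, and applications pillars meet in practice in conditional access, the Microsoft 365 feature Garrett points to in the interview above as something Business Premium customers have already paid for and only need to enable. The script below is an added example, not code from the page, the podcast, or Corsica Technologies. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns module) to create two starter policies: require MFA for every user on every cloud app, and allow Office 365 (SharePoint, OneDrive, Exchange, Teams) only from an Intune-compliant device or from a mobile app covered by a MAM app protection policy. Both are created in report-only mode. The `$breakGlassUserId` value is a placeholder you replace with the object ID of your tenant's emergency-access account; `"ZT-01"`/`"ZT-02"` are arbitrary names chosen for this example.

```powershell
# Added example (not from the page or Corsica Technologies): two starter
# Conditional Access policies created with the Microsoft Graph PowerShell SDK.
# Requires: Install-Module Microsoft.Graph (module Microsoft.Graph.Identity.SignIns).
# Placeholder assumption: $breakGlassUserId must be replaced with the object ID
# of your emergency-access ("break-glass") account so that account is never locked out.

Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

$breakGlassUserId = "<object-id-of-your-emergency-access-account>"   # placeholder, not a real ID

# Policy 1 (identity pillar): MFA for all users, on all cloud apps, from any client type.
# Created report-only so you can see what it WOULD block before it blocks anything.
$mfaPolicy = @{
    displayName   = "ZT-01 Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # flip to "enabled" after review
    conditions    = @{
        clientAppTypes = @("all")
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)           # break-glass account stays excluded
        }
        applications   = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

# Policy 2 (devices + applications pillars): Office 365 workloads only from a
# device Intune reports as compliant, OR from a client app under an Intune app
# protection (MAM) policy. "Office365" is Graph's well-known name for the Office 365
# app group. With operator "OR", a BYOD phone running the protected Outlook/Teams
# apps gets in, an unmanaged laptop with no compliance record does not.
$devicePolicy = @{
    displayName   = "ZT-02 Office 365 requires compliant device or protected app"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)
        }
        applications   = @{ includeApplications = @("Office365") }
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "compliantApplication")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $devicePolicy

# Confirm both policies exist and are still report-only.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Leave the policies in report-only mode for a week or two and check the Entra sign-in logs: each sign-in lists the applied policies with a result such as `reportOnlyFailure` for sessions that would have been blocked, which is the list of users and devices you need to remediate (enroll in Intune, install the protected apps, register MFA) before switching `state` to `enabled`. Two caveats a practitioner would want: the `compliantDevice` grant needs devices actually enrolled in Intune with a compliance policy assigned, and the `compliantApplication` grant is only evaluated on platforms that support app protection policies (chiefly iOS and Android), so test each platform your staff uses rather than assuming the OR covers it.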
The 4 maturity stages of zero trust for small businesses
CISA’s Zero Trust Maturity Model defines four stages of maturity:
- Traditional—Security policies and enforcement are siloed by pillar, with no integration across pillars. Everything security-related must be manually configured and assigned, and every lifecycle has to be managed by hand. There is no aggregated visibility into the organization’s security posture across the five pillars.
- Initial—The organization has begun to break down silos with cross-pillar security policies and enforcement, although integration is not comprehensive. Some system and attribute control is now automated, but this approach is the exception, not the norm. The organization has achieved some aggregated visibility into the security posture of its assets.
- Advanced—Lifecycle and assignment controls are automated wherever possible, with policy enforcement integrated deeply across pillars. The organization has achieved centralized visibility and identity control, and it has established predefined mitigations for specific threat scenarios. Privilege changes are handled based on risk and posture assessments.
- Optimal—Lifecycles and assignment controls are 100% automated, operating just-in-time, with resources automatically reporting their own security posture. Policies exist in a dynamic state driven by automated triggers. Security monitoring and enforcement occurs seamlessly across all five pillars, and the organization has achieved continuous monitoring, centralized visibility, and comprehensive situational awareness.
Top 3 challenges to establishing zero trust
As you can imagine, reaching optimal zero-trust maturity might be a tall order for smaller organizations. Companies typically struggle in three specific areas:
1. People
If you’re a small business, you probably don’t have the necessary skillset on the internal IT team. It’s hard to do a good job with security—especially when IT is so busy responding to tickets for business-critical systems and users.
Zero trust requires a net new layer of effort on top of existing effort, and most small businesses simply can’t support that effort internally.
Hint: This is why successful organizations outsource their zero trust initiatives to an MSSP (managed security service provider). That’s one of our passions here at Corsica Technologies—helping small businesses achieve zero trust architecture.
2. Processes
If an organization isn’t familiar with zero trust, then there’s no one at the helm who can evaluate current systems and processes against zero trust recommendations.
Not only that, but most small organizations don’t know where to begin in their quest to establish zero trust architecture.
In other words, companies struggle with 2 kinds of processes here: 1) auditing existing processes against zero trust, and 2) defining the processes for establishing zero trust.
3. Technology
Unfortunately, most smaller organizations use legacy technology that was designed before the zero trust revolution. These technologies either don’t support zero-trust principles, or they would require significant reconfigurations to incorporate such principles.
In addition, zero trust architecture requires net-new technologies that legacy organizations haven’t adopted. Things like threat detection across the five pillars, policy enforcement, and monitoring might all require net-new safeguards. Unless the organization has cybersecurity experts in house, it’s very difficult to know what you don’t know. You need an expert advisor here.
Additional challenges to establishing zero trust
No magic bullet
Simply put, there’s no magic bullet for cybersecurity. An organization can’t just buy one piece of equipment or a new software application and instantly establish a zero trust architecture—let alone keep it secure for years to come. Rather, zero trust is a journey and a collection of systems and policies.
Expensive if done in-house
Given all the systems, processes, and professional resources required to establish ZTA, it can be quite an expensive undertaking if done in-house. This makes it challenging for smaller organizations to maintain the security they need, given their staffing resources.
Mission creep
If you’re a smaller organization, you didn’t get into the business to manage IT and cybersecurity. You got into it to do the things your company excels at. A zero-trust initiative could easily create a significant distraction from your essential mission if you try to execute it in-house. The more you can focus on the things you’re skilled at, the more you’ll maximize your organization’s impact.
Zero trust is not “set it and forget it”
Unfortunately, it’s not enough to go through one cycle of effort in establishing zero trust. The path from traditional to optimal, or even just to advanced maturity, can take twists and turns.
As CISA’s whitepaper explains, “The path to zero trust is an incremental process that may take years to implement.”
While that might sound intimidating for small businesses, the key is to engage an expert partner who can 1) define a feasible path forward, 2) implement or assist in implementation, and 3) continuously evolve the path to stay abreast of new threats and best practices in cybersecurity.
Hint: That’s what we’re all about here at Corsica Technologies.
The path to zero trust for small businesses
Simply put, smaller organizations often lack the resources to succeed with zero trust. However, they need ZTA just as much as larger companies.
The path forward is to engage an expert partner who 1) knows the struggles of small businesses, and 2) knows ZTA from top to bottom.
Here at Corsica Technologies, our team is ideally equipped to audit your existing systems and processes and devise an achievable roadmap for your organization’s zero trust architecture. Get in touch with us today to learn more.


