This is the business tech playbook, your source for it. Help for your business man. We're finally back on the podcast. This is the business tech playbook. I'm your host, Rob Solzen.

And I'm your host, William Pote. E top technology.

So we are going to talk about methodology that you use with me after learning some of the pranks and the Prank podcast, which is Zero Trust, you have zero Trust in Rob's moving forward after you have heard some of the devious stuff I've done, at least the stuff I'm willing to talk to you publicly.

Well, I mean, the fact that in the last five minutes, I didn't realize you were recording and I said something and you've already played it back to me. So the answer is yes, I do have zero trust for the fact that you're probably going to make a funny button for me at some point.

It's well worth it.

It's well worth it. But I'm not talking to you very.

Much anymore, just during the podcast only and is nothing but Quietville. All right, well, talking to the audience about Zero Trust. So to get started with the topic about what is zero trust and why does it matter to you in it, I'll begin to kind of crack down the background in it. We started with different systems, and we just wanted them to do a thing. If it was to calculate accounting, if it was word sheets, it was simple tasks into building into everyday business applications. Then we thought, hey, it'd sure be great if we had HR stuff or sensitive information underneath a password so someone couldn't walk into my computer and get it. And passwords were a need all of a sudden. Then we connected everybody online. So it wasn't just the network in the office. They wanted to communicate with other people outside. And the moment they did that, they're like, I wonder if outside people can get into our business? And that's where security really kicked off. So the normal security method is trust, but verify. I think that's the key word people are normally used to, especially in parenting. Trust your kid, but verify. Make sure there isn't a bag of green in their room. People take that to security, and it worked for a while. Only shut down things that were a problem, only stop things that were verified, and make sure to do audits, keep things open to have business going, and only close pipes when you see they were a problem that doesn't work this day and age. So it's gotten to a point now where even for us, it's a big change. Even now. Today in 2023, where we're changing, it's no longer trust but verify. We don't trust anyone. So Zero Trust has to be a point, a real methodology of your IT infrastructure from the get go, meaning no one has access unless they are absolutely whitelisted. Now I'm going to explain that because again, we're not doing alphabet soup. Blacklist is. We're blocking only the people that don't need to be there and everybody else is open. So unless you know of it, we're not going to block them. Whitelisting is in reverse. We only allow the people in that we know that need it and block everyone else. That's the core fundamentals for Zero Trust is beginning to blacklist as you need it and only build business cases and give connectivity well.

Right, and it's kind of the exact opposite of what everyone has been doing for the last 20 years where it's assume everything's safe as long as it's inside the building, or assume everything is safe because it's a company owned device with Zero Trust. It's really flipping that on its head and assuming everything is breached and making sure that the access is really just tied down to the absolute fewest people possible. And what makes it work well is we have to start assuming that literally every single user is working from Starbucks. We're assuming that every single user's, we're treating people's offices like Starbucks now. And so now we're locking their applications down to their zero trust application. There's a lot of misleading things out there about Zero Trust. And so we're going to try our best to really kind of clarify what things mean with as little jargon as possible and hopefully give you some ideas to chew on about how you can think about your business going forward.

Now this podcast again is for those that are listening, that own a business, manage business, C level executives that aren't an IT professional, but have to be versed in it. So to explain that a little bit better, when you talk about Starbucks, for us it's pretty native, but for the listener they're going, what's so bad about Starbucks in the IT world, especially way back when, if it's in the building, it was safe, and if you left the building, then it's a problem. You have to connect from wherever you're at to the business to do your work. So if you were at Starbucks, you're on their network, their wireless network, and supposedly anyone could tap into the network, see the traffic, and it was a real security nightmare, especially going to these new internet cafes. So for IT professionals to see a salesperson at a Starbucks made them uncomfortable for years. Now we have applications and we'll talk about it later in the podcast on how we can use zero trust even in a Starbucks location. So it's no longer scary to us.

And that's exactly it. The goal is to make everything as flexible and resilient as possible so people can work when they need to work, where they want to work, how they want to work. And so the very core of this is making it accessible anywhere because you want to be able to work for 2 hours while you're traveling in Europe. Great. Let's do know, besides that at the end of the like, the more you can kind of work through keeping yourself secure, but having as much flexibility as possible is absolutely huge.

So where would you like to begin? There's a lot of different topics we can talk about zero Trust today.

Oh goodness. I think you'll probably hear this, a couple of different things. So there's a lot of companies out there just talking about Zero trust. And so I want to be clear that zero Trust can be an application, but it's much more than that. You can't just buy a single zero trust application and suddenly everything'S magically safe. Like that's not how it works. It goes back down to thinking through your methodology for how do we not trust, who do we need to trust and how much should we trust them? And really backing up your, you really have to back or change your thought process as much as possible. Are there tools? Yes. Are there multiple tools? Yes. But it's kind of thinking through how do you make this all work together so it is as seamless as possible kind of thinking through it. There's a lot of, like we said, marketing jargon and myths around it. But could you imagine maybe a diet trend that said weight loss without exercise? Most of these tools, if it sounds too good to be true, it is.

Welcome to the tag rules of marketing. You used to have all these different backup advertisements. There was that whole mysterious advertisement we saw for a better part of a decade about this mysterious place called the cloud and no one could explain it properly. Well, Zero trust is right up there now getting into the lovely security marketing everybody uses, no one explains correctly and is very confused about, well, they haven't.

Stopped the cloud part.

It's gotten a lot, it's gotten a lot less. Now we just see Amazon football commercials and saying how they can change your business, right?

Man, Azure's is Microsoft's version. Amazon's cloud.

Excuse me? It's entra. You got to put your pinky out.

When you say it.

They changed the name still.

Okay. No, they still have Azure Cloud.

That hasn't changed. Now you understand why we're so confused as well. We just roll with the brandings as well. It's not just you guys. It people are very confused and sick of the changing as well.

That's what happens when marketing gets a hold of it. But that's beside the. And honestly, part of this conversation is really just to kind of work our way through this, because it's something we are starting to brace internally pretty heavily. And we've rolled out for a couple of clients, and so it's still a little bit of a black box. And so we're hoping that by kind of exposing what we are learning and the outcomes that we are achieving, that it helps demystify it for you.

So as we're going through these, what we call asterisks, another thing that you need to know is this is not just an it thing. This whole zero trust methodology should be your entire company process. This shouldn't be just. Well, it's just for the computer guys that have to worry about that. No. If you have physical work, physical assets, a process that doesn't involve a computer business in general, especially if you have special sauce, if you're the coke company and you need to keep coke under wraps, your special recipe for all these years, you need to have zero trust in all things, not just it.

So, okay, now I'm going to do a long pause. Shut up, Rob.

You make it so hard to laugh quietly.

So you're talking about zero trust, like the Coke recipe, where you need to not trust. It's very hard to talk when somebody's giving you winky eyes over the video chat. But see, this goes back to why I don't trust Robbie. Because he's going to totally mess with me while I'm talking every time. But at the end of the day, and twice on podcast recording day. But you got to protect what makes your company special. But then a lot of that's putting in good processes and understanding what you do and you don't trust. So whether that's whether your wire transfer, like, if you have a process to verify your wire transfer every single time, the chances of you getting taken advantage of are a lot less. And so it's really working that thought process and mentality through the entire company.

I mean, if you hired an external company to come in and clean your offices and you just let them back in the HR vault to find people's Social Security numbers and the actual cash in the safe. How secure is that? I would have no trust in any vendor. Give them only access to what exactly they need. That's exactly what we need to do, the network and the rest of your business.

So I'll kind of lay out what we're at ETop technology working through with Zero Trust. So we happen to be personally using a tool called Cloudflare. So Cloudflare is a gigantic suite of tools, and zero trust happens to be part of it. As far as it goes for a vendor, they're one of the ones we do recommend quite a bit and or we just include inside of our service, because it's just a great value and it works. So what that allows us to do, by setting up zero trust for all of us, every single one of our endpoints. So in endpoints like my laptop that I carry with me everywhere, all of our teams on laptops all over the country, and they're working at home. I go to Starbucks quite a bit, take my laptop, work from there, work from home, wherever. But we want to lock all of our applications to one IP address, so that way it reduces the risk of somebody logging into it. But the only way for me to do that is to go through that zero trust application. So now we can lock it down to the Cloudflare IP as an example. We have a different methodology in place, personally, so I'm not telling you what our secret sauce is, thank you. But we do a lot of things along those lines where we lock down our applications, we lock down our access, and it all has to flow through that zero trust methodology. But then what happens is every single piece of traffic that I generate goes back through their data center firewalls. That means everything is being scanned. And so now it means that my computer is effectively inside the wall, even being completely remote and anywhere I want to be at any time.

So to go just a little bit higher level for those that are listening. We used to connect. If you went to that Starbucks location and you wanted to have a secure connection. We used to. And most businesses still have what's called a VPN. You have a client that you log into. Generally, it's a multi factor authentication. So you type in your password, and then it sends a code to your phone, and that encrypts a connection from your computer to the business, wherever you're at. So then we are less concerned about you going to a place like an Internet cafe in California and having your traffic be seen because it's all encrypted and they can't see what's going between your computer and the office. That is very handy. It's a little bit slower than you might expect being connected right to the office, but it does the job and it gets people going in a much more secure manner. What this zero trust takes an upgrade to is instead of having a traditional VPN application, you would have ZTNA, zero Trust network adapter or access, depending on how you're using that acronym. You install this piece of software.

It's such a jargon filled thing, we don't even know what it stands for. I'm going to go Google that right now.

It's both. It's either adapter if you're looking for the piece of software, or access if you're talking about the suite of applications.

So it's zero Trust. Network access is what it technically stands for. There we go. That's what I was thinking, but then you totally threw me off.

I got you good. So you install this software and it works similar to your VPN. You sign in to the application and instead of it connecting you and encrypting your traffic to your laptop to the office is much more intelligent. It doesn't connect you to everything broad spectrum in the office. It only gives you access to what you need. Because again, we don't trust you. We don't trust where you at, and we're only going to give you exactly what you ask for in an encrypted manner. So instead of you having access to everything at the office, you'll have access to maybe just your accounting software, maybe just your point of sale system, maybe just your company email, whatever you need. It'll only give that and block everything else, no matter if it's at the office or not. It's much more intelligent. And then instead of you having to worry about disconnecting, or are you on the VPN or not, we just leave that application running. It will work in the office, it will work at Starbucks. It is now out of sight and out of mind. You don't have to sit there and ask yourself, am I or am I not? It's just there and it works and it works well.

And that's exactly like the more we can make the technology. I'm not going to. Thoughtless is the word that comes to mind. But the less people have to think about it and the more we can tie all of your different applications into it. And actually this would be a good conversation for future dates called single sign on SSO, but effectively with something like zero Trust, it allows you to have that always on, always available access anywhere. And we can assume that if your machine is connecting through it, that it's safe because of how it scans your traffic and whatnot.

Now people are asking what type of softwares do this? There's a bunch and there's a bunch coming out all the time. It's again a newer platform that people are getting into. So again, find out what's already existing. Generally you'd see these coming out of the same companies that did the VPN. So if you're using some sort of Palo Alto firewall, guess what? Palo Alto probably sells you a ZTNA software package. You can go anywhere. Like we use Cloudflare, there's plenty of different ones out there. Check their actual security levels and make sure they're reputable before going into it, because people are just going to say that it is secure without being secure, just to sell you the cool new and latest marketed technology they don't clearly understand.

So to your .1 of the vendors we use is called Sophos, and so they are basically all things security and they happen to be the firewall that we prefer. So what's nice about the new Sophos Zero Trust is now the actual firewall can be an endpoint, so we don't have to install any applications internally to the organization. That's actually one of the nicest things about that.

Can you explain that to people that are confused?

So the endpoint, your laptop ultimately connects to the SofOs cloud, and then the SofOs cloud connects you back down to your firewall. And so what happens is it does all the routing for you without having to be over a VPN. So like right now, we happen to be using Cloudflare pretty heavily, but that requires we install a little agent on the servers that we need access to. And so the benefit to that is when it's installed on the server, the server connects outbound to Cloudflare via a secure tunnel, and then you connect to Cloudflare via secure tunnel and Cloudflare goes, okay, you have the rights and the permissions to touch it and it sends you through. That means we're not punching holes or we're not poking holes in the firewall, which if we do put holes in the firewall for port forwards or whatnot, that can really show up on a PCI compliance scan. If you're dealing with any kind of IRS compliances, if you're dealing with pretty much anything in a compliance basis. You want nothing open to the outside world.

So instead of having the application, you can use your firewall to do the same. Zero Trust access without having the application in some instances. So you don't have to have that piece of software.

Thank you. Yes, effectively that is accurate. Now the firewall ends up being the endpoint and so the firewall actually just connects to the cloud versus having to do it on a server application.

You'll have to forgive us, this is an extraordinarily deep topic for those that are not it enthusiasts. We are doing our darndest. And if you want clarification, please email us to [email protected]. Is that the.

That's [email protected].

We didn't buy that domain yet. I thought we routed.

No, we bought the domain. That's where the podcast associated.

So scrap that [email protected]. I promise you we will go in as deep as you want. And we did buy that domain, by the way. I did look it up.

We do own the domain. Yeah, right. At the end of the day, like I said, this is a deep topic for it people too. There's a lot of misconceptions and misunderstandings and we're really doing our best to understand this, just like you are. And we're trying to explain it in a way that makes sense. So if you want to know more about something, please ask. Please send us questions and we'll be happy to do like a subsequent YouTube post or something like that.

So I think the next step that we can go to, we try to explain how we use these new ZTNA tools instead of a VPN. We told how it can connect and change. That's no trust and it only gives them exactly what they need. Now we need to talk about what the impact is, what is it going to improve, what's going to be a little bit painful for a while.

So I would say the things that it improves, it's extremely easy to make always on. You can set it and kind of forget the fact that it's on. Some of the pain points initially are it's probably going to break your conference calls unless you have them excluded. So it's learning. Are you using Zoom? Are you using Teams webex? What tools are you using for conference calling? Because it messes with video.

Well, I'm not done with.

Oh, sorry, Pros.

You don't have to worry about it. Shut it off or on. It's always on. That was good. I think the next Pro is it's significantly faster in most cases than a VPN. People don't really understand that when you have a VPN, it hard encrypts all data indiscriminately. This, because it's only getting what you need is so much faster. Like people experience, especially salespeople that really do use those Starbucks locations are tickled pink. They're like, I don't know what you did, but it's working better than it ever has. And they're smiley and happy. It makes me feel like a wizard that we just waved a wand and suddenly they can work better.

So that is true.

We have had people praise it on top of it. And then you explained that video connections and conference calls might have a bit of a struggle unless we open specific things. I would go as, when you install this and you have your IT person say, hey, we're going to do the ZTNA rollout. We're going to have all the computers on this cool thing so we don't have to use VPN anymore. The next, you got to give this guy a break. The next week he's going to have to pretend to know what you need because now it's zero trust. We've blocked everything. We only think you need access to three things and in reality you need access to 14, so you're going to mess.

In fact, we were only told you needed access to three things.

Yeah, you told us you only use three things and in reality you didn't remember. We didn't know. So that next week to two weeks, you're going to have to message him, hey, this won't load. Hey, a conference call won't work. The videos, the video cut out and you'll have to tell him these things and he'll have to play, essentially whack a mole for the first week to two weeks, opening things that he didn't know you needed. So once he opens it up, after that two week period estimated, sometimes it's a week, things will just work great. And that may continue because we have customers, and I'm expecting this after our onboardings with our customers, that we're going to have the things that they only do twice a year come up and we're going to have to open those, too. I mean, let's be real here. We're not going to know it until they ask for it.

And oftentimes people just don't even know until they run into it. We had a client yesterday submit. They needed a website locked for audit reports they needed to submit for the state, they hadn't used it for two months. They've only been a customer for three weeks. So you work through this, I think they submit those reports once a quarter for prevailing wage audit reports. And so that's not an every week or month kind of thing. And so now let's go ahead and get that fixed for you.

So it may seem inconvenient, but it's so much secure. And then when we do get it opened, it's so much faster.

Well, and so part of what makes it more secure is that it literally is every single bit of traffic being scanned. With a traditional VPN, you're not routing 100% of your web traffic through the home Office VPN because it would really bottleneck your speed. So what you do is you route what they call interesting traffic. What that means is something that the VPN goes, oh, hey, that's the office that's interesting, and forwards it over the network, but then literally everything else. So you're going to your bank website, you're going to all of these other things. It's not in your local network, and it's not interesting to the VPN, and so suddenly it's not being scanned. And so what happens with a cloudflare with a zero trust type model? Literally 100% of your traffic is getting filtered in their firewall at their data center before it routes it anywhere. So it allows you to be much more secure, in my opinion.

I've had a handful of people that I'm friends with in the industry across different places in the country, and they've began to use this ZTNA thing, and they state, because, again, we're going over pros and cons here. It's not just for the user, the pros for the IT admin, the representative that's actually taking care of the issue for the IT company said that he's now able to finally see everything that no one tells him they're using. He's not going to sit over your shoulder and pretend to know what exactly is going on. Instead, he gets all these requests, he's well documented, and then finds ways to improve the network, improve how they're doing the applications. And now he has this whole audit list that he never had to ask you for of all the different traffic and can actually do his job because you've given him now the tool for visibility, and he can maintain and open those connections for you. So it's not just for the end user and security, it's also a tool for your IT people.

So I think part of what makes zero trust so cool is it allows you to catch a lot of that kind of that shadow it, the rogue it that we've talked about in the past where it's suddenly like, I didn't realize so and so was using Monday. Maybe we should find out about that. I didn't know so and so was using XYZ. And so a lot of this is just kind of working our way through. Hey, are you actually using these? Okay, let's get that documented now. We can support you better. Let's lock it up, make sure it's actually secure. I was filling out an audit report for a client yesterday and I answered it to the best of my ability, but I knew they had at least two different applications that we don't manage for them that are for file sharing. And I made the recommendation on the form and to the client that we needed to kill those applications because we don't have control. And I can't say with 100% confidence that this is safe and this is one of their biggest clients asking them this.

So you mentioned from the perspective of shadow it, I want to do the positive spin on this as well.

Awesome.

Seen in the same scenario where someone was sending and they're maxing out emails and they're sending out multiple emails to the same different groups of clients and they have to do this on a regular basis. So they saw the traffic. A good amount of email traffic come the same time every week from this individual user. So of course it wants to inspect the traffic. They find out that this person doesn't know how to use their special sauce application for their company and is instead building manual reports that were supposed to be done for her in the program. She's uploading them, maxing the amount that she can send in an email and then emailing 20 or 30 of those emails out to the person that needs the data. And she's doing this once a week. So they've cut down an entire half day person's time just sending out these reports when their tool can automate those reports for her and then bundle it all in one email to send out to whoever she wants. So her job of doing that task once a week was completely cut off. Like here, you can still do it, but this tool makes it 90% easier.

Isn't that it's job like, literally to try to make people's lives easier and more like, yes, we are here to secure things. Yes, we're here to protect the company, but we're also here to maximize the company, if used properly, if encouraged, it can be a force multiplier for anyone.

I'd much rather be that guy than be Big Brother, let's Put it that way, every day.

So we use a tool called an RMM, remote monitoring and maintenance. And when people hear me say monitoring, they're like, oh, are you watching what we do? I don't care as long as it's HR approved or it's not an HR issue. We monitor the PC, we don't monitor the user. And so again, the goal for us is always to maximize the company. We'd way rather work on helping you automate something, build something, grow the company scale than deal with HR issues. Because that's not what we're here for. We don't like it. We obviously are there for that too. But it's more fun to build for.

Those that are listening. And if you have a normal VPN solution and you want to approach your IT department of Hey, I heard this cool thing about ZTNA and this podcast. You can share this of course with them, that'd be great. But secondly, what are the steps to get this done? Say that you are interested in this upgraded security. You want a faster form of VPN. You don't got to think about and log into. It's not done overnight. You can't just snap your fingers and make it happen. The first thing you have to do is inquire. You do your best. They're not going to know everything they use, but you need to have a list from your different departments saying, these are the tools we use. Then it's it's job to make sure that we're opening all those ports, making sure to assign access to these specific applications or even reach out to the vendor saying, hey, what's your addresses? So we can make sure that we're communicating with just you and only you. And once you have that data collected and you're doing your best effort, you're never going to get 100% of all the stuff they use. Best effort. You find a time, generally not a Monday morning, and roll it out. And you can do it segmented. You don't have to do it all, the whole company overnight. You can pick department by department or team by team. Then once you figure that out, you can rinse and repeat with the data you've set. Let's say you started in accounting, then the next department was HR. Well, now you have two departments and you can reach out to the rest of the company because you know those two departments use 90% of the tools.

Anyway and you save it for salespeople last. Let's be honest.

Yes. Those people are the squeakiest wheel of the Walmart cart. You know what I'm saying?

You guys have Walmart? I'm joking.

We got Walmart.

We're fancy people and only have target. Oh, goodness.

Minnesota is the home state of target. Thank you.

Oh, that's right. That's right. I forgot about that. I think you're so most of these things can be run in conjunction or parallel with your existing systems, so start small. That's a good point. Try choosing several power users. Make the IT department figure it out on themselves first. This is what we do at ETOP. We believe heavily in what we call dog fooding, which is we test everything on ourselves first. And sometimes that sucks.

I didn't know the name of it. Dog fooding is fantastic.

Dog food, right? I mean, isn't it great?

You eat the dog food, drinking your dog.

All right, I see how it is, right? Drinking your own wine, I don't know, whatever. But we practice what we preach. At the end of the day, it's like we break a lot of our own stuff on accident because we're trying to figure out the best way to apply this to our customers, to our clients, because it's not fair to our clients to try it on them first. So make your IT department roll it out for themselves first. Sometimes it people are the most resistant to change, and we deal with the highest rate of change of almost any industry in the world.

I'm an aquarium aficionado after dark, when I'm not playing the IT role, and I always tell different people that if they really think their water is filtered enough, go ahead and give it a taste. You know what I'm saying? So if your IT person isn't willing to put ZTNA on his computer first and give it the full try, find a new IT person. He should be the first guinea pig. And if you thought I don't drink.

My company, I recommend us. We're incredibly good looking and decent sense of humor and we apparently dog food things.

We dog food. And if you think I don't actually taste my tank water, you got another thing coming.

I'm not sure how I feel about that. I guess I'm glad you live in Minnesota and I'm in Southern California.

We have a lot better water than you guys.

That's for know you should come taste. Have you tried the water in Yukaipa Redlands area? I did, actually. Really good.

I did. They offered me what makes it better. The hotel I stayed at Very Nice hotel when I was out there last February. They actually gave me bottled water because they said, don't drink the faucet. We're doing some things. So that was my luck.

Well, okay, that's different. I'm in a different water district. Okay. So most of our water is coming from, like, the mountain wells. It's so good. Yeah, it's a little bit Sandy. My faucets have zero trust with the water, and so after a while, it stops flowing.

We're going to use this analogy all day long.

That's right. We apologize. We've started going, dad joke, goofy over here.

Last one drive through, you make an order, you get the bag, you look in. I don't trust the person not to put my ranch in there. Why wouldn't you do that with your it? Certainly. Consider it.

So we ran this topic through chat, GPT, and one of the analogies that they recommended was the VIP club approach to security. They said, just not everyone gets automatic access to a VIP lounge. So in zero trust, no user or device gets automatic access to company data. Every request is scrutinized. And so, honestly, I thought that was a really good kind of thought process. And instead of those darn it people are trying to make me more secure. They're trying to take the VIP approach to our data and how our company is secure.

I'm going to change my title from Tech admin, engineer, whatever it is, to bouncer. I am the ET IT bouncer. That's 100%.

To be fair, you're also like six foot five and like a big guy.

I like no numbers. I like that. That's decent of you. I didn't play football. For your knowledge, I should have.

Yeah, well, yeah, same here. Sadly, I'm sitting at a desk is not great for my physical health right this moment. But one thing at a time. So with that said, we appreciate you listening. If you have any questions, we're easily available and findable on LinkedIn Discord [email protected] We will respond, we will work with you and just answer any questions.

And again, you can go right to the Businesstechplaybook.com. On the bottom of the website, you'll find that discord link. You'll find the other episodes for this wonderful podcast to catch up on, share it with a friend and know. Send us, like subscribe, send us weight loss advice, because clearly we sit in chairs.

Five star reviews. Yeah, those guys need to lose some weight. Five stars. That'd be a great review for us. Five stars. That means we know you would at least listen to the podcast, and we really appreciate you doing that.

Until next time.