TRANSCRIPT FOR GRIP I.T. WEBINAR
NEIL DAMANIA: Today, we’ll be discussing why you should be protecting your data, preventing internal and external data breaches within your firm.
Joining alongside myself will be Goldstein Ramball, whom I will introduce shortly. But the agenda for today will be discussing, talking specifically about GRIP I.T., the data breach trends that we see occurring for 2019 and 2020.
The compliance requirements for HIPAA, PIPEDA and GDPR, and a brief history of them.
Internal and external data threats that could potentially harm the organization. Cloud infrastructure that goes beyond 2019, followed up by any Q and A’s that we might have.
About GRIP I.T., we are an organization that was started in 1996. We are fully Canadian owned and operated. We have 45 years of industry experience, and we have an SSAE 16 compliant data center. We own and operate our own routes that stay specifically within Canada – whether in transit or at rest.
Goldstein Ramball, would you like to give a few talking points about yourself?
GOLDSTEIN RAMBALL: Great. Well, thank you everybody for joining us today from all locations – local and global. I do appreciate you working with us and, you know, for some members that we currently work with in the legal and bio sciences. It looks like there are also people that are joining us from the legal side from the show that we have done recently.
I’m Goldstein Ramball, I’m currently the CTO of the organization. I’m responsible for all the technology and the technology direction, operational values of the data center specifically, and cybersecurity.
My background dates back probably 20-25 years of experience roughly, dealing with CISSP (Certified Information Systems Security Professional) as a cybersecurity certification. Dealing with project management, dealing with a lot of virtualization such as VTSP (VMware Technical Sales Professional), VCIPs and a couple of other ones. From a virtualization data center operations perspective as well.
Random fact would be, I speak 3 and a half different languages. How’s that?
NEIL DAMANIA: Awesome. We’ll stick to English only for today.
GOLDSTEIN RAMBALL: Excellent. Good call. Let’s do that.
NEIL DAMANIA: Well, just to kind of brush everything up. As a reminder, it’s not when, it’s if. We always have to remain on guard. As you can see, Air Canada has been recently hit – Equifax, BMO & SMIPLii, as well as Yahoo. These are scary times that we live in, in terms of vulnerabilities that are dealt with in complex networks. And the size and the impact could be as small as twenty thousand, whereas the largest one that we have seen in Canada was with Yahoo, which had an equivalent three billion dollar impact on their bottom line.
So just recently as well, we had another attack that happened to Docker, where almost a hundred and ninety thousand different accounts came into play.
So, where is this headed?
It is expected that further cybersecurity spend is almost going to be 6 trillion dollars – the amount that will be invested into the security and compliance of the complex digital networks that we have, as they all interface with each other along with the Internet of Things and all the BYO devices that we have. It’s important to see that we are investing into the future and making sure that our data is safe.
GOLDSTEIN RAMBALL: That’s an excellent point. I mean, just recently – maybe I’m stealing some of the information coming shortly – but we know in the last two and a half weeks there was a significant impact on six branch offices and one main organization in one medical & dental version hit by ransomware just recently. It was on CBC; it was also on our CMP and C sister rulings on how we are actually trying to get ahead of an area of governance. But also, vigilance on how we are going to click on things.
NEIL DAMANIA: On that note! We can definitely see that the average amount of data breaches that have been occurring from 2016, 2017, 2018 and beyond is trending upward. So, it’s a very scary time, as shady actors are seeing that there’s definitely a bounty and a reward that comes with finding vulnerabilities within your firm.
GOLDSTEIN RAMBALL: And, coming back to that. It’s not always about the dollars, per se. It’s also about the reputation that has a very hard impact on what’s the employability of the prospect of your clients, youth potential and users coming down the road, working through areas. Where we are trying to not only stabilize reputation and the security protocols are embed, but how are we actually accessing data.
NEIL DAMANIA: Now one of the most interesting parts in building my research along was seeing that 43% of cyber-attacks are targeted towards small to medium-sized organizations. It’s one of the missing chain links, where the focus is not generally on the security and the vulnerability assessment. It’s a very troubling statistic. Whereas at the enterprise-grade level, they definitely fall below the thirty percent threshold.
So, one of the safeguards that we do have in place, the first one of the three. Goldstein Ramball will start to introduce HIPAA.
GOLDSTEIN RAMBALL: Great. It’s important to see where HIPAA kind of stems from. What were the internal reasons and mandate, starting from its origins? Going into what kind of business impacts it has had and what type of applications there are for this.
HIPAA mainly was dealing with and was more e-compliant on the US side. That’s where the origin started, actually back in 1947, and then there was a bit in 1954. Thereafter, a lot of the acts and legislation after the US side for compliancy and DA. De-regulation of personal data and thereafter de-regulation of what kind of data has been shared across and excessively to. It has become significantly impactful for the areas of governance on the US side, where it started, and the idea around the Do Not Track Act was our equivalent on the Canadian side of PIPEDA, which we’ll discuss shortly.
The idea around business impact was, who was getting access to data and what available information. One of the key aspects of business impacts and application is whether you are an organization that is in healthcare, what we can call a service provider or the provider, or you are actually dealing with organizations such as yourself, I.T., or software vendors, cloud providers. They are also considered what we call business associates, and in that term, by default, any client or any vendor dealing in healthcare is now mandated under HIPAA and also shortly in PIPEDA as part of next year and also part of this year. Now this year business associates will have to mandate access and security of data, what we call specific to three terms – CIA – Confidentiality, Integrity and Access.
And these applications were developed for HIPAA around what? They were developed for access to your personal demographic data – your blood type, your actual residency information – that extends to who was getting access way back, when, and how they were actually storing it. And they have widespread implications from not only a data protection perspective but also a data access perspective.
NEIL DAMANIA: Moving on to the next control board that we have from the Canadian side, which will be the PIPEDA.
GOLDSTEIN RAMBALL: Yes. The same idea around the origins of PIPEDA was essentially the concept. It was approximately, if member search criteria are, almost ten years apart from the original status of when the US started to legislate a lot of HIPAA compliancy. In the past twenty years, especially in the last fifteen, that has taken a significant uptake on who is actually getting the governance around what organizations and healthcare organizations and the government and Healthcare Canada.
Healthcare information, access and providing information of services across Canada. And, how access is being originated and accessed. Now that has created a lot of legislations and bigger part C 16 ruling has been relaxed and the latest bill has been taken. And, now what we are dealing with now is the wording on that perspective. Given our political landscape, it will be very interesting in the next few weeks to determine what that next four-year term is going to look like.
But the idea around the base rules of access to data, the integrity of where it’s being stored and how it is going to be accessed is always going to continue to become a paramount record. EMR is a great application – Electronic Medical Record – how and what the data is and where it is stored and how it is being accessed.
Now on the I.T. side, our Information Technology and Information Systems perspective, but also onsite local storage, actually how’s your data. That kind of trends into your PCI, that is your Payment Credit Card Industry for your e-commerce applications. If you are PCI compliant, creating and storing your credit cards is not allowed. It has to be shredded and has to have a certain process and types of shredders to go through. The same thing actually applies to PIPEDA and the healthcare environment as well. Shortly we’ll be seeing a lot in the accounting and the legal world as well – in those particular verticals.
NEIL DAMANIA: Now moving across the pond to what I think will be the most stringent one out of the three, which would be the GDPR.
GOLDSTEIN RAMBALL: Well, in fact they are. Kudos to the Europe and EU side of things. Where they are on the European side, they didn’t go to a lot of facts, in fact, while transcribing all this. They’re actually one of the strongest organizations that are actually creating a lot, not just on healthcare, not just on access to information, but also from a consumerization perspective. So, how and what is being accessed regardless of verticals – the General Data Protection Regulation is how consumers are being protected and how the providers and business entities are going and regulating this information. So, you’ll see a lot of business impact, and how old school was just taking things down, a piece of paper, emails, sending them back and forth. And that’s actually gone away.
And, they have also gone further into what kinds of tracking information were available for what I know, what in business intelligence we call big data. These are the aspects where there’s a lot of room. We get around Facebook and the AWSs of the alternative capture log. This provides better services. They are based on giving (as a consumer) access to larger organizations and governments unknowingly.
So what they did is they brought together a regulatory body and a process that was able to ensure that not only the consumer, the end user or visitor, knows what their rights are, but also things as simple as, when you’re on a website, things as simple as “we are tracking your cookies”, etc.
The idea today in phase one of GDPR is a lot about knowledge, a lot about education and awareness. And how that goes forward is the application, website development, access to data: does the consumer actually know that they are giving up all this information, involuntarily or voluntarily? That, of course, we’re going to see.
NEIL DAMANIA: So, that’s every website we go to and we accept, ‘Yes’. The root to that is from GDPR.
GOLDSTEIN RAMBALL: That’s correct. They are the instigators and they’re doing wonderful to start and educate the environment.
NEIL DAMANIA: Excellent! Hopefully, we’ll see a broadened security paramount from that.
Now almost thirty-eight percent of global organizations claim that they are prepared to handle a sophisticated cyberattack. But we have seen time and time again that vulnerabilities will come into play, and we will be highlighting, from a very high level to a very granular one, how shady characters will be able to access your network.
GOLDSTEIN RAMBALL: Really, where we look up for the areas of applications, areas of access. So really, we’ve taken the time to segregate the GRIP I.T.’s perspective on how we are handling, dealing with layers of application and layers of security. And we’ve really created two pods here. So, one is on the infrastructure side.
Those who know me, know me well. I always boil it down to two aspects of the bucket. So, one is the I.T. side, the information technology, the information hardware, and the IS side, which is the Information Systems, the application level, programming. On the infrastructure side, we always continue to, we always want to break these into two perspectives to keep security manageable in the conversation. Otherwise, the security becomes very tacky or becomes very dry, where people are not really interested in understanding what the risk is, what the criteria are to mitigate that risk.
So, what we’ll have here today is the infrastructure side of getting secure. You have to understand that you have DDoS – Distributed Denial of Service – which is where you have an infrastructure where somebody can hit your traffic, your Internet pipe, create a lot of intrusions by going onto, whether it is browsers or whether it’s going to creating partners of searching. By just going to a website, for example, or access to USB which is not protected properly. These layers of infrastructure penetration occur, even from getting emails, which to a certain degree we’ll also talk about on the application side. But also, from access to physical infrastructure. So that becomes an issue and concern. How do we stop that – that’s the discussion we have usually with every organization.
On the application layer, when a user goes out to a website through their network, whether it’s at home or whether it’s at your office directly, or what we call a VPN – Virtual Private Network – to go out to the Internet, whatever type of application gateway, filtration systems are available in your environment today. And, what levels of misuse are there from an employee-employer relationship. So, these are the conversations that we started two years ago, but these are the four main areas between the buckets that we typically use.
NEIL DAMANIA: Excellent. Now, as scary as it is – somewhere around sixty-eight percent of breaches take almost five months for the admin and the management team to discover. So, it’s something that happened five months ago, and now we only see the impact of it. And, with the new regulatory boards that do come into play, there is a shorter window of time in which any end-user impact has to get notified; it is much quicker than five months.
GOLDSTEIN RAMBALL: That’s correct. Why does it take so long?
NEIL DAMANIA: I’m not sure.
GOLDSTEIN RAMBALL: Well, small business or large-scale enterprise. It’s relative. So, work in the teams and understanding how to remotely monitor and maintain your architecture. If I come to the system that comes with pair one key, whether you’re a two user, twenty user, two hundred user group, two thousand user group or twenty thousand user group, there are different layers of architecture that need to be addressed to provide these types of monitoring and pick up on these things much quicker.
NEIL DAMANIA: So, the other two ways that shady actors can come into the network are through social penetration and data penetration.
GOLDSTEIN RAMBALL: So, this is more specific and a deeper dive into the hindsight of things, as we call it Information Systems, as I call it. As we are now looking into social media, identity theft. Many of them are in attack, as we are essentially in the situation where you go to a website, even with the trap that the data that goes from your work, from your device, out to the Internet and back can get hijacked. These are man-in-the-middle attacks, and there are ways hackers can do this and piggyback on the data transits and data information.
And this is why you may have heard a lot of buzz around when data is in transit, it is when it is at rest. And, when it is at rest, it’s when it’s still encrypted. Typically, before three years ago, some of the data was never encrypted at rest. And, this is where the vulnerability came in from and the mill attacks as well as social engineering, going to the Facebook, hackers start their I believe or not to gain access to basic accounts and then start to abuse that from up work perspective of authorization.
Same idea of data breach. This is a lot more sophisticated. This is where we are talking about how to handle access to what we call, in our buzzwords, DLP – data loss prevention: when do you monitor that, when are you knowing – Oops, by the way, I sent off an NSI number for a client in an email. How do you track that? And is that good or bad? I mean, is it allowed? Yes, it is. No, it’s not. So that’s what’s on PIPEDA compliancy.
Same thing with the sciences. So, healthcare numbers, we know driver’s licenses, this is all personal demographic data that is not being encrypted and is sent by email. So how do you monitor that? You know, how and when somebody does get that information, how can they end up with it?
So, identities have become like that. And, and certainly, you know, from data penetration comes the idea around malware. We're going to bring this back to things like the recent trend of a ransom. For example, ransomware, as I'm sure everybody has heard about, locks down, encrypts your profile in nine times out of 10, you really, even if we never suggest paying the attacker. You know, where and how do we as an organization protect you from that? You know, those are discussions that are very important to have with your provider or for us that matter, because that does lead to corruption of data.
NEIL DAMANIA: Well, that's a, that's a good segue. We've heard the doom and gloom, but it's not all bad. Now I think it's important for us to also highlight how we prevent these disasters from occurring. And one of the rules that we always hear, I have heard at GRIP I.T., is to always have a plan.
GOLDSTEIN RAMBALL: Uh, yup. Like my, my grandfather used to say, 80% perspiration, 20%, uh, sorry, 80% planning, 20% perspiration. So, a lot of what occurs when you work with our organization is how we plan this and actually emulate and prevent certain things from happening.
So, thank you to Neil for putting this slide together. Of course, you know, we talk about disaster. There are three levels of disaster act – vandalism, software corruption, hardware corruption. So that, that would be kind of how we start to work about a DR – disaster recovery process. Or, now the more important discussion is around business continuity and containerization above multi-cloud approaches that we'll perhaps talk about now in the session.
But how do we do this? How do you today? By 100% certainty, you have your provider or your internal I.T., you have a greater asset man, MA inventory system allowing you to provide a protection right to the end point level. This means not only from the server protection for antivirus, etc., etc., but also right down to the desktop or mobile level.
You know what is a plan in place for training? Educate your staff on a quarterly, semi-annual, or annual basis to say per year. The threats of the system and the environmentally click on not like.
Is there a system that you provided this if you're governed like us? Because we are SSAE 16 II, environment and we are actually externally audited for all of our security and our vulnerabilities as well – Where we have to, we have time to mitigate and remediate the risks. So, we provide that situation right down to the health care level as well as from the legal perspective is – what kind of compliance here, we are doing for document management systems. So, if you have regulatory bodies, you are hard mandated to provide a DR and VC situation.
Can we help you with that? Absolutely. Because what that stems from is really a trust threatened risk assessment.
Where are we vulnerable and what other tasks can remediate those processes. So that's where we start and we create a plan in, in troubleshooting and sorry, determining, enacting or if you have an external, bias, or unbiased perspective from an external audience. Auditors such as ourselves to come and say – okay, perhaps you also need to consider this as a vulnerability risk and create that as a part of your disaster recovery plan.
NEIL DAMANIA: That's a, it's a good plan to have. And when an attack does occur, whether it's from an internal or external front, it's time to implement that plan.
GOLDSTEIN RAMBALL: That's correct. And so, what does happen in a situation for disaster, with a disastrous scenario? There needs to be a handbook in place. Now, you may have 20 users or 10 users that say it's overkill, um, or you may have 200.
And it may not be as defined as it should be. When a disaster occurs, there's really no time for you to think through the process. It's more, more typically a time to react. The natural reaction is, when somebody sees a fire, there are two things that go through their mind: escape or put it out. And, depending upon what your role is. And can you think clearly during that time? And that's the key thing, as humans, is what happens when the disaster comes to you.
You know, there's a lot of emotional aspects tied to the fact that you are trying to deal with a scenario. So, the key ideas to not notify it, assess and audit, um, thereafter you're going to instigate or initiate the disaster recovery business continuity plan with the agreement with management or leadership and then start the rebuilding process. Sometimes it could be two days, it could be two months, depending upon the level of disaster that you're dealing with.
So that needs to be really now in a government us, right in that governed, uh, audited environment. We're mandated to have a binder that allows and shows this. So that's where you need to have that plan. You need to have it tested and you need to actually practice it at the very least, at least once a year.
NEIL DAMANIA: So, an organization should be performing a mock attack, whether it's from an internal or an outside actor.
GOLDSTEIN RAMBALL: Correct. As well as, um, you know, whether it's an attack or as disaster, they're really in that same bucket, I think.
NEIL DAMANIA: I think this gives us a good segue in terms of, uh, understanding where the state of the, the, the land is in terms of the security and as well as ensuring the safety of our data. But where are we headed as a whole industry in terms of cloud.
It is expected that by about 2020, 83% of the workload will be run on the cloud. It is important for us as organizations, small, medium, and large, to invest into the future.
GOLDSTEIN RAMBALL: That's a very important, and I think I may have to battle that. But, you know, we're talking into a lot of environments today. This is typically, you know, the 50 to 400 employees or group that are starting to look at even some of the smaller the sub 50 groups are looking at this. And they're saying, you know, they consider themselves small. And that's such a relative term in my opinion.
Um, whether you're so-called small, medium, large, really the approach to cloud is very important because a lot of environments understand that there is a requirement to stay on the fact that – Hey, I need to be focused on some level of cloud services because that's where everything's pretty much going. Uh, yes, you're right. Um, we're, we're almost there. I think that number, um, it's obviously statistical information that's kind of high.
You know, it's a little over 80%, so that 80/20 rule is out the door. And I think what's going to happen, and what is already starting to happen, is we get these conversations quite often nowadays: well, I've got Microsoft Azure, oh, I'm in the AWS cloud.
Right? Well, what's also happening is that there's a significant start-up disconnect of support and services between the organizations and organizations such as ourselves that are tier three, that are data center owners up here, that have these services, actually providing what we call a multi-spoke, a multi-cloud approach.
So, you know, they are looking at diversifying their risk onto multiple clouds. So, the advent of what we call in our world – cloud containerization – is using Kubernetes or OpenStack to integrate, to do a transition between different clouds. This actually becomes a very strong point for the mid to the 50-plus user groups as to managing their costs, ultra-managing the type of service agreements they have in place.
NEIL DAMANIA: It's very interesting. We were just recently at the show called TLOMA, and there were a lot of conversations that we're going to be highlighting in terms of the questions and misconceptions as well that were had, specifically related to cloud. So, some of the questions that we were faced with, we'd love to debunk, right, is that the cloud is not providing us security for my law firm.
I think one of the most important factors for that is that data centers typically have a lot of stringent policies in place on multiple layers, from the redundant security policies to as well as the duplication of the servers – whether it's on multiple sites or throughout Canada. Or, it could be the States that are looking specifically at vendors that are Canadian army.
It's important to ensure that there's multiple locations for that.
GOLDSTEIN RAMBALL: Well, let me take that one step further. Rather than using the word data center, I think it's more about the cloud service provider at this point. So, the cloud service provider GRIP I.T. owns and operates their own certified tier three data center, whereas we know all the data and the data routes reside here in Canada. So that's a, that's a big thing for most of our clients.
Now the differential between us and your other service provider is we have end to end point visibility on where the network routes are, what the data and transits are encrypted.
Yes! And we're not looking into data, but they're encrypted and then on the routes. And that's an important part.
So, filters, so how does a cloud service provider and a data center operator combine those two?
This is, I think, one of the biggest unique offerings that GRIP I.T. has today. We're one of 22 organizations in Canada that actually have these types of certifications. It's a culmination of not only a data center operation as well as the cloud service but a provider perspective.
Now our focus is typically never on what we call co-location as a data center operator, but actually as a, a hybrid and virtual, a hundred percent virtualized environment where it gives us the ability to provide additional, like you said, triggering of alerts and filtering of data should you have a data compliancy loss or breach. So those are things that become very important in understanding how, who is your provider and what are the steps they're taking to enact these types of transits of traffic and data.
It's not just hosting your server; it's not just hosting your website. It's actually getting down to the brass tacks of, well, when this application is sending this data out, how is it, how are we protecting ourselves against it? And those are the questions that are important.
NEIL DAMANIA: One of the other questions that we got to was that the cloud is a passing tech trend. I had a greeting. Yeah. I had a few agreed. The beats of all, why that conception was, and I think it's completely the opposite. I think it'll be the new standard.
GOLDSTEIN RAMBALL: I think I can see their viewpoint from one perspective. It's again, the size of the person's organizational abilities. They might not see a 10 or 15 user group, may not see that the cloud is the way for them to go. There might be a case be made for that, but also for a hundred user group, that might also be the same case.
What's important to understand is that our cloud is not one size fits all. And, and as you may know, uh, of course you know this, Neil, but as most people actually that are on this that we've talked to in the past have known, the fact is that we're not just about 100% cloud, we're actually a hybrid and private cloud provider.
And it’s a, you know, there's three buckets here and that's, I think we're going to be discussing that at a later stage, but really, it's a matter of hybrid cloud, public cloud and private cloud.
What do those mean? How do we get into that? And I think that would be a great conversation for education, a forum for discussion and for determining what is the proper approach for that, for that individual or that entity.
NEIL DAMANIA: There may be a quick to stay, but I think it's now becoming more of a topic of conversation and I think it's perceived that it's a very immature technology. But I'm sure you can highlight some of the history that's around it, that it's been around for more well past the decades.
GOLDSTEIN RAMBALL: Well actually a, yeah, no, it started way back in 1962-63 roughly, where we had something called mainframes. So, you know, cloud was really started in a situation where, uh – well, virtualization, let's start there. Where we had our computing segregated in three layers: processing, RAM, and then storage, and that is how the mainframes actually were. And, I'm dating myself now, but that's how it started.
And we had, I mean I remember, well we had a room that filled up what we take out and like have a computer or laptop today. And what ends up happening in that perspective is that we really condensed the type of microtechnology available to us today.
What, where am I answering this? Computing has evolved significantly, but the cloud is from certain aspects of glorified VPN. Yes, and or no, the answer to that is yes, it depends upon what you consider cloud and how you define cloud.
You know, it's, everything from an application is true cloud where everything resides in the cloud, which means that in somebody else's environment. You just go to a website, you log in and you get your desktop, which is called Visual Preceptor Processing, or you log in, you get your applications in the way you go from a web portal. That expansion, that's it.
So there is those aspects of how we consider cloud, but there's also certain older legacy software that says to us that we cannot provide or we can rather provide, not necessarily a true cloud experience, but you still have to remote desktop and so that you can access your legacy. So, one size does not fit all.
But, computing, cloud computing has significantly advanced, you know, technologies even as voice over IP phone systems have significantly in drum and bass in the last 10 years – compared to what they would consider immature.
NEIL DAMANIA: One of the more interesting ones was the attendees that we spoke to at the show, they were, they were quite content in the current infrastructure that they had. Whether it's specifically related to physical. Do you think that there's an important choice to be made at a certain parallel that you have to move over as opposed to staying to just the physical hardware?
GOLDSTEIN RAMBALL: Great question. I think the, and it's a challenging one because of what has happened. I ended up having a conversation more about the infrastructure as a service. If comments like that typically comfortable our financial people, you know, where we're happy, not necessarily service-oriented or service related from a service level agreement.
From what we call the environment managed service providers today. What that comes a traditionally, if you dig down and remove or all the hooks and anchors out of that remark is typically around its situation of balance, of financial, uh, abilities to deploy those types of services.
The question really becomes is your infrastructure well enough, and you ask these four questions that we've always asked is, what was your BCDR plan? Have we tested it? You know, like you said 80 was it 83% of them, sorry, 68% of them said they have one, but they've never tested one, for example.
You know, that's a high percentage and this is a continuing code, a discussion that we continue to have. So, even from an auditing perspective, we're doing a lot of penetration, cybersecurity tests of vulnerability assessments for our clients. And people at TLOMA and, and our legal industry that understand that well, that may be well enough, but is it an unbiased review of that approach to what well enough really means.
NEIL DAMANIA: Now if they do decide to take the plunge and kind of make that migration in terms of the transition from going to a physical to a private or hybrid environment, how, how difficult is it?
GOLDSTEIN RAMBALL: Oh, if it's not done right, it'll blow up.
NEIL DAMANIA: So once again, planning for success.
GOLDSTEIN RAMBALL: Absolutely. We again talk about approaching this in actually not two, but three different layers.
What's the infrastructure like today? What's your security like today as far as the gateway, perimeter security, on the servers and endpoints? And then the third part is your application: what is your application? Then what's the workflow? And the question becomes, what do we do? "Cloud is great, it is a piece of cake." I differ; that's not quite accurate. It can be, but it has to be done correctly.
NEIL DAMANIA: Now, one of the benefits of having a cloud environment is that your data is stored in environments that have manned, 24-hour monitoring of the application and of your data to ensure safety. Would that also include support?
GOLDSTEIN RAMBALL: Well, absolutely. Absolutely. You know, and that's the difference between perhaps a situation where 24/7 NOC support, monitoring and maintenance comes into play compared to, how well, I mean, I would love to say "trust me," and I'd love to say, you know, I show up at nine and leave at five, and the hackers work from 9:00 AM to 5:00 PM Eastern time. There is no such thing from that perspective.
You know, we have multiple countries where we have confirmed the sources of a lot of these attacks, and they're not in our time zone. So, that being said, yes, we are responsible to monitor.
I mean, as GRIP I.T., we are. The traditional trend is that the MSPs typically outsource a lot of that to wherever they're purchasing their services from, and they don't necessarily get that direct heartbeat, if you will, right away.
So that's where potentially a lot of these five-month delays in identifying the breach actually come in.
NEIL DAMANIA: Now, as we had highlighted before as well, managed cloud providers are the number one reason for data breaches. I have heard that statement a few times from the attendees, and in a bit of research that I did, I actually found that it was more the end-user who was the cause of the data breach, or the warranted issue.
GOLDSTEIN RAMBALL: Well, okay, fair enough. I see both perspectives. I can say that, you know, tomato, tomato; not really. What you find with cloud providers from a public perspective, and somebody like us as hybrid private cloud providers, is that on the public side you've got the Azures, the AWSs, the Office 365s.
You know, what they're doing is they're providing a said service, but they're not taking the full responsibility or the engagement process today of dealing with the client where these data breaches can and will occur. So, they're only responsible to host said services, whether it's data, whether it's the application, but it's the end-user's or the client's responsibility how they get access to it and to manage what kind of data is there. Right?
So, it's a 50-50% responsibility perspective, from the fact that the cloud provider is providing the services. Now, where does it say, unless you have a line item saying, you know, a hundred percent responsibility for security and data loss, how does that show that this is a responsibility of the cloud provider?
This is where somebody like us comes in, and we are able to fill that huge gap around data loss, access to data, and what the security requirements around that are.
You know, there's something called virtual private servers. We have clients that have in-house I.T. that want access to their servers and they will manage their own security. As a cloud provider, we're not at that point responsible for a data breach because we weren't tasked with that.
So, it's very important to understand who's responsible for what and at what level. It becomes a little bit detailed, but it actually gives everybody a sense of responsibility.
NEIL DAMANIA: And that provides us a good segue in terms of ensuring that we have a full review of the workflow that does happen once we do migrate over.
GOLDSTEIN RAMBALL: Correct. I mean, again, we also do software development, and what happens in that perspective is very simple. A similar type of software development life cycle is that when we create application security development life cycles, it's really testing.
We're staging, sorry. We're developing, we're testing, we're staging, we're testing, we're deploying and we're testing. So there are four cycles in that, and we follow that before it goes to production or goes live. Yeah.
So, the workflow becomes a very important thing, and I think what we're working on today is understanding what kind of file share, who can have access to data. You know, the five W's and the H, right: who, what, when, where, why, and how. It's when we deal with those on a component level for each of our clients that we're actually starting to address the aspect of security awareness, but also how they are accessing, so that we can educate or say, you know, this is not going to work securely.
NEIL DAMANIA: So, it's not necessarily preventative. It's more of an education in terms of making the right decisions, from the time that you started your work with the first email to the last email.
GOLDSTEIN RAMBALL: Absolutely. I mean, and you mentioned this earlier, this is why we make sure that, from our team, we educate our clients at least once a quarter on what the new issues are and what to be aware of. You know, clients, regardless of size, should at least have an annual perspective, or a year-end response, a year-end review and a year-end forecast if that's what they're going to do, because security and threats are always evolving today.
So, that's great. And then really where I'd like to look is how we are dealing with those types of discussions today with our clients, with our cross-clients, you know, clients that work with us and vice versa.
At the end of the day, what we are, just recapping this, is 20-something years old. We're almost celebrating 24, 25 years soon. And, you know, that's a great milestone. Our environment has grown from a base, starting with infrastructure, networking, cabling, which we still do today.
You know, we do IT relocation when we have clients moving in; we take the whole nine yards of project management, of delivery, of infrastructure and architecture from point A to point B. We get right into, you know, the software development, creating multiple pieces of our middleware.
But we're also recognizing that, whilst we might be a data center and cloud operator, we're another acronym. A matching one would be an ITSP, which is an IT solutions provider.
And at the heartbeat of all of our guys, whether it's sales or tech or somebody like myself, we're always focusing on dealing with how we can ensure against the gaps and the threats in cybersecurity.
So, things that you can envision and cannot see. And those, the physical access to data and architecture and infrastructure, become important, you know, and how can we actually control that?
So, I would say 95 to 97% of the environment, if you have outsourced it to an IT company that does everything for you, for example, today a good chunk of that they're outsourcing themselves, right? And they're just focusing on where they can look at filling some of these gaps.
What we've taken that step further for the last 10-plus years is building our data center and creating that certified compliancy. Look at us this way: we are talking about SSAE 16 certification. Everybody knows what ISO 27001 for security is. ISO 1001 for compliance is where that is for the I.T. world.
NEIL DAMANIA: Now we'll open up the forum for any Q and A's that we do have, and for all the attendees, we truly appreciate the time that you've invested in this knowledge speaker series. I'll leave it to the admin, but for now, I'll put on the splash screen.
GOLDSTEIN RAMBALL: I agree.
NEIL DAMANIA: So, just give us a minute as we tally the questions, and then we'll go ahead and start asking them as they get fired in.