Duration 44:42

Citrix Synergy TV - SYN231 - Architecting the workspace for high security

Kurt Roemer
Chief Security Strategist at Citrix
Citrix Synergy Atlanta 2019
May 23 2019, Atlanta, GA, United States

About speakers

  • Kurt Roemer
    Chief Security Strategist at Citrix
  • Mike Nelson
    Solutions Architect - Microsoft Solutions at Pure Storage

About the talk

Topic: IT

Optimizing productivity and user experience for highly secure environments is not an easy task, especially when highly privileged users can be easily impersonated by bad actors. Attend this session to learn how to architect a workspace that dynamically manages contextual trust across the endpoints, networks, clouds, apps, and services that must operate at the highest levels of assurance. See how analytics and augmentation provide greater visibility and control, and explore design considerations for a workspace that balances security and experience for the privileged user. Note: This session will be available for on-demand viewing post-event on Citrix Synergy TV.


Good afternoon, everyone. Welcome to the session. We really appreciate you coming out and if you're in the right place, that's SYN231, 00:04 architecting for the workspace for high-security. My name is Mike Nelson. I am a solution technologist with rubber. I am also a 00:14 Citrix ETA former Citrix ETP. Welcome to the TTP Community that's here today, and I'm almost 00:23 as your advisor with me today. Thanks, Mike. Hi everyone. I'm Kurt Roemer, Chief Security Strategist for Citrix. 00:33

My journey was Citrix began back in the early 90s as a customer. I was responsible for rolling out the Citrix environment and integrating it with iOS 00:43 to and doing all kinds of fun stuff after 4 years of that moved on around the services Organization for net frame the big super servers 1/3 of our 00:52 business was running Citrix on those switch was tremendous back in the day Randy consulting firm that specialized in Citrix is one of our practices 01:01 and along the journey. That's where I met Mike. We've always talked about presenting together and this is the first time we're doing it here live so 01:09

so great to be here and just so everybody knows you can hash tag for the session. If you feel free to go ahead and and 01:16 tweet this out the Citrix Synergy future of work. I'm you can always contact me on Twitter at nail media says he's a little bit too old for that 01:25 Twitter stuff. So Place for everyone today. There's a brand-new ebook out on helping you to 01:34 Envision the workspace when you go back in your sharing this information with your with your team with your management in particular your line of 01:43

Business Leaders. This ebook is very focused on explaining the business the value of the work space and expanding on a lot of the concepts and use 01:52 cases were talking about today. We're also going to have some very deep architectural content back behind those. So we're releasing very soon. So 02:00 you're in the right place to to get a great intro right? And I'll also like to introduce our third who is actually a virtual guest 02:07 presenter. Her name is Joan and I just to give you a little background. I had the opportunity to interview Joan for different areas 02:17

of a topic areas around security and such but she was graceful and allowing us to ask him specific questions and get her feedback from a 02:27 Christian perspective. introduce yourself So my title is a 02:36 systems analyst I work in health and human services for a local government. I'm actually an IT person that's located within the business 02:46 unit of Health and Human Services. I've been there for about 20 years and I've been doing what I do for about 30 years. I'm working 02:55

basically for seven different agencies within one Department. I am a HIPAA privacy security compliance officer. I'm responsible to ensure that staff 03:05 within the department have the appropriate minimum necessary access to information both verbal written and electronic within all of our local 03:15 application as well. As over about 60 State applications has quite a bit of you know, security responsibilities 03:25 not around just users but also devices and now will get into a little bit about the you know, the workspace. 03:35

Microsoft recently introduced the second Frameworks and where do the Defcon framework different levels and when you look at this 03:44 you realize that there's a lot of varying security responsibilities within most organizations ranging from Fairly basic security needs up to the most 03:53 stringent security needs the people who are managing your keys your certificates. Yeah, your domain administrators or Cisco administrators other 04:03 things along those lines. What were focusing on today is talking about the privileged portion of this chart and so one to show this job helps 04:11

to frame a lot of lot of the discussion out. We're going to focus on some of the things to help your most privileged workers. Write to go from here 04:21 with saying that with you know, the same with great power comes even greater responsibility. Right and this can't be sure then when you're dealing 04:29 with a privilege workspace because if you think about it, not only you if you're in this situation where you have this privilege, which I'm sure most 04:39 if not all of you. Do you know you have unwilling power over things that you can control from the user's perspective Vice applications data. So on and 04:47

so forth and what you need to do is you need to understand that anyone also that can become you or impersonate you also will have that power 04:57 and it's it's it's important to understand that it's important to understand how wide that that privilege can go. So we're going to do is 05:06 talk a little bit about that. If I became the bad actor, given my current privileges I could delete, I could edit, 05:15 I could copy and I could sell a whole lot of information about every consumer that has ever entered our facilities 05:25

both their family information medically and financial information. I could print off every social security number and all the medical 05:35 diagnoses on every client that has ever come into our facility and I'm pretty sure I could probably make pretty good dollar in the black market 05:45 with that information. This is a real person. This isn't someone reading a script. I think it definitely qualifies as privileged and you'll hear a 05:54 little bit more from Joan but it's not just about locking somebody like that down so that it makes it almost impossible for Joan to do her job in the 06:03

rest of us. It's about really making sure that we're balancing security productivity and cost and being able to dynamically dynamically balance those 06:12 two battle. We've got the best experience at all points in time, but we're protecting very sensitive resources at the utmost level one. We need to 06:20 write so this is frame up a little bit while we're going to be talked about during the rest of the presentation. We are going to be talking to 06:29 different aspects defining and defending okay privilege as as we talked through that you're going out you're going to see the different aspects that 06:35

I'm going to be looking at the privilege workspace and how to actually design it. Then contextual trust if it will explain that a little bit will talk 06:44 about how to dynamically manage that then we'll go on to what Kurt and I put together. He has some thoughts tools techniques so on and so forth 06:53 for optimizing the security, productivity and the cost. Okay, so we're going to start with a fairly basic definition what is 07:03 privileged and I'll go ahead and read those cuz it's a little small up there on the screen privilege is defined as a special right advantage or 07:13

immunity granted are available only to a particular person or group. All right, how 07:21 many members are gone. It's interesting. 07:26 When you look at the definition of privilege doesn't always match through to what we think it is. Let's explore that little further 07:35 who is privileged. Right? So we're to look at who is actually pretty as you look at yourself you look at the the folks that you work on on your team. 07:43 The people that are around your department your organization. It's not only in that area a lot of folks tend to kind of compartmentalizing 07:51

containerized it into just you know, your your immediate your media teammates and such but it goes beyond that it goes outside to go to third party. 08:00 External worker even going so far as Auditors internal external board members don't even know that actually board members have privileges that could 08:09 affect, you know, your users and your data and so on this test is anybody who has responsibility for people process 08:18 technology or strategy at a material Level is privileged. Okay, take a 08:28

look at this list not going to run through this because I'm sure everybody in this room is familiar with things in around here. But one thing I bet 08:37 you haven't thought about. How to beat the by Your Privilege Workforce, are you doing anything different for your privilege users to help address a 08:45 lot of the threat sit around this list. NFL why not? We really should be right. So we've got to think about that but 08:54 we can't make anything more complex because complexity is not just the enemy of security. It also deeply affect productivity and costs. We got to find 09:04

a way to address this book makes life a little more easy to manage. Let's hear Joan has a situation that she she has we did have a situation occur a 09:13 couple of years ago where a user clicked on something in an email beyond that something brought ransomware into our environment. 09:22 If something like that had happened with my login, it would be devastating right absolutely would be devastating anyone in this room you can attest to 09:32 that it would be devastating to to not only you but the organization in the people anyone that's involved. So in that scenario having an actual, you 09:41

know privilege workspace defined is critical. So when you take a look at this, how would you architect a privilege workspace? Okay, think about that. 09:49 How would you actually start even conceptualizing a design of privilege in the workspace? It has to be to buy so we're going to hear another example 09:58 scenario where privileged workspace could be created and security could be situationally aware. He can be contextual and automated. 10:08 I have the ability to have access to information that no one but our director has access to as well. I have the requirement to do 10:18

background checks on all of our staff all of our physicians as well as our managers and our director as a result of that I have access to driver's 10:28 license numbers Social Security numbers and highly confidential information as well as the results of those background check. I find that incredibly 10:37 interesting. I really do because if you think about it the amount of information that she has just dinner daily job and doing this types of 10:45 Investigations and background checks and such like that in a government situation in a public sector type situation that can be almost unnerving and 10:53

is it really something that you know you want to do? I don't know if I want to do that now, you know, so I give her a lot of credit for that end of 11:03 the extent of the secure information that Joan has access to you know, as well as how high up the chain and goes How high does it go? How how much 11:11 does she information does she actually have on elected officials? Okay, things like that to me from a security aspect. That's 11:20 something that just has to be that has to be defined it has to be that, you know put into some kind of a process in a container if you will in order 11:29

to exercise the privilege UK. What I want to do is I want to take this a little bit differently. So my history is I've been 11:39 in it for 35 some year long time, but I started out and I was actually a part of a break-fix part-time break-fix type scenario 11:49 and then I moved your system administrator. So what I like to do you through a little bit of what I went through as a system administrator and some of 11:59 you may experience the same things if we have a lot of this admins virtual admin Citrix admin, I'm not sure if we haven't even really see levels or 12:07

management in in the audience. I don't know if you want admit it, but you know, okay so good. That's good to hear. So I 12:16 started out, you know as a young sysadmin. Okay, this is actually my my 12:25 son. My oldest man. Next week. He is graduating high school and he wants nothing absolutely nothing to do with it, 12:34 which is you know, kind of a good thing and a bad thing really, but this is my home office as it stood 20 some years ago when I started to work for 12:43

a tax and accounting firm and when I take a look at this I think back because the things that I would do remotely, you know via modem dial up at 12:53 that time, but I would be able to access that data and be able to bring it in my home office and I would actually have that information in my home 13:03 office. So I started to think about how I actually tried to secure my workspace secure. Let me lose. My son could access the information 13:10 wasn't secure at all. Really. But I'd like to take you on a brief we know walkthrough of the experience. So 13:19

you really given the keys to the kingdom, right? That's that's what you're giving and these Keys unlock so many different doors. They are unlocked 13:27 so many different privileges. They allow you access to things that you know, sometimes you don't necessarily want access to kind of like and somebody 13:37 might relate this time like images in your head. You just can't forget that you don't want to have in your head because you know, you see here and do 13:47 things that you know have a history trailing and may affect other people in different ways. And it looks like all those keys and access privileges 13:54

just accumulating are not taken away forever. They keep on growing because people just throw them at you know, they're 14:04 like, oh you take care of security here. We bought this you can take care of that you bought that you can take care of that but also one thing that 14:13 really really got to me as a sysadmin. Kind of cross boundaries. It kind of went into my personal life. Not just my professional life and that the 14:20 reason for that is because like I said I had information at home, right but I was also had information when you like an interpersonal Communications 14:28

sitting down talking to someone having a beer with somebody or something like that. You never know when something, you know might slip out something 14:36 might you know, we might get another conversation about something and I didn't have any boundaries around that back. Then there was really No 14:43 Boundaries around it. We have a security was like there was no investigation when you know, we never did any investigation may be in the larger 14:50 organizations. Obviously they did but in smaller shops, they never really did anything like that. So it when you think about it a lot of what I did 14:57

was quite honestly acting like a Cowboy until kind of shooting from the hip and hope I get something that's about you know, what my job was when it 15:05 came to security So in the Kingdom okr proves extends to a whole bunch of different objects, when you're talking about objects that are around 15:12 all of the different things that you interact with the people going from the home down to you know, that even the recycle bin 15:22 audio male communication all kinds of different things that that can affect that okay and when you think about all that, how 15:31

do you think about it compared to what some other people think? Okay. So when have I was going to get asked you what is the definition? What do you 15:41 think about the privilege Works Bay? Okay. How would you answer that? Why would around and I asked a few people. I feel really smart people that I 15:48 know not to give me their thoughts on that. What album was Brian who I work with in the insurance industry was a ciso and he said on paper securing 15:56 the privilege workspaces easy part gets the people part. That's hard how many people can relate to that? Really? I mean, it's it's it's really I mean, 16:06

you can put stuff down on paper. You can create processes you can you know right until you're blue in the face, but if you can't get the people 16:15 actually do it, that's the hardest part. That's where you get affected. That's where your you know, you get making steaks and things like that. 16:22 Another one. This one comes from Dennis who is here at the conference by the way independent security consultant and an offer not on security, but I 16:32 need to see he's a privilege causes problems and depending on how those problems are handled. They very well could be career-ending ones. Let that 16:41

sink in for a second. Privilege can cause problems and if you don't handle it, right? Yeah, you could be in a lot of 16:50 trouble or actually, you know moving responsibility to someone like your boss or something like that and then get them in trouble. 17:00 Next up we have open it as a good friend of mine. I'm from Wisconsin. He's a part of the hospital Healthcare. Everyone is 17:09 privileged from the basic user to the seat. What matters is what date is being accessed what app is being used and what physical space they are in 17:19

when it's you that's true. It really is because you have to think about all the different aspects when you're looking at the overall workspace. 17:27 And then lastly we have Mark who is Elite security analyst Consulting Partners security privileges a very Broad and diverse subject with people 17:39 honestly identifying what it is isn't the hard part for me, but getting people to agree on it is so he even took Brian's and took it even the step 17:46 back and said I can write all this stuff up but getting someone to agree that that's what it should be is the hard part. We haven't even gotten to the 17:54

real people pardoned implementing. It's just the agreement on it. What's take a look at how we would design a privilege workspace to help 18:02 address? A lot of the issues we've seen when you look at the design considerations, you have to be able to combine the people the process technology 18:12 and strategy and it's got a bridge both physical and cyber. It has to be very comprehensive because we have physical and cyber Integrations with iot 18:20 with robotics with a lot of Virtualization technology The Sandlot of visualization Technologies, and it 18:29

brings in safety aspects as well. So this really needs to be able to help across all of our usage. And of course it's got to be focused on the 18:39 business. It has to be zero trust from the foundation because if you don't start with zero trust and verify and 18:49 roots of trust and build on top of that you're building on top of shaky ground, so be able to get all the way down to a verifiable root of trust and 18:58 then build on top of it. The next pieces probably though the key point on this slide. It has to not just be identity enabled but also Persona 19:06

enlightened. Why is that? Well, what's identity if you ask most people I don't need to use their credentials, right? That's 19:16 kind of a common definition. We all know it's a little more than that, but often times even if you express the absolute strongest identity in the 19:26 world, what if you've got multiple personas what if you're an administrator for multiple different domain different clouds different applications 19:36 should you be applying the same identity as you make major changes to each of those environments maybe even across competitive boundaries, I would 19:44

argue no identities great, but it's not granular enough. We need to move to being able to manage personas a big part of what 19:52 we're going to be is designing Automation and augmentation into the workforce and Mike's got some really really great thoughts around there that 20:02 that will work on. And another key aspect is resource delivery. We've got to rethink resource delivery right now resource delivery has 20:12 been based on Portals and all kinds of other things. Let's think of a resource delivery in a little different. So take a look at what that might be. 20:22

If you're delivering resources any resource you have one of the four ways to do that you can go direct do is known as native access 20:31 this once somebody go right to the technology you pick up your brand new laptop tablet smartphone, whatever and you go right out to the web your sass 20:41 App Store cloud. The second way to deliver a resource is through a proxy forward reverse content filtering scrubbing rewrites Reader X all the 20:50 great things that proxies do I caution you on one thing here by the times when people think proxy they think Network proxy one aspect you can have 21:00

proxies all over the place including embedded in browser frameworks, and we're going to talk about that proxies are going to be even more useful as we 21:10 move to the cloud. Third way, no big surprise: virtualization. Virtualization allows you to deliver a representation of 21:17 the experience without actually having to deliver the data down to the endpoint without having to push. I'll let HTML every time somebody clicks on a 21:27 new link or hovers over something so virtualization gives us some really interesting ways to deliver resources will talk about that more in a second. 21:35

The fourth way, of course is containerization when you think a containerization to think Beyond just Docker and kubernetes, very important 21:44 container Frameworks. There's also mobile container Frameworks, there is project-based container Frameworks containers are basically for mobilizing 21:54 the experience and they also help to enable an offline use case. So regardless of what resource you're delivering you're using one of these four 22:03 methods today, but I would argue though is you should use a mix of these four methods and instead of determining this when you purchase the 22:12

application or publish the application, you can dynamically determine this based on context and so you can pick the right delivery method 22:21 for the right situation getting you a couple examples of that. One very common example is using the web web browsing 22:30 is really easy. Right? Click on the browser. Go to a resource. Well, that's the way it should be but web browsing is also very complicated in the back 22:40 end most web browsers are extremely over configured. They've got every framework known to mankind built-in from flash Java JavaScript Silverlight. 22:49

You got ad blockers integrated with their other extensions things that you might have plug-ins for other applications. You've got certificate chains 22:59 for your country other countries countries, you might not completely trust But guess what? It's all there. It's got access to your file system. Your 23:08 registry, your keys, your passwords and browsers are completely over configured, right? Big deal. What do we use browsers for 23:17 everything these days they're used from the casual watching a couple cat videos or catching up on some current news 23:25

events to while being able to go through and administer the cloud and cloud resources and then one click be able to create or completely destroy an 23:35 entire enterprise's cloud presence. We have to do a much better job at protecting browsers. So with that is it a quick setup for the slide when 23:45 you look at delivering browser on point run the native one as you see all the way on the left. Typically what 23:55 comes embedded usually it's a very OS embedded browser with a lot of connectivity. I would say that's only used for some fairly low risk type of 24:05

situations increasingly on the device. You can also have a containerized browser and you see that weird things like bromium. You see that with 24:14 Microsoft with what they're doing with Edge in integrating the chromium aspects even see that was a text with workspace app and some other features 24:22 that we've announced this week that help you better containerize the browser experience and make it more specific to purpose. So you can launch a 24:31 containerized browser that only has access to a single application doesn't have all the Frameworks turned on just the ones you need doesn't have all 24:39

the different domain access. Just the ones you need the same thing with certificates. You can make your browser much more specific to purpose now I 24:47 cannot because I can attest to this cuz working on Kirkwood kirtan his presentation. He was using that type of browser and he made that a vehicle. You 24:56 said he couldn't help me create the dark because he couldn't know you have the right extensions. You didn't have all that stuff 25:04 and the data center and you're familiar with that. If you're a Centex 25:09

customer, you can publish a Windows or Linux experience. You can use any of the browsers that are out there and you can deliver this through 10 25:19 apps on desktop. You can go ahead and deliver your virtual browser on top of HVI as well so that it's got hypervisor introspection and 25:29 capabilities to protect that at the hypervisor level and then you can also cloud host browsers. And why would you want to do that? Well, 25:39 sometimes a cloud-hosted browser is a lot closer to the application which makes it faster. Sometimes a cloud hosted browser is within a specific 25:48

region which helps make it more compliant sometimes as well as cloud-hosted browser will allow you to have access to a non-strategic 25:58 traffic things like Facebook that you don't want on your network. You don't want on your systems. You don't want any of that in your lot. You might be 26:08 running a library where you have to have open access within the United States and no content filtering but you know, people are searching for a 26:15 not-safe-for-work material. Why have that come across your network and be in your logs? Why not just have that stay in the cloud people are using this 26:24

for a lot of reasons and it's one of the other options we on the right hand side. Also a lot of the technologies that you want to integrate with these 26:32 browsers so that you got additional security capabilities. And now I'm one that I like to call out. Is web app firewall if you have any 26:42 browser-based portals that are accepting credentials, you know, you're asking somebody to login you're asking for their password their multi-factor 26:51 credentials. Make sure you've got a web app firewall in front of that. It gives you some additional protections to be able to look for people are 27:01

hacking against that site and give you some additional visibility more detail on this web browsing actually had a session on this yesterday with 27:08 Bitdefender that went into quite a bit more detail, especially with the HVI aspects welcome you to watch the recording it out. If you want to get into 27:16 more detail obviously resource delivery applies across everything from Windows and Linux workloads. All kinds of different apps. I want to use 27:24 browsers and I want to use SoundCloud web-based apps cuz that's the future and the future is here, Trey. So we have the five W's of context. Yes, 27:34

we do. So like talked about being able to dynamically pick the delivery method you do that based on context and the context is what I like to call the 27:44 5 W's who what when where and why for every single access request for every single usage request for every single transaction that's significant. 27:53 You have to re-evaluate these five W's of context and make sure that the device is still at 11 o That's trusted enough to be able to perform this 28:03 transaction that the location is sufficient to be able to access this resource live here in the office and you get direct access because you're in the 28:12

office if you're going to be working on an airplane, that's probably going to need to be containerized in most places. What if your workspace did that 28:21 for you and it put information out in your container that because of its situational awareness of knowing that you're working on an airplane is only 28:29 risk appropriate stuff that you should be working on when you're on the plane when we talked about automating the privilege workspace. That's what 28:38 we're talking about taking these aspects of context that previously would have just been a static power login and applying it to everything that 28:46

people do so that your situation is constantly being evaluated part of situational awareness and you're always working in a 28:56 risk appropriate fashion. And by the way, if there's any violations to that you can either just gently nudge the user and say hey I look you're you're 29:06 trying to send something that would violate company policy or did you know that there is social security numbers in the back of this Excel spreadsheet 29:15 you're sending and be able to give them some active coaching without calling out the dogs and turning on all the alarms and sending an HR and legal. 29:23

But when there is something that's a serious violation you now have visibility and do exactly what where and why and you can take more appropriate 29:36 action even automating that that's right. So now we're going to talk a little bit about that. Some of the thoughts tools techniques that Kurt and I had 29:45 come up with that. We think are really important kind of takeaways for this session. We'll start with some of the insight. No, one of the challenges 29:53 that we have is privileged workers these days if we don't always have all the intelligence that we need all the insights to be able to do our jobs 30:02

properly. Give me a little bit of an example, you know, you get up in the morning which one of the first things that most people do. No, not that for 30:10 information you go out and check your news weather and traffic you want to know what's going on what's relevant to you. What's important? You want to 30:19 know what the conditions are what the threat is. Are you going to be able to just go outside on a nice clear day or do you need to go hide in the 30:27 basement somewhere and then from traffic perspective, you know what your experience is it going to be fairly straightforward. Are you going to have 30:34

any challenges working with other people or there certain things that are going to be causing latency your other concerns or what if we built this 30:43 into the workspace and you had intelligent that was curated just for you telling you exactly what you need? New smartphone or ability came out 30:51 yesterday on Adobe Flash. Everything needs to be updated. Guess what While You Were Sleeping the workspace took care of that and said everybody is 31:01 accessing a flash-based app neither patch that for you or we remediated it over by sending you to a virtual session that 31:10

has the Flash Player containerized so that somebody can't remotely attack it. And by the way, the guy who is supposed to update flash for everybody is 31:19 on vacation this week. So we sent it to the next in command. We automatically noticed that sentence here's what's going on in by the way. Here's how 31:29 the remediation is going for you. The attacks are coming in and here's what you need to tell your customers and suppliers. So think about automated 31:38 intelligence. It'll be very similar. I'm sure there's a lot you can think about in terms of threats. But what if you had Direct 31:46

information on threats that were relevant not just to your technology but also to your business, pulled from the news, pulled from internal sources, pulled 31:56 from applications, curated on things that are actionable for you, and if they're not actionable for you or you don't need to make a decision they've been 32:05 automated for you. And then similarly with the experience, how can you make sure that you're understanding exactly what to expect as you're working with 32:14 others, as you're making changes to the environment, as maybe downtime when the cloud service causes some blips? How do you make sure that this is 32:22

handled and any of the constraints are noticed as well? So build this into the workspace and make our lives a lot easier. This is the first and 32:32 most basic stuff, right? And now we have here from Joan here. Maybe not. 32:42 There is so much time waiting for someone else to do something. When if we just spent some time creating the automation 32:54 and did a proactive approach to protect me as well as my employer, to make sure that I have the access and the information that I need at a 33:04

minimum level. It just seems like the right thing to do. So I personally found that that part of the interview that I had with her very compelling 33:14 because she's basically saying that it would not only make things easier for her and her her supervisor 33:22 her management, even her users from an aspect of implementing security. If you can automate if you could bring some of those controls 33:32 and make it easier for them and make it easier on their lives overall. It would make her her professional life and her personal life a lot easier and 33:42

I mean, what Kurt was talking about, automating things, is really key. So I'm going to talk about Joan's interview here and a couple takeaways I 33:51 want you to want you to get. I had this interview with Joan, lasted about a half an hour. I miss recording was cut down to about 12 and a half 34:01 minutes. You'll be able to download the entire recording unedited except for, you know, the bloopers and outtakes and, you know, stuff like that, but 34:09 you'll be able to download that with the deck so you can hear the whole thing in its entirety, like we didn't doctor anything or edit anything and you 34:17

don't make Joan say something she never really said. The only thing is that she didn't want to give her real name because she works for governor 34:24 government entity and she didn't want her likeness used because obviously she's not at a position that you can do that. But some key takeaways: the 34:30 public sector isn't that much different from the private sector. How many people in here actually work in the public sector? I work for government 34:38 anybody in here? Okay, so you can jive with what Joan is saying, right, in terms of, you know, how did the processes prophecies and 34:44

policies and and hierarchy a little bit more bureaucracy and red tape in the public sector, but it's pretty similar to private-sector today. They're 34:54 kind of lining up together. You still have to do the same things. You still have to architect for privilege. Are layers and layers and layers as 35:03 if you listen to the whole interview she goes through and talks about the different things. She has to go through 12 steps just to get just to get 35:13 someone permission. She has to go through a 12-step process and the 12 steps to know to go to the 12-step process 35:21

application processes and policies. Like I mentioned, unfiltered access to privileged information, both personal and 35:28 professional. This is what I talked about for when she has access to, you know, private information, personal information for people that are elected 35:38 officials, management, you know, director, so on and so forth, that are above her pay grade time that itself can be, you know, empowering but at the same 35:46 time it can be detrimental as well. And finally, part of her interview that wasn't in the clips was that we I asked the question I said if she 35:55

could actually estimate the amount of automation that she currently has today. And if you listen to it you hear her say that she estimates about 20% 36:04 of what she does is automated now, I think that's extremely generous because we went through some of the things that are automated and some things 36:12 that aren't automated and I can tell you that we spent a lot more time on the stuff that isn't so I think she's being a little bit generous there, but 36:21 I think it's a step ahead for her because what she came from 20 years ago with pencil and paper what is now, you know of automated to you 36:27

know, what she thinks is automated what what you know, it is better than what I used to do, right? And then finally life would just be easier with 36:37 automation. I can't impress that enough. Everyone in this room should, you know, I automate all the things. It's really it really can do justice in terms 36:46 of helping you out in your career and general life life in general. Look at home automation, things like that. It's spreading out 36:55 beyond just the workplace. So, finally some more thoughts here. I'm not going to go through all these. What I would like to highlight 37:04

is the first one: automate the mundane. Like I mentioned before, I take the opportunity, it doesn't have to cost anything, it could be your own 37:14 experience learning how to automate, learning how to use tools to automate, but also, you know, take a look at how you do security. Maybe there are just 37:23 some simple steps you can break down from five steps down to down to two or, you know, and implement workflows, things like that. And then finally, 37:32 I believe and it's time to launch your digital twin. Now I can tell you from personal there. Probably a lot of people that don't want to see a second 37:41

me, and what I mean by digital twin is the ability to have, you know, that AI that ain't that that persona be able to do 37:50 those tasks for you, to automate those tasks, and that persona would be a virtual persona that can go out and you just tell it: go do these things, 37:59 take care of this for me, and it knocks it out. You have to be careful with that. Obviously a lot of tests you involved so on and so forth, but the 38:09 digital twin is and what we believe is inherently the future of how security is going to be handled in the workforce 38:17

wife. Think of all the time that you're not 38:24 spending working attacks are still coming in business issues still happen customers still have needs and desires. So the digital twin will be there 38:34 helping to take care of that for you. But even when you are working one of the other things on this slide that we really need to address is the 38:43 disruption and distraction house backed up all of our jobs if we could just take that away. We would be so much more effective and so much happier. So 38:50

that's also something we build into the workspace and have to concentrate on that. Couple of other things to think about: 38:59 passwords, we all know we have to get away from. Multi-factor auth is something you have to have if you are privileged, and we've got to make sure 39:07 that that's out there, and look for anybody who is privileged who does not have two-factor, multi-factor enabled and get that fixed right now. As we 39:17 talked about dynamically deployed resources, and we talked about the five W's of context and being able to do everything so that it's situationally 39:27

aware and risk appropriate, that's not just for access. That's not just at login. That is all throughout life cycle usage. That is another really big 39:36 change as we move to the privilege workspace, is we're focusing on usage. Lot of technologies have to be integrated. We have to constantly 39:45 be thinking about how to how to reduce the attack space or how to properly mitigate it based on those deployment options, and the last 39:55 piece is one that I want everybody to think about quite a bit, because there are projects out there for infrastructure as code and probably many of you in 40:05

this room are engaged in those those projects and that's great to be able to automate your IT processes, but take that even further so that 40:13 configuration as code is working for not just the infrastructure technology, but other technologies and also as business 40:22 processes and practices: onboarding, off-boarding. So you have somebody who gains a certain level of privilege, they're flagged, and as they leave roles or 40:32 leave the organization that privilege is appropriately reduced or taken away, and that's something that can be completely built in and scanned for 40:41

as you have code. And as you're making changes to privacy policies, because you're making changes to appropriate use policy and some of your internal 40:51 IT best practices, if those were expressed as code, much easier to look at the impact of that change, model the impact that change and be able to 41:00 go back and do retrospectives on where things were in the past. And guess what, the ultimate expression of that takes it all the way through to your 41:10 culture. So there are many organizations that are embarking on improving their culture to be able to better manage security and get people 41:18

to have more of a security focus. If you can express culture as code and build that into the privilege workspace, you're helping to constantly be 41:28 coaching people to do the right thing. That's right so I can take away from the session we're down here to our our final minutes. Privilege is the 41:37 currency of digital transformation. Okay, buzzword alert: digital transformation. Everybody's kind of using that those buzzwords, but really black hats 41:46 and white hats already know. This is not a secret. It's, you know, is something that everybody knows, so protect your privileges, but not only yours, but 41:54

any highly privileged that you have you as a responsibility even as just from a good citizen standpoint. You need to help out in the end do that as a 42:03 sysadmin, as an IT administrator, in IT in general. Personas are the new perimeter. We've got to make sure that we're moving beyond just simple 42:11 expressions of identity and we're really thinking about what is the persona that you need to be expressing. What are the boundaries of that persona? How 42:21 does it interface with your other personas or isolate from your other personas? And make sure you're building that into the workspace as well. And now 42:29

the definitely helps as you're further automating and augmenting and engaging your digital twin, because you definitely want to set some boundaries 42:37 there. Right, and finally, you know, just like it says in vision and embrace the fairways were stationed as a massively, you know, disruptive force for 42:45 transformation. You now have superpowers. When I wish I had the superpowers and I realize those superpowers that I had because I would have probably 42:54 use them, you know, in a much better way. I would have I would have thought about a lot of things before I actually acted on them and with more 43:03

forethought to use them wisely. And that is it for us. We'd like to thank everyone for coming. We have about a minute-and-a-half here 43:10 if anybody has no quick question for us. You have anything else you want to add before we intro the bond. 43:20 So this is just been posted. Nobody else has this right now and it's something where the link's up on the top if he 43:27 can take a quick picture. Otherwise, you'll get this as part of the slides. Like I said, this is something that you can hand out to your line of 43:37

business leaders, to people who don't even know what a workspace is, why some of the concepts we're talking about in here. So essentially it's going to 43:46 help you intro what you need to do to the rest of the organization. This is step one of a lot of content that we've got developed that will get you 43:54 into developing the privilege workspace concepts that Mike and I have talked about here today. So with that we have about 30 seconds left. We 44:02 thank you very much for coming over tonight. And we hope you enjoyed it and you learned something. If you have any questions for us you can talk to us 44:12

afterwards, or you can reach me on Twitter right now media, and I'm sure if you, you know, send a homing pigeon over the 44:19 Kurt's way, he'll be able to answer. Thank you very much. 44:28
