Ask the Experts: Compliancy and Network Security Strategy

Welcome to Ask the Experts, brought to you by In this video, Intelisys’ SVP Cloud Transformation Andrew Pryfogle discusses how compliancy affects your customers’ network security strategy with Evolve IP’s Scott Kinka. Find out more about network security and cloud services from Scott and the Evolve IP team here:

Andrew: All right guys, we’re into our next Ask the Experts session. We’ve been talking about network and data security, and building a security strategy for your customers. I wanted to bring in one of our smart guys in this portfolio of ours: Scott Kinka, who’s the CTO of Evolve IP. Scott, welcome, man.
Scott: I’m glad to be here.
Andrew: Appreciate you carving out a few more minutes for us. This is an important topic. I want to ask you about a network security strategy, and how compliancy drives or interacts with a network security strategy. This is coming up a lot, more and more, as people are more fearful about being in compliance with different regulatory agencies.
Scott: Yeah.
Andrew: Talk about how that should affect a strategy around network security.
Scott: Yes, I think there’s two–there’s sort of two precursors before we get into the technical aspects of talking about what to do in compliance. I think there’s two things. Most compliance standards have two pieces, right? One is, have a plan and be able to demonstrate it. Right? While they’re not all always completely specific about doing this one thing. But they’re very specific about, “Meet these general standards,” “Have a plan, document a plan,” and then, “If we come in to check that you can do that plan, make sure that you can actually do it,” right, so …
That’s largely what our customers are facing. The second piece to that is really about standards but not precedents. There are certain compliance standards out there that are very specific. They say, “Data needs to be encrypted at rest,” and that’s a technical conversation. But many of them just say, “Typical industry controls need to be in place.” Right? Well, who’s going to necessarily say what that means? Right? It’s either going to be your auditor–and are they a nice guy or a gal or not, right–or a judge. Which, if you are in that position, it’s not a great spot to be in, right?
Unfortunately, in not all of these cases is there precedent set. In other words, there would have to be a violation, with a marketing court case out there that people were aware of, and the judge to pass something down, to say what “industry standard” means. But what our partners really need to consider in this process, the things that are generally part of these scenarios are:
Firewall and security policies, that’s fairly obvious. Right? Making sure that they understand who is using all of their applications, so that’s around authentication. Right? What are the methodologies used to get into corporate stuff? That’ll involve password strength; it’ll involve factor authentication, which is a password and something–a token, an ID–you get the idea. They’re very specific in a lot of cases about monitoring and logging, which means that it doesn’t … No compliance standard says you can’t ever get infiltrated, because that’s impossible. We’re not all going to always keep up with the bad guys. But what they do say is that when you are, you have to be able to tell us what happened. Right? Which means that logging on everything–routers, firewalls, IDS, the servers where these applications sit–has to be able to be produced. It’s very important that customers consider a logging and monitoring methodology on these servers.
And then, I think you’ll hear there’s probably another category that specifically attaches to the cloud. One is encryption. You’ll hear a lot about encryption, and what does that mean? Very simply, what that means is my methodology to get to this cloud service, and then the location of the data on disk. Is it encrypted where it sits, and is it encrypted in transit between me and the endpoint? So encryption. And then the other one would be privacy.
This is in some places where lack of precedent sometimes affects people’s willingness to buy cloud, because in a lot of cases cloud is a multi-tenant environment. So you do have some compliancy scenarios that will say, “Okay, you can use somebody else’s data center, but let’s make sure that there’s not something else on that piece of gear.” And that will depend on the auditor again. It’ll depend on the specific requirement. But in most cases your service provider will be able to answer the appropriate questions. It’s really a matter of steering that customer into: write down what you’re doing; make sure you demonstrate that you can do it; make sure you are logging in case you get infiltrated; and then of course, making the appropriate selections from a service provider’s perspective on technologies like encryption and privacy.
Andrew: Perfect, perfect. Great stuff. There’s some great pearls in there. Hey, thanks for going deep on that. I appreciate it. And I’d really encourage Sales Partners–and tell me if you agree, Scott. I mean, if you get into this kind of conversation with a customer, the answer is, “Yes, this is really important. Yes, you should be worried about it. I’ve got a great idea. I’ve got access to some of the smartest guys in this business that can come alongside and design this type of solution for you,” and get the engineers at our key suppliers at the table that can help them do this. I know Evolve IP, it’s right up your alley to be able to do that. Is that true?
Scott: Yeah. I mean, our job is to empower the Sales Partner to look really great on these types of deals, so what we always encourage is: don’t be afraid to ask the questions, and don’t be afraid to have your answer be, “I’m going to bring in my team.”
Andrew: Yeah, perfect. Perfect. Love it. Hey guys, that’s Scott Kinka, guys. We know him. We love him. He’s a stud in our cloud portfolio, and specifically as a member of the faculty here at the Cloud Services University. Check out Evolve IP’s learning center here at the University, and check out the stuff that Scott’s saying, man–what he’s blogging, where he’s out there talking. He’s a smart guy you’ll learn a lot from, and Evolve IP can come alongside and help you close a lot of these big, complex deals in the cloud. Scott–hey, thanks, man. Thanks for jumping in again.
Scott: Pleasure.
Andrew: All right. Good selling, everyone.