Welcome to the VMblog 2022 Mega Series
where we'll be covering a number of important topics throughout the
coming months. In this series, you'll be hearing from the industry
leaders and experts in order to help you make important decisions within
your own organization. Follow along for a chance to better understand a
number of topics and find out more about some of the best technologies
available out there in the industry.
In today's Q&A, we're speaking with industry expert, Neil Riva, Principal Product Manager at JumpCloud. And we're diving into the topic of Security.

VMblog: Tell
us a bit about JumpCloud and what does the next twelve months look like?
Neil Riva: JumpCloud created the Open Directory Platform™
to fulfill our mission to Make (Remote) Work Happen™. At the end of
the day, end users just want to be able to do their job, and their
organizations want to make sure their employees can be productive and be
secure. We make that happen. By that, I mean that JumpCloud securely connects
users to virtually any IT resource - devices, networks, programs, systems,
servers - whatever. We work with over 180,000 small and medium-sized
enterprises (SMEs) and our product-led growth (PLG) model means that we're really
in tune with what IT admins and our MSP partners need. So our platform is
designed to make it easier for admins to secure users and easier for employees
to do their job.
VMblog: In
2022, should small businesses be worried about being a target for cyberattacks?
Or should only big brands be afraid?
Riva: The threat landscape continues to evolve, and
unfortunately for small businesses, security threats continue to evolve. SMEs
are often relying on point solutions, which introduce risk at a number of
different levels and integration points. Verizon's most recent DBIR (Data
Breach Incident Report) showed that SMEs are experiencing nearly the same
frequency of attacks as their enterprise counterparts. SMEs, even the smallest
ones, have to be vigilant and intentional about security.
VMblog: With
more people working remotely, what should security awareness training for
employees involve?
Riva: Establishing security best practices is
critical, but you have to make sure you're communicating them regularly for
them to have much impact. We think that your security perimeter needs to be
drawn around the employee and their device.
And I think that you have to be honest about how employees work - again,
at the end of the day, they just want to be able to do their job. Security
measures that make that more difficult lead to employees looking for
workarounds. So security awareness is good, but orgs should also be looking for
ways to shift the security burden away from the employee. If you have
company-managed devices, a mobile device management (MDM) can help mitigate if
there's theft or device loss as you can wipe the machine remotely. For orgs
that allow BYOD, it gets trickier as employees may be sharing their device with
a family member, or introducing risk through unsecured networks or downloaded
apps. You can alleviate some of that by offering antivirus software. Better
would be to have company-managed agents that can give security control to
admins in the cases of a breach.
VMblog: What
are the top 3 things that make a good IT security provider?
Riva:
1 - They can adopt a layered security approach
that addresses risk at the user identity, device, application, and network
levels.
2 - They look to make security easy for the
end user, which in turn, makes security more robust for the organization. Centralizing
identity is a critical step here - SSO, passwordless, any way that you can make
it easy for users is good.
3 - They can adopt dynamic security. Step-up
authentication and conditional access policies mean companies can adopt least
privileged access and maintain strict security controls that are relatively
easy for the user to navigate.
VMblog: A
company tells you, "I have antivirus and a firewall, aren't I fully protected?"
How do you answer them?
Riva: Security threats are constantly evolving and
becoming more sophisticated. Instead of thinking of threats as something that
comes from the outside, I think it's better to consider an inside-out approach.
I mentioned conditional access policies before but let me say more. One of the
most critical layers of security is identity. By ensuring that you can
authenticate and authorize the right identity with the right level of access,
you can establish a powerful level of protection against potential compromise.
Consider that by focusing on identity, you can authorize each person or machine
for the minimum level of access, then use conditional access to set rules for
access and authorization based on context - like the user's identity and
permissions and the location and time of attempted authentication and what device
is requesting it.
With this kind of approach, you can fine-tune
policies toward roles and behaviors. For example, if an employee is known to
work from home, you can set a policy that prevents access from unknown IP
addresses, or if an employee travels, you can allow unknown IPs but require MFA
or biometrics for step-up authentication.
Essentially, seeing risks as discrete points
that you can protect against isn't as effective as using identity as your core
and extending that protection out.
VMblog: If a
company has moved things from on-premises to the cloud, what types of security
should they be focused on? What things should they be implementing?
Riva: Infrastructure-as-a-Service providers like
Google Compute Engine and AWS have displaced corporate data centers, and most
servers and applications are now cloud-based. SSO now means connecting to a
variety of both cloud and legacy apps (MySQL, Slack, Salesforce, etc.), a mix
of Windows, Linux, and macOS device types, VPN and WiFi networks and physical
virtual file servers (Google Drive, NAS, Box, Samba, etc.), and other IT
resources, from anywhere.
A cloud-based directory can provide a central
user database focused on securing access by supporting all major authentication
protocols (RADIUS, LDAP, SAML, SSH, REST, and more).
With a cloud directory as a company's
backbone, user identity can be leveraged in the proper format to access
virtually any IT resource. The best part is that it can be centralized both for
the employee, who needs only one set of credentials - what we call True Single
Sign-on - and centrally managed by the IT admin, who doesn't have to juggle
multiple endpoint solutions.
VMblog: What
are the critical pillars of cybersecurity and is it different for SMEs?
Riva: Organizations need to verify users, devices,
networks, and authorization rights while confirming the context of each
transaction. Doing this will essentially create a virtual security perimeter
around each access transaction. It's the same for SMEs as it is for larger
enterprises as bad actors are looking for weak spots everywhere. JumpCloud's
vision is to deliver enterprise-level security in a cost-effective and
convenient manner for SMEs.
VMblog: Why
do you think a directory approach is the best?
Riva: As opposed to protecting from the outside in,
a directory approach allows us to protect from the inside out.
Let me back up and give a quick history on the
directory to help explain.
Back in the days of on-prem work, the
directory was often in the form of Microsoft Active Directory (AD) or OpenLDAP
for those preferring open source. Most machines were Windows-based, everyone
worked within a physical office, and using Microsoft as a directory -
essentially the on-prem identity provider - made sense. Then, the directory
would connect users to IT resources - they could log onto their Windows laptop
and have instant access to resources within the on-prem network.
With the shift to the cloud, on-prem AD
couldn't manage user access to AWS cloud servers, macOS and Linux machines,
Google Workspace, or the raft of non-Microsoft, cloud-based resources. To make
AD work in this new reality, teams had to extend AD with identity bridges and
point solutions for SSO, privileged access management, MFA, identity
governance, and more. This patchwork served to extend AD, but it didn't cover
the full identity picture.
That's why JumpCloud created its open directory
platform - to give a holistic solution for protecting identity.
Our platform securely manages and connects
users to systems (Windows, Mac, Linux), web and on-prem applications via LDAP
and SAML, cloud and on-prem servers (e.g. AWS, GCE, Azure), physical and
virtual file servers (Samba, NAS appliances, Box, G Drive, etc.), and wired and
WiFi networks through RADIUS. Our SSO and MFA options are native to give
greater coverage, we offer patch management for ongoing security, and our
platform Insights offer data and analytics for full system visibility.
As a directory, we sit at the inside and give
360 degree protection around each employee, everywhere, instead of trying to
plug holes at different parts of the security perimeter.
VMblog: Can
you list out some of the common types of cyberattacks that people should be
concerned with and explain how the security landscape is changing?
Riva: I think ransomware is the biggest issue that
has IT admins on their toes. Credential theft or loss is still a big one and
will continue to be as long as there are password-based systems. I think the
industry is moving, slowly, toward passwordless, but I don't see them
disappearing anytime soon.
VMblog: Can
you talk about how digital transformation and new cyberattacks have changed the
way SMEs protect against threats?
Riva: The move toward cloud-based applications and
remote work has converged into a need to think about the security perimeter as
being drawn around each employee.
We conduct a twice-yearly
survey of SME IT admins to see what they're
dealing with and get insight as to their concerns. For the first half of this
year, we've found that admins are most concerned about outside threats. The
three biggest security concerns are network attacks (40%), ransomware (31%),
and software vulnerability exploits (31%). And what's interesting is how these
concerns reflect greater changes in remote work. In 2021, the top three were
software vulnerability exploits (40%), use of the same password across
applications (40%), and use of unsecured networks (38%). What I think we're
seeing is that IT teams feel that workers have learned and/or become more
responsible about working remotely at the same time that the new normal has
translated into greater external threats.
To manage these concerns, we're seeing an
increase in IT budgets, and also a turn toward MSPs to help shoulder some of
the security burden.
VMblog: Cyberattacks are making the front pages on a regular basis. What does this
climate of continuous
risk mean for security leaders? What does this mean for MSP partners?
Riva: There's a reason why IT teams at SMEs are
often the least rested group of employees. I do think that IT teams are
stepping up to the plate in their recognition that vigilance has to be
continuous - there's really no time to let your guard down. So you need to
ensure you're keeping current with threats and managing known risks as they
arise. You also need to ensure that you're establishing processes for managing
and tracking issues. Even with the economic downturn, IT jobs are still in high
demand, and orgs do not want to lose all institutional knowledge if one person
leaves.
We're seeing that MSPs are poised to do very
well as increasing numbers of SMEs turn to them. Again, our most recent survey
found that almost 90% of SMEs are either already using an MSP or are
considering it. So MSPs should expect continued growth, and be prepared to
responsibly scale as more clients come on.
VMblog: The
COVID pandemic changed a lot of things for a lot of people and companies. Can
you talk about some of the security impacts that came about because of COVID,
i.e. networking, remote work, internet usage?
Riva: Obviously 2020 was kind of a giant trial
balloon by fire (please ignore my mixed metaphors). That sudden shift to remote
work caught a lot of organizations by surprise, and I remember reading that the
number of hacking attempts skyrocketed. Not surprising, that bad actors would
try to capitalize on systems that weren't adequately prepared. But I think that
by the end of 2020, organizations had really met the challenge and established
IT environments capable of handling remote work. Not only were they able to
make sure employees could access what they needed, but they'd also deployed
more security to ensure those resources were protected. That's when I remember
seeing Zero Trust coming up more and more in even smaller organizations. So I
think that COVID really accelerated the shift to establishing that every access
transaction needed to be protected, and that trust nothing, verify everything
was the ideal approach.
VMblog: Where are organizations not doing enough to combat cyberthreats?
Riva: I think the first is relying too heavily on
single solutions. Complexity introduces risk. And I think we have to be careful
about burdening employees. I'm not alone in that - our survey found that 66% of
IT admins agree that adding security measures generally means a more cumbersome
user experience, an increase from 58% who said the same in 2021.
But I think this is a false assumption, that
added security means more friction. More and more, companies are looking for
ways to eliminate friction and improve the employee experience and SSO is a huge
step toward that.
VMblog: What impact would you specifically like to achieve in the cybersecurity/privacy
space?
Riva: We really want to be the all-in-one solution
that SMEs rely on as they Make (Remote) Work Happen. It sounds lofty, but
really, we can deliver a holistic, secure, simple solution that boosts employee
productivity, secures company assets, and makes the lives of IT admins easier.
And we can do it without costing a fortune or creating complexity. In fact, we
offer our full-featured platform for up to 10 users for free, forever, so
admins can see how we can centralize security and user and device management.
VMblog: What specific problems are being solved by JumpCloud?
Riva: The cost and
complexity of managing users and their devices. Some identity vendors offer SSO
or directory services, others offer device management or access analytics.
JumpCloud's Open Directory Platform is unique in that it unifies these features
into a single, secure platform, easily and centrally managed with an admin
console.
Our customers
report a 6.3X reduction in the cost of typical IAM and device management
tooling. The reduction comes from the elimination of a number of tools required
for a robust identity, access, and device management program (ex: separate MDM
and SSO vendors), and a reduction in labor hours required to manage IT
infrastructure due to our centralized admin portal (ex: lower helpdesk ticket
requests, and reducing the learning curve for IT teams by moving from complex
AD integrations to JumpCloud's simplified platform).
VMblog: What would you say are the key features of your solution that people should be
most aware of?
Riva: I'd want people to know that JumpCloud's
platform offers secure directory services, unified device management, SSO and
user lifecycle management, secure network authentication with cloud RADIUS,
secure app and server authentication with cloud LDAP, directory-level
integration with Active Directory, Google Workspace, and Microsoft 365, event
logging, reporting, and monitoring, and API automation and tools.
On a higher level, we offer one pane of glass
for IT admins to manage user identities and resource access, secure Mac,
Windows, and Linux devices, and get a full view of an IT environment.
VMblog: Why
would someone prefer JumpCloud to AD extensions or a mix of SSO, MDM, endpoint
management, etc.?
Riva: Again, I'd turn to cost and complexity. One
customer reduced their IAM cost by 80%, from around $190,000 using Okta and AD
to around $37,500 with JumpCloud. And because we're a PLG company, our feature
releases and platform developments are always designed to make life better for
IT admins.
VMblog: I
know your tagline is to Make Secure Work Happen so why is JumpCloud uniquely
positioned to do that? And why target the SME space?
Riva: We believe that SMEs ought to have the same
tools at their disposal as their enterprise counterparts, and we don't think
that securing an organization has to be cost-prohibitive simply because of your
size. We saw a way that we could empower IT admins to protect their
organizations and keep their workforces productive. And since SMEs are often
nimble, cloud-forward, and tech savvy, we saw a perfect opportunity to target a
market that could quickly realize the value of our platform. Since we offer it
for free for up to 10 users, we also aimed to give smaller organizations the
chance to experience the benefits of JumpCloud and then take us along as they
scale.
##
Neil Riva is a Principal Product
Manager at JumpCloud focusing on identity &
authentication. Neil also served as Director of Product Management at
HID Global IAM, Crossmatch Inc & DigitalPersona. With 20+ years of
experience, Neil has led & developed products in the
authentication, biometric, network management, security & artificial
intelligence areas. He was the CTO of noHold Inc. designing & developing a
patented Artificial Intelligence cloud-based technology to improve enterprise
services. Neil's graduate school practicum project was conducted at IBM
Scientific Research Laboratory focusing on artificial intelligence and expert
systems used for Information Management.