Mobility and UEM Part 4: Cooperation
Where is the balance between cybersecurity, IT infrastructure and mobility? The answers you get may depend on who you ask.
Cybersecurity team: “We need a protected organization!”
Infrastructure technology team: “We need an organized and sustainable organization!”
Mobility team: “We need a flexible organization that enables our workforce!”
You might have heard this argument in some form or another around the proverbial water cooler, and it’s worth exploring further to reach a more satisfying consensus. That’s precisely what we’ll do in this final installment of our enterprise mobility podcast interview series featuring BlackBerry Vice President of Global Sales Engineering Alex Willis and Senior Director of Solutions Marketing Baldeep Dogra.
We framed this series of discussions — about unified endpoint management (UEM), and how it helps solve security challenges with mobility — against the backdrop of four pillars of IT: people, process, technology, and cooperation. The first three pillars, which we tackled in Parts 1 through 3, are well established. However, the fourth one came to my attention late last year when it was cited by Ukraine’s Deputy Head of the State Service of Special Communications and Information Protection Victor Zhora, when he appeared as a surprise guest of BlackBerry CEO John Chen during the annual BlackBerry Security Summit event in New York City.
Viewed from the harsh lens of protecting his country’s infrastructure against highly skilled, state-sponsored cyber saboteurs, Zhora noted that the broadly acknowledged pillars of people, process, and technology cannot succeed without an underlying foundation of cooperation. “In a contemporary interconnected world,” he explains, “there's no chance to be isolated.”
So in Part 4 of our UEM podcast series, we’re focusing on cooperation as the fundamental layer upon which our three-legged people/process/technology structure must be built. As often happens, establishing that cooperation means first doing a deep dive into the quagmire of conflicting priorities that sometimes hamper interdepartmental collaboration, and figuring out how to work together effectively to achieve an outcome that serves all parties equally.
To learn more, watch the podcast, or read the excerpt below.
We're here to talk about challenges for rolling out mobility and securing mobile devices in the workplace.
Picking up where we left off brings us to cooperation, that fourth and final pillar we mentioned at the beginning of this series. You, Alex, mentioned supply chains and how we've got to collaborate and look holistically at our businesses. I think some of the things that Alex has described are the reasons why BlackBerry’s customers for UEM tend to be organizations that really care about safety, certifications, and that take regulation seriously. They tend to be branches of government, branches of the military, as well as large banks and financial institutions. That’s changing.
Bal, you've been looking at some other trends that are affecting the marketplace. Do you see this preoccupation with securing mobile devices moving down? Is it spreading out to other verticals?
That's a great question. We're looking at, as Alex mentioned, supply chains, but there's a lot of emphasis right now on older legacy environments and those environments that are “OT” based: operational technology. There's an Industry 4.0 trend around the convergence of information technology (IT) and OT. When you think about OT systems themselves, they tend to be based on industrial control systems (ICS) and supervisory control and data acquisition (SCADA). Industrial control systems, you know, they're their own beasts. They're connected to IT-based human-machine interfaces (HMI) that are typically legacy. They're older operating systems, and a lot of them are isolated as well.
And then it goes back to what we were talking about earlier. How do we start thinking about cloud and on-prem? How do we build something around that for our customers? So, that's key for us to understand and help our customers understand, too.
From a cooperation perspective, we need to think about who's responsible. In security, you've got your endpoint management teams — how do we get them talking to each other? We also don't want to leave the end users out, right? For users, the level of productivity they experience is critical. So we need to get those teams who are responsible for end-user experience involved, as well. And that provides the overall customer experience that we want to help our customers achieve with their outcomes.
Industry standards are a big area for collaboration, as well. We large providers have to get together and work these out. These standards have already been useful for things like supply chain. They’ve helped address questions like, “How do you know that you can trust that partner?” “Do you really have to go do a security assessment of them?” “How do they get a rating?”
That's an area that we work in, too. Insurance is one example of that. Insurance companies can provide a “grade,” so that if I'm going to work with a supplier, I want to understand their level of security before I allow them to have connectivity.
The modern way to do that is zero trust. For instance, you still shouldn't give a site-to-site VPN capability to a partner without having done a security assessment. But even then, it's not enough because you would have to do continuous audits. With zero trust, that gives you a much safer connectivity point, where everything is prevented or blocked unless it's a just-in-time need, and an actual need based on ACLs (access control lists) — what they actually need access to — which is another big difference between things like VPN and something like our zero trust network access (ZTNA) product called CylanceGATEWAY™, where I'm replacing an older type of protocol around VPN to provide connectivity. It's a lot easier for users because there's no lag time in connectivity. My contextual security posture is assessed before I'm given access, but even once I'm given access to the front door, to get behind the firewall, I only have access to the endpoints that I need.
This is a good partner, or provider, solution because if I can limit what they can access, that's a much better security policy than just giving them VPN access and then relying on the backend servers to do authentication and protection. I'd rather just limit where they can possibly go. It can be IP-based network segmentation through a virtual local area network (VLAN), but even down to the protocol level.
So, some of the bad actors are now hijacking other ports. For example, a standard allowed port on a firewall is DNS, like port 53 for DNS. So you say, “Alright, I'm going to allow anybody to connect on 53.” What some of the bad actors are doing is changing the protocol that they use in connecting to their command-and-control (C2) servers so that it’s just port 53. So to a firewall, it might look like any other DNS traffic, and it'll just allow it through. What you get with ZTNA in CylanceGATEWAY is it'll examine the traffic to make sure that it's the type of traffic that you're allowing for that purpose. So, that's another thing to look at around the supply chain and providing partner access into your environment.
Bringing it back to collaboration in the supply chain. The big companies like us, we have to get together — and we do — to provide input and guidance, and to inform these policies that make it better for all customers to work with. And we do quite a bit of that.
Then there's the other collaboration that Bal and I mentioned, which is getting the teams inside of these organizations to work together. It's one of the cool aspects of our job as we get to be that intermediary, especially because we provide services for both cybersecurity and unified endpoint management. We're already interfacing with both the mobility and cybersecurity teams. So, we've been able to deliver things to both sides that, in effect, end up bringing them together. For example: reporting the security posture of mobile devices into our console that the security team has access to.
It's the first time we've seen that, instead of the security team just setting up policies and having the mobility and IT teams implement and hope it's okay. We can do that, but then provide functionality and reportability back into the security operations center (SOC), in effect bringing the teams together.
So, let's think of BlackBerry not just as your security and technology provider, but also a peace broker within your organization?
Yeah, you know in big companies you typically end up with accountability issues and fiefdoms. You know, “This is my area, that's your area, you stay over there.” But they really depend on each other a lot. So if there's a need, then we're certainly in a good position to help them through that.
Okay, finally, let's talk about some next steps. If somebody's listening to this podcast and they're interested, now they're curious as to how protected they are. Are some of these gaps occurring in their organization? Should they be concerned? Where should they turn to get some more information and guidance?
If they're already connected with us, the first thing to do is to conduct a security assessment or a design discussion. You can engage with us through either your sales team or go to blackberry.com and get in touch with one of our experts. Another area of really good information and understanding of what we do, and how we help our customers, is to go to the BlackBerry Security Summit webpage. Look at some of the sessions that we've done and some of the things that we offer.
But as the first type of engagement, I think that you get the best results from like, “Hey, let's just have a discussion,” and we can kind of understand where you put your current assessment at now, in terms of security. What are your plans from both a security posture standpoint, but also from a general business perspective? What kind of organization are you? What are your company goals? What does your organization do? How do your people work, and what pain points do they have? What could be better if we could mobilize your organization?
Then, we can have some discussions on how to do that in a secure way. On the cyber side, we can of course talk about zero trust implementation and what moving your workforce to a permanent work-from-home or work-from-anywhere model could look like for your organization.
We just need to start with a discussion to better understand your goals from both a technological and company strategy standpoint. Then we can see where we can help your organization achieve those goals, like a better return on investment at a lower total cost of ownership, for example.
Bal, any other takeaways or final words?
Alex is completely correct. If I was to underline what Alex said, I would say to those listening and watching: Be better prepared.
You mentioned at the beginning of this series Victor Zhora's approach of “people, process, technology,” and how he's looped in cooperation, or collaboration, whichever you prefer. You know, to me that's about binding the other three together. And my take on that is along our narrative of being able to prepare, prevent, detect, and respond to threats.
You can do that with the collaboration of the various teams involved, and work with us. Like Alex said, let's get some discovery sessions, let's understand your outcomes, and let's understand your goals. We are here to help our customers achieve their goals.
If there's any key takeaway from this, it's this: Think about security as not being an afterthought. You don't want to keep thinking about adding layers of security later. That's not how security works. It should be built into whatever you do. That's my takeaway.
Thank you both so much for spending this time with us and helping us parse some of the potential vulnerabilities or gaps that folks are trying to address in their mobility management and in their business.
About Steve Kovsky
Steve Kovsky is Editorial Director at BlackBerry.