Commercial Integrator September 2021 - 21

our primary mechanism. Unfortunately,
passwords are inherently fl awed because
of the humans that make them. Generating
and keeping track of random passwords for
every system is complex.
Excel is not a solution to this. That said,
leveraging a multi-factor solution that fi ts
your client's risk profi le is not only a good
idea, but it should be a requirement for access
to nearly everything (especially for us!).
It has become trivial to phish credentials,
giving you the confi dence that your clients
are who they claim to be.
Building individual identity systems, each
with its multi-factor solution, would become
burdensome for anyone to manage.
Standardizing on a single multi-factor solution
will help so that you don't have to play
MFA-Application Roulette each time you
log into a site, or you can look at a singlesign-on
system using a Federated identity.
In the early 2000s, when I was still in corporate,
we had just started creating these
Identity Management Systems built around
Active Directory. IT could step back and let
HR provision their accounts as employees
were onboarded, off boarded, or transferred
by integrating them with HR systems.
Ultimately, this may end up becoming
the holy grail for the next generation of
MSPs. The client's representative fi lls out
a form that automatically provisions the
accounts, adds them to appropriate groups
and application systems, and starts a
ticketing workfl ow for any human fi nishing
touches. I can dream, can't I?
Because identity becomes so crucial
in a cloud-fi rst company, defending that
identity wherever possible is also essential
to consider. For example, from what location
is the person allowed to log in? If we
are alerted that the identity connects from
outside of their approved region, what
should we do?
Data
Backing up data is critical for recovery from
failure. Whether these are direct to the
cloud, syncing local fi les, BDR appliances
with cloud off site, backing up SaaS applications,
making and testing backups are still
things we need to consider as part of our
primary off ering.
For example, if a client loses their laptop
(it's encrypted, right?), they should still
commercialintegrator.com
be able to get their information back and
continue work. Similarly, if they accidentally
delete that SharePoint folder or email message,
you should be able to restore that.
With backups - I believe in belts and suspenders.
Sync the local main folders, add a
laptop backup, back up the email accounts,
and add email archiving.
Also, if someone doesn't need access to
data, don't give it to them! Give employees
the information they need to do their job,
but no more than required. The only way to
do this is to have control over identities.
Systems
Confi gure your systems to ensure the right
people (identity) and the correct devices
(endpoint) are accessing the right information
(data). In a cloud world, it is as easy to leak
data as it is to collaborate; controlling what
can be shared and by whom is something
you should consider. Mapping out data fl ows
in the environment will help document and
understand what needs consideration.
If you still have on-premises servers that
you manage, ensure that you implement
their protections (like Windows fi rewall)
and close exposed ports to the Internet. I'm
talking about you, RDP.
Remote Work is Just Work
So, what is so special about remote work?
If systems are architected in a cloud-centric
world using zero-trust concepts,
then the answer is nothing. Remote work is
just " work. " It's the same as everything else.
Now that you've gotten through the
past 18 months helping your clients set up
remote access (hopefully securely), you
can start making incremental changes.
Start tightening up what systems VPN
users access (it shouldn't be the whole
network). Better yet, plan for its removal.
That VPN system is the one gate holding
back the hoards. And if you look across the
news of this past year, you will encounter
story aſt er story about VPN systems with
fl aws that allow remote access without
authentication.
That steel reinforced door may have a
pet access fl ap. Let's plug all those holes. If
you require a remote employee to access
data inside your on-premises network, use
a SASE approach and leverage its capability
to securely connect to the offi ce or the
internal system.
It's challenging to do all of this at once.
Start by adding layers of protection around
Endpoints and Identities. Next, harden the
confi guration of your cloud and on-premises
systems, then you will be ready for the
more advanced stuff .
Raffi Jamgotchian is the
President/CTO of Triada
Networks. He has been a
member of The ASCII Group
since 2008.
The lines between trusted and untrusted networks has become blurred.
SEPTEMBER 2021 Commercial Integrator
21
DEAGREEZ/STOCK.ADOBE.COM
http://www.commercialintegrator.com
Commercial Integrator September 2021

Table of Contents for the Digital Edition of Commercial Integrator September 2021
