Exploring the Importance of Zero-Trust Test Environments in the Print Industry

Hi, I’m Pat McGrew with McGrewGroup, and you are about to watch a fabulous video recorded with Ryan McAbee, PixelDot Consulting, and myself where talking about zero trust test environments. Solimar has a really good solution to help you build your zero trust test environment. What we explore in this video is why it’s so important to your business process and how having the right software solution is going to enable you to meet all of your audit requirements around zero trust test, making sure that you’re hitting all your security requirements, and also give you some confidence when it comes to knowing that files that are moving through your system are as protected as possible. We’re going to focus on obfuscation and redaction, two of the Solimar solutions. And, we’re also going to talk about some of the data behind the level of attacks that are currently happening that make zero trust test environments so important to you.

Hi, I’m Pat McGrew with McGrewGroup, and I’m with Ryan McAbee, PixelDot Consulting, and we’re here today to talk about something that might sound a little bit counterintuitive because we’re going to talk about zero trust in the context of disaster recovery and security. So, Ryan, just to kind of draw a box around it. What’s a zero trust environment and then let’s talk a little bit about why you probably want one.

Yeah, I think the easiest way to describe a zero trust environment is literally in the name. It’s basically you do not want to trust the credentials or basically the authentication processes for anyone trying to access your network, your infrastructure, your data. Basically, they need to be a known entity, but to be able to do that, they need to verify who they are in some way, shape or form. Because at the end of the day, what’s happened over the years and it’s, you know, an increasing larger problem, year after year, is the amount of basically attacks or people out to access your data for financial gain for disrupting your business is just increasing. And the sophistication of that is just getting out of control almost. I mean, we’ve heard instances in our industry even of where they’ve impersonated auditors as an example, and you would think, okay, this is someone I can trust. We know who they are. They’ve audited our processes before. But no, no, they’d been basically had identity fraud applied to them and they’re trying to get in that way, so all kind of sophistication that we’re seeing in the market for that.

So, one of the reasons we want to bring this conversation to you is because we started to see a lot of research come into the marketplace over the last six months about the challenges that businesses are facing. And we’ve certainly heard it from printers that we’ve interviewed for case studies and we’ve heard it in all sorts of forums. But what got my attention was this Allianz risk barometer, which I kind of keep an eye on. They say that the top business challenge today is cyber security, that cyber incidents that thing we might think of as hackers breaking in, that is the number one concern. And it seems to be happening more and more that as they survey people kind of year on year and on their yearly and quarterly cadence that they do, more and more businesses are telling them, oh, wait a minute, we’ve got to be paying attention to it. And when you think about, I mean, business interruption dropped to number two, it had been kind of the leader for a long time. Even natural catastrophe is now third. And when you start to look at that, you start to realize that every size business is potentially impacted by it. And if you think about the print industry, the print industry is every size kind of business, isn’t it?

It is. I mean, and you want to pay attention to this Allianz research because they’re in that business, they’re in the insurance and risk mitigation business. So, these are the people who are against these kind of catastrophes in a way. And the other reason you want to pay attention to it is because it’s done on a global basis. I mean, they talk to thousands of people and business entities to get this information. So, I think the thing that happens in our industry and we’re probably not alone, but we think, oh, that’s not something we have to deal with. It’s only the high-tech companies that they have to deal with these breaches. But we know that’s not true for a fact. I mean, we’ve had breaches in our industry and it causes a lot of damage. And honestly, these two top points that the research came back with, they’re kind of interrelated because if you have a cyber incident, you have business interruption guaranteed.

Right. And this is in the context of, you know, disaster recovery programs. And we love to talk to people about disaster recovery because sadly, in a lot of places we walk into, they don’t actually have an executable disaster recovery program. They might have a cute binder labeled disaster recovery or business continuity, but their ability to actually execute on it might not be what they think it is. What can Mueller, who is the CEO for Allianz Global Research, he said business interrupted is likely to remain the key underlying risk theme, he said, for 2022. And now we know that going into 2023 it’s very likely to be the same. And if we start to look at some of the research that they brought to the table, they are also noting just how much more intensive the incursions into our life are. They’re not only going after cybercriminals, not only going after the biggest companies, they’re not just going after the giants, but they’re going after the mid tiers and the low tiers, because any place there is data, you’re a potential target and in the transaction print and direct mail industries today there are hundreds of mid-tier providers. And even what we might think of smaller providers providing services into professional practices, engineering practices, manufacturing practices, legal practices who are still handling private data, handling financial data. So, it’s not all just credit cards and bills. There’s a whole lot of other data that’s out there that’s all at risk. So, if you are not sure who is accessing your server, even if they claim to be somebody, that’s where this zero trust idea comes in.

Yeah, it really is. And you know, you might be sitting here as a printer and saying, well I don’t see a printing company on their attacks list in any huge number. But we’re in an interconnected business, right? We’re an intermediary, because we are a producer of print from data that comes from somewhere else. One of these industries. Exactly. So, because of that, it may be that you’re not the primary target necessarily, but you may be the what is perceived as the easiest target. And that’s where they’re going to really come in and look for that weakness, because, like you said, they’re going for that mid-tier company or a little a smaller size company these days because the larger ones have spent millions and built up their defenses, so to speak, and are much more proactive than maybe has been further downstream. Now we’re seeing that change, obviously, as awareness increases in the industry as we do have some breaches and word gets out across the industry that we need to actually be more on the offense than we are on the defense. And that’s really what we’re talking about here with this zero trust testing environment is to be on the offensive.

So, one of the things we know is that as you as you’ve said in the past, being on the offense almost means having a really good defense. You’re going to have to have that in order to survive. We’ve heard tales from printers of being attacked via spoofed emails, via all sorts of spoofed text messages is sort of the new one that we start to hear about quite a bit. And the thing that we know is that every printer we talk to believes that they’re safe. They believe that they’ve built the firewalls, they’ve paid the money to the consultants to tell them how to build their environment. But all of these security frameworks, they’re defensive. They’re not offensive, they’re just guidelines. So, how do you combat in a world where the attackers are mounting this massive offense on data infrastructures?

You’re right. We’re not saying give up your defensive parameters. So, you know, you should do all the best practices that all the organization, whether it’s NIST or, you know, any of the other frameworks kind of tell you to do. And those are things like hardening your servers based on what operating system they’re using that’s turning on and off protocols and doing everything from the user management perspective, so do all those best practices. But I think in terms of being more on the offensive, you really have to think about how any data that comes into your environment is coming in and whether it should be in almost like an air-gapped environment, because that’s really what we’re talking about with the zero trust server, that it’s not a part of your primary network. You know, the easy visual to give you is almost like that original. Well, it’s not the original, but the Tom Cruise movie Mission Impossible, where they’re literally having to dangle by a cord to get at the computer because it’s air-gapped. There’s no network connectivity or anything. And so that makes it much more difficult, even from a digital perspective, to realize how that would save your other functioning parts of your network that contain your workflow, contain your business systems and processes and all of that, things that you need to execute and tools you need to execute with every day for your print business.

It’s probably worth noting here that if you do get hacked and somebody penetrates your network, the ability to come back up can be not as easy as you might think. Even if you have cyber insurance. And we’ve heard from printers that those rates are going up because the attacks are becoming more prevalent. But, what it takes from the time you identify that you’ve been penetrated to the time that you can get back up, we’re not talking hours in most cases, it can be days, weeks and months. And in some cases you never get back up. So, this is one of the reasons we’re talking about this idea of zero trust testing environment and general computing environment, so that you do start to play in a world where you think in terms of air-gapping your primary network systems and working with tighter security than maybe you’ve ever worked for before. And this is especially true for family-owned businesses because I think of family-owned businesses as being a little bit more vulnerable because what we know everybody, it’s all family working here. How hard can it be? You know, Aunt Mary is on the front desk and Uncle John is working in the press shop, and we sent the kids to school for computer science. So, they’re doing all the programing and managing all the I.T.. I mean, we’re all fine. We’re all good. Yeah, you are. But it’s a family environment might be a little bit more trusting than today’s world actually lets you really live with. So, no matter how big or how small your environment is, it’s a really good idea to start thinking more defensively and offensively at the same time. So, make sure you’ve got those defenses there, but make sure you’re talking to your employees and testing their reaction to things like spoofing emails and phishing emails and texts, even to make sure that they aren’t putting you at risk.

With that said, we want to create a zero trust environment. Ryan, it’s worth spending some time on what creating a zero trust environment looks like because it doesn’t fall naturally off my tongue. It’s still feels funny to say zero trust environment, but the way you described it as being taking responsibility for knowing everybody who touches your system, that makes a lot of sense to me. So, what does an isolated network really look like? Does it have to be air-gapped?

So, we’re talking about it in the context of the workflow at this point. But you can apply this to other software infrastructure, your software stack as it’s often referred to in your print business. So, that could be it just as easily your print MIS which is running the business aspects of everything or it could be like what we’re talking about here, which is more of a data intensive workflow. And, so what you would do for that is a couple of things. Minimally., you would isolate it on its own network so it can’t reach anyone that may breach that server, cannot get into other parts of your business and your other software stacks. You could go as far as air-gapping that which basically means it’s not connected to a network at all. So, any data that you’re going to feed into that system or extract from that system, you would do kind of the old sneakernet approach, which is, you know, with media, whether it’s a hard drive thumb drive, whatever kind of technique you want to use there. A tape drive. Yeah, whatever is at your disposal these days, that makes the most sense. But the other thing is that you really want to control the user rights and access management to that server, too. So, you don’t want to have 50 users within the company be able to access that server. You really want to narrow it down to one or just a few minimally to be able to actually log in and operate that server for administration, for testing of the workflow and so forth. So, then that’s just the hardware in the network part of it. Then what you want to do is basically recreate your entire workflow on the server as it exists in your production environment today. So that’s the same version of the software, It’s the same workflow or processing plans that you need to execute that. And that way you can do two things with this. You could test any file that’s coming int, any data that’s coming in, from your customers to make sure that it’s going to execute on the workflow as you would expect it to. And then you can troubleshoot and isolate things if you wanted to because you don’t want to do that on your live workflow because you know what happens if there is something in the data that’s corrupted or that there’s a virus or some other kind of malware kind of aspect, you don’t want that getting into your live production environment.

Similarly, if you were needing to do updates, particularly if you’ve got software that’s integrated at both points, you know, the in and the out through APIs or SDK or something, you want to be able to test that in your zero trust environment before applying it to your live workflow where it may break something that was unintended or unexpected. So, you could get ahead of that as well. And then last but not least, what these zero trust environments are really good for is if you have something that takes your main workflow server offline for whatever reason, let’s say it was a hack, let’s say someone deleted the assets in terms of what was needed to be able to process. In any kind of scenario, you could, you should easily be able to roll over this configuration because it should mirror your live production configuration and get back up within, you know, a very quick sort of period of time.

Yeah. So, is this like we’ve talked about staging servers. Where does a staging server sit in this environment?

I mean, I think this is a staging server just that’s isolated in the environment. It’s just more isolated. Right.

And, so one of the things we know about these environments is that, especially print environments, files are coming in all the time, right? Customers are sending files all the time. Sometimes they’re sending databases and templates. They send all sorts of files and not everything works the way you always want, right? Sometimes there are mismatches in the field mapping and sometimes the data is corrupted and you need help getting it fixed. But legally and for security, you don’t want to be sending these live files all over the network. The whole idea of protecting them is you don’t want to be sending all this stuff around. So, there are these two concepts that we have in blue here, obfuscation and redaction. And, I like the idea of obfuscation because what it does is it takes content that you decide you don’t want other people to see, and it makes it unreadable by the human eye. And. so you can still send the file around if you need help from a vendor, you need help from your customer. You can still send things back and forth without exposing all of that stuff to the network. Right? You’re not sending clear files or even encrypted files all over the place. So, I like the idea of including that in a zero trust environment because it kind of protects you from accidentally exposing data that you might not intend to. But then there’s also this idea of redaction, and a lot of people like to use that for like archive files and they like to use it when they’re, again, sending things around. And I know I’ve gotten files from some of my providers where, you know, they have my Social Security number but only like the last four are exposed, and anymore, sometimes I get them where only the last two were exposed. It’s not even the final four where they’re using some sort of redaction technology. Do think these are prevalent in our industry? Or, do you think we still need to do a little bit of education?

I don’t think they’re prevalent to 100% level and I think that’s where it probably needs to be to be honest. But if you’re a printer that’s working with any PII or personally identifiable information, you know the, people’s name, their Social Security numbers, their address, their account numbers, any of that kind of thing, which is usually you think of in a transactional or direct mail kind of printing operation, you should be using these in the couple of reasons why. You don’t want to have data at rest for any longer than what you need to use it for because if it’s in your environment and you do have a breach, then odds are you’re going to be liable for that in some way, shape or form. So. you want to minimize your liability by just not having the data in your environment longer than it needs to be. Second to that, if it comes in, that’s where the obfuscation and the redaction really become beneficial, because like you said, the way to separate the two in my mind is obfuscation really is like a Gaussian blur almost, if you’re used to that kind of technique in your PhotoShop or other kind of creative apps, it’s just going to take that area and kind of just blur it out to where it’s not readable to the human eye, but it’s not going to be able to really target narrow focus on a piece of content and take that out. That’s where you use the fine-tooth comb, so to speak, is going to be the redaction part of that so where you can do it at object level and use tagging and so forth to really, as the pages go through and change, you can make sure that its being removed or redacted, so to speak, where you can’t read it as well using that technique. So, both should be used. They have different purposes, one’s more global, one’s more narrow focus and at the object level. But I think if you’re in this kind of an environment, you’re going to want both and use both.

So, let’s talk about the benefits of a zero trust testing environment and in a zero trust environment and in general. So, if our goal is to make it safe, to make the environment safer, what are the reasons that that people or what are the most significant upsides, I guess, is what I’m really asking to these environments? I know sometimes I talk to printers and they there’s a little bit of a pushback that they, you know what might mean. I trust all my employees, all my employees are really well-trained. You know, nobody’s going to hack me, right? There’s always the it can’t happen to me syndrome. But in reality, because it does happen, is there a talk track that we should be approaching printers with to help them understand the value proposition of the zero trust testing environment and kind of get them more on board?

Yeah, I think we talked previous about the operational benefits when it comes to the business being able to roll over the environment if something happened to your primary workflow servers and being able to minimize the downtime there. But I think it comes back to being able to use these tools like obfuscation or redaction inside of this zero trust environment. What it’s doing is that if you do have a breach and this is the only data that they get access to, then they can’t really execute on it or there’s not much they can do with it because there’s not the personal, the PII information, that that is sought after, right? That’s really what is the leverage. You’re getting a lot of pretty templates, right? Basically, yes. So, you know, that’s one reason. The other reason is that there’s several different use cases that will speed up and allow you to do things faster, whether it’s customer onboarding or whether it’s also just being able to work more effectively with your partners and vendors that may be helping you on the software execution side of things or maybe helping you on some other kind of operational issue that you have. So, what you can do in those cases is that you can obfuscate or redact whatever portions of the documents and data that you need to and then forward that on to maybe even an internal department in the business like Marketing as an example, that shouldn’t be seeing the PII either or if it’s external with one of your partners, they certainly shouldn’t be looking at that information, but they can still troubleshoot whatever it is that you need help with.

So, if we start looking at the fact that there are tools in the marketplace that can help you create these environments and we think you should certainly investigate them. The other thing we can recommend is the Zero Trust White Paper that we wrote for our friends at Solimar to help all of their customers, clients and their partners understand what the value proposition is for a zero trust environment. What I’m hoping is that out of these videos and our White Paper is that as an industry will start to recognize the term zero trust and recognize that that should be what we’re striving for, to make sure that all of this data and personal information, personal health information, personal financial information, everything related to our personal lives can be protected and not accidentally exposed through data breach.

So, Ryan, thanks so much for your time today. I’m excited to hear reactions to this. If you have any comments, please don’t hesitate to reach out to your team at Solimar. I’m Pat McGrew from McGrewGroup. This is Ryan McAbee for PixelDot Consulting and we’ll talk to you again on another Solimar video.