Transcript
Hank Schless: So the next one, the thing that I like to just show here and Andy, if you wouldn't mind diving into a little bit more from the technical side is really, you know, what's the, why do we have to look at the managed versus unmanaged use case here? You know, this showing how we do on the managed side, but then the next piece will show unmanaged as well. But, you know, we've talked so much about the variety of devices that people are using and, you know, organizations enabling Bring Your Own Device, whether that's for smartphones or laptops. That's kind of one and the same these days. So I think that going through this real quick is important. So, Andy, if you wouldn't mind sort of running through this piece quickly. Sure.
Andy Olpin: So first and foremost, in the use case that will make the most sense to everyone is when you think about, you know, bringing your own laptop, what happens when that user leaves the organization or if there's any data left on that laptop, you don't have a way to call it back, right? So in many cases, you want to make sure they're using a corporate laptop that they're accessing sensitive data so that you can make sure you can wipe that device, bring the data back. But there's also more security controls on the managed device. The most obvious is antivirus or EDR to keep malware off there so you have some assurance that the operating system is in good shape. But the other thing that we can do is one of the controls here with managed endpoint is we also have this option to see on the left-hand side for forward proxy. Now you can talk about that forward proxy has been around for forever, but they're kind of getting new life today as something like a secure web gateway. And what that lets me do as an administrator is all these contextual policies can also apply to personal clouds from managed endpoints.
So what I mean is, let's say I let the user on their corporate laptop download this document with salary information for my entire executive staff. That's clearly sensitive information and want to control where that goes. But that's going to a corporate device to a user in finance. So they are a valid person to be able to download it. So my contextual policies are going to let the user download that. But if that same user on their corporate device goes to Google, they log in with their personal Google account, I need to stop them from taking that same sensitive document and uploading it to Google. So this managed endpoint as part of our secure web gateway and our proxy there, can not only we can allow them to sign into their personal Google if that's what we want to do, but I can still analyze all of the data they're attempting to upload there. So if they're uploading their shopping list, they create on their work laptop, no problem. But as soon as they attempt to upload that list with all the sensitive salary information, we can block that upload from occurring. Right? So I've got more control and management on that managed endpoint that lets me be a little more confident in that data residing on that device.
Mike Matchett: So DLP can be better implemented, obviously, if you have a managed endpoint and you can put some filters and I don't want to say Big Brother stuff, but definitely gateway kinds of activities on there that keep everybody.
Andy Olpin: And the real advantage here is not just blocking. Right? So the old school answer would have been, you're not allowed to ever use your work laptop for personal stuff at all. Right? You can't go to Google with your personal account. We just won't allow it. Well, now what I can say is you can use your laptop for personal. You can do some personal stuff. You can go to your Google account, that's yours. But we are going to restrict any upload of sensitive data. Right?
So now your users can say, great, my work gave me this laptop and they're letting me do some personal stuff with it, which is a really nice benefit. I'm glad I worked for this company, but you're still able to keep your data secure and safe.
Mike Matchett: Yeah, and I think that's, you know, as people become more and more, we become more and more digital natives, we integrate more work and life together. It's really hard to maintain separate devices for those things as we integrate our balance. You know, I'm carrying a laptop around, I'm doing work on it, I'm doing my life on it. I'm doing everything on it. I don't even know whether it's a company laptop or a personal laptop. Six months later, I forget, but it would be great to just augment that and enable that rather than block it. Right?
Andy Olpin: Right. Yep.
Hank Schless: And I think that sort of conversely on that, the unmanaged use case too, you know, just like you just said, like, you know, it's at what point does your mindset shift to the point where you don't really know is it, you know, you just kind of treat whether you have a, you know, I've got my work laptop here. I've also got a personal laptop. There are plenty of times where, you know, I kind of to your point, forget which is which. So from your perspective, Andy, on the more technical side, how does what we just talked about sort of shift when it comes to unmanaged devices?
Andy Olpin: Well, I think, again, the goal here is to enable users to have an unmanaged device and still connect to Office. Right. So what you don't want to say is you have to have a work laptop at all times because there are situations where that just doesn't happen, you know, oh, I'm traveling on vacation. I didn't expect to do any work. I didn't bring my work laptop with me and an emergency happens and they need me to do something, right? And all my data is in Office, so there's no technical reason I couldn't get access to it.
But company policy doesn't allow. Right? So what we're going to do here is we're going to allow you to access that data. But again, all the contextual policies will control what you can do with it. So your personal device gets to Office. Great, no problem. Now, we're not going to let you download that salary document. We may, we can do things like if you download a document with social security numbers in it, maybe we redact or remove those social security numbers from the document as it's downloaded. Right? So document you can still see it, but the sensitive data parts get removed because it's a personal device. Or we could do something like encrypt or apply EDRM to the document that even though you've downloaded it and you do have access to it, we can ensure that no matter where that document goes, we have the ability to pull it back and restrict who can open it, because again, you're coming to it from an unmanaged device. So we want to actually use this not as a, as I said earlier about CISOs, we don't want to use it as a way to say, no, you can't access the system. We want to use it to say you can access the system because we have assurance that our sensitive data is being handled in an appropriate way and only going to the appropriate people.