RUCKCast

RUCKCast #75: Security Story Time

July 13, 2023 RUCKUS Networks Season 3 Episode 15

On our latest RUCKCast, Jim and John are joined by Adam Cutts to have fun with some Security Story Time! Security is more than one device or one service; it's more of a mindset, and everything can either contribute to, or expose holes in, your network security posture. Listen in as they discuss tactics, theories, and challenges with securing today's networks.

#ruckusnetworks #security #SDWAN #SASE #ZeroTrust

You can follow the RUCKUS security story at this website https://www.ruckusnetworks.com/blog/?searchTerm=&category=security&author=&desiredTime=&desiredYear=

To learn more about U.S. Federal Government solutions click here https://www.ruckusnetworks.com/solutions/industries/u.s.-federal-government/

Intro music by Alex Grohl, available here:
https://www.youtube.com/watch?v=ZsRWpx8VJ_E
and
https://pixabay.com/users/alexgrohl-25289918/


Episode 75 Security Story Time

John Deegan: Hello again, Mr. Palmer. How are you, sir? 

Jim Palmer: Doing good, John. 

John Deegan: Did I stop the music too soon? It looked like you were really kind of grooving there for a little bit. 

Jim Palmer: You know, I was just gonna say something that you, you waited till you got into that drum fill and then they went and it sort of progressed into that.

So I was, I was actually very appreciative of the fact it's, it's kinda like a radio dj and when they like talk over like the best part of the song and you're like, no. So you, you, you waited for the drum fill and then you know, you got that crescendo and then it kind of, so I think you did. Maybe, maybe a couple seconds longer.

Did you just sort of let that thing sort of like, you know, gotta let it breathe? You know, you just gotcha after that drum fill, but No, you did good. 

John Deegan: But yeah, you see you screwed up. You already used our big word for the day. 

Jim Palmer: What? What was that big word? 

John Deegan: Crescendo. 

Jim Palmer: Oh 

John Deegan: Yeah, that's it. We can't use anything else big.

We're, we're gonna be in trouble with somebody somewhere. 

Jim Palmer: Yeah. That reminds me, I gotta go back to the podcast we did with John Murphy. 

John Deegan: Oh boy. 

Jim Palmer: And, and find that word that he used. Then define it in the show notes so I can remember it. 

John Deegan: Oh God. 

I remember him using a big word. I couldn't tell you what the big word was, so I'd have to do the same thing and listen, that's beauty of recordings.

Jim Palmer: Well, no, luckily, luckily I have the transcript now. So that's the transcripts. The transcripts are on the show notes. So, or with on the page. So you can actually go find transcripts now. And, and, well, not for all of 'em, I'm still working on it, but I do have the transcript for John Murphy and the RUCKUS WAN Gateway.

So you can actually go read it now. You don't have to listen through the whole thing. You can actually just scroll through the page and read it. So 

John Deegan: It seems like work though.

Jim Palmer: It is, but you know, I do it for others. I'm a 

John Deegan: Well, it's, you're a man. 

Jim Palmer: I'm a people. 

John Deegan: You're, 

Jim Palmer: I'm people. Person of people. Well, So all of that's a big giant lie, but 

John Deegan: Oh, but speaking of work, so we are not just here to 

Jim Palmer: Wait. Work? 

John Deegan: Banter. Yeah. Work so well, you know. So we have, we have another guest with us today, Mr. Palmer. We can't leave out hanging too long. 

Jim Palmer: And this is, this is funny because, you know, this is how my conversations with this person always ends up going is we, we, you know, it's, it's funny, it really mimics our, our podcast, you know, we're, we, we think we're gonna talk about something and then we get on the call and like, like we'll have a 30 minute call and all of a sudden I'll look up and I'll be like, okay, so in the last three minutes of our call, let's talk about why we were on this call.

And so then we cram, like we cram up, cramming like, like the, the 27 minutes that we wasted gets crammed into like three. So it's a, I think sometimes it's like, you know, it's, it's, we're the quintessential, this was a call that could have been an email, but we wanted to talk, so we, we had a call anyway, so 

John Deegan: I feel like a lot of people's calls go like that.

Unless they get the really good like manager, project manager that keeps 'em on point, and then it's like a 15 minute call that still could have been an email. But anyways, 

Jim Palmer: And that's the funny thing is, is so what this, so what this gentleman we're gonna bring on here in a second does, is he's actually been helping project manage.

One of our, one of our recent efforts. And so it's, it's funny because it, you, you've basically made fun of him before we even introduced him. But so at this point, I, I actually think of, of Adam more as a, as a friend. And we, I look forward to our calls more than, you know, a project manager who's, you know, cracking the whip over my head to get things done.

But Adam welcome to the show. 

Adam Cutts: Oh, thank you. Yeah, I'm, I'm,

oh, you caught me unawares with the, with the applause. I love it. I had a flashback to '80s sitcoms. That is, that is great. 

Jim's absolutely right too. I, I mean, I, I look at him as it's usually one of the best parts of my day to, to talk to Jim. Even if it's been a bad day, we talk and then somehow the world is better and we've solved something. Or maybe not, maybe we just feel a little better, better about where we are and, and move forward.

And, and same with John. It's just good to catch up and, I mean, we probably spent, what, 20 minutes talking before we started this, so. Awesome. Just, just a, a good way to. To, to get back into it and, and you know, reestablish some of the things that we didn't get a chance to talk about in the last couple months.

Anyway, I should probably introduce myself. 

Jim Palmer: I was like, we know you, but nobody else. 

Adam Cutts: Right, right. Yeah, exactly. 

Jim Palmer: Random voice. 

Adam Cutts: Yes. Yeah. So my name's Adam Cutts. And I work in what's called our networking Intelligence, cellular and Security group or segment, and that has a bunch of business units in it.

And my team is responsible for some of the critical business operations. Notably federal, state, local education, as well as service provider for some of our business units. But I also do special projects and do project management. And it's not just me. I have team members who also do projects and own the business operations and are experts in their own right.

So makes for quite an entertaining and diverse day each day of the week.

Jim Palmer: All righty, 

John Deegan: Jim. I think we both owe him a check, by the way, cuz that was really good. Yeah, that was really good. We're gonna have to check's in the mail. 

Adam Cutts: Yeah, no, no, no check needed. I say it like it is. 

Jim Palmer: That was a very project manager answer by the way. I do. 

Adam Cutts: I was just trying to prove that I can be concise and on on point now and then.

Jim Palmer: I don't know. I drifted off in the middle of it, so I'm not quite sure. 

Adam Cutts: You're, you're not alone. My wife always asks what I do and I tell her, and then she's like, can you boil that down into like, you know, you know, something that's a little bit less, you know, corporate and a little bit more English language, 

Jim Palmer: you know?

And that's, it's funny because that's kind of, I, I always bring up a story that happened to me. Way, way back in the day, and I was talking to a salesperson and he asked me a question. 

Adam Cutts: Mm-hmm. 

Jim Palmer: And it was a, it was a. It was a kind of a technical question, and I spent like 10 minutes explaining the answer to him.

And he sat there very, you know, what I thought was paying attention to me and, and focused and everything. And he comes back and at the end he goes, he goes, you know, when I ask you what time it is, don't tell me how to build a watch. And I was like, I was like, oh yeah. I was like, so the answer to your question is, Yes.

And so, and he's like, thank you. That's all I needed. And then walked away and I was so, so, yeah. So that's something that, but it's something that I've, I've always struggled with, and this sort of ties into, you know, the project that Adam and I have been working on for. Gosh, how long now? 

Adam Cutts: I mean, oh geez. I mean, we started it last year putting the structure in place and like anything, if you wanna be successful, you spend more time getting the structure in place and getting the process working the way you want it to you know, getting the materials.

You know, lined up. Than you do actually doing it once you have things clicking along. So it took us quite some time to get all of the mechanics in place and then to start, be able delivering on it, and yet no one knows what we're delivering it. So I'll hand that one back to you to, you know, release the tension there.

John Deegan: Such a tease. 

Jim Palmer: Well, so what we're, what Adam and I have been working on is the RUCKUS Security Story, I guess. 

Adam Cutts: Yeah. 

Jim Palmer: And you know, and. Part of that is sort of me talking about security in blogs, and now I think mm-hmm. You know, I, we're actually gonna throw this podcast into the security story as well, and we'll double dip and take credit for, for this episode as being part of that as well, getting that story out there.

But it's one of the things that I've really been working on is how do I, how do I, as a quote unquote, smart person, talk about the RUCKUS security stuff, but do it in a way that is, You know, understandable for people who aren't security experts and, and sort of, and also because they're making me do it on the corporate blog site.

I can't use, you know, 5,000 words to do it. And so, so Adam has been Adam's my, he's my editor, I guess you could say. He's a project manager and editor, and he's been.

That fits. I'll, I'll own that one. And so 

John Deegan: I love, I love you, Jim, but we know, we know you can be very loquacious. 

Adam Cutts: Oh, there go. 

Jim Palmer: Oh my God. 

Adam Cutts: That's a good word. I was going for verbose. 

John Deegan: Well, wait, 

I, I, I will, full disclosure, I am stealing that line from a movie, and if you can guess the movie, that's great.

You know exactly what I'm watching. Nicolas Cage, John Cusack, Ving Rhames. It involved a plane and a bunch of cons. 

Adam Cutts: Con Air. 

John Deegan: Yeah. Yes. 

Adam Cutts: Nice. Yes, yes. 

John Deegan: Con Air. But anyways, that's my contribution for that. So now we use two big words. People are gonna think we actually know what to talk about. 

Jim Palmer: Well, no, now we're like at three.

I'm just gonna have to put the link to like the Webster's dictionary site. 

Adam Cutts: Great. 

John Deegan: Exactly. 

Jim Palmer: In the show notes and be like, Hey, just go look everything up yourself. 

John Deegan: We're using the big words. We're not telling anybody that we're using incorrectly. Just, just to cover our butts.

Jim Palmer: So what were we talking about? I'm, 

Adam Cutts: We were talking about the security writing, the blogs and Oh, the ne the need to make them approachable and understandable by really everyone. So. I mean, I can talk a little bit about that as well. The idea about security, if you, if you read all the news nowadays, you know, cybersecurity, this standard, that certification, you know, the US federal government releasing standards on it, you know, the European government's coming up with their own stuff.

It's always being talked about. And usually then they'll throw out these different terms or, or, or bodies of knowledge and, and say it's NIST this, or it's, you know, AES encryption that, or something like that, and it will immediately signal that to the average reader that it's something they don't know about.

But what we wanted to do is, make it so that you can read it at a level where you understand our fundamental approach to security for RUCKUS, and we make security something that's understandable kind of demystify it and, and, and make you realize that you can do it. You know, and if you do the things that are the most important, then you are doing a lot to secure your network and to make sure that your organization is, is keeping the bad actors out and keeping the good people able to do what they need to.

That's been what we've been trying to do with the blogs is put it in an approachable format. Sure. We could write white papers sure. We could you know, do a technical journal. But a blog is something that is really. Cool. And really a soundbite if you, if you will, that in 500, 800 words, sometimes, you know, if it's Jim writing, it might be 12, 1500 words.

But overall you can you can get through it and you've learned something that you can then go learn more about or you can even sometimes just go and apply it. And so that's been the approach that we've been trying to do to, to, to get this, the, a security narrative, a story out there that holds together, and people can see how RUCKUS is really fundamentally focused on and concerned with securing their network.

Did that help? 

John Deegan: Okay. No, no, it makes, it does make sense. So, you know, aside from the podcast which, you know, we're trying to get the story out and, and we, we do like to use this for that. 

Adam Cutts: Yeah. 

John Deegan: What, what else is involved in this effort of getting this story out? 

Adam Cutts: Oh, so, so podcast is one. This is, this is a lot of fun.

Getting to talk about it, cuz then it, it tells other people and we're able to tell people who are listening to it, where else they can go and what they can find out. So first off, before we talk about, you know, everyone thinks the story is just that, you know, we're building something, but there's nothing behind it.

But the story is no good if there is nothing, but if there is nothing behind it, Security is a consistent ground up approach. That means that if you look at our products, if you look at the standards that we implement, if you look at our recommendations and best practices that we publish on what to do with those products and how to configure them, everything from the, where you're putting the wire into the switch to and connecting it out to a wall outlet, to making sure that you have devices that aren't rogue devices to making sure that you understand what happens when someone tries to connect and you don't want them to. 

That is built into our portfolio of products. So fundamentally our product portfolio is fully supportive and driving the security story. So without that portfolio and the capabilities built into those products, we couldn't have blogs that were effective or a podcast where we tell people that we know what we're doing.

So, So that's part of it. Then if you, if you also wanna look at it we, we realize the way people are thinking about security. If you go 10 years ago, 15 years ago, people are like, I take my little ethernet cable, I plug it into my computer, and I plug it into an outlet in the wall, and then I connect to the network.

Well, we don't do that anymore. So if I were to talk to you about, you know, security wired in, it would, it wouldn't be approachable to today's experts, to today's business leaders. So we take the focus of Edge Inward and that's where I, we, realize that there are multiple devices that never connect with any type of physical connection, and they connect in multiple ways.

You know, we using multiple wireless protocols, so the way that we're making this approachable and making it understandable is saying, look, we're. RUCKUS. We're a wireless company. We're also a wired company, and we want you to understand security from the point of your connecting with your device all the way in to how you, we make sure that you're the right person connecting to the right network with, with the right access.

And you've been authenticated and onboarded and you know, you're, you're if you're trying to access something that, that you shouldn't, then you're told no. You know, that's the way we look at it, and we put it in language like that too, so that people understand not only what we're trying to do, but then they can delve into the, the details and say, oh, I can go look at this white paper or this FAQ or this configuration guide and see how to do that myself.

Jim Palmer: All right.

That's a, that's a lot to. That's a, that's a really, I mean, it's a really good answer, but I mean, it's a, it's, it's a lot to digest, you know? And, and, you know, you, you brought up a, you brought up something that I'm, and I'm gonna steal from, I. Some other things that we've talked about or were scheduled to talk about, I guess.

But, you know, you're talking about from the edge in, and I think, you know, a lot of times people think of security and they only think about like firewalls. 

Adam Cutts: Mm-hmm. 

Jim Palmer: You know, and so it's, it's, Hey, you know, I really should only depend on my firewall for my security. And so security is a firewall, but you know, I.

I mean, truth be told, RUCKUS doesn't have a, what you would call a quote unquote firewall that you didn't normally think of. And so it's interesting that you bring that up because it is, you know, sort of this both direction type of 

Adam Cutts: Yeah,

Jim Palmer: type of flow, you know, because there's anymore, there's two edges to the network.

And you just can't say the edge anymore because you have your access layer edge, 

Adam Cutts: right? 

Jim Palmer: And then you have your WAN edge. And so I know something that I was taught early on was, was actually to define that, of saying, Hey, which edge are you talking about? Are you talking about the access layer edge or the WAN edge?

Because you know, where your organization connects to the rest of the world through the internet is where you have the WAN edge. And that's, you know, a little bit about our last conversation we had in our last episode with John Murphy and RUCKUS WAN Gateway 

Adam Cutts: mm-hmm. 

Jim Palmer: Was that was sort of the, hey, this is, this is helping, you know, on that edge.

But at the same time, we still have to control both sides of that story. I'm not sure where I was going with that on. 

Adam Cutts: Well, it's, it's really interesting cuz I had this visualization of like, I'm a medieval castle with multiple walls while you were doing this, you know, you would define your wall and you'd say, that's my edge.

But you know, what about, you know, barista, what about, you know, Digging under the walls, you know, and, and coming in. It's, you can't just say, Hey, my firewall is my security. The fundamental principles around much of today's security is that you can't assume that your wall is gonna hold people out.

You have to basically it's like the zero trust architectures and principles. You have to assume that there are bad actors and that you have to be able to detect the ones that make it in as well as the ones that are. You know, that you're trying to prevent, and that's why an older terminology was a defense in depth or defense in layers.

And that, you know, if you think about a medieval wall, again, that's why I use this analogy. You know, you have your, your first outer wall, and then you fall back to your next wall and then to your next wall, into your next wall. And that's one way of thinking about it, is you, you know, you're, you, you, you wanna make sure that there's multiple levels that you can protect your, your key assets and your information. 

And but looking at it that way is a, is a very rigid concept, I think. And so what I think we recognize in our security story, I'll bring us back to that now, is, is that 

John Deegan: somebody knew where we were. 

Adam Cutts: Yeah, yeah. Well, so there's this fallacy that you have to have the answer for everything.

That you have to have a product or a feature that does everything. There's a reason why there's industry standards. There's a reason why there's interoperability, why when you go look at our products, for example, you go look at someone else's products and it says, I implement these IEEE specifications.

I implement these standard features and requirements that are industry-wide. You do that so that you can interop. With products that we know, our companies, our customers, or potential customers are already gonna have in their environment. And they, they don't wanna replace everything. They want to get our stuff and make sure that it works with their stuff.

And so that security then that you, you're looking at, is a combination of our stuff. And, you know, other stuff that, that they might already have, maybe they'll replace it later with some of our stuff. But that's the whole point of it, is that you're able to build a comprehensive security story that addresses everything from the fundamentals of to, you know, in some cases the the, the, the niche tools and applications that are needed for it.

John Deegan: That makes sense. 

You were gonna say something? 

Jim Palmer: No, I was was gonna say that the, the term I think you were looking for was the, the castle and the moat. 

Adam Cutts: Yes. Thank you. Yes, yes. That's what it was. 

Jim Palmer: Where you have, you have the, the moat, you have the big castle walls. 

Adam Cutts: Right. 

Jim Palmer: And then, and if you get through that initial, you know, thing, then, then, you know, yeah, you might have one or two secure rooms within the castle, but.

Pretty much, you know, the way it used to be was if you got through that outside perimeter, if you got through that, that, you know, over the moat, probably not under it back in the day, but if you got over that moat and, and, you know, and through the wall or over the wall, whatever, you know, and of course I'm, I'm having like Lord of the Rings.

Adam Cutts: Yes! That's what was going through my head, going through my head 

Jim Palmer: When we talk about that. 

But it's like, it's like, you know, once you, you know, once you get through the, the, the outside wall of Helm's Deep, then all of a sudden it's like, oh, quick, what do we do? You know? 

Adam Cutts: Right. 

Jim Palmer: We're, we're, we're in trouble.

And so that's where that, you know, You know, I think that, and that's part of the story that, that I know I've been trying to tell in our blogs 

Adam Cutts: mm-hmm. 

Jim Palmer: Is that, you know, there are so many other different things that you can do. You know, not just, I mean, you still need that strong or outer wall, don't get me wrong, but you still have, there's still other things that you can do and should be doing 

Adam Cutts: mm-hmm.

Jim Palmer: In order to help sort of fortify in every place that you can. 

Adam Cutts: Yeah, absolutely. And that's, I think what we're trying to show as well. That if I can jump ahead a little bit the, everyone thinks I need to go buy this thing, this, this cool thing that is gonna do all my security for me. I need to go buy a, you know, a a zero trust solution.

For example, that's that's gonna do everything. I know. You're, you're, I can, you're, you're shaking your head at this. I know. But Zero Trust is a, is a set of principles and implementation of those policies, PR procedures and controls to make sure that you're doing the things you need to, to pr, to keep thing bad actors out and to.

Catch them, you know, and kick them out. When if, if they do happen to get in. And I'm, I'm grossly simplifying this but where I'm going with that is you don't have to have the whizzbang, coolest thing out there on the market that you overlay on top of your, your network and all your connections into it.

That says here, I'm now. I'm now zero trusting. I'm, I'm, yeah. So obviously I'm secure, but if you've, you, you know, left your back door open and someone can walk in and move your a access point to another place in the building and then have full con access to the network because that happens to be a live network drop goes into your, your core network.

Just as a hypothetical example, 

Jim Palmer: Totally hypothetical. 

Adam Cutts: Not that that would ever happen. 

Jim Palmer: No. 

Adam Cutts: Then your tool did nothing, and so the idea that we've been building is focusing on the fundamentals catches a huge percentage of people who want to use the easy way in. Cuz fundamentally, no one wants the hard way in.

No one wants to be, oh God, I worked, you know, 25 hours straight trying to, to break through this one area, into this area. No, they wanna be able to then just plug into something, Ooh, look, they left this open, let me go. That is what, what? And, and if you're hard enough to get into, they're gonna go find someone easier.

John Deegan: Yeah, no, I mean it's, it's the going back way back in my career and I worked at a startup and I wasn't even security conscious back then cuz I didn't know what I was doing. I was still learning stuff. But I remember our posture was, and it was something that I was taught, was I wanna make it hard enough to get in the network.

Not impossible. I'm not gonna be the dumb, dumb person that sits there and says, you can't get in. I want it to be hard enough that if you get in, I wanna hire you. That was kinda always, 

Adam Cutts: I love that. 

John Deegan: Well, yeah. You, you're smart enough to, to get in. Hopefully it's, I mean, how many times do we see breaches because people leave, I mean, it's layer eight's the weakest link in almost every network, probably every network.

And at the end of the day, How many times do you see people getting in because default passwords are still out there. 

Adam Cutts: Yeah. 

John Deegan: Or default credentials never got disabled or changed. Or people walk away from their computers and they're logged in and they've got privileged access and so on and so forth, or phishing attacks and things like that.

And we could spend hours talking about it. It, it made me laugh. And this is a story that I, and I just sent this to Jim last night. Everybody's probably aware or will be aware if they're going to Vegas. There's a new monstrosity of an arena being built called the Las Vegas Sphere. 

Adam Cutts: Mm-hmm. 

John Deegan: And Def Con is gonna be there and Black Hat's gonna be there in a matter of weeks.

And somebody through the press has basically come out and declared that the people that run the sphere have said it's not hackable. Which means when Def Con and Black Hat are there, it's going to be hacked. They literally just threw the gauntlet down and said, come hack us. Which isn't necessarily a bad thing cuz you're basically getting a free pen test.

But like I. It's, yeah, it's defense in depth. It's, it's, make it as hard as possible, make it as unattractive a target as possible. 

Adam Cutts: Mm-hmm. 

John Deegan: And putting a gigantic video screen around your entire arena is making it about as big a target as possible. But to, to kind of shift gears a little bit back to something you had talked about earlier with standards, Adam.

Yeah. I know from my little minuscule experience with security, like a lot of times people take their posture, take their, their cues from what the government requires. Yes. At the end of the day, there's a lot of fines and things that come into play with GDPR and, and all that being in the news. So how does that play?

I mean, I know we've got some interactivity with the, the fed space and things like that. So how does the, 

Adam Cutts: yeah. 

John Deegan: Whether it's US or international rules and and laws at, at that point in standards, how do they come into play with, with what we drive forward? 

Adam Cutts: And in fact, it's all interrelated and, but they, they factor in a lot.

So I'll use two governments as an example. So the US Federal government Has a, a, a very extensive focus is probably one way of putting it right now on cybersecurity. There's a, a, a massive amount of the IT budget is dedicated to, to cybersecurity in the US federal government, and they are passing those requirements to each of their departments and agencies and bureaus, and in turn, purchasing out of those then is requiring those same standards from any software, hardware, vendors or services or support contractors, et cetera.

So it, it, that is a trickle. I, I hate to use trickle down effect because, you know, everyone thinks of trickle down economics. Sidebar won't talk about it, but, you know, that's what it is though, is it trickles out there because the federal government is saying this is really important. And, you know any business that wants to do business with them has to implement those standards.

And those standards come in the form of across the board security. So we've been talking mostly about information security. But there are ones around physical security, around authentication of product and components. I mean, it's full supply chain and cyber supply chain risk management and security, as well as information security that, that, that are being released out into you know, the broader world from the US federal government.

So, With that context, and I'm not gonna list a bunch of different ones, but I could throw out all the different standards that they use. It's, it's not really important. It's to know that they are there and that they drive behavior. 

So if I want to say, go sell to the Department of Defense, then I have to do what we've been doing for years and go get my products certified under multiple federal certifications that say that they meet the criteria for where they're built. That they meet the information security requirements, that they meet encryption requirements and cryptography requirements that they have security on boot up checks that they have the ability to lock things out or lock into a particular configuration so that they can't be changed.

All of those, we have done that with our products and the results of those are ones that we can then leverage as part of our security posture. So other Non-federal agencies will buy federal products because they provide more security. We've seen this happen, especially in the US but it's not just the US.

You mentioned GDPR. If you look at the European Union each one of the member countries of the European Union have come out with their own security standards. Those security standards are oftentimes based on ISO 27001 to take for, for cloud or for their, their, their security requirements.

But they also have come out with encryption standards, and those are continued to evolve year by year, which means that, going back to the earliest part of what I said, we have to look at those and build the strategy to have the the higher level encryption available. You know, to go from 2000 bit to 3000 bit RSA encryption to go from 128 to 256 bit, you know, those type of things.

We have to be constantly doing that, building that into our capabilities. So, short answer, to go all the way back to Jim's Yes. It, it, it has a heavy influence on the way we look at it and what direction we see security going.

Jim Palmer: You talked about, you know, you talked about the encryption, but, you know, and stuff like that, which is, I think where, especially in a, for a Wi-Fi, You know, in a Wi-Fi world where we, you know, John and I kind of live, you know, we always think about the encryption standards and 

Adam Cutts: mm-hmm. 

Jim Palmer: And you and I have had some conversations about, you know, the 2000 and 3000 bit type of stuff, and 

Adam Cutts: That's right.

Jim Palmer: We don't have enough time to get into that. 

Adam Cutts: No, 

Jim Palmer: But there's also, you also talked about something else which, and I'm going to go ahead and shamelessly plug our own podcast. You talked about, you know, making sure that you know who's connecting to your network. 

Adam Cutts: Yes. 

Jim Palmer: And that was actually something that we talked about, about three, two or three months ago with Christopher Mohammed when we did an episode 

Adam Cutts: mm-hmm. 

Jim Palmer: On Cloudpath, which is also part of this bigger security story that I haven't gotten around to writing about yet. But so if you haven't listened to that episode, that was episode number 68 go ahead and you can go back and you can listen to that where we talk about, you know, how do we make sure that the people joining our network are the people we want on our network, and how do we sort of control that side of it.

So it's, it really is sort of this interesting mix of, you know, like we were talking about with the access layer versus the WAN edge. You know, which one really is the edge? You know, it all sort of ends up being this huge mass of nebulous. And, you know, John, you, you are blaming layer eight and I'm actually going to jump onto my my hacker fan boy mode.

And I'm gonna say, you know, it's, it is a layer 8 problem, but it's, it's not, you really can't blame them because for too many times we end up making it so hard that people come up with ways to circumvent the rules. But we don't ever teach them 

John Deegan: Notes on keyboards. 

Jim Palmer: Well, we don't ever teach 'em like better ways.

We don't enable better ways. So yes, it is a layer eight issue, but it's, it's also the layer eight issue on both sides of that street between, you know, we make it so hard, like you were talking about with your your startup, you know, it's super easy to secure a network. You just don't want anybody on it.

You know, you deny any, any, put that up to the top of your firewall list. 

Adam Cutts: Right. 

Jim Palmer: You know, you make, you, you make a, a PSK network that's has 64 characters and you just don't ever give it to anybody. Nobody's getting on that network. And so you can secure it. It's very easy to secure, but it, to your point, it's also, you know, nobody can use it.

And so it's, it's finding that balance and the balance and the people and the balance and the technology and that whole balance to sort of bring all this stuff together. And I think that's kind of, you know, the effort that we've been going on with, you know, our efforts in the blogs is, you know, there are so many different ways that you can look at security.

You know, and we were, one of the things we were gonna talk about, which I don't know if we were have enough time now, but you know, it's like stuff like, well, if you don't have the budget and the resources to go buy the best, you know, top of the line, high end firewall, you know, are you, you know, are you just out of luck?

Adam Cutts: Again, I think that's just to, to plug your own story from the blogs for a bit.

But in, I wanna say your own story, but it's really the, the story of, of RUCKUS enabling our customers to do what they need to do. It's, it's not saying go buy the most expensive thing or license the most expensive thing, or go find the, the top-notch you know, best of breed product for this one firewall and, and, and do that.

And you're good. That's, you know, sure. That'd be awesome if everyone could do that, but not everyone can't. So instead, you know, look at what kind of environment you have, what kind of devices you have connecting, and look at the best design to make sure that you are, you know, doing all the, checking, all the boxes, dotting all the i's, crossing all the t's to say.

Am I making sure that people who are connecting should connect, like, authenticate and authorize them? Am I making sure that I have policies in place where I, I check the devices first to make sure that they are a corporate device, you know, and those are all things that are within standard products.

That, that, that we and, and other people too, offer. And you don't have to go buy the most expensive thing to do that. So the, the short answer, again, I'm gonna keep coming back to that, is no, you, you don't have to buy the most expensive firewall or the most expensive toy, or, you know, the biggest SASE or SDWAN provider to do this kind of stuff.

You, you can. Your attention to the fundamentals, to securing everything from the point where things are connected, whether that's a user connecting or a, a, a device to device connection. Making sure that the right policies and, and role based access is in place and that you use things like certificates or, or pre-onboarding where, where things can be preauthorized to make your job easier, like you can do with Cloudpath, then you can have a secure environment without breaking the bank.

John Deegan: That makes sense. And you talk about breaking the bank or, or, or not breaking the bank as the case may be. So here's, here's a, taking a, a slightly different approach, say we've got. I'll call them frugal cuz I don't wanna be disparaging. 

Adam Cutts: Mm-hmm. 

John Deegan: But we've got some and, and everybody knows it and anybody listening to this, our hundreds of listeners, it takes time.

But we get to a couple hundred, our listeners. 

Adam Cutts: Does that include family? 

John Deegan: I don't think my kids will, if I listen to it in the car, my kids have to listen to it. So maybe, but so we, I'm sure we've all had these customers, right? They've got. The network works. They don't want to change it for anything. But the reality is we've got some really old legacy devices and on top of that, they've got no staff.

So I mean, are they kind of up a creek without a paddle? 

Adam Cutts: I. No, I think again, you know, I can't speak to their specific configurations, nor am I an expert in that. As Jim pointed out in the beginning, I'm kind of a jack of all trades, master of none. If we really want the in-depth explanation of how, of how that would work, it has to come back to, to John, you and Jim to do it.

However, that being said, it oftentimes you have to match your capabilities and your capacity to address it. Which capacity being like people capabilities being skills to what you need to do. And so if you're looking at capability, capacity, and then budget as well then say, well, what are the, what is gonna get me the farthest down that path of being able to do what I need to do within my own constraints?

Well, that's why there's something like, you know, RUCKUS One or cloud based opportunities to, to, to use that, the, the strength of that, of the, of the cloud to do stuff for you. So if you go into RUCKUS One, for example formerly known RUCKUS Cloud for people who are saying, what is he talking about?

But RUCKUS One is the latest thing that we just announced. RUCKUS Cloud, it was, was the previous iteration of it. And that inter integrates with Cloudpath and so, you know, for authentication onboarding. But the thing about it is you can. I'm gonna grossly simplify. Check a little box that says auto update for me.

And what that means is a cyber tower security expert is the one who is responsible within your environment to go and make sure that you're, you're up to date on your patches, on your your firmware, your OS, your, your your devices, your, I mean, you know, I could go on. But that's a lot of work. And that means that you also have to have in place tools and controls that allow you to go check on that all the time and then tell you about it.

And then you have to be monitoring security bulletins and releases. And that is where you get into the if you're a lean department, you don't have that, you need to lean on someone else, forgive the pun, to help you do that. And that's where the, the cloud can come in to really assist you. It can make up that difference for you and let you, and, and do that for you.

So that addresses, if you have devices where you can do that. Now, the other part you ask is you have legacy devices and, and what do you do about having legacy devices? Well, that's an interesting one. And Jim, you may I'm gonna cue it up and then you might wanna talk more on this, but each one of those devices has a certain maximum level that you can get them up to in terms of security and what they can use, what kind of ways you can secure those.

So just saying, oh man, I'm hosed. I can't, I can't do it. That's not usually a good approach. Instead finding which ways and what are the best mechanisms and that you, and, and, and standards you can use to secure those knowing that you have to have them on your, your, your network. Well, that's what you're gonna have to do.

And then maybe you can isolate the, all those devices often to, you know, certain parts of the network where they can do less damage. And Jim, you might wanna add some more to that. 

Jim Palmer: You know, and. I'll plug the show again. If you don't know about RUCKUS One, that was two episodes ago, episode number 73, where we talked with my boss, Mittal Parekh about RUCKUS One and that evolution.

So if you haven't listened to that one, go listen to that one. But you know, there's, I think there's a point then, and I was thinking about it while you guys were talking. And I was like, I was like, you know, I said, Adam brings up a good point about using RUCKUS Cloud. And John talks about like, he, he loves to use force multiplier type of thing.

And I think that's something that you know, we get with the r with a RUCKUS One or RUCKUS Cloud that I think we don't necessarily pay attention to. And I'm, I'm a little distracted cuz I'm, I'm double checking my question here. Remember my point. So when I go into. Some of our other controller platforms and I looked at Build a Network.

I'm given authentication options and encryption options. But for somebody who's not a Wi-Fi expert, you're not, you don't really know or understand like, Hey, what exactly should I pick? What should I do? However, when I look at at RUCKUS One and I go to do that same thing. And I, you know, go say, Hey, I'm gonna create myself a, a, a wireless network.

It actually helps me walk through and, and even has little diagrams of, Hey, this is what we're talking about, that this is how the data flow is going to work. This is how the encryption is going to work. This is, and, and it gives me a little explainers to walk me through so that I don't have to be a security expert when I design these networks.

And so at that point you can say, Hey, I have a legacy barcode scanner and it only does, you know, 802.11g and you know, it barely does WPA2. It doesn't, you know, none. And that's it. And so, you know, you have these. These were, you know, these limitations. And I think that's part of what I'm, I'm trying to do in my blog series, which I'll put a link to in the, in the show notes for people, is to sort of understand that, hey, you know, you can, you still have to support those, you still have to bring 'em on.

But if you configure it in a way, you know, It ends up, you can protect your access layer a lot better, and you can also protect your core network a lot better because then at that point you can say, you know, we're going to put these barcode scanners on their own network. We're going to isolate them. And this is stuff that RUCKUS One sort of walks you through and says, Hey, you know, these are these different options.

And then not only these are the options, but you know, this is what it means when you know, when you say, Oh, I want to have a passphrase, or I want to have DPSK, or I want to have 802.1X. There's all these little explainers underneath, you know, just one or two lines, you know. Oh. Requires users to enter a passphrase to connect. The passphrase is unique per device. Well, that's DPSK. 

You know, use 802.1X standard and WPA2 security protocols to, you know, authenticate users using an authentication server on the network. Well, that's enterprise, you know, 802.1X. And so I think that's one of those things that, you know, from a force multiplier and helping those people out, it's like, you know, having a tool like RUCKUS One allows you to actually start building that stuff up.

And so you have an idea, you have an understanding. And then, you know, you mix that in with the blogs with me trying to explain in, in, you know, a thousand words or less, Hey, you know what, put those, and then because we are standards based, because everything we do is sort of like that, then it's easy to incorporate it and say, you know, I'm gonna send my barcode scanner traffic, or my fish tank heater traffic to my firewall. 

And then I'm going to let whichever firewall I've selected, manage and maintain that and keep track of that connection. And then alert me if, you know, all of a sudden my fish tank heater is sending gobs and gobs of data to, you know, Russia. 

Adam Cutts: Mm-hmm. 

Jim Palmer: Which is a true story that ha Yes, that happened to a casino.

And so I think that's, you know, I think that's, that's sort of the. You know, the whole idea behind the effort is you're not in trouble because you don't have the budget to buy the biggest and most expensive firewall on the market. There are other things that you can do, you know, to help sort of get that balance between functionality and security.

Adam Cutts: And I think that to add one more thing to that, you said earlier that everyone thinks the firewall is where it, where it's at. The firewall isn't where it's at. The firewall is one place it's at. The firewall is the most visible and noticeable thing that everyone thinks about cuz we all now know what the word firewall means.

But you know, if you're looking at Zero Trust as an approach, it's the combination. It's, it's, it's of tools, configurations of your different products and networks applications, access control, you know, managing devices and putting safe devices in one place and less safe devices somewhere else. Limiting edge devices in where they, what they, how far into the network they can go. And then validating and, and carrying things that tell you where that device should be as they move. It's a different place in the network, kind of like the know tenant stuff that Christopher Mohammed talked about for having your, your own no matter where you go, you know, that device goes to this network just as an example.

So it's all of those put together. So you're creating a package that is your solution, not relying on one or two things. 

Jim Palmer: Can I, can I just say that I'm going to now, you know, knight the, you know, with your, you know, as, as a, as a network at least, at least as a, as an honorary network person or an honorary, because your, your description about zero trust.

Is probably one of the, I almost wanna just take that one little clip and say, let's just play this over and over and over again because it's, it's not about a product you go buy. 

Adam Cutts: Yes. 

Jim Palmer: It's not about, it's not about, you know, this one little widget. It's a concept and, and trying to take all that stuff together.

That was, if you've, if you're listening and you've ever wondered about Zero Trust, Adam's answer is probably the one of the best and concise answers I've heard, you know, about what is Zero Trust in a very, very long time, so

Adam Cutts: Thank you. 

Jim Palmer: Thank you for sharing. Thank, thank you for, we actually have that recorded.

Now we can use it. So, yay. 

John Deegan: I can cut it and make it a soundbite and put on a button.

I won't, but I could

Adam Cutts: See the soundbite tools are just one part of your arsenal. 

John Deegan: Exactly. 

Adam Cutts: Yeah. 

I couldn't help it. I couldn't help it. 

John Deegan: I be, I, I behave, you know, with great power comes great responsibility. I don't use these, you are right on Teams calls. Even though I could, because everything's still connected from my Teams calls.

I've thought about it. I've never done it, cuz I'll probably get in trouble, but I've thought about it. 

Oh, 

Adam Cutts: I love it. 

John Deegan: Yeah. On that note I don't know that I have anything else to ask. This was a very I mean, we, we could easily spend hours kind of diving into any one of the particular areas of security.

It's a very nebulous world. That's probably the best way to put it. Mr. Palmer, what do you think? 

Jim Palmer: You added another big word we gotta get. 

John Deegan: Yeah, I did. 

Jim Palmer: Yo yeah, and this is, this is this. This podcast episode is very indicative of the calls that Adam and I have where we just 

Adam Cutts: Very much 

Jim Palmer: Like, we're like, oh yeah, we're gonna schedule it for this long.

And then you look up and you're like, wow, we blew through that, like nothing. So there's, there's lots I could add, but we, you know, we do need to kind of wrap this up. And respect other people's time. But this is a fascinating conversation. And Adam, thanks for joining us. But I will give you, I will give you, as a guest, one last opportunity to, you know, if there's one last thing you could add or if you, you know, ask or, or, or something that you could impart upon our listeners we'll give you as much time as you want cuz honestly, we're never gonna cut you off, so.

Adam Cutts: Oh, thank you.

Jim Palmer: Is there one, is there one last thing? 

Adam Cutts: Yeah, so I think if you listen to everything we talked about we rarely dove into anything truly technical while explaining the principles of security, everything from government requirements to zero trust. One thing I want people to take away is don't be intimidated by the need to do all this security.

That's why there are tools that help you. That's why there are the fundamentals. That's why there are configurations and configuration guides. That's why there's, you know, RUCKUS support. That's why there is your, your, your partner teams and the, the, the technical assistance that comes with, you know, deciding to go with a particular solution. Security is something that you build up over time.

It does, doesn't magically appear. So if you take the time and you build your network and you already have a network, I mean, it's most, most likely. It's not like it's a green field and you just drop a switch in the middle of it and you start from there. If, but if you, if you take the time to build out your network and build out how you configure and control it, and you follow best practices everything from physical to virtual to tool-based to, you know edge connectivity, you can build a secure network and have something that you can have confidence in.

So I just want you to realize that if you do that, and you've heard, heard the word Zero Trust, you've heard all sorts of other things. If you're following those best practices, you're building out your approach to that. And it is not something that should scare you away. There are wizards, there are helpful things in cloud.

If that's something that you, that that, that is your architectural approach as well, that will get you there. When I started doing and looking into security, I had to, to learn everything. You know, there were so many terms I didn't know. I probably had notebooks full of terms that I didn't understand.

But if you, you know, just continue to go through and, and let us help you demystify it, then you're gonna get where you need to go.

Jim Palmer: Thank you. 

John Deegan: Awesome. 

Adam Cutts: Yeah. Thank you. 

John Deegan: Well, I don't think we've got anything else to add, so Yeah, big, big thanks to Adam for taking time outta your, your day to to join us and talk all things security, which is great cuz you know, Jim mentioned it before, we're a wireless company or we're wireless guys in the, in the company.

And security is one of those areas that we, we have answers for, but we don't really, we're not known for it, I guess is, is probably the best way to put it. It's not, it's not what people think of when they think of RUCKUS. Maybe that'll change.

Jim Palmer: That's our goal. 

Adam Cutts: It is, and again, to realize that we've been thinking about it the whole time and building it in the whole time.

We've been focused on you have the best Wi-Fi, the best wired networks, the best capabilities to do what you need to do, and this is one of our ways of making sure you see that all the work that's gone into it is something that you can use and approach easily to configure secure networks.

John Deegan: Yes. Cool beans. Cool beans. I don't think I have anything else to go. I mean, we could, we could keep you for hours, 

but we've actually the regular,

Jim Palmer: let's, let's just, let's just state that we're going to end this now and you know, Adam, you're always welcome to come back and join us, although I think 

Adam Cutts: Thank you.

Jim Palmer: You know, we said that to like the last like. Like every guest we've had, it's always been like, oh yeah, come back and join us later, you know, next time or another. And I, I realized I was like, well if we did that, that's all we would ever do is we just keep talking like the same, like eight people, you know, and this is rotation.

So, but no, it's fascinating conversation. Thank you for joining us and we do really have to put a bow on this one. Cuz if not, we're just gonna keep going and going and going and going. 

Adam Cutts: Yeah. Well thanks for having me. I enjoyed it. 

John Deegan: Thank you very much. So on that note, I'm gonna hit the music so we can't get going.

Jim Palmer: Yes, please. 

John Deegan: No, we won't. We will see everybody else in the next episode.

Stop on Zoom.