Listen as industry leaders share ways they have assisted state and local governments address both the direct impacts of the pandemic and the gaps and shortfalls brought to light.
Speaker 1: On behalf of SolarWinds and Carahsoft, we would like to welcome you to today's podcast focused around legacy modernization upgrade to citizen centric digital services. In the second panel in the series, Michael Kennedy, former senior National Intelligence Service Officer sits down with Brandon Shopp, VP of product network management with SolarWinds to discuss it modernization in consolidation.
Michael Kennedy: Hello, everyone. Thanks for joining us today. I am Michael Kennedy. We're about to have an interesting conversation focusing on state local and education or sled issues. State CIOs to the National Association of State CIOs have named digital services as their number two priority and 2021. Second, only the cyber security. Today, we'll be discussing how modernization of legacy it is a critical component to achieving success in these areas. Critical to realize and success is a modernization of legacy IP, including cloud migration, remediation of bottlenecks and silos, and deepening the pool of talent to draw upon for needed skills, influenced by unique challenges of the covid 19 pandemic, including added cost and burdens on the IP and networks workforce, in particular, have made this even more daunting task. Our guest today is going to look at various primary issues for how state, local and education entities can best achieve milestone for effectively transitioning and evolving modern digital services while maintaining strong cybersecurity practices. I'm happy to welcome Brandon Shopp, Vice President of Product network management at SolarWinds, random previously served as Director of Product Management in 2011. Before becoming Senior Director of Product Management, Product Management in 2013. He also served as Senior Director of products in market Aero technologies, then Vice President of Product Management at Amazon involved prior to assuming his current position with SolarWinds. Thanks for joining us today Pradhan. And let's get started. First off, tell us a little bit more about yourself maybe from my personal perspective.
Brandon Shopp: Sure, absolutely. And again, thank you to yourself, Michael and FedInsider and Carahsoft for this today. So really appreciate that. But we talking about here about state, local and education. So from a personal perspective, you know, this actually hits quite close to home for me, my wife actually works for the University of Texas at Austin. As you can tell, I'm out of out of Austin, Texas, where we're our corporate headquarters is and so she actually oversees, amongst other functions it for her district, you know, so this is something where even in the evenings, we try not to talk about work, sometimes we don't, you know, kind of fall into that trap and, and talk about those I hear about some of the challenges that that she faces there, you know, from an education perspective, working within a state agency. So always good to kind of learn and hear about some of the challenges there. So that's, I guess, a little bit a little tidbit about me, from a personal perspective.
Michael Kennedy: I tell you what, with that kind of a partnership, it's kind of hard not to talk about work at home, sometimes.
Brandon Shopp: It is.
Michael Kennedy: I can't imagine. I could imagine that. So thanks a lot, that let's dive right in. There have been a lot of cybersecurity challenges that federal, state and local agencies have been facing this past year during the pandemic. It's not just about cyber-attacks, is it?
Brandon Shopp: No, absolutely not. It's not at all. And so it's not just cyber-attacks. It's really, you know, you talked about this a second ago, with a lot of folks doing remote work with a pandemic over the last, you know, 12 plus months, you know, of course, we had the election, as well, a lot of people, you know, forget about that, like it was so long ago. But that was of course, put a lot in the election headlines and a lot within the state, local, you know, and even to a certain degree, the education. And then of course, you know, with the, with COVID, we definitely saw digital transformation, which we'll talk about here today, you know, really speed up with cloud computing, but also looking at it consolidation and monitor modernization. You know, it's really all impacting, you know, federal, state, local, IT teams who are really delivering what are increasingly critical services, you know, whether it be to citizens, to their employees to our warfighters, you know, to whatever it may be that they're having to service.
Michael Kennedy: Well, thanks, that lets me you know, risk state and local governments, along with our educational institutions, migration and modernization from legacy systems, and infrastructure can be daunting to say the least. What are some A proven method for identifying legacy applications suitable for rethinking and modernizing?
Brandon Shopp: That's a great question. And this is a question I hear all the time, when I'm talking to folks, and we've been, you know, deploying within our data centers within our environment for so long. And so, typically, what I tell people to do is look at the tech, the technology itself. And so, is one element. We'll talk about that here a little bit. And then the other is, you know, what is the criticality of that application? You know, is it something that is, you know, critical, you know, to kind of running, you know, I function within the business day to day, or is a nice to have, and so prioritizing kind of the, you know, the, the need of that application, you know, within the environment will help from a prioritization perspective, and the, you overlay on top of that, you know, really taking a look at the technology stack that that application, you know, is created in, you know, is it something that you got, that is a, you know, commercial off the shelf based application, you know, or is it something that was homegrown, you know, we see a lot of times in state, local, and education, you know, a lot of homegrown applications because of, you know, the unique needs and unique use cases that a given agency may have, and there may not always be, you know, a commercial off the shelf application that can solve those needs. And so, the reality is, some of those, you know, homegrown applications, they don't get updated very often, you know, once they are, they're built, you know, they serve their function, they serve their purpose, and there's not a whole lot of modernization that goes on with those applications. So as long as it's kind of the old adage, if it isn't broke, don't fix it. And so, you know, those applications may not be the most prime or suitable to kind of rush to the cloud. And then as well, if you kind of overlay, you know, some of that as well, you know, that that will give you additional data points, you know, as you think about kind of that ultimate prioritization. But I always say, really, you know, take a look at and focus on, you know, who are the people that are leveraging and using this application? Where are they located at? You know, are they primarily out of the office over, you know, putting the last year aside? Are they normally in an office? You know, is it something that is pretty static, meaning, you know, the usage of that application, or is it something that, you know, is dynamic, that has elasticity built into it. And so you may have, for example, you know, tax time or, you know, healthcare.gov, you know, those types of marketplaces, those typically have periods where they're more busy than other periods, where you're going to need to scale up traffic and, and compute capacity within an environment. And so again, you kind of look at the usage of that application. And that gives you in Connect can really help prioritize for you, which are really going to be prime applications that are going to be less risky, and less impactful for the organization, if it's down for a period of time. But also, again, to, from a budgetary perspective, you know, applications that are more prone to that elasticity of nature. So instead of going off and having to purchase and rack and cool a bunch of hardware in order to handle that, and it sets idle for the other nine months, or 10 months of the year, you know, if you use the cloud, you can scale those compute resources as needed. After that event has concluded and traffic goes back down or usage goes back down more towards its normal levels, then you elastically scale back down. And again, you kind of control your budget as well, they're from that perspective to where you're not just having idle resources sitting there essentially doing nothing. So, you know, those are some of the things that I will typically look at when I'm having phone conversations or advising folks really around their journey from a modern modernization perspective.
Michael Kennedy: It makes absolute sense. But you listening to it, it looks like, we're probably going to be in a hybrid type solutions for forever, we're always going to have static functions, homegrown functions, things like that, that are probably best suited to be on site. Whereas like you said that the dynamic and scalability, both traffic and compute capacity, really called for a cloud solution. Keep moving forward with it, right.
Brandon Shopp: That's right. And so, you know, we talked about defining the scope a little bit there. I know I kind of, in roundabout ways here talked about some of these, you know, doing the assessment, you know, understanding what you got across your environment. I didn't talk about the market survey, you know, really understanding how your users are using it. But also, what are other potential applications out there? Is that something that can be retired and replaced with something that is a commercial off the shelf application that maybe didn't exist five or 10 years ago? But then to your point, Michael, you know, just keep moving forward.
Michael Kennedy: Exactly. It's almost like the agile process. If you keep it, you keep it moving. It's a full circle, but the circle has to continue to go.
Brandon Shopp: It's gonna be very cyclical nature.
Michael Kennedy: Great. Well, moving on. So interoperability is critical in today's life. Networking and communications ecosystem. So what are some resources for sled entities to take advantage of to ensure that their migration efforts actually lead to interoperable environments?
Brandon Shopp: Yeah, no, that's a great question here. And so, you know, another great question actually, and, you know, there's plenty of resources that are out there and available, you know, a lot of these providers that are out there, you know, from a cloud service perspective, they have a lot of resources available, there are organizations that specialize in this, in this type of effort and doing these analyses. And, and, as well as kind of pointing out some best practices, and what are the things do not do, and so, you know, so I would definitely recommend, you know, checking out those resources that are available from those, those cloud service providers, as well, you know, as you go through there, and so, but additionally, you know, the cloud has been around enough to where you've got tooling that is available, you know, that'll help you kind of on this journey, ultimately, not just in the assessment also, but also in the migration effort. So, you know, taking an on premises database, you know, SQL server or an oracle database and, and moving it over to, you know, manage SQL instance, or Amazon RDS, and kind of helping you with that. So that way, again, you're not manually, you know, kind of handling that yourself, there are there are ways in which to automate, if not all of it, you know, kind of the analysis and the assessment, but at least automating some of it. So the tooling that is available universes many years ago, is one, there's more documentation out there, there's more real world use cases to there more consultants out there that specialize in this, and kind of aiding and assisting organizations through this journey. And then, you know, as I mentioned, kind of third, you know, there, there are other resources that are available at the government level to around securing, ultimately, and making sure, you know, that, you know, because now you're putting something out, and that you've got to manage, you know, as well, it's not in within your physical, you know, four walls so to speak. And so, you know, there are additional considerations that you have to take into account, when you're deploying the cloud, making sure that things are secure, that they're accessible, that they're configured appropriately, and those types of things. And so there, there are definitely lots of resources that are available in many different places to assist you through, you know, through this migration set of efforts.
Michael Kennedy: Well, that's where it makes sense. I mean, if others have already done it, which is all likelihood, everything that we're doing others have done it, there's really no need to reinvent the wheel. There's something for everybody. Seriously? That's right. So from the private sectors perspective, what are some best practices and tools for state and local governments to use today for safeguarding data assets, while not restricting the ability for information sharing amongst team members, as well as outside organizations in the field, even?
Brandon Shopp: Yeah, no, exactly. And, you know, there are definitely some great tools, as well as best practices, but I'll talk, you know, a little bit more on the tooling side of things, you know, so you, you know, you have data assets, you know, I talked about, you know, making sure that you've got, you know, the appropriate amount of tooling there to ensuring that, you know, that cloud asset is configured appropriately, you know, don't want to have, you know, Miss configuration leading to data exfiltration, or anything like that. And so, you know, you shouldn't have to, again, kind of going back to the previous comment, the cloud has been around long enough, there are enough best practices, documentation and even tooling resources available, ultimately, to make sure that you secure it appropriately. And to ensure that, you know, it's just as secure as if you had it on prem, within your own data center. And so, you know, additionally, you know, you look at, you know, you look at kind of permissioning So, you know, one of the things that's, you know, a big topic these days is really around kind of least privilege, and, you know, not just from an IT perspective, but globally from an organization, you know, making sure or ultimately that members in your organization only have access to the data and the resources that they need in which to, you know, do their job. And so, you know, having resources that are going and look at identity and access management, not just, you know, once when you implement it, but then on an ongoing basis, again, to make sure that, you know, folks that truly need access to that, you know, that data or that application, have access to it, but if they don't need access to it, then it should be removed. And if it's only temporary, then having a tool that can automate a lot of those types of tasks to you know, you know, somebody that is going to request access, you know, to a specific application or a set of data, you know, having that go through an approval process from a tracking perspective, provisioning, that that access, but then again, assuming that it is time bound, and it's not something that that person needs, you know, an ongoing basis, then having the ability to automate that, that revocation of access at some point there in the future. But then also, you know, I see all the time talking to folks where people even organization, you know, they're whether they on their own or not, and, and, you know, IT teams will go through and they'll try to clean up and remove access, but you know, what they, you know, a lot of times don't always know, or have a kind of a good inventory system of what all the different accounts they have were, you know, and what access they had, you know, available. And so, you know, again, having a tool that can give you that visibility, is something that is critical, you know, for state, local and education, you know, today to make sure, ultimately, that they're, they're safeguarding assets, while not restricting the ability, you know, for people to do their job and, and to, you know, not have to jump through a bunch of extra hurdles and hoops in which to do their job, it shouldn't take them, you know, three times as long to accomplish a task, because of all the additional safeguards and processes that are put in place, they're supposed to protect and inhibit them.
Michael Kennedy: That's a bingo, right there. It's a balance. That's why it's more of a risk assessment that needs to be done. And not risk avoidance, the idea of least privilege, it leads him to Zero Trust, and, and what you talked about, as far as the automated tools for cleaning up when people leave, that's critical isn't.
Brandon Shopp: That absolutely is I mean, you know, it, you know, as we all know, especially over the last year, we don't have, you know, endless budgets, which we did, but we don't and so we've got to do more with less. And so you've got now security, which we talked about in the beginning, you know, that is now everybody's job, you know, where you know it outside of it. And so you're asking the teams that you have to do more, and it's not like they're getting, you know, a, you know, commiserate around amount of additional team members or tooling in which to, to accomplish those tasks, and to make sure they stay on top of them. So the more you can automate, and, you know, kind of more of the routine type of functions type of tasks, you know, that frees up your engineers time to then go focus on those more higher, you know, higher order tasks that really require their time and attention, that's going to take time to do researching, and, and prototyping or piloting, you know, within the lab or whatnot. So the more you can allow them to focus on there, the more impact, you know, that team is ultimately going to have to the organization and to the business. So, you know, automation is something that I think organizations, in general are becoming a lot more comfortable with here, as we as we move forward.
Michael Kennedy: I think a lot of that's been driven by the COVID environment also, and you're in points being spread out all over the place, you make a very good point, security is everybody's job, and even more so in this environment, and ecosystem that we're in. Thanks. So information sharing is critical to mission success, and all about risk management is speaking of risk management and information sharing. So how can technology upgrades cloud migration and network modernization contribute to risk management challenges?
Brandon Shopp: So you know, a couple things here, you know, one, you know, especially if you're leveraging, not just in house technology, but you know, even in the cloud, so you're going to have things that are going to be more respondents from a youth perspective, you're going to have things that are going to be able to support, you know, some newer technologies, more secure technologies, you know, from a risk avoidance perspective, if you, you know, if you're running a virtual or a server, you know, that just can't handle some of the new operating systems that are out there, the requirements, and the resources that are needed from them will Don't let an old operating system run out there, you know, it's going to become, you know, risk issue ultimately, and so, you know, it allows again, you know, for more accessibility, for people who wish to do their job, they could do things more efficiently, more effectively. You know, if you look at cloud migration, and kind of network modernization, you know, you talked about, you know, not just with COVID, but you're starting to see as well, organizations that are putting COVID aside that are starting to become more accepting of, you know, people being distributed, you know, from a personnel perspective, not everybody is always going to be sitting in an office going forward. And, and so, you know, when you have some of these newer technologies around network modernization, it allows you to ensure that you're still keeping your organization as secure as possible, you know, while also ensuring that people are still able to do their jobs and, you know, an effective manner. So, a lot of things are becoming software defined, you know, if we look at kind of the network modernization side of things, you know, with SDN and sassy, you know, overlaying security onto that all the way up to the edge. And so, now, of course, with new technologies also bring new challenges as well. And so, that really goes back to you know, we talked about, you know, we're not getting we have to do more with less and so we still need to make sure that we afford, you know, our team members ultimately is the time you know, to go off and do you know, education higher, you know, higher education for themselves, learn about new technologies that are in the market, and make sure they keep their, their IT skills and their capabilities, now up to date with the market and the market needs and the technology needs that are out there. And so, you know, if everybody is constantly busy doing repetitive tasks, they're not able to do that. So something's got to kind of fall off the truck. And so, but really, I mean, you know, a lot of these is, you know, there's newer tooling as well, that is available for some of these newer technologies and newer applications that are out there, whereas they didn't exist with some of the, you know, older technology that you may have deployed. And so being able to hook in, and, you know, appropriately plan and have visibility into your environment.
Michael Kennedy: So really, you're talking about evolution. And as we evolve, you need to start moving on to the better platforms and, and newer platforms, that the Not only that, that's the what the users today are going to be expecting to see, color work is actually becoming the new norm also. So you have to plan for that, too. So all good points. Thank you. So now we're looking at cloud migration and hybrid network environments are rapidly becoming a norm across the it ecosystem is are saying, so especially in a hybrid and multi cloud environment, keeping track and managing your data and services is critical. What types and range of services do you see as priorities for migration to the cloud? And what tools do you see become unavailable to manage the data and networks in these hybrid environments?
Brandon Shopp: Yeah, that's, I mean, this question code can go a different couple of ways here, you know, I'll kind of start off and talk more at the technical level, but then, you know, when we talk about types and ranges of services that we see as priorities for migration, you know, to the cloud, you know, the one that that kind of really sticks out to me, you know, is, you see a lot of data intensive, you know, so database, you know, driven, you know, applications or workloads, database, you know, his storage costs are dropping down, you want accessibility, you know, you like we talked about people work from home, work remote, you know, that type of thing. You don't have to worry about, you know, configuring, you know, access control or VPN within, you know, to access those resources, if they're out available in the cloud, then as long as they have the ability to access them, then they can access them from anywhere. And so, you know, so I look at databases, you know, or data workloads is one that really makes sense. Not always though, to move to the cloud. Now, the double edged sword of that, though, is cost. If it is a, a, you know, let's say a very traffic intensive tensive database, there's a lot of communications, a lot of rewrites going back and forth, you know, that could be cost prohibitive in a cloud environment. So it may make sense to leave that within your data center on premises. And so.
Michael Kennedy: How would you break down or decide do you think, decide at what point would that become cost prohibitive? As far as the traffic because again, just as data or storage is becoming cheaper? So is the traffic capabilities encoding cheaper?
Brandon Shopp: Yeah, no, you're right, you're right, in multiple ways you can do that, at least understanding what you have in your environment, this goes back to kind of the earlier points around audit, and one of the tools that you can use to understand just really how much traffic, you know, from that given database to or you know, how much communication from the app server back to the database servers really going across your environment. You know, you can look at technologies such as flow based technologies, as an example, whether using, you know, NetFlow, or j flow or s flow, you know, that'll give you visibility into the types of sessions, you know, the amount of data or traffic that is transversing. And so that way you can see is this, you know, what type of application is this, this is one that is again, going to be very chatty is going to have a lot of communication, a lot of data transfer, typically, you know, where people get bid on the cloud side of things is what their ingress and egress data bill, that's where I kind of a hidden cost. And that's where a lot of people will typically get, you know, burned. And so, you know, but you're right, costs are going down as time goes on. And so, you know, I look at the, you know, it's kind of that assessment that we talked about the beginning is really understanding, you know, just really what those workloads are doing. But then also, you know, how they're being leveraged in the environment, you know, how they operate. And so, flow is another one of the tools they use the leverage to get some visibility into, you know, into your environment, and what are the most chatty types of applications out there? You know, so that will give you some visibility from a tooling perspective, you know, as we talk about migration, the other thing, you know, you have your traditional monitoring tools, you know, so looking at, you know, again, you'll be able to see kind of workloads, in terms of CPU memory, you know, instead of going out and either procuring another server or, you know, having to migrate or move around a bunch of workload internally across virtual machines in order to, you know, apply more resources to a virtual host. You know, again, you know, you can use those tools to give you this ability to understand what's on the edge, and what's going to need something soon, and what is got plenty of headroom in which to grow. And so again, you can kind of look at that from a monitoring perspective. And, and, and use that as another data point and kind of helping with your prioritization ultimately, along with some of the other factors there. So, ultimately, it's not, you know, as you can see through the conversation here, not just one variable or factor that comes into play, it's going to be multiple variables that ultimately come into play that, that drive these decisions.
Michael Kennedy: So it continues to be a dynamic environment that you're looking at and the capability for scaling up or scaling down, or not needing to scale is really what drives what we're moving forward with. Right?
Brandon Shopp: Yep.
Michael Kennedy: So thanks a lot. Now we're gonna move on, if we can to, in his address to Congress, President Biden spoke to upgrading broadband access across all the United States, do you see this as being a critical benefit state and local governments?
Brandon Shopp: I do. I absolutely do on multiple pieces here. And so, you know, one, you know, being a, you know, a father to a nine year old, you know, and having my child the, you know, educated, you know, remotely for part of this year, you know, you definitely saw, you know, having the ability to not just from a state local perspective, but even down to the individual, you know, consumer, you know, in having and supporting these types of unfortunate scenarios that we're in, you know, there was a, you know, you read stories out there, you know, that break your heart, no kids having to go to a local business and leverage their Wi Fi, because they don't have broadband access at home, that is once scalable enough, but to affordable enough, I see that as one absolute benefits. Now, again, hopefully, hopefully, we don't have you know, you know, kids start going back to classes, and, you know, we don't have another one of these types of events soon. But even with that, it's still going to be important, as you know, even if kids are in school, at the education level, it's still going to be important for them to have reliable broadband access from pretty much anywhere, including their home, that comes to research homework projects, you know, collaboration with, with other classmates and peers, and, and those types of things. And so, but the other element is, and again, I go back to the earlier point that you made around, you know, we talked about COVID sending a lot of people home, but irrespective of COVID, you know, there was a lot of folks that were moving to a telework type of approach. And so, you know, the, the infrastructure has become more and more perimeter less. And so, you know, with that, you know, we talked about some assets residing on prem, some, you know, being prime or good candidates for the cloud, but all of that, you know, doesn't matter where they're at, if your employees ultimately don't have reliable and scalable, you know, broadband, you know, ultimately, for them to use and be able to access the resources that they need in which to do their job. And so, exactly, and so, yeah, so we're kind of looking at it on two fronts there, you know, I, you know, kind of selfishly from a kid perspective, you know, with the pandemic, but then more long term, you know, as the perimeter is shifted, and, you know, truly people being, you know, housed from anywhere.
Michael Kennedy: I've got some friends in state and local governments that I've been speaking to, and a lot of cases, their offices have switched due to finding out that the teleworking actually works through the COVID, that they don't have plans for going back in a lot of cases. I mean, they may go once a week just to meet and see what's going on with it with their teammates. But for the most part, their work is going to be done from home for now. One, the one bad thing for the kids around here, though, is that means no days are probably a thing of the past. Right?
Brandon Shopp: Exactly. We don't do very often, but you know, up there up there in the north, y'all do.
Michael Kennedy: Well up around Lubbock in Dallas, I think you do every once in a while, not left. So, you know, the newly signed American rescue plan set aside $2 billion for federal technology modernization efforts, that billion with a B, do you see any of that also benefiting the sled community modernization efforts?
Brandon Shopp: I do I mean, at all, you know, they're all interrelated in some form or fashion. And so I, you know, federal systems are tied in the state systems are tied in the local systems. And so, I also do expect to see that, you know, there's going to be, you know, as we've seen with some of the recent cyber activity, you know, there I do also foresee in the future where there's going to be additional regulation that are going to be put on entities, you know, going forward. And so, and, and all of that takes, you know, time and dollars ultimately, and so, the technology that I had historically in which to manage my environment may not be, you know, good for today's environment and where the environment is moving towards as we move forward. So, you know, so I do absolutely believe that some of that 2 billion that There's been set aside for federal modernization is going to have an impact in and, you know, a follow through effect down to the state and local levels, as well and kind of helping them because I mean, the other thing you find as well is, let's just say a large portion of those dollars are going to stay up the federal level where they're going to go, and they're going to hire, you know, a lot more people in which to go in and enact and drive, you know, some of these modernization efforts up there. And so they're going to learn a lot, they're going to learn best practices, what to do, what not to do, I mean, a lot of some of these already there today, but as you do it more and more, you're gonna learn more, as new technology comes out, there's new challenges, new risks that you need to account for. And so, the processes, the documentation, you know, those are all going to get much more robust, you know, here, as we move forward, you know, there's some that exist today, I expect that they'll get more robust going forward, but those are all things that, again, can be shared with their peers within the community. So you know, it's a two way street, but lessons learned from the state and local can be shared up to the federal level, and vice versa, the other way down. But then we also have talked multiple times here today about, you know, just the, you know, the lack of, or the limitation of, you know, qualified resources out there for the very, very skills, you know, whether it be cloud or security or whatnot, you know, there's never, it seems to be, you know, enough technical people to go around. And so, now you have a lot of extra dollars being there, you're gonna have more people, more people are going to be learning the skills, at some point, those people are going to distribute around, and they're going to go on to other organizations, and that's going to create an opportunity, you know, for other organizations, you know, whether the state local education level, to be able to bring people without those skill sets into their teams, ultimately, and so, you know, I think, you know, it's really going to really push things forward much more so that I've seen, you know, over the past few years, in terms of, you know, ensuring that ultimately, you know, we've got the not just the right tooling and processes, but also the right amount of people out there, you know, security, as an example is one of those areas, that there's just not enough security engineers out there, ultimately, you know, in the world, to satisfy all the security needs for all the organizations around the globe, not just at a, you know, federal or state local level, you know, this is just a worldwide basis. And so, the more dollars that are there, the more attention and focus that is there, the more programs at the, you know, education level, whether that that two year or four year university, you know, is really going to drive that next generation of workforce to make sure that we've got the appropriate amount of people across all sectors, you know, be a private or commercial, via federal, state, local, etc. So I do think that even if directly, they don't see some of those dollars, that I think indirectly, they are going to feel the effect.
Michael Kennedy: That's outstanding. And also, the good point is the skill set and continuing education requirements that are going to be there. And something that was near and dear to my heart, when I was with the information sharing environment is the information sharing and resource sharing amongst federal and state and local, as well as tribal and territorial governments and entities? So thanks a lot for sharing that. Continuing on, though, what are some of the steps you would recommend conducting a successful IP consolidation or modernization project?
Brandon Shopp: Yeah, first thing, you know, I always start off with, once I've identified a target, or a set of targets, you know, we've talked about which candidates are prime to potentially, you know, modernize or even move to the cloud, you know, which ones aren't, you know, which would need to be retired, or just kind of stay where they're at. And so, one of the things that we forget that
Michael Kennedy: We forget are going to be those that are just, they're not candidate for moving to the cloud, and just, we need to retire them or let them stay where they're at, and die slowly. That good point.
Brandon Shopp: Yeah, there's nothing wrong with that, that's the thing, you know, not everything is going to be prime, you know, to modernize or go to the cloud. It's okay, you know, to take something, you know, and, you know, retire it. And so, you know, making sure but it really starts off with what we talked about earlier, making, making sure you have a good handle of what's in your environment. So that's kind of you know, Ground Zero is understanding what you've got throughout there, understand what are the priorities and then kind of build out that matrix. But, you know, if I looked at kind of the steps in conducting a successful it, consolidation or modernization project, I mean, I usually start at the beginning before I even, you know, kind of, you know, pick the first step, and actually, you know, putting a project in emotion and actually doing the work itself, not the planning, but the actual execution of it is, you know, talk to your peers, you know, their modernization is going on all around us. You know, and so, we again, going back to there's no sense and reading inventing the wheel, or, you know, you know, let's leverage a lot of a knowledge and know how and capabilities that are within the community, the state, local and education community, you know, there's a lot of peers and you know, neighboring jurisdictions or even neighboring states or school districts, you know, depending on where you work that you are likely to have gone through a similar project that you may be getting ready to go through. If you haven't done one of these before, then talking with those folks, and, and understanding, you know, what went right, what went wrong? What would you do different? You know, those are all things that again, you shouldn't think that you're the first person ever have this challenge, or have this task, or this problem. And so, you know, again, going back to talking to folks, to me, that is step zero when I'm going into a project, so just really understanding kind of, you know, what are the problems? What are the challenges, what are the pitfalls to watch out for, that others have faced and have fallen into? So that's definitely first piece, you know, second, as I talked about is, you know, really making sure you have a good inventory understanding prioritization of the assets. But then, then the other thing too, is communication and training, you know, you've got to look at it and kind of a full lifecycle perspective, kind of like we have here on the slide. You know, it's not just, you know, there's the definition, there's the planning, there's the execution, but then there's the, you know, we say, keep moving forward here, but there's really, you know, making sure that you have follow up that you're talking with your users that you're communicating that that things are operating the way they should, and if not, then those are something that you could stay on top of pretty quickly.
Michael Kennedy: Absolutely. That's the fantastic points about communication. Communication is paramount in this, you make the point there. So moving on, the impact of the pandemics virtually universal workers were talking before from home for many state, regional and local governments and agencies. In many cases, they've actually achieved productivity gains and cost savings from having remote workforces with the prospect of continued remote work. What changes do you see for tomorrow's workplace?
Brandon Shopp: I think we kind of said it earlier, I think I expect to see a hybrid workplace, you know, is kind of what we go as we go forward. So I think you actually kind of just said it here a minute ago, people are showing that they can work from home productively. But there is absolutely a time and a place where, you know, when meetings are great, and they have their place, but they don't work in all circumstances, in some circumstances, getting together in person, now that vaccinations are becoming more prevalent and available, and as we move forward, getting on a plane, and going you know, nothing kind of beats that face to face interaction and whiteboarding and troubleshooting or whatnot. And so I do believe ultimately, you know, as we go forward, you know, there is going to continue to be remote work. But I do expect to see that it's going to be you know, as you touched on earlier on more of a hybrid type of setup and type of environment is ultimately what I expect to see going forward.
Michael Kennedy: I think you're right on target with that, because in a way you look at it, the future workplace is going to be a mix that includes a large general workforce. So with that in mind, though, how do we best move forward for provisioning these hybrid environments? And how do we prioritize our modernization in them?
Brandon Shopp: Yeah, and we've kind of touched on this a little bit, and some of the previous points, as we've gone through here today, and so a lot of is really going to go down to, you know, your organization, your agency, and what it is, you know, you got to sit down, and what are the priorities for you, as an organization? And so what are you understanding kind of critic, criticality of applications and workloads, you know, understanding, you know, how those are, were created and written, you know, are those, you know, what's the long term plan for those, you know, is this something where, you know, you were planning, it was a commercial, you know, custom written application, but now there's a commercial off the shelf application, but you weren't planning to budget for it for another two years. Well, maybe accelerate that, then you look at how you can get that done. So you don't have to worry about one either maintaining that on prem, or to migrating that to the cloud. And so depending upon the, you know, the mandate that has been set up by your agency and your organization, are you truly going to be hybrid, are you going to be a cloud first type of organization. And so, so I think moving forward, you know, for provisioning these hybrid environments, folks should have a cloud first type of mentality when it comes to new resources, you know, new capabilities, those types of things as we move forward. And then while we're looking at prioritizing your existing resources, and looking at what are good against, you know, kind of good workloads to move to the cloud.
Michael Kennedy: Okay, excellent. Florence, you were referencing earlier though, the importance of education and skill building for the workforce. So what should we be doing now to ensure that we have educated workforce needed to deal with our future IP and networking needs?
Brandon Shopp: Yeah. Now, it's a great question. And I kind of gave break this up into two points, but I'll focus on the key point here and the question which is more about kind of, you know, it folks, whether The security engineers or virtualization or storage engineers, whatever it may be. And so, a lot of that goes back to, you know, just going back to, you know, the education, you know, as I mentioned that, you know, my daughter's a nine year old. So the one of the things that I'm seeing, even, you know, from the difference from when I was young, or younger, I should say, is that, you know, as a nine year old, I'm already seeing, I'm already getting advertisements for after school coding camps, and after school camps to, you know, start to get kids and, and even young adults, more interested in these technologies in these areas at a younger and younger age. And so, you know, I really think that, you know, that is definitely a big part of it is, is exposing people, you know, to that younger age, I know, I personally got my, you know, partially got my excitement and passion, you know, for IT, and networking, you know, back in high school. And so, you know, if it wasn't for that, then who knows what my future career direction would have looked like, but, but the sooner you can make, you know, folks aware of that, you can start to educate them around that the better, you're going to have a much larger population. Additionally, there's also you can, you know, look at expanding out, not just having, you know, four year degrees, but, you know, expanding out, you know, two year degrees as well, you know, providing additional, you know, educational options, kind of across the university system on that front, looking at even, you know, you could look at more things, you know, I come originally from up north, and, you know, a lot of times they had a lot of apprenticeships up there, you know, in a lot of places, you know, and having those types of things you see, every now and then and some, you know, verticals or some industries, you see internships, and so, you know, leveraging those, you know, those tools, education and getting people exposed to in our camps and, and internships and even making, you know, online resourcing more readily and easily available, you know, a lot of that is, is there, and with kind of, you know, class based, you know, training, you know, online, you know, cbts, you know, those types of making those much more readily available.
Michael Kennedy: I think that's good. And the other thing, too, is that you mentioned, you know, the four year two year degree, I've actually seen somewhere, it's just credentialing now, and the and from there, they go on, and for the apprenticeship and internship, more or less like a, like an IP bolttech education, if you've got your certifications, and your knowledge and your training, some of the folks are just saying, Well, I don't really need a degree.
Brandon Shopp: Yeah. And they're right. And they're absolutely right. You know, I know some crazy smart people that don't have a four year two year degree. So I 100% agree with you there.
Michael Kennedy: Absolutely. Okay, thanks. So here's something that's near and dear to my heart identity credential, and access management, or ICAM, is absolutely critical to an organizations that depend on the safe sharing of data across multiple domains and platforms. So what controls should be in place for authentication of people, as well as things? And is it different for citizens and the government work force?
Brandon Shopp: Yeah, this is a great question. I mean, you know, the easy thing that you can always do is to FA two factor authentication when you're authenticating in across multiple different environments. And so, you know, depending upon and again, this goes back to understanding kind of risk and priority within the organization that you're in, and you can set up processes and rules, you know, if you have two factor authentication used within your environment, you know, do I just do the basic kind of text based methodology? Or do I want to go and multi-tiered MFA, you know, maybe I have that as long as well as a hardware based token with like a yubikey as an example, depending upon the sensitivity of the data, or what that application might be able to do. And so, you know, there are that's one thing I absolutely looked at. The other is, from an IT perspective, I look at Pam's are privileged access management is another thing specifically. And so one is just the centralized and secure credential of information because effectively from an IT perspective, those can be the keys to the kingdom. And so having a stored in a centralized place that you know, is going to be secure is one thing, but then also, humans are you know, we're, we are creatures of habit. And so, we are going to use credentials that are typically we're going to use them across, you know, work and personal and things like that. And so the harder we can make it with, you know, things like different types of authentication, whether it's biometric or something like that, or even just write more complex passwords, you know, just again, provide additional layers or buffers, of you know, security and kind of gap between, you know, you and ultimately the bad guys who are after the data. Now, go into your question here, you know, around, you know, do you do I see that, you know, it's different for citizens than for government workforce? The reality is, I think the answer is absolutely, yes, I think it should be the same for everybody, we all should have very strict and you know, rules in place, but government workforce is going to have access in some, in many instances to data that normal citizens aren't going to have, you know, you're going to have a lot of PII information about the citizens of the country, or the state or the city that you're in, or whatever it may be. And so, you know, I would say there's, you know, the government workforce, potentially, as, you know, privy to access to information that, you know, folks, like, you know, myself that, you know, would never have the chance to have access to.
Michael Kennedy: Right, exactly. That's good information is Good thinking. I appreciate that. So now we're gonna move on, what can private industry do to help states and local governments maintain absolute data integrity? If we're talking about false reporting? Absolutely. The capability for information sharing? I mean, is there new technology services, processes or approaches to information security on the horizon, that you might be able to share with the audience?
Brandon Shopp: Yeah, I do think that, I mean, private industry, typically, not always, but you know, and many instances will move a little faster than you might see, and the, you know, state and local governments. And so, yeah, so they're, they're going to be able to vet out, you know, some of the cutting edge technology and figure out what's real and what's, what's not, what's, what's vapor, and what's going to actually have a meaningful impact within your agency and your organization. And so, there are, you know, new technology services, you know, in which to go about from an information security perspective, as well as an information sharing perspective. And so, you know, I think, ultimately, what is ultimately going to need to be there in order for, you know, the government to take advantage of it is the right set of controls ultimately, in place, you know, I know, CMMC is definitely gaining some traction out there from a supply chain perspective. But even if you look at things like FedRAMP, you know, from a SaaS perspective, we, you know, we've talked a lot about cloud and SaaS based services, you know, those are going to make accessibility much more at everybody's fingertips. But with that, you know, we need to make sure that we're trusting those third party suppliers, and that, you know, we've got the appropriate kind of checks and balances, as well as, as well as regulation and legislation in place to make sure that a can, you know, most appropriately serve the needs of these government bodies.
Michael Kennedy: Yep, absolutely. So, here's one way ransomware that we were talking about earlier, is toward to be the number one cybercrime last year. And even up sophisticated bad actors are getting in the game in their basement with ransomware as a service. Last week, even the DC Police Department became a victim. So how can state and local agencies and governments increase resiliency against ransomware attacks, and then make recovery faster and easier?
Brandon Shopp: So a couple more points here. So one, I would say is education, education of your users internally, not just your IT folks around, you know, what to look out for making sure you do that on a recurring basis. And when in doubt, ask questions, you know, so that way, they're not clicking on something that they shouldn't be or opening something they shouldn't be. The other is a lot of the processes that exist out there today. So making sure you're doing backups of your systems, you know, those types of things. So that way, if you do have a ransomware incident, you can quickly restore from backup. So making sure that you do have a backup strategy in place. As much as we want to secure the perimeter, you know, and we can keep most of the bad actors out. I mean, if these bad actors want to get in, they're going to get in. And so it's really making sure that we've got all the other, you know, kind of checks and balances in place, you know, around that, whether it's education, whether it's backups, you know, whether it's segmentation, between networks, within your environment to make sure that if somebody does get into your environment, that it makes it even harder for them to move laterally or to other parts of the infrastructure based upon kind of criticality and priority of that system. So, you know, looking at network segmentation, there are lots of things that you can do there, one that will, if it does happen to get into your environment will limited spread, but to will allow you to, you know, recover quicker than then maybe you have been able to historically.
Michael Kennedy: Excellent, thank you. Good point. I'm going to keep it close and recover as quickly as possible if it does happen. So thanks a lot. We could keep talking for another hour, I'm sure but unfortunately, it looks like we're out of time, so.
Speaker 1: Thanks for listening. If you'd like more information on how SolarWinds or Carahsoft can assist your state, municipality or county upgrade their legacy IT systems please visit www.carahsoft.com or email us at solarwinds@carahsoft.com. Thanks again for listening and have a great day.