Cybersecurity: Amplified And Intensified

9. Zero Knowledge vs. Revenue.

May 07, 2021 Shiva Maharaj/Eric Taylor

When it comes to choosing between your privacy and the commercialization of your data, vendors will invariably choose advancing their revenue by using your data.

Earlier this week Gary Pica’s TruMethods was acquired by Kaseya, a financial powerhouse in the MSP marketplace.

With each acquisition, these market share leaders are consolidating their power-base to what some would consider anti-trust levels, further diminishing the likelihood of Zero Knowledge being built into their products.

And of course what's a podcast without CMMC?

Eric Taylor
Twitter: barricadecyber
Youtube: barricade cyber solutions - YouTube
www.barricadecyber.com

Shiva Maharaj
Twitter: kontinuummsp
www.kontinuum.com 

Links mentioned:

  1. Kaseya’s IT Glue Acquires TruMethods MSP Peer Groups, vCIO Software (channele2e.com)
  2. Kaseya Compliance Manager for CMMC Automates Defense Contractors’ Compliance Assessments Under New Federal Government Requirement | Kaseya

BARRICADE CYBER
Ransomware Remediation Services, Incident Response and Penetration Testing.

KONTINUUM
Because you're entitled to IT support that's actually supportive.

FASTMAIL
Your data is for you, no one else. That includes your email, calendars, contacts, notes, and files!

Shiva Maharaj:

This is the Cybersecurity: Amplified and Intensified podcast.

Eric Taylor:

What's going on?

Shiva Maharaj:

Nothing. I saw Kaseya bought Gary Pica's TruMethods. Kudos to Gary Pica for the exit. And I just don't like Kaseya, it's all I got.

Eric Taylor:

Yeah, so we were seeing the whole channel or the whole thing come up today where, yeah, this marks the 253rd M&A acquisition that's happened this year. And we're five months into the year, it seems like we got a lot more consolidation and buyout from other folks from other companies right now that is just doing a massive consolidation that we talked about, I didn't think 2021 was going to be a more expedited year than it was last year, because we see no ton of it last year, right.

Shiva Maharaj:

I think there's a lot of money to be spent when you have the powerhouses that are ConnectWise and Kaseya. And the market consolidation that ConnectWise has been doing, Kaseya has no choice but to follow. I firmly believe one day Kaseya and ConnectWise will be the master MSP and they will start pitching you on, hey, go out and sell. We'll do all the work so that you can work on your business instead of working in your business, like what they tell us to go out and tell our end customers.

Eric Taylor:

Yeah, not to confuse your company name of Kontinuum. But there is a Continuum with a C that ConnectWise has used for their in house or their outsource management for their partners, refresh my, I don't think Kaseya has that currently, correct? Not yet.

Shiva Maharaj:

I think they are probably looking at buying someone. And if I had to guess who they would buy, I would think it would be The 20. The 20 is already using the sale. It's a natural evolution for them. If they're not talking to leadership over at The 20, I'm assuming they will shortly. It's the only way. ConnectWise bought Service Leadership. They bought HTG a few years ago. So they have the financial side for the MSP. They have the peer group side and now with Gary Pica's, or what was Gary Pica's, TruMethods, Kaseya is getting to parity on that.

Eric Taylor:

Yeah, it's gonna be interesting to see what the details are. I mean, a lot of times we see the ChannelE2E stuff come out, you see, you know, kind of, you know, how long the existing owner's supposed to stay on board with six months to a year, you're kind of a little bit of the information that may get leaked out of your financials, things of that nature, but this, they're definitely keeping this one close to the chest and kind of go on from there. When we start talking about this, you know, we've been very adamantly and vocal about Kaseya. I don't care for the product, I don't believe in what they are doing. I just don't think that it's a good solution from my personal belief that it's good for MSPs as a whole. And when you start looking at like their what they have here, manage and automate all your IT with VSA to MSPs. They want that single pane of glass, and I get that to a certain degree,

Shiva Maharaj:

but there is no single pane of glass.

Eric Taylor:

No, but they're trying to build that

Shiva Maharaj:

That's a unicorn MSP bullshit.

Eric Taylor:

Yes. But when you start looking at from my side of the fence, when I start going after businesses and IT companies and you know, they want us to test their security, you've got a gateway to breach just like if you remember what was it two years ago when Webroot was going through all their mess? And if you pop Webroot their tenant, you were able to drop payloads and do whatever you want to

Shiva Maharaj:

To Webroot's discredit, how long did it take them to put MFA on their platform, much less make it mandatory?

Eric Taylor:

I think it was almost four to six months.

Shiva Maharaj:

It was it was recent, within the last year or two that they put MFA on that bad boy.

Eric Taylor:

Yeah, they gave me the option to do it. But they did not make it mandatory,

Shiva Maharaj:

right. So if you're going to be able to do in essence command and control commands, probably want to secure your infrastructure. I mean, that's probably a good idea.

Eric Taylor:

Exactly. And that kind of brings us to the whole point of just how much can you trust your vendors, you know, this is talking to those out there and much as ourselves. So

Shiva Maharaj:

The answer is zero. And that's because I think you and I are in sync when it comes to having a zero trust, zero knowledge relationship with our vendors. I want the product but I don't want you seeing inside of the product. I don't want you to see my client data because, take IT Glue for instance, they can see into your tenant, they have

Eric Taylor:

they got IT Glue, they got your agent, they are reselling the AV which I'm assuming is a lot like Pax8 where you are just inside your a partner account underneath their tenant for instead vendor, they got RocketCyber now. So now they're able to get some of that data.

Shiva Maharaj:

Well, they got the logs and let's be honest, all of these all of your referrals. The majority of these managed SIEM and SOC platforms, they're not actually segregating your data. It's a logical separation with a customer tag. So the chances that someone can get into that provider's data store, and by provider I mean vendor, they can get insight into all of your clients, IP addresses, any products you have that may pass plaintext passwords. UniFi is good at that. So is Konica Minolta. They love passing those plaintext passwords over the internet.

Eric Taylor:

Yep, absolutely, I mean, firing up a Wireshark and able to start seeing all that traffic, it's really, really crazy with what Kaseya is doing and has done. And last year, I got it up here where they want to help automate their partners to become CMMC compliant. I don't know with what they have in house unless they start restructuring in being able to make sure they do go through that zero knowledge, not zero trust, the pure zero knowledge from each one of their platforms. How are they going to maintain CMMC, especially with a VSA product, when it's all the bear thing in a single pane of glass type of scenario, I don't understand how they're going to achieve that.

Shiva Maharaj:

So I have an interesting story. I am an IT Glue user and my sales rep for IT Glue, account rep, customer success, whatever the dose of Kool-Aid is they want to make you think that they're your partner, told me that the DOD actually you will branches of the military use Kaseya RMM. And when I heard that, I almost cried. Yeah, SolarWinds is one thing, that's an enterprise product, but you're taking a managed services product, which let's be honest, the majority of these vendors wouldn't know security if it kicked them in the ass. And you're putting that into our defense base.

Eric Taylor:

It goes right, I was really surprised that a lot of people or a lot of DOD is using Kaseya, especially with the whole SolarWinds thing. And I did see some of that stuff where they were actually running that in unison.

Shiva Maharaj:

And they're also using their backup product that they bought a couple years ago, I forget the name of it,

Eric Taylor:

the SolarWinds one or they could say no, they say a backup product. It was a recent acquisition

Shiva Maharaj:

as of about three, maybe four years ago. And my sales, my rep was so happy to tell me this. And when I asked them what zero knowledge is he had no clue.

Eric Taylor:

But yeah, they bought the company Spanning for the Microsoft 365 cloud backup.

Shiva Maharaj:

Okay, that might be something new. Well, this

Eric Taylor:

is back in 2018, which, oh, they bought Unitrends

Shiva Maharaj:

Unitrends. That's the one they said that is deep into the defense space.

Eric Taylor:

Unless Kaseya. And a lot of these other vendors really are going to start doing a FedRAMP model where they are allowing people to stand up their own tenants are these things and correct me if I'm wrong, I'm pretty sure VSA is cloud based. There's no no

Shiva Maharaj:

VSA. And all these products are instance based. They're not platforms like, say, the Datto platform. You can have a couple, maybe a dozen or so different versions running depending on if it's hosted by Kaseya. Or if it's hosted on prem by the partner. It really depends. I just checked the marketplace for FedRAMP. Kaseya is not listed either as Unitrends. Why is the DOD or a branch using something that feasibly hasn't been vetted

Eric Taylor:

Already? That goes back to our podcast that will be released later this week that we talked about with the police department and CJIS high, where they are not doing what they're supposed to do. I mean, I mean, I think at the end of the day, the government is going to do whatever the hell the government wants to do, or the Departments of the government, I should say, Well, I mean, hell any of it really, but there's nobody, like you said before on the podcast, that nobody is holding their feet to the fire,

Shiva Maharaj:

You don't have to, they're making the rules, they can do as they wish. You've got local police departments who don't follow the proper CJIS protocols. And there are people who should not have access to CJIS controlled data and systems who barter for access to those systems, which that in of itself is pretty scary.

Eric Taylor:

Yep. Yeah. And I mean, it's, it really is just interesting to see all this stuff go down. It's, it's, I don't know what to think about. Now. I know we'll have some more to talk about on the podcast coming up again, another couple of days. But it's interesting to see what people are going to do and where this industry really is when it comes to cybersecurity of how. How serious are people actually going to start taking this stuff?

Shiva Maharaj:

I don't think they will just because they're so desensitized, and then you have every not every you have a the majority of IT providers who think slapping an AV and a firewall in is cybersecurity, they have no concept of what controls are. And if they don't know what zero knowledge is, what are we going to do, there's a vendor in the marketplace sells a zero trust platform, but it's not a zero knowledge platform. They can go in, they can do whatever they want. They have a storage piece, so they could feasibly see, I mean, these agents run as system, so they get breached and supply chain attack, which has been happening quarterly at this point, major supply chain attacks.

Eric Taylor:

Yep,

Shiva Maharaj:

you're left there. You know, you just pulled up an article that Kaseya announced a CMMC compliance back in December. Now, if I'm not mistaken, CMMC at that point had not even been finalized.

Eric Taylor:

No, no, it hasn't been and, you know, we see a bunch of people jumping on the whole bandwagon where they can help you get CMMC compliant, but I'm part of a group of folks that are going through self attestation and going through asking each other, you know, hey, what exactly does this control mean? You know, how do I apply this, and until recently, I think it was January or February, the final version of CMMC was not even released as a final work proof of concept or proof of work.

Shiva Maharaj:

I think this is a really good opportunity for this case Kaseya, and I hate for them to be the whipping post almost. But for vendors to take advantage of their providers who they call their partners, do you think Kaseya or any of the top MSP vendors have any competency in CMMC? No, I don't. And now they want to help their partners attain a level one through five,

Eric Taylor:

oh, they're not going to get you above a level three without sponsorship. And they're not going to go through all that.

Shiva Maharaj:

But do they know that?

Eric Taylor:

I'll guarantee you they don't.

Shiva Maharaj:

They just want that recurring revenue. That's all they care about.

Eric Taylor:

Oh, absolutely. That's all they care about this, you know, it's all about me padding that number. So that way it helps for the next acquisition.

Shiva Maharaj:

Right.

Eric Taylor:

You know, I actually was watching a YouTube documentary. I know this is going a little squirrely for a moment. But there was a documentary done not too long ago about McDonald's and a Taylor company around the whole McDonald's milkshake things were

Shiva Maharaj:

22% was service MRR

Eric Taylor:

are 25%.

Shiva Maharaj:

I remember if I remember correctly, it is $140 for the technician for the first 15 minutes, and $340 for every 15 or 30 minutes thereafter. So you're not getting out of there for less than a grand an hour give or take. Exactly. That's a fantastic business model for Taylor. Not you, different Taylor. But that's the nature of it. Now, Chick-fil-A and all these other guys, they have Taylor machines that are different from the McDonald's machine, because McDonald's has exclusive. So is McDonald's complicit in that? But again, that's a whole different.

Eric Taylor:

Exactly. But you know, but the whole premise of how much are they trying to pad the book, so to speak, you know, showing them that they have more revenue, whether it's good revenue or bad, you know, it's more revenue. So when you're trying to get more funding, you're trying to get acquired or whatever. These are the kind of things they do.

Shiva Maharaj:

And that's the problem in our industry, right? You've got they're letting anyone in and the vendors are just shooting from the hip or whatever can stick on the wall. It's

Eric Taylor:

sad. But anyway, I appreciate jumping on those watching. This is just a little quick snippet of, you know, kind of our daily banter that we go back and forth on these podcasts. So if you're interested in hearing more about this stuff, definitely check out both my page and Shiva's page on your social media of preference. And check out our podcast that is on Spotify and Apple iTunes or Apple, Apple play Google Play all that stuff where we go into these stuff all the time,

Shiva Maharaj:

and that is Cybersecurity: Amplified and Intensified.

Eric Taylor:

Thanks for joining and we will sign off see y'all next time.

Shiva Maharaj:

Thank you. Thanks again for joining us for the Cybersecurity: Amplified and Intensified podcast.