Security Insights - Cybersecurity for Real-World Workplaces

Cloud Security: Indiana Bob’s Server Closet Versus Data Centers

Season 2 Episode 28

Amanda and Chris share stories proving why your data really is more secure in the cloud than the average on-premises server closet – and what organizations should worry more about when it comes to data security.

  • Join the conversation online on LinkedIn (linkedin.com/company/Ivanti)

The most awkward intro of all time [01:10]

 

Ashley Stryker [00:00:05] Welcome back to Ivanti Security Insights, where best practice cybersecurity meets real-world workplaces and roadblocks. I'm your host, Ashley Stryker, and with us today is our O.G. host Chris Goettl and our astounding queen of the night, Deputy CSO, Amanda Wittern. Welcome, everybody. 

Amanda Wittern [00:00:27] Thank you for having me. Happy to be back. 

Ashley Stryker [00:00:29] Of course. No, it's always a great time. So I guess we'll just get things right off the bat here. I had an awkward turtle conversation with my father this weekend, and I'm hoping you two can help me out. And, I swear this is relevant. 

Amanda Wittern [00:00:43] I can't wait. 

Ashley Stryker [00:00:46] I mean, with an intro like that, right? 

Ashley Stryker [00:00:49] So my husband caught my dad, who was over visiting for a family wedding, trying to plug a mysterious USB that nobody knew about into random computers at my house. And my husband then told him that you need a USB condom for that, which led to flailing efforts to explain that. 

Ashley Stryker [00:01:09] And then, we ended up on a very bizarre rabbit hole down... How the Stuxnet worm ended up in the Iranian nuclear facility, and then that got us on to why air gapping is cool for security, which then brought up the "things are more secure in the cloud" conversation, which I've been hearing bantered around at Ivanti of late. 

Ashley Stryker [00:01:32] And then my dad piped up with, "How could this possibly be more secure in the cloud than the thing I can see in the server closet where I can control access?"

 Ashley Stryker [00:01:43] And you know what? I figured instead of butchering this, I would just ask you guys and then forward this link to him. 

 Chris Goettl [00:01:50] You just want us to tackle the last of those topics? We don't have to go into USB condoms. I mean, safe power is good, but I don't know if I have much more to add beyond that. 

 Ashley Stryker [00:01:59] My father is a wastewater civil engineer. So I'd rather talk about USB condoms, Stuxnet and on prem versus cloud security, than septic tank and wastewater treatment plants. So... 

Chris Goettl [00:02:13] I could see how that's an improvement. Yeah. 

Ashley Stryker [00:02:15] Yeah, so, I mean.... Yes. 

Ashley Stryker [00:02:19] If you guys could recommend, though, a specific condom that you prefer for your USBs, I can send the link to him so you don't have to explain... You know, just, if you have a preference. 

Amanda Wittern [00:02:30] I am not opining on condoms of any kind. All right? 

Chris Goettl [00:02:34] So cloud. So, yes – let's talk cloud. Yes. He was concerned about the security aspect, right?

Ashley Stryker [00:02:41] Yes. And there were a couple of different questions that were kind of brought up with this. And, I guess we'll address the first one here. 

Ashley Stryker [00:02:48] My dad is in his mid-fifties. He's very much of a, you know... He's adapted to the Internet age pretty well – like I think a lot of our businesses or successful businesses have. But there's still an element of, "what I can see and touch feels more real to me than something that is just randomly there in the cloud." And then, it's... There's a level of control that feels missing when it gets to the cloud. 

Ashley Stryker [00:03:14] So, trying to get him to wrap his head around the idea that the security controls that are in place in the cloud are superior to a physical lock and key on a closet door.... 


How data centers can stop fully loaded tractor trailers going 60 MPH [03:26]

Amanda Wittern [00:03:26] Physical security and data centers is so interesting. Now, I really find the level of physical security at a data center to be something out of a sci-fi movie. 

Ashley Stryker [00:03:39] All right. So, let's start there then! 

Ashley Stryker [00:03:41] So, when you talk about moving something to the cloud versus having it stored in an on-prem hardware server or device at your place of business, what you're talking about is basically renting space out of giant master servers and supercomputers at data centers. 

Ashley Stryker [00:04:02] So, you're saying that the security at a data center – a professional data center – is sci-fi levels of cooler than the broom closet server closet?

Chris Goettl [00:04:12] Yeah. So if you just start with the physical security – one of my favorites that I saw, I was onsite at a federal contractor. 

Chris Goettl [00:04:23] You know, they were looking at implementing a different rollout of how they were going to be patching and managing vulnerabilities. So we were talking through how to maintain or manage this product in their environment, and I got to walk past – I didn't get to go in – the data center. I only got to walk past the entry point. 

Chris Goettl [00:04:40] And my God, that was an amazing man trap. 

Chris Goettl [00:04:42] I mean, this thing was like... Multiple security guard checkpoints on either side of this thing, glass on either side. There's somebody able to push out a button to lock you in there. I mean, it's not just a closet door with a key that you're going to get through. 

Chris Goettl [00:04:59] So from a physical security perspective, already steps above, and Amanda has much better stories about this, because she actually got to go into some of these places. 

Amanda Wittern [00:05:10] So it's actually funny, when I talk about it being out of a sci-fi movie, people have made it further into Area 51 than they have some of the data centers that I've been into. 

Amanda Wittern [00:05:24] So, you know, layer number one, even before you get to those man traps that Chris was talking about, is perimeter security. 

Amanda Wittern [00:05:32] And from the very, very, very outside space of a data center, they've got these pylons that come out of the ground. Some of the pylons are even disguised as rocks. These pylons are tested, so that a vehicle could never drive into this side of the data center. They're tested with semi-trucks that drive into them to stress test and make sure that even fully loaded vehicle can't smash into even the fenced area of the data center, much less into the data center itself. 

Amanda Wittern [00:06:14] Then there's the fences. Yes, there's fences – which, of course, are lined with incredibly high definition cameras, as are on the building at every single point of the data center. The fences are electric. 

Amanda Wittern [00:06:31] They also have monitoring. If there is a strong breeze or a tumbleweed bumps into the fence, people are alerted that there has been something going on. Cameras will focus on that area. 

Amanda Wittern [00:06:47] It's insane. Absolutely insane. 

Amanda Wittern [00:06:49] On top of that, you've got these sensors. They will have a camera on top of the high def – they're infrared, just to make sure that if someone is dressed up as a tumbleweed, they can still be picked up – and that this is just perimeter security, right? 

Amanda Wittern [00:07:05] There's only one entrance point into a data center – just one. That's the only way that you can get in. It's usually a huge steel door that has no lock. It's completely vault style, right? You can only get in with your key code biometrics. Sometimes it's a swipe card, but it's always at least two ways just to be able to enter the data center. 

Amanda Wittern [00:07:32] Perimeter security is is truly fantastic. I've always been very impressed. 

Ashley Stryker [00:07:38] You see that there's only one way into a data center, right? And they have these pylons. Is that just the one you visited, or is that basically every data center?

Amanda Wittern [00:07:47] You'll actually typically have one entrance. So in a data center – which is any reputable cloud hosting company, so for example, Azure – they'll they'll actually have two to three doors on the outside of a building for emergency exits. 

Amanda Wittern [00:08:07] There's a separate set of walls and doors that actually get deeper into the data center that, again, only has one door. So just even getting to the man trap that Chris was talking about... 

Amanda Wittern [00:08:19] Which, for those of you who don't know, the door closes behind you [in a man trap]. Once you enter with a biometric scan and a keycard, it closes behind you. Only after it's been closed will the next door in the hallway that you're in open, which, like Chris said, there's somebody standing behind the glass. They also have lasers that will track – including infrared – that only one person has entered the man trap at a time. And, if more than one person enters, the trap will lock and has to be cycled through a system to let either side open again. 

Amanda Wittern [00:08:54] And that's just to get into the data center, and they're so careful about being able to maneuver around that. One of the data centers that I visited had a set of pipes that ran over the man trap, and I was hoisted onto the pipes to make sure that you couldn't crawl through, you know, on top of them over the man trap and that secondary wall – the outer wall as well. 

Amanda Wittern [00:09:19] But that secondary wall, again, credibly thick rebar concrete. So you're not even getting in there without significant effort and a jackhammer. 

Chris Goettl [00:09:30] So physical security – debunked. Definitely better than what you can do on prem. 


Audited data centers versus Indiana Bob’s on-site server closet [9:36]

Ashley Stryker [00:09:36] Well, let me bring up... That's if you know [that] your data is one in one of those data centers, right? So let me bring up my dad's next point, which was, "Well, how do you know that my data is in one of these data centers? Couldn't they just have this... like, a 'show' data center? Not that anyone ever goes there, but like, they have the 'show' data center, and then they have your stuff in a random security closet because you're a rinky dink business owner or they don't love you?" Or something? I don't know. 

Amanda Wittern [00:10:05] The reality is, you don't. However, part of that is on purpose. The data centers cannot be marked. You would have no idea what the building was from the outside. They'll even have their own power grid that supplies them, plus your backup power. They're on their own grid, some of these large data centers. So the answer is, you don't. 

Amanda Wittern [00:10:30] However – and we can touch on this a little bit later – there [is] information that data centers or cloud hosted providers will provide to you, where someone like me has gone into the data center and looked at it. 

Amanda Wittern [00:10:49] Now, I'll tell you one more story about, you know, making sure that it's not in someone's closet and rather is in a very reputable researched [location]. You want external auditors that have come in and looked at things. 

Amanda Wittern [00:11:02] I was tasked to going into what was a potential vendor for one of the largest banks in the world. And, I had to go onsite because there were sensitive things that I looked at. 

Amanda Wittern [00:11:14] I got there early. It was pouring rain. It was an hour before I could even be let in. There was no coffee shops near. And so, I'm standing there like a lost puppy in front of the door, and someone walks by and you know, [says,] "Hey, do you need in?"

Amanda Wittern [00:11:28] And I said, "Well, I've got an appointment. You know, that would be great" – knowing that they absolutely should not have done that. 

Amanda Wittern [00:11:34] Now, keep in mind – keep in mind, this is not a cloud provider. This is just a vendor who had, you know, their own data in their local data center, right? 

Amanda Wittern [00:11:46] So he lets me in, huge no-no. There's a security desk, at which there is no one. There are cameras of the entire place just open for me to see. 

Amanda Wittern [00:11:56] I walk past the security desk, and the door into the server room was open. 

Amanda Wittern [00:12:03] So, to sort of address the second point there, how do you know that we've got these secure data centers? How do you know that my data is there?

Amanda Wittern [00:12:13] There's a couple of different ways. One is something like a SOC2 report – which, again, would be provided. That's where a third party comes in and says, "Show me where everything is located," or – even more – does sort of like pen testing, doing certain activities that will make sure that the data is where it says it's going to be. 

Ashley Stryker [00:12:35] Climbing on pipes to make sure that the man trap is sufficiently protective, like that kind of pen testing? 

Amanda Wittern [00:12:43] More infrastructure related, right? Actually being able to trace data from one point to another. Right, okay. So it's not only... It's both more technical, as well as the physical [testing] that I had the opportunity to do. 

Amanda Wittern [00:12:56] But additionally, you've got to do your due diligence to make sure that you have a company that has third parties that can verify this. But additionally, a lot of providers will give certain information, like the geography of where something is located, that you can further use to gain comfort that the data isn't in Bob's closet in Indiana. 

Amanda Wittern [00:13:24] Not anything against Indiana but –

Ashley Stryker [00:13:27] Bob's closet is more the problem, not necessarily the state, there. Bob! Apologies to all Bobs with closets that are sufficiently secure–

Amanda Wittern [00:13:33] –In Indiana!–

Ashley Stryker [00:13:36] –Indiana specifically. 

Ashley Stryker [00:13:36] Yes, I can understand why you wouldn't want to publish or publicize or even mark in any way what a data center is. It sounds like it's the technology version of a bank, basically – it's your data bank! Haha. Sorry, didn't quite mean that. 

 

Data privacy, data sovereignty and the shared responsibility model [13:54]

Ashley Stryker [00:13:54] So, with that understood, though, how could a guy knowing the geography of where your data server, where your data centers are, bring a certain level of comfort? Or what about the geography? 

Chris Goettl [00:14:08] See? That's probably the more important part of this conversation today. 

Chris Goettl [00:14:14] I think people have gotten past the security of these well-established large data centers, especially the U.S. – it's the Googles, the Microsoft environments, even the, you know, second tier [providers]. 

Chris Goettl [00:14:26] Security is not the bigger concern. The bigger concern is data sovereignty. Where is my data? 

Chris Goettl [00:14:33] So if you're in the EU, data sovereignty is a very important thing. If the data center for the vendor that you're trying to pick is in the U.S., well, that's pretty much a nonstarter unless the company is headquartered in the U.S. and just happens to have global sites. 

Chris Goettl [00:14:49] So now we enter into a whole ecosystem of... Back to that, "Where's my data?", "Which data center is it in?" [question.]

Chris Goettl [00:14:59] Wherever that data center is located, they have ramifications on whether or not you can choose that vendor. 

Chris Goettl [00:15:06] So think of geopolitical issues if you had a data center in Russia or China. Maybe, you know, ten years ago, that might have been a very different conversation. But now, those those are areas where you have to have a data center there. You have to have a data center elsewhere. 

Chris Goettl [00:15:21] And, you got to keep things very much across those international lines. Even with the U.K. breaking away from the EU, that legally doesn't fully take effect until 2025. But companies in Europe are already looking at that, saying, "Oh, I'm sorry, your data center's in the U.K., [but] I need to have that somewhere in the EU," basically. So data sovereignty is probably the bigger challenge. 

Chris Goettl [00:15:53] Privacy of data, knowing... If you deal with most cloud platforms today, there's some level of AI-ML type capabilities going on, where data is being taken and anonymized and used as kind of a crowdsourced way of showing larger trends or different challenges like that. 

Chris Goettl [00:16:15] I actually just had a customer that I had to – I literally had to diagram out exactly when and how data was anonymized, where it traveled to and how it was being used, so that they understood how their data was was being utilized in that type of case. Even in extremely cautious cases, we showed them their data was being anonymized before it left their tenant. 

Chris Goettl [00:16:43] So within the data center that they were in, they had their tenant. Their data never left that tenant in an unanonymized fashion. It was sanitized before it left, and then it was went through a second buffer before it went into what we call our data lake – which is where we actually do the analysis on it, to actually glean some whatever type of telemetry we're trying to get from that information. 

Chris Goettl [00:17:09] So even that went under a lot of scrutiny. Data sovereignty is probably the number one reason why companies are still somewhat cloud resistant in many cases. 

Ashley Stryker [00:17:20] So, and – just to make sure that I understand – data sovereignty is just the concept of who actually owns the data?

Chris Goettl [00:17:27] Not owns – where it is. Because where the data is, means that it's under certain legal jurisdictions. 

Ashley Stryker [00:17:35] Like the – That's the GDPR European question there?

Chris Goettl [00:17:39] Yep. And if my personal data stays within the solution that it's supposed to be in and is only used for things that it should be used for, it's meeting GDPR requirements. If that crosses certain borders – like a person from Germany did not authorize their data, their personal health care information, to be passed over to a data center in the U.S. – that would be a significant concern for them. 

Chris Goettl [00:18:05] So those are the types of things that really are the bigger barrier to cloud adoption more than anything else nowadays. 

Ashley Stryker [00:18:13] I have two questions then, and one has to do with accessing data on the cloud. When you have data sovereignty issues like that... So I'm based out of the United States. We're a global company, and we send emails to our European counterparts. The people who build the emails  internally also work in the United States. Our database of emails contains GDPR needed compliant emails. 

Ashley Stryker [00:18:47] Does my access – does my team's accessing them in the United States disrupt the data sovereignty if it's stored in GDPR compliant EU servers? So, does my accessing it in the US –  when it's stored on an EU server – end up breaking data sovereignty? Or is the... Does the data actually have to travel out of that in order to disrupt it? 

Amanda Wittern [00:19:09] These regulations like GDPR are put in place to protect the people who own the data, whose data it is. They are put in place for the businesses, companies, services that handle that type of project-protected data. It's not just GDPR, right? There's some UAE regulations. 

Amanda Wittern [00:19:33] I can tell you what what we're doing from an information security perspective, because not only is it our in our best interest as providing services to make sure that we're compliant with these things, it's it's also the regulatory requirements themselves, right? Everyone, businesses included, need to be law abiding citizens. So we're not unaware of those requirements. 

Amanda Wittern [00:20:01] The thing is, that you, Ashley, as a user – we'll call it an "internal user" who has access to these emails that may be located in other places – you, as a user, don't know. However, my whole job in information security is to make sure that you don't have to. 

Amanda Wittern [00:20:22] So some of the initiatives that we do... For example, I do want to bring up again third party assessors. We have people that we pay as independent auditors to come in and look over everything that we do. We willingly provide them everything that they can. And, even if we weren't willing, it is their job to make sure they get everything they need. Because ultimately, both [of] us – as the company, as well as the assessor – are putting our names [out there], saying, "We do comply with this."

Amanda Wittern [00:20:56] So we might touch on this a little bit later, but there is a level of shared responsibility. You, as the consumer of a cloud service, need to make sure that you're requesting these [auditor] reports that would have a third party that comes in and says, "Absolutely, this has been covered." You would want to make sure that you have read the terms of service or that your contract with that company covers your security concerns. You need to make sure that you understand your responsibility for your own data, so that it is secure. 

Amanda Wittern [00:21:30] So the extension for that, the company's responsibility is not only verified by third parties, but by multiple departments. I think, Chris, you brought up privacy. There is legal, obviously; information security, which is my plug. The sole purpose of those departments in a company is to accomplish exactly what we're talking about here. How do we keep data safe? Our data, your data – how do we make sure that it complies with all of these regulations as well as best practice? 

Amanda Wittern [00:22:07] We have some controls in place to address risks that there isn't a requirement of [remediating], but we can see that there's a potential vulnerability. So part of that would be the shared responsibility. 

Amanda Wittern [00:22:22] You've got to make sure that what you know is a risk is addressed when you contract. Even the terms of service, when you click, "yes, I accept" for your telephone bill, right? That kind of stuff. But at the same time, you have to keep in mind that it's not just the integrity of a company, but also that there are requirements that do protect you as a consumer and do make sure that your data doesn't have a breach of your customers' or even just your personal data, where it's in a place where it's not supposed to be. 

Ashley Stryker [00:22:56] Like poor Bob's closet in Indiana. 

Amanda Wittern [00:22:58] Poor Bob.

Ashley Stryker [00:23:00] We're just picking on you today. 

Ashley Stryker [00:23:04] Well, I guess that brings me then.... So let's move to the "shared responsibility" kind of idea, because because this is an interesting thing. We're running a survey right now in the field that's talking about and asking people what they think their responsibility for security is. 


“So, what actually is the biggest security concern for cloud data, and what can people do about it?” [23:17]

Ashley Stryker [00:23:17] So I'll pitch you this question, having an idea of how you answer: if physical security and someone actually physically breaking in or electronically breaking into a data center to access data in the cloud is not a security concern, what is the biggest security threat to data in the cloud from an average company['s perspective]? 

Chris Goettl [00:23:39] Yeah, I would say that the biggest risks there are data in transit, data at rest. Are – is the data being secured properly? 

Chris Goettl [00:23:49] And again, that's where things like a SOC2 audit and other – like, you see most countries now have some type of government-level cloud environment as well, whether it's... The U.S. has FedRAMP, Australia, Germany... I was just in the Netherlands recently, and they they have one that's going to be launching soon, as well. 

Chris Goettl [00:24:10] Those types of environments have yet even more certifications and requirements that you have to go through to get compliant there. So a lot of times, that's going to focus on not only the data or the security of the system itself, but the data security that all of those requirements are being met, as well. So that part of it is definitely important. 

Chris Goettl [00:24:34] The other part, really, is the how is that data being used? You have to be very clear in the terms of your the terms of service and in explaining to an adequate level how that data might be used in some way. 

Chris Goettl [00:24:51] Most of the GDPR fines that have been given out, there are some that were security related – like they didn't take adequate security steps – most are just the the usage of that data. Once it was given into the hands of that vendor, [the data] was abused, whether it was doled out to a third party for additional analysis or other things like that. Many of the large infractions from privacy standpoint have been in the usage of that data.

Ashley Stryker [00:25:21] So it's not how it's stored or the fact that it's in the cloud. It's people like me doing silly things like randomly downloading an unencrypted Excel sheet of all of our German clients. 

Ashley Stryker [00:25:32] Not that I've ever done that – boss lady, please do not come at me! This is just an example! I have no access...!

Chris Goettl [00:25:40] Hypothetically!

Ashley Stryker [00:25:41] Yeah, hypothetically! 

Ashley Stryker [00:25:42] But that's... The security danger, though, isn't the data in transit for us, because we've made sure that that's all secure – thank you, Amanda's team! 

Ashley Stryker [00:25:51] In my hypothetical example of the emails from Germany, if I'm trying to email those people, it's me as the end user, as the company, and what I do with that data and how I treat my access to that data – that's a big security risk for data in the cloud. 

Amanda Wittern [00:26:08] Let me make a distinction here. There is a difference between what we would call a cloud provider, where they are providing a space for your data or even SaaS like we offer, where there is a place for your data. But it's the ability to manipulate your data to do a certain thing, right? Then, there's also a scenario where you give your data to a vendor, so that they can do something with it. 

Amanda Wittern [00:26:41] The reason I want to make a distinction there is that there are certain controls that are in place that would prevent, for example, you being able to access that data at all. We have the environments or a data center can have the environment and have zero ability to access that data. Because you, as the consumer, have the ability to encrypt your data, you can put the controls in place of who can access it, how it can be transferred in and out. 

Amanda Wittern [00:27:17] So, obviously there is there is a risk in certain circumstances where you don't want somebody who has your data to do something inappropriate with it or how they then precipitate that data, whether they sell it to a third party. 

Amanda Wittern [00:27:37] But part of that shared responsibility model that I was talking about is – and in the circumstances that I think your dad was asking about – the company themselves don't have that access in the first place. 

Amanda Wittern [00:27:51] Even if they have the ability to get to the data at all, which they... In cloud service providers, especially in things like data centers or with us – we don't even have access to the ability to access your data. 

Amanda Wittern [00:28:06] Again, part of the shared responsibility, you have the ability to set those controls. You have the ability to make sure in the contract that it's not designated to third parties. You have the ability to make sure that they're compliant with HIPPA and GDPR and have these other controls in place. 

Amanda Wittern [00:28:23] So I leave you with the fact that, yes, things like physical security – obviously, we've got checked. Other things that a cloud service provider will provide, they do provide. But, you will have your own responsibility – regardless of where your data is – to make sure that your data is safe, and specifically for cloud service providers or companies that have that that type of model. 

Amanda Wittern [00:28:53] You are responsible for things like who has access to the data, because we do not. You do. And so, if you don't want your data moved somewhere else, your employees need to make sure that they have the appropriate training. Access is restricted. 

Amanda Wittern [00:29:06] And then one final point there, is that a lot of these risks that we're talking about and controls that I'm suggesting here are especially important when you migrate to the cloud, because, again, until it reaches that point, the responsibility is how you handle your data. 

Amanda Wittern [00:29:24] That would, in my mind, be where a person like your dad should really be concerned, is making sure that when you move it from the server of Bob in Indiana, that you move it safely and put the safeguards in place, so that when it gets to that secure environment that I would absolutely advocate for – and I think Chris would wholeheartedly agree at the safety of that – that in-transit and before it gets there, that it's absolutely safe and secure. 

Amanda Wittern [00:29:58] And, once it gets there, that you do everything that you have the ability to do – and that is your responsibility, which will be clearly designated – that you also put those controls in place. It's two people working together for the same goal. 

Chris Goettl [00:30:13] Yeah. I mean if you Google a lot of the largest cloud data breaches that have occurred, many of them were a database that was configured incorrectly. It was either not encrypted or access was not restricted fully. And that's what Explorer was exposing, that the way that the attackers got at the data. So, I mean, many of the big ones. 

Ashley Stryker [00:30:39] – Access control, user controls, open encryption – 

Chris Goettl [00:30:43] – Of data. Exactly. 

Chris Goettl [00:30:46] That's part of that shared responsibility. The cloud provider needs to give you the facilities to do these things. You need to actually do [those] settings. 

Amanda Wittern [00:30:53] Facilities and infrastructure controls, too. We want to make sure that your data isn't exposed to the Internet, right? So, yeah. 

Amanda Wittern [00:31:01] And in addition to those physical, certainly we have those technical controls as well. But again, I think Chris's point there, is a point in which you have the ability and should make sure that you have your own controls in place, so that you do know your part and what you need to be doing. 

Ashley Stryker [00:31:20] Well, I think this is a comprehensive answer to my dad's question. I will report back on what he thinks of the episode. I will ping the family chat with this, like, "Hey, you thought this was done! Nah, man."

Ashley Stryker [00:31:37] And with that, thank you both for for being willing to play ball with me on this. I know this was a kind of a random a random intro here. 

Ashley Stryker [00:31:46] And thank everybody here for listening today. If you'd like to continue today's conversation, especially if you've either had personal experience with other people asking about security in the cloud or have been to a data center and have tried to break in – no, really, I want to hear! Please follow us online @GoIvanti, and please join the conversation there. I will be watching; I'm very curious! 

Ashley Stryker [00:32:23] Please do check out the show notes for links to any and all relevant information, including some links. Because I think, Chris, you have a preferred source for the most GDPR fines – I think I saw that link floating around, so we'll make sure all those are in the show notes for you, as well. 

Ashley Stryker [00:32:37] And if you found today's conversation remotely entertaining, interesting or would like to bust some myths that your own organization or team needs, please share this with anybody you think should hear it. The more you share, the more we can reach other infosec people like yourself. 

Ashley Stryker [00:32:54] So with that, we're signing off for now. Stay safe, and talk soon! Bye.