Remote Support: How Secure Are You?

View or Listen to this Bomgar™ Webcast:

June 29, 2006

Moderator:
Welcome to the SSPA webcast, "Remote Support: How Secure Are You?" Presenting on behalf of the SSPA is Bill Rose, founder and Executive Director, Nathan McNeill, Bomgar™ co-founder and VP of Product Management, and Chuck Deaton, Humana IT Security Manager. And now to begin the webcast, Bill Rose.

Bill Rose, SSPA:
Okay, thank you. Hey, listen, thanks to everybody for attending another SSPA webcast. I'm really a firm believer in the ability to deliver content via the Web and taking an hour of your time to collect some vital information that'll help improve your service and support. I think it's a great way to do this.

I just want to talk a little bit about our topic of the day. We're going to focus on remote support, and in particular the security aspect of it. Remote support is a hot topic today; I mean, there's no question about it. A hot topic because we are looking for new and unique, and very effective and efficient ways to deliver tech support; remote support does that. But the problem is we've got a little bit of a challenge when we start thinking about the security aspect; I think it's a little scary for a lot of your customers. And today we want to focus our attention on trying to see how we can reduce that fear factor, if you will, of security in remote support.

So let me introduce my co-speakers today. The operator told you Nathan is here from Bomgar™, and I just want to mention I really appreciate, Nathan, the partnership with SSPA and helping to make this webcast possible. We also have Chuck Deaton here with - I mean, who's better to talk about security than an IT security guy, right? So from Humana, we brought Chuck in, and really, we'll be able to look inside the Humana operation and get a pretty good idea of what these guys do as far as remote support and how the security aspects have affected them and what they've done to correct them.

Bill Rose, SSPA:
Let me just start by setting the stage a little bit. My first slide is titled, "Poking Customer with a Stick." I just wanted to take you back a while so we don't kind of forget what's happened to our customers over the last ten years. Everything that's listed on this page is something that I bet all of us wish we could take back. I mean, we've created some real challenges for our customers, things like busy signals and hold times; and we've put inexperienced support reps on the front end, we've used paper-based systems, we've sent bad code in the self-inflicted wound kind of approach, we've had installation issues with our products, and of course, we've had some bad documentation - the old RTFM, "Read The Fat Manual" type of approach. So all of these things are pretty good indications that at times, our industry doesn't do all the right things. And as we look to remote support, we really want to try to figure out what is it that we can do that will ensure that we are doing the right things and making sure that we're not making a mistake in any form or fashion.

So let's just look at the next line. We've talked about technical support transitions; we've actually made a lot of transitions, and these transitions have been very positive in a lot of ways. And I think they're positive because we've delivered better service than we ever had in the past, but we've also reduced the cost of service. So if you look at the top of this chart, and it talks about on-site support, and look at the bottom of the chart that talks about remote support, you can see the difference in cost between these two is pretty amazing. On-site, you take a senior technician, put him on an airplane, fly him out to a customer environment; relative to the bottom of the chart, which talks about remote support where our people have the ability to dial into a customer environment and pretty much do the same thing: Take control and effectively resolve issues without the on-site expense.

Bill Rose, SSPA:
The next slide talks a little bit about the complexity. If you look at what's happening in our industry today, there's a real need for solving complex problems. And as you can see this guy's in the middle of the chart here is - any one of these pressure points are affecting the way that we deliver service today. And so what's happening is everything out there, all technology is getting more complex; the technology stack within an IT operation is getting broader and deeper. From a consumer standpoint, I mean a cell phone used to be exactly that, a cell phone; and now I don't know of anybody who has a cell phone that's not a camera, not a personal device of some type, not a Blackberry, emails and everything else that goes with it. So the complexity is a major factor in how effective we're going to be in delivering quality tech support in the future.

Let's look at the next chart; it focuses on, "Customers hold service levels to a high standard." I would have to say that this is 100 percent true; and if you look at this chart, it's kind of interesting to me that right in the middle of it, we focus our attention on the fact that good customer service is one of the things that customers really respond to. And I think that we all know this, but we still have to figure out how do we actually deliver that great service.

Well, the next chart kind of reinforces everything because it talks about how customers evaluate support. And you can see that top of the list is timely and consistent response. And right underneath that, the number two issue is quality and speed of response in critical situations. One more time I go back to remote support again and say, "Gee, if we had the opportunity to be able to quickly - instantly, if you will - to reach out and get into a customer's system and be able to resolve issues much faster than if we did it on the telephone, having to describe what the issue is and going back and forth and so on." Remote support really addresses these two issues at the top.

Bill Rose, SSPA:
The next slide focuses on how important it is for us to continue to deliver great service. I think it's pretty amazing to me that 80 percent or so of consumers these days are very much in tune with the kind of support that's provided, and it in fact is a major selection criterion.

Now, what's that mean for us? Well, the next slide focuses on new support challenges, because with all this complexity and all the things that are going on in our industry, there's some new and different things for us to be concerned about. One is the blurring of distinction between business use and personal use. It used to be that it was quite simple; if somebody was using a computer somewhere and they were a consumer, they were probably playing games, right? Not anymore. It's very difficult to determine the business side versus the personal side. There's an increased number of mobile workers and telecommuters. I mean, we're physically not in the same space anymore. I mean, a great example of this is this webcast here. Look how many of us are online - at least a few hundred of us online and all of us from different locations, right? And home broadband was less than 5 percent in 2000; today it's 30 percent, which means that your people could be anywhere, your customers could be anywhere, and that means that we have to support them anywhere.

So what are the implications for support? Well, let's go look at the next chart; maybe that'll help us understand what's going on here, right? One thing is that the support of the enterprise is no longer support of a centralized corporate office. So if you are doing any kind of support internal to your company, those people that used to be located in one particular place may be located anywhere. And consumers are more advanced - are using more advanced applications that demand much more than phone only support. So the more - one more time - the more complexity that we have within an environment, the more advanced those applications are, the harder they're going to be to support. And the greater need would be - for us would be to be able to reach in and take over, if you will, in order to make things happen.

Bill Rose, SSPA:
And the final bullet point here is that the power user is no longer confined to the office. So when we need help or when we want someone to help us, it used to be we just use the "sneakernet", run down the hall and grab the power user. The power user may not even be around anymore. Right? They may be located in a much, much different location.

So let's move on. Support efficiency is critical. There's a couple numbers here I want to throw at you that less than half of the time phone callers get answers that they need, and only 42 percent of electronic submittals get resolved on a first contact, and 46 percent of the customers get what they need when they go to your website. These are not real impressive numbers. So what does that mean to us? Where are we going to focus our attention? Well, the areas to improve are the key places for us. Let's focus on shortening the complex call resolution time, let's focus on resolving requests the first time that they come around, and let's scale expertise so that we can have the ability to reach people wherever they are with whatever expertise they have. Then of course, promptness of service - being there and being there at the right time - and of course, having the availability of our staff. And I think you're going to see as we progress here that remote support does a lot of that for us.

The next slide is titled, "Remote Support Control Your End User's PC Console." I mean, this is an interesting study by Gartner that basically went out and asked a bunch of tech support people what tools do they like to use; and remote support came out ranked as the number one technology by the technical support professional because it's easy to use, it's effective, and it's a preferred alternative to phone or email itself. And I think I'd have to agree with that, that in that business, it's much easier to take charge, if you will, than it is to try to interpret what's going on via the telephone, email, or some of the other sources.

Bill Rose, SSPA:
Let's look at the next slide; it focuses on, "Support Efficiency Creates Measurable Economic Value." I know that at SSPA we've been talking about this for some time now, but it's well worth discussing again, and that has everything to do with the pressures that are being placed on your customers to reduce their maintenance fees. And so what we find is that there are companies out there that we have classified as "fee defenders" and other companies that we classify as "frequent discounters." And what we found is that those companies that are fee defenders, they basically go out and say, "We don't want to discount our maintenance services, and here's why." So they defend the fee that they charge. Those people deliver better service. They deliver better service than the other group, which are frequent discounters, which have a tendency to go out and discount their maintenance and service and support. So let me just show you a couple numbers here, and maybe this'll help you to kind of see this, though. Here's some numbers that we know a lot about, right? Time to resolution, resolve time, and response time. The blue bar on top are the frequent discounters and the light blue bar on the bottom are fee defenders. Now, this is interesting to me because it basically says those people that defend - the blue bar underneath, light blue bar - those people that defend have better resolution times and better response times.

So let me back that up with one more slide, and this is going to show the same thing again; it basically says that when you look at call abandon rates and first call resolution, the same thing happens. Right? Those people that defend - that go out and defend their maintenance pricing are in fact delivering better service than those that don't. Okay?

Let me just look at the big picture perspective, the next slide. I titled this "Increase Service Offerings and Perceptions of Those Offerings." It's kind of interesting to me because if you look at this kind of timeline, if you will, on the left, it says "fewer service offering features" and on the right it says "more service offering features." I think we find ourselves in a position where we constantly have to keep adding new ways to deliver service, and remote support does that, all right, it's another way. It's another - it's not going to necessarily replace something; it may in fact just be an add-on.

Bill Rose, SSPA:
Well, we think we got it figured out and you're moving your arrow there to the right, and then we go to our next slide and we realize that as you move your arrow to the right, your customer's perceptions are moving to the right as well. So we have to constantly be evolving our technical support and delivering mechanisms in order to become, and maintain our effectiveness.

Let's look at the requirements for effective remote support. There's some technical requirements and there's support requirements. I think from a technical standpoint, technical access to the customer information is important, support team access to service provider information is key, and protecting company information is really what we're talking about today. From support requirements, we definitely can lower our costs, right? We can shorten response times, and we have this flexibility that I think is really important to us because we can reach out and have a lot of different people from a lot of different areas.

So with that, let me just - here's a quote that I think is pretty interesting from Matt at IDC, and basically, you can read this. "Remote support tools are an essential part of a company's IT support strategy; however, customers need to consider the security implications of these tools before choosing a remote support solution." So here's an industry analyst warning customers to be concerned about security. And that's why we want to talk more about this, and we want to try to figure out what's happening.

Well, the next slide just kind of sums it all up. The problem is if you're going to deliver remote support, for excellent support it's great, right? But access is required; and if you have access, then you have issues. And so security issues are going to make this extremely difficult.

So with that said, let me introduce Chuck from Humana and have Chuck maybe tell us a little bit about how Humana handles these issues, how big the security risk is, and how does remote support really help with that. Chuck?

Chuck Deaton, Humana:
Thanks, Bill. You said a mouthful here, and it's very good information, and I'm on board with it. I think Humana is seeing exactly the same kind of trends that you bring to the table. I guess going forward right now, we should be looking at the agenda slide, and we'll look at some of the solutions that we've - or solution goals that we tried to consider in this particular challenge of remote control or remote access, and then kind of move on into criteria qualifications and then summarize it with the key points. So having said that, we'll go to the next slide.

As you can imagine, Humana's really not that much more unique than many of the customers that you will encounter in that we have already just a litany of remote control tools. So it's not a lack of remote control necessarily, especially in our own boundaries that we are faced with. It really is this issue of accountability and security of information assets, the electronic information in particular. With those kind of challenges, we find ourselves over the past few years of not being able to answer the basic questions of who is accessing what information and what exactly they're doing with it.

And that extends right on into the remote control arena as well, and not only for inside but also crossing the boundary. As Bill mentioned, people are everywhere, and your partners, your vendors, your employees; and you've got to be able to reach out and touch those systems, and they have to reach back in and touch systems on the inside. So this concept of answering the basic questions of visibility of information access and information accountability is an important concept. And ultimately, it comes right down to what I'm going to call the "Information Security Golden Rule." Essentially, with the regulatory issues that we face, they who own the information make all the access and remote control rules. And that's something that you can't really overlook that much.

Chuck Deaton, Humana:
And so Humana's control object - remote control objectives, and moving forward was to consider this vast number of user populations or user communities that include both our employees and our business partners, and also our vendors and how they factor into that. Some of the key factors here is mobility; it's an ever-increasing mobile workforce out there for everyone, as Bill mentioned, and the flexibility and mobility presents huge challenges.

We also need to consider all the different technologies that people use and that we have no longer any control over that. Interoperability, compatibility issues abound. People use anything they can get their hands on that has basically in these days an SSL or a web-based type utility, and they expect fully to be able to get into the things that they need to, have access to, to perform service or to even do their jobs. And to be able to leverage all this broadband connectivity that continues to be adopted by the masses, up to and including very inexpensive and somewhat unreliable connections - unstable connections - all the way down to and including the old legacy dial-up connections. These technologies have to be able to work, at least to some functional level and performance level, even on those slow connections.

And we have the challenge and information security, which not everyone really considers as a factor that much in my experience, of the differences between remote control and remote access. And as Bill said, to have remote control, you must first have access; and therefore, it puts the security people square between you and your objective. Really, the focus is protecting the data. I mean, this conversation today is not about an attacker, or a hacker, or malicious software; it's about authorized people doing authorized tasks in remote locations from various places and using various technology. So it's really not about the hacker; it's about the information that authorized users are touching. And so in that regard, if we can have more visibility inside a remote control stream or remote control session and security we think, if we can have more visibility of what's going on with our systems and with the users and with the data, then we can release or relieve some of the security restraints that are around that because accountability or visibility of that activity allows us to balance the restrictive nature and the non-productive nature of hardening or locking things down.

Chuck Deaton, Humana:
And then finally, if we look at all the different tools that we currently have to manage - a variety of things, everybody uses their favorite remote control tool - we want to consolidate and minimize as many of those as possible. Especially from Humana's perspective, we own the data, so we call the shots. So it's much more productive for us to be able to build a remote control infrastructure and offer it up to anyone who comes to the door, rather than accepting everyone's favorite remote control solution and having Humana try and adapt to that for thousands of vendors and customers and so on and so forth.

All of this has to be constrained for us through this tremendous regulatory explosion that's occurred, and there are some of those mentioned here, with Sarbanes and HIPAA, GLBA, PCI, Senate Bill 1386, which is kind of sweeping the country right now, the Center for Medicare Services, Department of Defense, Department of Insurance - the list goes on and on and on. And it's different for each vertical and each company.

So looking at Humana's criteria, if we move onto the next slide, how do we view security then, if security is central to this getting access to a company's assets, both physical and electronic? And how do we size up security? And we look at it in somewhat of a unique fashion, I think. We look at the economics, we look at the speed, the simplicity, we look at the mobility. And those factors come together to form this sort of equation that I'm going to call, "complexity is inversely proportional to security." In other words, it's not just the parts that make it up, but it's the sum of the parts. And at Humana, we've learned with many technologies, from a mainframe to a client server world, from the AppDev, on and on and on that you can have the most hardened system in the world, but if it has too many moving parts and pieces, it won't take very long for it to become insecure or unreliable. And so therefore, we try to keep things - and remote control's one of those - we try to keep those solution sets as simple as possible in terms of the moving pieces and parts, also in terms of the number of people and companies that are involved, so that we can maximize our security potential, not only initially, but also throughout - ongoing throughout the use of the technology by various user communities. So the - this whole idea of the ratio of complexity and security is really how we size up our ability to secure information assets or systems in general.

Chuck Deaton, Humana:
So moving onto the next slide then, if those are the criteria, then what are some of the qualifications that we really were considering and continue to consider in a comprehensive, remote control type solution? Well, like everyone else, we require the minimum types of hardening or security technologies in terms of encryption, recognized encryption algorithms, key length - those kinds of things - and encrypted tunnel, and all that, that's a minimum; and any technology that does not have that in today's marketplace is not even considered. So we move very quickly, then, to this concept of privacy, whereas - really, the main thing here is you cannot take control of something that you're not participating with another human being or another party on the other end that is agreeing to you having access to the information and the system. So this granting control is completely the opposite of taking control, and we really are focusing in on granting of control as opposed to allowing people to take control at any given time. This has implications of segregation of duties, Sarbanes-Oxley audits, individual accountability, privacy, many regulations is really - are really focused on this particular concept.

It has to be economical and scalable, and I'm going to break that down into two parts. Scalability and the economics of a particular solution can be technical in a sense, even if you're talking about licensing where it's either per-seat or concurrency; and it can be economical in licensing in a cost-per-user - again, using the example of concurrency, those two factors come together to see if a solution really is economical at the scale. And if you just look at the scalability factor, really defining that more clearly for everyone to kind of understand our perspective, scalability's really defined in two terms. One is to maximize the users or sessions with a minimal amount of hardware; and then at the same time, maximize the speed and performance with the maximum users or sessions. So as your load goes up, your hardware should stay down and your cost should go down. And that's sort of a unique way of looking at it as opposed to maybe in a traditional technology sense, people look at things like if it scales, it just means it'll handle a bunch of people. You may have to build 20 data centers to put all your hardware in, but hey, you still get a bunch of people on the system. And that is counterproductive to the "security is inversely proportional to complexity" model. You can't keep three data centers worth of stuff secure when you can do it with two boxes and be much more secure and much more economical over the long run.

Chuck Deaton, Humana:
So some of the other factors here on the next slide in the solution qualifications is just this concept of simplicity. The customization is high for us; I mean, we have different users who need different things. Some users need to transfer files, some don't. We don't want a system locked down where you can't transfer any files when you really need to. Accountability is used, so if we've got the visibility, we can do with you whatever we wish. And again, we're controlling the shots there. Very important concept. It's gotta be transparent to firewalls, and then from there it really gets into - I do want to mention the efficiency of the footprint, because in today's world, one of the huge qualifications that we had is we do not want to distribute software or leave big software footprints on people's machines that we do not own or operate. So it's - this idea of having some central location that sort of gives you the client on demand and then relieves you of the client whenever the connection is broken is a very powerful concept; and economically and operationally, provides huge benefit to us and provides a great deal of comfort for the end users in saying, "When we're gone, your system is as it was when we got there."

And then from there, features kind of take different directions for different companies. My bottom line here for you with these qualifications, which are rather lengthy, is that we just didn't pick one. We looked at many solutions, we had experience with many solutions, and we had some fairly stringent criteria that had to be met.

Moving to the next slide, so then security is sort of a generic term, so what does it mean to us as we look at this important factor of security being between you and the end customer that you support? Well, there's two facets: One is technical and one is informational. The old model of IT security is hardening and OS encrypting and encrypting tunnels and so on and so forth; I mean everybody's sort of familiar with the attacker type hardening approaches. The information security component is more about visibility and accountability of data assets. Who's accessing the data, what kind of data is it, what does the data file contain - i.e., Social Security numbers, credit cards embedded in a spreadsheet or something to that effect, where is the spreadsheet going, is it encrypted when it leaves the boundary, is it being used by insiders, is it being used by outsiders?

Chuck Deaton, Humana:
It's really the trusted user, the authorized user, doing risky things with your information assets. That's really the focus of today's regulatory environment. It isn't as much the attacker; it's really about people doing risky things or making mistakes with the data that they have access to. And then thirdly, you have this operational security component - which I really tie that back to the IT security on the technical side because it is the traditional stuff of antivirus, patch management, inventory management, resetting of passwords, unlocking accounts - these are all more or less operational issues that fall underneath the technical side of IT security.

So moving to the next slide, one of the questions that we had to ask ourselves was, "Do we in-house this type of solution on remote control, or do we outsource and use an ASP-type model?" And this slide is entitled, "Simplify the Chain of Trust." And this is a Humana perspective, and there will be different perspectives from different verticals and different companies out there. But given the background that I've provided so far, our goal was to simplify the chain of trust. We wanted to minimize the number of parties involved with our information assets; and in doing so, we felt like we needed to have control of the access and we needed to have control of the logs of the access and the activity and minimize the number of parties that were involved in that. And there are some efficiencies that we believe we get out of that model, and they are living out as we implement and go forward with the Bomgar™ type product. And a lot of the benefits that I've talked about, the qualifications and the aspects of criteria and stuff have all been met by our use of Bomgar™, their Bomgar Box™ in particular. They're very happy with that, and they allow us to be directly in contact with those parties that we support remotely and take control of those assets. And whether it's our people on the outside coming back in or our inside people going outside and touching people that are at coffee shops, hotels, Starbucks, I mean we help people that are at home or having a coffee at Starbucks with equal ease and capability - technical capability. And it's all secured and logged, and the Bomgar™ product has provided that to us without us having to distribute software and do all the things that we - that I've discussed here up to this point.

Chuck Deaton, Humana:
So moving on to the next slide, the key points summary that I guess I kind of thought were the bigger ticket issues here were - are listed here on this line. And just kind of summarizing it, the security, again the hardening of the tunnel and the encryption and all that, it's all there with the Bomgar™ product; and many products have that, so that turns out to be - not to differentiate in the decision-making process, just the requirement.

And then this concept of providing incident-based or ad-hoc real time remote control support. You - in today's environment, Humana demands a high level of service, and we require ourselves to provide that same high level of service to our downstream customers and partners. So you gotta be able to connect very, very quickly and with minimal ease. I mean, it has to be simple and easy. And Bomgar™ provides a super-fast connection with very little effort or - and quite frankly - very little technical knowledge to get that accomplished. And we're keen on the concept of not extending the chain of trust when it comes to our information assets; and our information assets are electronic, information assets happen to be contained by systems, so therefore, we don't want to involve anything more than us and the customer. Then that gives us a great deal of autonomy there with being able to maintain our high level of support. If anything goes wrong, it's with us or it's with the customer. Nobody else to blame or to be involved. And the concept of being economical at large and small scales, we have to have something that's easy to install, and easy to repair, and easy to maintain. And it cannot scale in economics or cost linearly. If we scaled huge amounts of users in a short period of time, the cost really should go down in our opinion, and the amount of hardware it takes to process it should stay relatively low.

And then simplicity and ease of use and speed: To be able to give a user population access to a tool and not require much if any learning curve with the tool, I can't tell you how valuable that is.

Chuck Deaton, Humana:
And business continuity, in terms of today's market space and just the natural disasters and various components that are out there - avian flu, Katrina - I mean, we were hit with two hurricanes last year that really allowed us to distribute or scatter our workforce and use DSL accounts and cable modems. And we were still able to maintain a premium level of support to those people.

And then remote access. If we own the data - again, back to the Infosec Golden Rule - he who owns the data makes all the rules - we would like to transition away from much of this B2B and sort of always-on type access into our systems and put change management controls around that that are mandated by Sarbanes-Oxley and HIPAA and other regulations, and provide always-off - on - only by request. If we can make that so simple and so easy and so fast that we can turn it on when it's needed, then it doesn't need to be always on. It can be always off, and then that way everybody has to knock on the door and ask for permission to get access to our information. That's how we maintain compliance.

That's really our story in a nutshell when it comes to remote control over the past few -past couple of years, really, and past few months. Now, I guess I'll turn it over to Nathan.

Nathan McNeill, BomgarTM:
Thank you, Chuck. I'm just going to take a few minutes to walk through a little bit more about BomgarTM as a company and then our product, and then also our security stance.

So with that, let me start out with just a little bit about our company. We are the only appliance-based remote solution. We have about 2,000 customers in all 50 states and 33 countries internationally; and those range from small to medium businesses, from construction to IT consulting in terms of vertical, all the way up to Fortune 1000, Fortune 500 and Global 1000 customers.

And then in terms of the solution that we deploy, we do deploy through a Box; and our Bomgar BoxTM allows the support rep to connect to any computer in the world in just a few seconds. So it's any Windows-based PC from Windows 95 through Windows Server 2003, and the reason it can do that is 'cause it works through firewalls and does not require a pre-installed client. We also have file transfer and chat once you get connected with the customer, and a feature called Reboot/Auto-Reconnect that allows the rep to reboot the remote system and gain remote control without any user intervention whatsoever. There are several of our competitors that can list that feature, but it usually requires the user to actually re-connect the session once you complete the reboot. We also allow you to transfer the session to another rep and then also share it with another rep to collaborate on a single issue.

You have - because we use a tabbed interface, it allows you to handle multiple sessions very easily. And also on this last point, I want to take a couple moments on that, it really is a 30-minute deployment of the solution. It's not a 30-minute setup or 30-minute training run; it takes about 30 minutes from the time the FedEx guy drops off the box to the point where you're remote controlling a user's system. So it really is incredibly easy. We ask our customers to take the BomgarTM Pizza Box Challenge, which is basically to order a pizza as soon as the box gets there; and then by the time the pizza gets there, you should have it up and running.

Nathan McNeill, BomgarTM:
Let's take a couple of minutes to talk about how it works, just briefly. It all works through the appliance, and it's firewall transparent for both you and for your customer. So it works through any firewall or proxy or NAT or router without any pre-configuration. The way it would work is the support rep would monitor the queue waiting for incoming support requests, and then the customer would then initiate the session using one of three different initiation options. You can use a session key, you can use a display name or a support request form; and the administrator has the ability to decide which of those to display. You can also customize the support request form page to match the look and feel for your company.

And then once the customer grants control - and it always is granting control versus taking control. The rep is never going to reach out and take control of the system; the customer always has to explicitly grant permission to give control. And then once you have control of the system, the rep can troubleshoot just as if you were local to it. Amazingly more efficient than working through something over the phone, 'cause you're not trying to tell the customer to click here or click there; you can just do the service directly.

And then at the completion of the session, the customer would enter feedback about the session. A couple points here: The remote support - or the BomgarTM client that was installed for the duration of the session while you are supporting the system is completely uninstalled at the end of the session, so there's no resident client on the PC. This has a couple of implications, one that Chuck alluded to earlier, which is simply privacy, that the user has control of their system, and they can control the session, who gets on, and then ensure that once the session is completed, the rep cannot gain control again until the customer explicitly grants permission again.

Nathan McNeill, BomgarTM:
And just kind of for the next couple of minutes, I want to talk through Bomgar's security stance. And it really starts with the fact that no products can claim to be certified, HIPAA compliant, or Sarbanes-Oxley compliant, or security compliant. I know we kind of hear that all the time, but there really is no certification. There's no rubber stamps. And the reason for that is simply that security and compliance involve much more than just the product itself. Security is not just in the product; it's also in the deployment and the use of the product. You could make a product that was as secure as Fort Knox technologically and still use the product in an insecure fashion. It's not a tradeoff; it's not an either-or situation. It's kind of like do you go with safe driving or safe cars. The truth is both are needed. You can still kill yourself in a safe car by using unsafe driving, and the same is true of a secure quote-unquote product. You can have a secure product and use it in an insecure fashion.

And so with that kind of paradigm in mind, BomgarTM seeks to facilitate secure deployment of our products. And the changes that brings about in our company and our approach to security is that it's not just adding security features. It's not just adding acronyms to our list, but it's really creating products in such a way that it makes secure and compliant use of the products easy and natural. It's kind of like lane markers on a highway or the little beepy thing that goes off if you don't buckle your seatbelt. Neither of those things do anything, technologically speaking, to keep the car safe; it just makes it easy to stay within the lanes and not hit other cars and hard to not wear your seatbelt. So that's what we're talking about in terms of facilitating security versus just throwing an acronym at it.

Nathan McNeill, BomgarTM:
So how do we do that? What's the - what are the methods with which we seek to facilitate security and compliance for our customers? Well, there are the bits and bytes. It's kind of the ground floor, like Chuck was saying earlier. Not necessarily value-add, but just kind of a prerequisite; and that includes 256-bit SSL encryption for the data stream, SSL-secured web interfaces, pre-hardened appliance - and you don't have to take our word for it, either. We had the entire solution, the Box, and BomgarTM audited by SymantecTM Corporation. They did a product penetration test, which is kind of white-collar hacking, along with a review of the source code. So they're looking through our proprietary code, looking for potential vulnerabilities, and then testing those out in the real world to see if they actually can form a hole. And the results of that were really favorable to us. You can read about those on our website at bomgar.com.

Moving on a little bit about Bomgar's security and our approach to information security. And one of the main things here, in terms of not just the bits and bytes but controlling the information flow, is that we do deploy through a box. And by deploying through a Box, one that's been pre-hardened and pre-secured, BomgarTM reduces the scope of our customer's liability; and we don't force you to extend that chain of trust agreement with other companies. And what this does is basically to simplify your approach to security, so you're not having to worry about a vendor's security along with your own. It's just simple math. It's that the number of vectors of attack are - with a product - are based on the product itself. The technology. The number of vectors of attack with a service are based on the product as well as the company, as well as the people in the service company that you're using.

From a compliance standpoint, this goes back to the issues of responsibility or liability; and that is that it's impossible to outsource liability. You can outsource everything else, but you can't outsource liability. You the company are still responsible for the use of your data. You are still responsible for the security of your data, even if you're using a service provider.

Nathan McNeill, BomgarTM:
We had an example of this in our offices just a couple of days ago. I was talking with Tom Thomason, one of our sales guys, and he uses an insurance company for his life insurance and then annuity investments. And it turns out that they use a service to host customer records; and that service was broken into, and they had a couple of servers like physically stolen, dragged out of the rack and then taken out of the building. And the life insurance company that he was using was unsure of which customers were affected by this breach. And so they basically said, "We had no - we couldn't have done anything about it, but we're going to offer you three years of Equifax Credit Watch service to ensure that this breach does not affect you adversely." So they have 7 million customers, and they're offering this service to them for three years, just astronomical expense, with the point being simply that there are security and monitoring implications to using a service.

This quote from IDC: "On-site remote support solutions enable customers to directly control the security of their IT environment and realize the benefits of remote support."

There are companies and some of our customers included in that group that are unable to use an application service for this particular type of application, for remote support. Regardless, though, for any company, there are security implications to sourcing an application. I think that's the central point for this.

Nathan McNeill, BomgarTM:
A few of the other things that BomgarTM offers by way of information security or facilitating information security, we have granular administration of the support rep privileges so the administrator can go in and determine point-by-point, option-by-option, what the rep is allowed to do and what he's not allowed to do, just really controlling the information flow. Each session is ad hoc or incident based, and there's no resident client. And then also, in terms of customer education, just educating our customers on what is the secure use of the products, not just the acronyms but the workflow and deployment. 'Cause again, really where it does come down is that security is not just in the product, it's in the use and deployment of the product.

A couple of final points, with BomgarTM, when compared to other solutions, it does present a lower total cost of ownership because you are purchasing the solution instead of basically renting it or leasing it from a service provider. There's no monthly fees. The ease of use as well for BomgarTM is amazing. I mentioned earlier that deployment of the appliance takes about 30 minutes; once you have that up and running, using it with a customer, the customer just has to do a couple of clicks - it's really dummy proof - usually takes about ten to 20 seconds for them to give the rep control. And then as I mentioned earlier, the strong security stance that BomgarTM offers, all the acronyms, all the SSL-this and SSL-that along with the aid in information security to easily deploy our solutions, even into a security-sensitive environment.

And that kind of wraps it up for me; I'm going to turn it back over to Bill for Q&A.

Bill Rose, SSPA:
Okay, thanks, Nathan. Thanks, Chuck; really great information there. I wanted to remind everybody out there that there's a button somewhere on your screen that says "Ask Question" or a question button that you can easily ask some questions of any of us, myself, Chuck or Nathan. So please feel free to ask questions - and we have some already, that are already here.

Chuck, let me start with you if you don't mind. I'd like to ask this question that Brent is interested in; I think it's pretty interesting. He's basically asking about the comment that you made about being transparent to firewalls. Do you mean open so that the firewall can validate the traffic or do you mean that the solution uses a standard communication port that's already open on most firewalls, like Port 80 or something like that. So what about this transparent to firewall concept? What is that all about?

Chuck Deaton, Humana:
Well, from an information security standpoint, that has goods and bads to it, as you can imagine. Pretty much, most of the technologies that we see today being used are really going after 443, which is HTTPS or an encrypted web channel, if you will, that most firewalls today have open because that's how we do e-commerce, or business with the public internet. That does present a challenge because once you open up that port, 443, there is an encrypted tunnel that bores through your firewall infrastructure, and your firewall cannot penetrate that tunnel. Most legacy firewalls cannot penetrate that tunnel and inspect the contents for either the quality of data or the security of the payload. It could be malicious traffic, but a firewall can't see it because the tunnel goes through the firewall.

So in this case, companies that want to manage those kinds of threats and vulnerabilities have to either upgrade their firewalls or they put proxies between their firewalls and the internet that can - that have certificates, digital certificates, that can break or decrypt that traffic, inspect it, and send it on its way. In our case, we pretty much leverage 443 with the BomgarTM product and bring the customer in all the way to the appliance. Then from the appliance, traffic could digitally be encrypted all the way to the host. So this is where the concept of accountability really comes into an important role in the BomgarTM product, because the BomgarTM product, being a box, centrally controls the traffic flow and logs the details of what's going on with that particular session and maps all the interesting points together. The target host, the originating client, the actions of the particular user, all this stuff is captured there. So in security world, we have a high degree of visibility so that we can manage the risks that each connection represents. In addition to that, we continue to look at expanding our firewall and intrusion protection and intrusion prevention systems to host certificates to break 443 traffic on a global scale, not just on a remote control scale.

Bill Rose, SSPA:
Thanks, Chuck. I think from that response, we're going to get 25 or 30 more questions, so that was great. It was a good response.

Hey, Nathan, from your side there's several questions here that have to do with operating systems and so on. For example, Randy's asking the question, "Can you support clients on operating systems that are not running Windows, for example?" And then Ken is asking, "You stated that you need a Windows-based PC server; what about UNIX and Linux servers?" Can you talk a little bit about that whole environmental kind of thing?

Nathan McNeill, BomgarTM:
Sure. A couple of factors there, 'cause I think those may have been asking about the server component and then the client component. As far as the systems that you can control as a rep, at this time we are Windows only, from Windows 95 through Windows Server 2003, although stay tuned on that point with us. And then as far as what the appliance requires, the appliance is running a LAMP stack (Linux, Apache and PHP); and so it doesn't require a secondary server. So you're not installing a software server on an existing server, but it's installing our appliance in the rack. Does that answer it? Or -

Bill Rose, SSPA:
Yeah, I think it does. So, Chuck, let me go back to you, 'cause this issue of security and liability comes up, and Chase is asking a question about, "What are some ways we can limit agent liability while providing remote support?" I mean, do you see this as an issue? Is there a liability issue from the agent's standpoint? Is that a con - 'cause we always talk about concerns with customers and giving us glancing access, but what about some of the agent side of things? Is there liability there?

Chuck Deaton, Humana:
Well, I think there is. We have this discussion all the time. Can Humana put software on your personal PC, and would you be happy with us if we did, and do we have an obligation then to support your PC after we do that if you have trouble? These are the kinds of questions that come into play, both from a security and an operational, and just a legal liability, not to mention the privacy liabilities of that. So I think it's very important that you consider, anytime you put a piece of client software down on a machine that you do not own and have legal accountability for, you open yourself up to something there. Not only do you open yourself up to those issues, but what if that piece of software opened a vulnerability into that system and allowed that entire network to be breached somehow after you left? So it's very important that you first put something that is safe on there; and when you're done - each time you're done - take it off and leave it as it was. That way, you take the liability with you; and your liability window is then contained to the time that you were connected. Again, your detailed logging can help you here, because if you're logging all the activities that occur on that session at a granular enough level, you can go back to an attorney or a privacy or security person, or just a businessperson, and say, "This is what happened, and this is how we found the machine, and this is how we left the machine." And that becomes hugely critical.

Bill Rose, SSPA:
Yeah, and it makes a lot of sense that that would have to be very, very well documented, as well.

So, Nathan, from your perspective, Tom asked a question about the Box itself. Basically the question is where does this appliance live? I mean, is it in the customer network? Is it internal? What - talk a little bit about the hardware component here.

Nathan McNeill, BomgarTM:
Sure, it's a 1U rack-mounted device, and usually our customers will install it in their DMZ and then make it accessible to the internet on 443 and 80, the standard internet ports. So that's the usual deployment, but it is installed at our customer's location.

Bill Rose, SSPA:
Okay, thanks. You know, I think - I don't want to turn this into a discussion about all the legislation and policy makers out there and so on; but Rick does have a pretty good question, and basically his question has to do - for you, Chuck - about HIPAA in particular. And so basically saying, so you're saying that no remote access application, hardware, software are HIPAA compliant? Or are there some, or - talk just a little bit about to the folks that don't really understand what HIPAA is.

Chuck Deaton, Humana:
Well, the HIPAA being the Health Information Portability and Accountability Act; I think Clinton signed it in 1996, and we are now living with the impact of that. But it's really about protected health information, or if you want to classify between paper and electronic, it's EPHI, or Electronic Protected Health Information. Now, being HIPAA compliant is a very loosely stated thing as being compliant with any regulatory issue. I mean, people come in and they can measure you for this or that; at the end of the day, it's interpretation on behalf of the company as to how they're going to comply with a particular set of requirements that are designed to protect information assets from authorized users and unauthorized users alike. So it's not just a hacker problem; it's a trusted user issue as well. So when people come to us to pitch solutions that are compliant with this regulation or that regulation, all they're really saying is that we have got enough security that if we give this solution to you or you purchase this solution and decide to use it, you have an opportunity to use it in such a way that cannot hurt you in your efforts or goals to comply with a particular set of requirements. Does that make sense?

Bill Rose, SSPA:
Yeah, that sure does. That clarifies quite a bit. Thanks, Chuck.

Nathan, here's another question Jeffrey's asking. He's a little bit confused about the whole concept of how everything installs, right? What he's basically saying is to remote control somebody, does the customer have to download some kind of small .exe file and then install it on the computer, and then afterward the .exe goes away? What is - what's your take on this?

Nathan McNeill, BomgarTM:
Yeah, that's exactly it. What would happen is the customer would go to your website, they would click on your name or initiate in some other fashion and then download a small .exe. It's actually under 400 KB and takes about two seconds over a broadband connection; it installs automatically and gives the rep control; the rep would service the machine, and at the completion of the session, when the session is terminated, that little application or that little applet would be completely removed from that system. So that's kind of that structure.

Bill Rose, SSPA:
Good. Then so while you're there, Nathan, let's just talk about a question that Shamin brings up about basically asking a question about logging. Can you talk a little bit about how things are logged? Is it automatically? Are sessions monitored during the course of use? What - talk a little bit about the logging and the monitoring side.

Nathan McNeill, BomgarTM:
Right. It's logged automatically; and it's going to record a lot of information about the session, any chat logs or file transfers that took place, whether remote control was allowed, the IP addresses of the machines involved, usernames, machine names and all that sort of information. So you really have a detailed trail of kind of what happens during a session and who was connected to whom for how long. So.

Bill Rose, SSPA:
Okay, great. Great. What about this? Maybe, Chuck, maybe you could answer this, and then I'll ask Nathan the same question; but talk a little bit about these concurrent sessions. How many concurrent sessions can you actually run to a Box like that? And Chuck, maybe you could start with Humana's point of view. When you talk about concurrent sessions, how many are you talking about? How much activity are you getting here?

Chuck Deaton, Humana:
Well, I think the latest word that I got from our support desk group, they're running somewhere around between 50 and 75 support reps, if you will, those are our associates that are helping people; and I think they're crunching about 3,000 sessions a day. So if that gives you an idea that they're pounding the Bomgar BoxTM pretty heavily right now at those volumes. And essentially, what we have is one Bomgar BoxTM that supports that group and two other groups, and they each have their own website on that one box. Our customer service support center is called CSS, so they have a site called css.humana.com. Our workstation distribution group is called DSI; they have a site called dsi.humana.com. And then we have another site called MYRC for My Remote Control by Humana.com. And they all are on that box, and each administrator has his own site to administer and has his own licenses; and their users log into their site and all the logging is relevant to their site and their user communities. That puts the administration in the hands of the people who use the tool, which is a wonderful aspect. And they're just pounding that thing every day. They take a call, and their first option now is to connect to the user and give them personal, hand-held service through the issue. They do not frustrate them over the phone.

Bill Rose, SSPA:
Yeah, it's pretty interesting, so they're actually getting better service using remote support than they probably would have gotten through the phone, right?

Chuck Deaton, Humana:
There's no doubt about it. It's the very first tool they reach for.

Bill Rose, SSPA:
Yeah. And Nathan, maybe we just move onto another question here. Because there's one here - Joe's asking the question, and I've heard you mention AccessDeskTM and BomgarTM, is that the same thing?

Nathan McNeill, BomgarTM:
No, it's two different products. BomgarTM is incident based in that it works through firewalls and does not require a pre-installed client but does require the user to be present in order to initiate the session. AccessDeskTM is more for systems administration or maintenance; and so it allows the rep to gain control of unattended systems, but you must have a software client pre-installed on the systems. So they're two different products.

Bill Rose, SSPA:
I see. I see. And Chuck, another question that's coming in from Kevin is basically he's trying to use the product to replace a B-to-B/VPN situation, right, from a third-party support organization for example. Right, and part of the presentation was always off and sometimes on, not the other way around, right? But can a remote support product like this replace a typical VPN environment?

Chuck Deaton, Humana:
It depends. And I'll try to draw the clarity here of if you have real-time, automated file transfer mechanisms that go across a B-to-B, or if you have a backend system in one company or Company A continuously talking to a backend system at Company B, then a traditional VPN is going to be the need there. But if you've established a B-to-B so that you can have remote support of servers or infrastructure or respond to ad hoc support calls, then absolutely this tool can replace that and all the cost and security threat that comes along with that.

Bill Rose, SSPA:
I see. Nathan, from your perspective, Jason is asking a question here about some functionality. Like he's asking about the Push and Start functions. Can you talk a little bit about what those are and how they work?

Nathan McNeill, BomgarTM:
Sure, that's a feature of BomgarTM that allows the rep to - if he's on the same LAN as the systems he wants to remote control, and assuming he's the systems administrator or has an administrative account of those systems - he can actually push the client to the system on the network and have it automatically install and connect back to him, assuming he's on the same LAN as that system. So that would be a means of him getting control of an unattended system that he's an administrator of within the same LAN.

Bill Rose, SSPA:
Chuck, can you talk a little bit about the whole issue of - I don't know - what you talked a little bit about it before with the regulations and so on, but what about the emotional side of this? I mean, there's just some people out there that feel bad about letting anybody - granting or otherwise, right - have access. And we're finding that there are customers out there, or some of our SSPA members that just can't use a tool like this because they can't gain access. How do you approach that? 'Cause it's really in a lot of things, it's emotion more than anything else, right?

Chuck Deaton, Humana:
Well, it is, but there's a lot of fear and uncertainty and doubt in the marketplace right now around identity theft and hackers and people getting into your systems, whether it's your home PC or your office PC; so you've got a lot to overcome there in terms of public opinion or public perspective. But you do bring up a good point. This is why I like the aspect of prompting the user before you do it. One of the things here that's interesting that may not be intuitive to those people who've never used this particular tool is that the tool still requires you to be on the phone or have personal contact with the end user. And this is one of the ways that can solve this particular problem, because Bill, if you and I were talking on the phone and you were having a particular issue - and particularly, if you called me first - so you're very comfortable already that you're talking to a trusted second party. And then I say, "Okay, I'm going to have you come to a website or click on my name and maybe even my face, something to that effect. And when you click here, you're going to get this prompt, and it's going to ask you to let me in, view only - and I need you to clean off your screen and not have any pictures or spreadsheets or anything like that up that you don't want me to see - and then I'm going to help you out with this issue." We found that that works very, very well because the user is always in control, and they're already talking to you. In fact, they're the ones who initiated contact with you to begin with. So this is a very much user-empowered or end customer-empowered type experience from beginning to end.

Bill Rose, SSPA:
Yeah, that makes a lot of sense, Chuck, and I see now what you're saying. People are calling you and asking you, and you're asking them to grant access, and they grant it. So it's a whole different world, and the emotion should be out of that, right?

Chuck Deaton, Humana:
And if they want to terminate your session, they can do that at any time.

Bill Rose, SSPA:
Yep, exactly. Exactly. Listen guys, we're out of time on this webcast. I'd like to close by just asking each of you to, if you could, if there's one recommendation that you could make for people that are very much interested in remote support and very much concerned about security, what would that be? So Nathan, maybe I could ask you first. What's your recommendation to the folks out there that are - why should they move ahead?

Nathan McNeill, BomgarTM:
I think a lot of it's just doing your homework, evaluating different solutions. We actually offer a trial of our product and can even give you a trial of the Box itself, have you install it at your location. And then consider the implications of the choices like whether or not to host the application with a provider or host it internally before making a decision.

Bill Rose, SSPA:
Okay, thanks. And Chuck, what about you? What's your recommendation?

Chuck Deaton, Humana:
I would say that look at your logging and the details of what you can see of what's going on with your information inside that remote control session, make sure that you have individual accountability and very detailed information to the system, and then the other thing that I would probably recommend is that be very careful or very cautious as to the economics and the impact of scale. If your users adopt this and your end user communities like it and it begins to grow, make sure that you don't have to buy a bunch of hardware or that the costs are not going to consume you, at even a small scale, much less a much larger scale.

Bill Rose, SSPA:
Great. Hey, Chuck, I just wanted to say thanks a lot for taking some time with us today and sharing what you've been doing at Humana. It's pretty exciting stuff that you're doing there. Also, Nathan, thanks for your partnership with SSPA and thanks to everybody that had a chance to attend. We have some questions, of course, that weren't answered; we're going to get back to anybody who did ask a question. Also, this session has been recorded, and in a short period of time it'll be up on the SSPA website for you to review. So thanks, everybody for attending another SSPA webcast, and we'll see you next time.