Wednesday, April 21, 2021

Rise of Broad Reliance on APIs Brings Novel Vector for Security Concern and Need for New Defenses

Transcript of a discussion on how APIs, microservices, and cloud-native computing form a new frontier for cybersecurity vulnerabilities -- as well as opportunities for innovative defenses and resilience.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Traceable.ai.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

Thinking of IT security as a fortress or a moat around your compute assets has now given way to a more realistic and pervasive posture. A cybersecurity perimeter, it turns out, was an illusion.

A more effective extended-enterprise strategy protects business assets and processes wherever they are -- and wherever they might reach. As businesses align to new approaches such as zero trust and behavior-modeling to secure their data, applications, infrastructure, and networks, there’s another rapidly expanding digital domain that needs modern protection.

Stay with us now as we explore how application programming interfaces (APIs), microservices, and cloud-native computing in general form a new frontier for cybersecurity vulnerabilities -- as well as opportunities for innovative defenses and resilience.

To learn more about why your expanding use of APIs may be the new weak link in your digital business ecosystem, please join me in welcoming our special guest, Jyoti Bansal, Chief Executive Officer and Co-Founder at Traceable.ai. Welcome, Jyoti.

Jyoti Bansal: Thank you, Dana. I’m very excited to be here.

Gardner: Jyoti, has the global explosion of cloud-native apps and services set us up for a new variety of security vulnerability? How serious is this new threat?

Bansal: Well, it’s definitely new and it’s quite serious. If you look at every time we go through a change in IT architectures, we get a new set of security challenges. The adoption of cloud-native architectures means challenges in a few things. 

Bansal
One, you have a lot of APIs and these APIs are doors and entryways into your systems and your apps. If those are not secured properly, you have more opportunities for attackers to steal data. You want to open the APIs so that you can expose data, but attackers will try to exploit that. We are seeing more examples of that happening.

The second major challenge with cloud-native apps is around the software development model. Development now is more high-velocity, more Agile. People are using DevOps and continuous integration and continuous delivery (CI/CD). That creates the velocity. You’re changing things once every hour, sometimes even more often.

That creates new kinds of opportunities for developers to make mistakes in their apps and in their APIs, and in how they design a microservice; or in how different microservices or APIs interact with each other. That often creates a lot more opportunity for attackers to exploit.

Gardner: Companies, of course, are under a lot of pressure to do things quickly and to react to very dynamic business environments. At the same time, you have to always cover your backside with better security. How do companies face the tension between speed and safety?

Speed and safety for cloud-native apps

Bansal: That’s the biggest tension, in many ways. You are forced to move fast. The speed is important. The pandemic has been even more of a challenge for a lot of companies. They had to move to more of a digital experience much faster than they imagined. So speed has become way more prominent.

But that speed creates a challenge around safety, right? Speed creates two main things. One is that you have more opportunity to make mistakes. If you ask people to do something very fast because there’s so much business and consumer pressure, sometimes you cut corners and make mistakes.

Learn More 

Not deliberately. It’s just as software engineers can never write completely bug-free code. But if you have more bugs in your code because you are moving very, very fast, it creates a greater challenge.

So how do you create safety around it? By catching these security bugs and issues much earlier in your software development life cycle (SDLC). If a developer creates a new API and that API could be exploited by a hacker -- because there is a bug in that API around security authentication check -- you have to try to find it in your test cycle and your SDLC.

The second way to gain security is by creating a safety net. Even if you find things earlier in your SDLC, it’s impossible to catch everything. In the most ideal world, you’d like to ship software that has zero vulnerabilities and zero gaps of any kind when it comes to security. But that doesn’t happen, right?

You have to create a safety net so that if there are vulnerabilities because the business pressure was there to move fast, that safety net that can still block what occurs and stop those from trying to do things that you didn’t intend from your APIs and applications.

Gardner: And not only do you have to be thinking about APIs you’re generating internally, but there are a lot of third-party APIs out there, along with microservices, when doing extended-enterprise processes. It’s a bit of a Wild West environment when it comes to these third-party APIs.

Bansal: Definitely. The APIs you are building and using internally through your microservices may also have an external consumer calling those APIs. Other microservices may also be calling them -- and so there is exposure around that.


Third-party APIs manifest in two different ways. One is that you might be using a third-party API or library in your microservice. There might be a security gap there.

The second way comes when you’re calling on third-party APIs. And now almost everything is exposed as APIs – such as if you want to check for some data somewhere or call some other software as a service (SaaS) service or cloud service, or a payment service. Everything is an API, and those APIs are not always called properly. All of those APIs are not secure, and so your system fundamentally can become more insecure.

It is getting close to a wild, Wild West with APIs. I think we have to take API security quite seriously at this point.

Gardner: We’ve been talking about API security as a function of growing pains, that you’re moving fast, and this isn’t a process that you might be used to.

But there’s also malice out there. We’ve seen advanced, persistent threats in such things as zero-day exploits and with Microsoft Exchange Servers recently. We’ve certainly seen with the SolarWinds exploits how a supply chain can be made vulnerable.

Have we seen people take advantage of APIs, too, or is that something that we should expect?

API attacks a global threat

Bansal: Well, we should definitely expect that. We are seeing people take advantage of these APIs. If you look at data from Gartner, they stated that by 2022, API abuses will move from an infrequent to the most frequent attack vector. That will result in more data breaches in enterprises and web applications. That is the new direction because of how applications are consumed with APIs.

The API has naturally become a more frequent form of attack vector now.

Gardner: Do you expect, Jyoti, that this is going to become mission-critical? We’re only part way into the “software eats the world” thing. As we expect software to become more critical to the world, APIs are becoming more part of that. Could API vulnerabilities become a massive, global threat vector?

Bansal: Yes, definitely. We are, as you said, only partially into the software-eats-the-world trend. We are still not fully there. We are only 30 to 40 percent there. But as we see more and more APIs, those will create a new kind of attack vector.

For a long time, people didn't think about APIs. People only thought about APIs as internal. External APIs were very few. Now, APIs are a major source of how other systems integrate across the globe. The traffic coming through APIs is significantly increasing.

It’s a matter of now taking these threats seriously. For a long time, people didn’t think about APIs. People only thought about APIs as internal APIs; that you will put internal APIs between your code and different internal services. The external APIs were very few. Most of your users were coming through a web application or a mobile application, and so you were not exposing your APIs as much to external applications.

If you look at banking, for example, most of the bank services software was about online banking. End users came through a bank web site, and then users came through mobile apps. They didn’t have to worry too much about APIs to do their business.

Now, that’s no longer the case. For any bank, APIs are a major source of how other systems integrate with them. Banks didn’t have to expose their systems through those apps that they built, but now a lot of third-party apps are written on top of those APIs -- from a wallet app, to different kinds of payment systems, to all sorts of things that are out there -- because that’s what consumers are looking for. So, now -- as you start doing that -- the amount of traffic coming through that API is not just through the web or mobile front-ends directly. It’s significantly increasing.

The general use of internal APIs is increasing. With the adoption of cloud-native and microservices architectures, the internal-to-external boundary is starting to blur too much. Internal APIs could become external at any point because the same microservice that our engineering team wrote is now being used by your other internal microservices inside of your company. But they are also being exposed to your partners or other third-party systems to do something, right?

Learn More 

More and more APIs are being exposed out there. We will see this continued explosion of APIs because that’s the nature of how modern software is built. APIs are the building block of modern software systems.

I think we have two options as an industry. Either we say, “Okay, APIs could be risky or someone could attack them, so let’s not use APIs.” But that to me is completely wrong because APIs are what’s driving the flexibility and fluidity of modern software systems and the velocity that we need. We have to just learn as an industry to instead secure APIs and be serious about securing them.


Gardner: Jyoti, your role there as CEO and co-founder at Traceable.ai is not your first rodeo. You’ve been a serial startup leader and a Silicon Valley tech visionary. Tell us about your other major companies, AppDynamics, in particular, and why that puts you in a position to recognize the API vulnerability -- but also come up with novel ways of making APIs more secure.

History of troubleshooting

Bansal: Yes. I have a unique advantage in that I have founded companies to solve big problems like these in the past. AppDynamics was my first company, which I started back in 2008. The purpose was to give development teams good solutions to diagnose and troubleshoot when something goes wrong in their distributed software systems.

At that time, we were starting to see a lot of service-oriented architectures (SOA). People were struggling when something was slow and users experienced slowdowns from their websites. How do you figure out where the slowdown is? How do you find the root cause?

That space eventually became what is called application performance management (APM). What we came up with was, “How about we instrument what’s going on inside the code in production? How about we trace the flow of code from one service to another service, or to a third service or a database? Then we can figure out where the slow down and bottlenecks are.”

By understanding what’s happening in these complex software systems, you can figure out where the performance bottleneck is. We were quite successful as a company. We were acquired by Cisco just a day before we were about to go IPO.

The approach we used there solves problems around performance – so monitoring, diagnosing, and troubleshooting diagnostics. The fundamental approach was about instrumenting and learning what was going on inside the systems.

That’s the same approach we at Traceable.ai apply to solving the problems around API security. We have all these challenges around APIs; they’re everywhere, and it’s the wild, Wild West of APIs.

So how do you get in control? You don’t want to ask developers to slow down and not do any APIs. You don’t want to reduce the velocity. The way you get control over it is fundamentally a very similar approach to what we used at AppDynamics for performance monitoring and troubleshooting. And that is by understanding everything that can be instrumented in the APIs’ environment.

That means for all external APIs, all internal APIs, and all the third-party APIs. It means learning how the data flows between these different APIs, which users call different APIs, what they are trying to achieve out of it, what APIs are changed by developers, and which APIs have sensitive data in them.

Once you are in control of what is there, you can learn if some user is trying to use these APIs in a bad way. You know what seems like an attack, or if something wrong is happening. Then you can quickly go into prevention mode. You can block that attack.

Once you automatically understand that -- about all of the APIs – then you start to get in control of what is there. Once you are in control of what’s there, you can learn if some user is trying to use these APIs in a bad way. You know what seems like an attack, or if something wrong is happening. There might be a data breach or something. Then you can quickly go into prevention mode. You can then block that attack.

There are a lot of similarities from my experience at my last company, AppDynamics, in terms of how we solve challenges around API security. I also started a second company, Harness. It’s in a different space, targeting DevOps and software developers, and helping them with CI/CD. Harness is now one of the leading platforms for CI/CD or DevOps.

So I have a lot of experience from the vantage point of what do modern software engineer organizations have to do from a CI/CD DevOps perspective, and what security challenges they start to run into.

We talk to Harness customers doing modern CI/CD about application and API security. And it almost always comes as one big challenge. They are worried about microservices, about cloud-native architectures, and about moving more to APIs. They need to get in control and to create a safety net around all of this.

Gardner: Does your approach of trace, monitor, and understand the behavior apply to what’s going on in operations as well as what goes on in development? Is this a one-size-fits-all solution? Or do you have to attack those problems separately?

One-size-fits-all advantages

Bansal: That’s the beauty of this approach. It is in many ways a one-size-fits-all approach. It’s about how you use the data that comes out of this trace-everything instrument. Fundamentally it works in all of these areas.

It works because the engineering teams put in what we call a lightweight agent. That agent goes inside the runtime of the code itself, running in different programming languages, such as Java, PHP, and Python. The agents could also run in your application proxies in your environment.

You put the same kinds of instruments, lightweight agents, in for your external APIs, your internal microservices APIs, as well as the third-party APIs that you’re calling. It’s all the same.

Learn More 

When you have such instrumentation tracing, you can take the same approach everywhere. Ideally, you put the same in a pre-production environment while you are going through the software testing lifecycle in a CI/CD system. And then, after some testing, staging, and load testing, you start putting the same instrumentation into production, too. You want the same kind of approach across all of that.

In the testing cycle, we will tell you -- based on all instrumentation and tracing, looking at all the calls based on your tests – that these are the places that are vulnerable, such as these are the APIs that have gaps and could be exploited by someone.

Then, once you do the same approach in production, we tell you not only about the vulnerabilities but also where to block attacks that are happening. We say, “This is the place that is vulnerable, right now there is an attacker trying to attack this API and steal data, and this is how we can block them.” This happens in real-time, as they do it.

But it’s fundamentally the same approach that is being used across your full SDLC lifecycle.

Gardner: Let’s look at the people in these roles or personas, be it developer, operations, SecOps, and traditional security. Do you have any examples or metrics of where API vulnerabilities have cropped up? What vulnerabilities are these people already seeing?

Vulnerable endpoints to protect

Bansal: A lot of API vulnerabilities crop up around unauthenticated endpoints, such as exposing an API and it doesn’t have the right kind of authentication. Second is around not using the right authorization, such as calling an API that is supposed to give you data for you as user 1, but the authorization had a flaw that could be exploited for you to take data -- not just as user 1 but from someone else, a user 2, or maybe even a large number of users. That’s a common problem that happens too often with APIs.

There are also leaky APIs that give you more data than they should, such as it’s only supposed to give the name of someone, but it also includes more sensitive data.

In the world of application security, we have the OWASP Top Ten list that the app security teams and the security teams have followed for a long time. And normally you would have things like SQL injection and cross-site scripting, and those were always in that list.

Now there’s an additional list called the OWASP API Security Top Ten, which lists the top threats when it comes to APIs. Some of the threats I described are key parts of it. And there are a lot of examples of these API-involved attacks these days.

Just recently in 2020, we had a Starbucks vulnerability in API calls, which potentially exposed 100 million customer records. It was around an authentication vulnerability. In 2019, Capital One was a high-profile example. There was an Amazon Web Services (AWS) configuration API that wasn’t secured properly and an attacker got access to it. It exposed all the AWS resources that Capital One had.

We are starting to see patterns emerge on the vulnerabilities attackers are exploiting in APIs. No one should take API security lightly these days. It's a big mistake if companies are not getting to this faster.

There was a very high-profile attack that happened on T-Mobile in 2018, where there was an API leaking more data than it was supposed to. Some 2.3 million customers’ data was stolen. In another high-profile attack, at Venmo, a public API was not exposing the data for the right users so 200 million transactions of data were stolen from Venmo. As you can see from these examples, we are starting to see patterns emerge on the vulnerabilities attackers are exploiting in APIs.

Gardner: Now, these types of attacks and headlines are going to get the attention of the very top of any enterprise, especially now where we’re seeing GDPR and other regulations require disclosure of these sorts of breaches and exposures. This is not just nice to have. This sounds like potentially something that could make or break a company if it’s not remediated.

Bansal: Definitely. No one should take API security lightly these days. A lot of the traditional cybersecurity teams have put a lot of their focus and energy in securing the networks and infrastructure. And many of them are just starting to get serious about this next API threat vector. It’s a big mistake if companies are not getting to this faster. They are exposing themselves in a big way.

Gardner: The top lesson for security teams, as they have seen in other types of security vulnerabilities, is you have to know what’s there, protect it, and then be proactive. What is it about the way that you’re approaching these problems that set you up to be able to be proactive -- rather than reactive -- over time?

Know it, protect it, and go proactive

Bansal: Yes, the fundamentals of security are the same. You have to know what is there, you have to protect it, and then you become proactive about it. And that’s the approach we have taken in our solution at Traceable.ai.

Number one is all about API discovery and risk assessment. You put us there in your environment and very quickly we’ll tell you what all the APIs are. It’s all about discovery and inventory as the very first thing. These are all your external APIs. These are all your internal APIs. These are all the third-party APIs that you are invoking. So it starts with discovery. You have to know what is there. And you create an inventory of everything.

The second part, when you create that inventory, is to give a risk score. We give every API a risk score: internal API, external API, and third-party, all of them. The risk score is based on many dimensions, such as which APIs have sensitive data flowing through them, which APIs are exposed publicly versus not, which APIs have what kind of authentication to them, and what APIs are internally using your critical database systems and reading data from those. Based on all of these factors, we are creating a risk heat map of all of our APIs.

The most important part for APIs security is to do this continuously. Because you’re living in the world of CI/CD, any kind of API discovery or assessment cannot be static, like you do it once a month, once a quarter, or even once a week. You have to do it dynamically all the time because code is changing. Developers are putting new code continuously out there. So the APIs are changing, with new microservices. All of the discovery and risk assessment has to happen continuously. So, that’s really the first challenge we handle at Traceable.ai.

The second problem we handle is to build a learning model. That learning model is based on a very sophisticated machine learning (ML) approach on what is the normal usage behavior of each of these APIs. What users are calling an API? What sequence do they get called? What kind of data passes through them? What kinds of data are they fetching out of where? And on and on.

We are learning all of that automatically. Once you learn that, you start comparing every new API request with what the normal model of how your APIs are supposed to be used.

Now, if you have an attacker trying to use an API to extract much more data than what is normal for that data, you know that something is abnormal about it. You could flag it, and that’s a key part of how we think of the second part, which is how do you protect these APIs from bad behavior.

Learn More 

That cannot be done with the traditional web application firewall (WAF) and runtime application self-protection (RASP), and those kinds of approaches. Those are very rule-based or static-rules-type of base approaches. For APIs, you have to build a behavioral learning-based system. That’s what our solution is about. That’s how we get to a very high degree of protection for these APIs.

The third element to the solution is the proactive part. After a lot of this learning, we also examine the behavior of these APIs and the potential vulnerabilities, based on the models. The right way to proactively use our system is to feed that into your testing and development cycle. That brings the issues back to the developers to fix the vulnerabilities. We can help find them earlier in the lifecycle so you can integrate that into what you’re doing in your application security testing processes. It closes the loop on you doing all of this – only proactively now.

Gardner: Jyoti, what should businesses do to prepare themselves at an early stage for API security? Who should be tasked with kicking this off?

Build your app security team

Bansal: API security falls under the umbrella of app security. In many businesses, app security teams are now tasked to secure the APIs in addition to the traditional web applications.

In many places, we are also seeing businesses create teams around what they call product security. If you are a company with FinTech products, your product is an API because your product is primarily exposed to APIs. Then people start building out product security teams who are tasked with securing all of these APIs. In some cases, we see the software engineering team directly responsible for securing APIs.

The first thing every business has to do is to create a responsibility around securing APIs. You have to bring in something to understand the inventory. They don't even know what all of the APIs are. Then you can start securing and getting a better posture.

Whatever the model is, the first thing every business has to do is to create a responsibility around securing APIs. After that, you have to bring in something to understand the inventory. I still am amazed every time I see so many businesses we talk to struggling with just even knowing what APIs are there.

The problem is they don’t even know what all of their APIs are. They may have 500 or 2,000 developers in the company. They are building all of these APIs, and can’t even track them. So most businesses have to get an understanding and some kind of control over the APIs that are there. Then you can start securing and getting a better security posture around those.

Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on how APIs, microservices, and cloud-native computing may be the new weak link in your expanding digital business ecosystem. And we’ve learned how modern security strategies of tracing, analyzing, and modeling behaviors provide opportunities for new API defenses and resilience.

And now a big thank you to our guest, Jyoti Bansal, Chief Executive Officer and Co-Founder at Traceable.ai. Thank you so much, Jyoti.

Bansal: Thank you, Dana.

Gardner: And a big thank you as well to our audience for joining this BriefingsDirect API protection discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Traceable.ai-sponsored BriefingsDirect discussions.

Stay tuned for our next podcast in the series, again with Jyoti, for a deep-dive into ways that APIs can be made more robust in production as well as in development.

Thanks again for listening, please pass this along to your business associates, and do come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Traceable.ai.

Transcript of a discussion on how APIs, microservices, and cloud-native computing form a new frontier for cybersecurity vulnerabilities -- as well as opportunities for innovative defenses and resilience. Copyright Interarbor Solutions, LLC, 2005-2021. All rights reserved.

You may also be interested in:

Monday, April 19, 2021

Creating Business Advantage with Technology-Enabled Flexible Work

Transcript of a discussion on how a global business process outsourcing leader uses a “Cloud Campus” to improve remote worker productivity and their end users’ experience.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Citrix.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

As businesses plan for a future where more of their workforce can be located just about anywhere, how should they rethink hiring, training, and talent optimization? This major theme for 2021 and beyond poses major adjustments for both workers and savvy business leaders.

Stay with us now as we explore how a global business process outsourcing leader has shown how distributed employees working from a “Cloud Campus” are improving productivity and their end users’ experience.

To learn more about best practices and advantageous outcomes from a broadly dispersed digital workforce, we are now joined by José Güereque, Executive Vice President of Infrastructure and Nearshore Chief Information Officer at Teleperformance SE in Monterrey, Mexico. Welcome, José.

José Güereque: Thank you, Dana. Good morning all. Nice to see you.

Gardner: We are also here with Lance Brown, Executive Vice President Global Network, Telecom, and Architecture at Teleperformance. Welcome, Lance.

Lance Brown: Great to be here. Looking forward to it.

Gardner: And we are here with Tim Minahan, Executive Vice President of Business Strategy and Chief Marketing Officer at Citrix. Welcome back, Tim.

Tim Minahan: Thanks, Dana. Great to be back.

Gardner: Tim, when it comes to flexible and hybrid work models we often focus on how to bring the work to the at-home workforce. But this new level of flexibility also means that we can find and attract workers from a much broader potential pool of talent.

Are companies fully taking advantage of this decentralized talent pool yet? And what benefits are those who are not yet expanding their workforce horizons missing out on?

Pick your talent anywhere

Minahan: We are at a very interesting inflection point right now. If there is any iota of a silver lining in this global pandemic it’s that it has opened people’s minds to both accelerating digitization of their business, but also opening their minds to new ways of work. It’s now been proven that work can indeed occur outside the office. Smart companies like Teleperformance are beginning to look at their entire workforce strategies -- their work models -- in different ways.

Minahan

It’s not about should Sam or Susie work in the office or work at home. It’s, “Gee, now that I can enable everyone with the work resources they need, and in a secure workspace environment to do their best work wherever it is, does that allow me to do new things, such as tap into new talent pools that may not be within commuting distance of my work hubs?”

This now allows me to even advance sustainability initiatives or, in some cases, we have companies now saying, “Hey, now I can also reach workers that allow me to bring more diversity into my workforce. I can enable people to work from inner cities or other locations -- rural locations -- that I couldn’t reach before.”

This is the thought process that a lot of forward-thinking companies are going through right now.

Gardner: It seems that a remote, hybrid, flexible work capability is the gift that keeps giving. In many cases we have seen projections of shortages of skilled workers and gaps between labor demand and supply. Are we in just the early innings of what we can expect from the benefits of remote work? 

Minahan: Yes. If you think way back in history, about a year ago, that’s exactly what the world was grappling with. There was a global shortage of skilled workers. In fact, McKinsey estimated that there was a global shortage of 95 million medium- to high-skilled workers. So managers were trying to hire amid all that.

But, in addition, there was a shortage of the actual modern skills that a lot of companies need to advance their business, to digitize their business. And the third part is a lot of employees were challenged and frustrated with the complexity of their work environment.

Now, more flexible work models enabled by a digital workspace that ensures employees have access to all the work resources they need, wherever work needs to get done, begins to address each of those issues. Now you can reach into new areas to find new talent. You can reach skills that you couldn’t before because you were competing in a very competitive market.

Now you can enable your employees to work where and how they want in new ways that doesn’t limit them. They no longer have a long commute that gives them added stress in their lives. In fact, our research found that 80 percent of workers feel they are being as, if not more, productive working remotely than they could be in the office.

Gardner: Let’s find out from an organization that’s been doing this. José, at Teleperformance, tell us the types of challenges you faced in terms of the right fit between your workforce and your demands for work. How have you been able to use technology to help solve that?

Güereque: Our business was mostly a finite structure of brick-and-mortar operations. When COVID struck, we realized that we faced a challenge of not being able to move people to and from the work centers. So, we rushed to move all of our people, as much as possible, to work from home (WFH).

At-Home Workers May Explore Their Options. 

Technically, the first challenge was to restructure our network, services, and all kinds of resources to move the workforce to WFH. As you can imagine, that came in hand with security measures. Security is one of the most important things we need to address and have in place.

But while there were big challenges, big opportunities also arose for us. The new model allows us to be more flexible in how we look for new talent. We can now find that talent in places we didn’t search before.

Our team has helped expedite this work-at-home model for us. It was not embraced in the massive way it is right now.

Gardner: Lance, tell us about Teleperformance, your workforce, your reach, and your markets.

Remote work: Simpler, faster, safer

Brown

Brown: Teleperformance is a global customer experience company based in France. We have more than 383,000 employees worldwide in 83 countries serving over 170 markets. So it’s a very large corporation. We have a number of agents who support many Fortune 500 companies all over the world, and our associates obviously have to be able to connect and talk [in over 265 languages and dialects] to customers.

We sent more than 220,000 of these associates home in a very quick time frame at the onset of the pandemic.

Our company is all about being simpler, faster, and safer -- and working with Citrix allowed us to meet all of our transition goals. Remote work is now a simpler, faster process -- and it’s a safer process. All of our security that Citrix provides is on the back end. We don’t have to worry as much with the security on our endpoint as we would in other traditional models.

Gardner: As José mentioned, you had to snap to it and solve some major challenges from the crisis. Now that you have been adjusting to this, do you agree that it’s the gift that keeps giving? Is flexible work here to stay from your perspective?

Our company is all about being simpler, faster, and safer -- and working with Citrix allowed us to meet all of our transition goals. Remote work is now a simpler, faster process -- and it's a safer process.

Brown: Yes, from Teleperformance’s perspective, we fully are working to get our clients to remain at WFH -- for a large percentage of the workforce. We don’t ever see the days of going back to 100 percent brick and mortar, or even mostly brick and mortar. We were at 90 percent on-site before the pandemic. Now, at the end of the day, that will become between 50 percent to 65 percent work at home.

Gardner: Tim, because they have 390,000 people, there is going to be a great diversity of how people will react to this. One of the nice things about remote work and digital workspaces is you can be dynamic. You can adjust, change, and innovate.

How are organizations such as Teleperformance breaking new ground? Are they finding innovation that goes beyond what they may have expected from flexible work at the outset?

Minahan: Yes, absolutely. This isn’t just about can we enable ourselves to tap into new talent in some remote locations or for disenfranchised parts of the workforce. It’s about creating an agile workforce model. Teleperformance is on the frontlines of enabling that for its own workforce. But Teleperformance is also part of the solution, due to their business process outsourcing (BPO) solutions and how they serve their clients. You begin to rethink the workforce.

We did a study as part of our Work 2035 Project, in which we went out over the past year-and-a-half and interviewed tens of thousands of employees, thousands of senior executives, and probed into what the world of work will look like in 2035. A lot of things we are talking about here have been accelerated by the pandemic.

One of those things is moving to a more agile workforce model, where you begin to rethink your workforce strategies, and maybe where you augment full-time employees with contractors or gig workers, so you have that agility to dial up your workforce.

Maybe it’s due to seasonality, and you need for a call center or other services to be able to dial up or back down. Or work locations shift, moving due to certain needs or responses to certain catastrophes. And like I said, that’s what a lot of forward-thinking companies are doing.

What’s so exciting about Teleperformance is they are not only doing it for their own organization -- but they are also providing the solution for their own clients.

Gardner: José, please describe for us your Cloud Campus concept. Why did you call it Cloud Campus and what does it do?

Cloud Campus engages worldwide

Güereque

Güereque: Enabling people to WFH is only part of what you need. You also need to guarantee the processes in place perform as well as they used to in a brick-and-mortar environment. So our cloud solution pushes subsets of those processes and enables control -- to maintain the operational procedures – at a level where our clients feel confident of how we are managing their operations.

In the past, you needed to do a lot of things if you were an agent in our company. You needed to physically go to a central office to fulfill processes, and then you’d be commuting. Today, the Cloud Campus digitalizes these processes. Now a new employee, in many different countries, can be hired, trained, and coached -- everything -- on a remote basis.

We use video technology to do virtual face-to-face interactions, which we believe is important to be successful. We still are a very human-centric company. If we don’t have this face-to-face contact, we won’t succeed. So, the Cloud Campus, which is maintained by a really small team, guarantees the needed processes so people can WFH on a permanent basis. 

Gardner: Lance, it’s impressive to think about you dealing face-to-face virtually with your clients in 83 different countries and across many cultures and different ways of doing business. How have you been able to use the same technology across such a diversity of business environments?

Brown: That’s an excellent question. As José said, the Teleperformance Cloud Campus gives us the flexibility and availability to do just that. For our employees, it just becomes a one-on-one human interaction. Our employees are getting the same coaching, counseling, and support from all aspects of the business – just as they were when they were in the brick-and-mortar office.

Planning a Post-Pandemic Workplace Strategy? 

We are leveraging, like José said, video technology and other technologies to deliver the same user experience for our associates, which is key. Once we deliver that, then that translates out to our clients, too, because once we have a good associate experience, that experience is the same for all of the clients that the associate is handling.

Gardner: Lance, when you are in a brick-and-mortar environment, a physical environment, you don’t always have the capability to gather, measure, and digitize these interactions. But when you go to a digital workspace, you get an audit trail of data.

Is that something you have been able to utilize, or how do you expect that to help you in the future?

Digital workspaces offer data insights

Brown: Another really good question. We continue to gather data, especially as the world is all digitized. And, like you said, we provide many digital solutions for our clients. Now we are taking those same solutions and leveraging them internally for our employees.

We continue to see a large amount of data that we can work with for our process improvements and our technology, analysis, and process excellence (T.A.P.) teams and the transformation our agents do for our clients every day.

Gardner: Tim, when it comes to translating the value through the workforce to the end user, are there ways we can measure that productivity benefit?

Minahan: One of the key things that came up early-on in the pandemic was a huge spike in worker productivity. Companies settled into a hybrid work model, and that phase was about unifying work and providing reliable access for employees in a remote environment to all the resources they needed.

The second part was, as José said, ensuring that all employees can safely access applications and information -- that our corporate information remains secure.

A solid digital workspace environment provides an environment where employees can perform at their best and collaborate from the most remote locations.

Now we have moved into the simplify-and-optimize phase. A lot of companies are asking, “Gee, what are the tools I need to introduce to remove the noise from my employees’ day? How do I guide them to the right information and the right decisions? How do I support more collaboration or collaborative work execution, even in a distributed environment?”

If you have a foundation of a solid digital workspace environment that delivers all the work resources, that secures all the work resources, and then leverages things like machine learning (ML), virtual assistants, and new collaborative work management tools that we are introducing -- it provides an environment where employees can perform at their best and can collaborate from the most remote locations.

Gardner: José, most businesses nowadays want to measure everything. With things like Net Promoter Scores (NPS) from your agents and employees, when it comes to looking for the metrics of whether your return on investment (ROI) or return on innovation is working, what have you found? Have you been able to verify what we have been talking about? Does this move beyond theory into practice, and can it be measured well?

Güereque: Yes, that’s very important. As I mentioned, being able to create a Cloud Campus concept, which has all the processes and metrics in place, allows us to compare apples with apples in a way that we can understand the behavior and the performance of an agent at home -- same as in brick-and-mortar. We can compare across those models and understand exactly how they are performing.

We found that a lot of our agents live in cities, which have a lot of traffic. The commuting time for them, believe it or not, was around one-and-a-half hours – as many as two hours for some of them -- just going to and from work. Now, all that commuting time is eliminated when they WFH.

At-Home Workers May Explore Their Options. 

People started to give lot of value to those things because they can spend their time smarter -- or have more family time. So from customer, client, and employee satisfaction, those employees are more motivated -- and they’re performing great. Their scores are similar – and in some cases better -- than before.

So, again, if you are able to measure everything through the digitalization of the processes, you can understand the small things you need to tweak in order to maintain better satisfaction and improve all scores across both clients and employees.

Gardner: Lance, over the past 30 years in IT, we’ve been very fortunate that we can often do more with less. Whether it’s the speed of the processor, or the size of the disk drive. I’m wondering if that’s translating into this new work environment.

Are you able to look at cost savings when it comes to the type of client devices for your users? Are your networks more efficient? Is there a similar benefit of doing more with less when we get to remote work and digital workspaces?

Cost savings accumulate via BYOD

Brown: Yes, especially for the endpoint device costs. It becomes an interesting conversation when you’re leveraging technology like Citrix. For that [thin client] endpoint, all of the compute is back in the data center or in the cloud.

Your overall total cost of ownership continues to go down because you’re not spending as much money on your endpoint, as you had in the past. The other thing is the technology allows us to take an existing PC and make it a thin client, too. That gives you a longer life of that endpoint, which, overall, reduces your cost.

It’s also much, much safer. I can’t stress enough about the security benefits, especially in this current environment. It just makes you so much safer because your target environment and exposed landscape is reduced. Your data center is housing all the proprietary information. And your endpoint is just a dumb endpoint, for lack of better word. It doesn’t have a large attack vector. So you really reduce your attack vector by leveraging Citrix and putting more IT infrastructure in your data center and in your cloud.

Güereque: There is another really important factor, which is to enable bring your own device (BYOD) to be a reality. With the pandemic, the manufacturers of equipment, the PCs and everything, their time to deliver has been longer.

What used to take them two to three weeks to deliver now takes up to 10 weeks. Sometimes the only way to be on time is to leverage the employees’ equipment and enable its use in a secure way. So, this is not just an economic perspective of avoiding the investment in the end device, but is an opportunity to enable them to work faster rather than waiting on the delivery time of new equipment.

Minahan: At Citrix, we’re seeing other clients do that, too. I was recently talking with the CIO of a financial services company. For them, as the world moved through the pandemic, they saw the demand for their digital banking services quadruple or more. They needed to hire thousands of new financial guidance agents to support that.

And, to José’s point, they couldn’t be bothered with sending each one a new laptop. So BYOD allowed them to gain a distributed digital workspace and to onboard these folks very quickly. They attained the resources they needed to service their end banking clients much faster.

Güereque: Just following on Tim’s comments, I want to give you an example. Two weeks ago we were contacted by a client who needed to have 1,200 people up and running within a week. At the beginning, we were challenged. We wanted to be able to put 1,200 new employees with equipment in place, and weirdly our team came back with a plan. I can tell you that last week they were all in production. So, without this flexibility, and these enablers like Citrix, we wouldn’t be able to do it in such a small time frame.

Gardner: Lance, as we seek work-from-home solutions, we’re using words like “life” and “work balance.” We’re talking about employee behaviors and cultures. It sounds like IT is closer to human resources (HR) than ever.

Has the move to remote work using Citrix helped bond major parts of your organization -- your IT capability and your HR capability, for example?

IT enables business innovation

Brown: Yes, now they’re seeing IT as an enabler. We are the enabler to allow those types of successes, from a work-life balance and human standpoint. We’re in constant contact with our operations team, our HR team, and our recruiting team. We are the enabler to help them deliver everything that we need to deliver to our clients.

In the old days, IT wasn't viewed as an enabler. Now we're viewed as an enabler. We come up with innovative solutions to enable the business to meet its business needs.

In the old days, IT wasn’t viewed as an enabler. Now we’re viewed as an enabler, and José and I are at the table for every conversation that’s happening in the company. We come up with innovative solutions to enable the business to meet those business needs.

Gardner: Tim, I’m going to guess that this is a nice way of looking at the glass as half full. IT enabling such business innovation is going to continue. How do you expect in the future that we’re going to continue the trend of IT as an enabler? What’s in the pipeline, if you will, that’s going to help foster that?

Minahan: With the backdrop of the continued global shortage of skills, particularly the modern skills that are needed, companies such as Teleperformance are looking at what it means for their workforce strategies. What does it mean for their customer success strategies? Employee experience is certainly becoming a top priority to recruit the best talent, but also to ensure that they can perform at their best and deliver the best services to clients.

In fact, if you look at what employees are looking for going forward, there’s the salary thing and there’s the emergence of purpose. Is this company doing something that I believe in that’s contributing to the world, the environment?

Planning a Post-Pandemic Workplace Strategy? 

But right behind that is, “What are the tools and resources? How effectively are they delivering them to me so I can perform at my best?” And so IT, to Lance’s point, is a critical pillar, a key enabler, of ensuring that every company can work on making employee experience a competitive advantage.

Gardner: José, for other companies trying to make the most of a difficult situation and transitioning to more flexible work models, what would you recommend to them now that you’ve been through this at such a large, global scale? What did you learn in the process that you think they should be mindful of?

Change, challenge, partner up

Güereque: First of all, be able to change, and to challenge yourself. We can do much more than we believe sometimes. That’s definitely something that one can be skeptical of, because of the legacy we have been working through over many years. Today, we have been challenged to reinvent ourselves.

The second one is, there is tons of public information that we can leverage to be able to find successful use cases and learn from them. And the third one is, approach one consultant or partner that has experience in putting all these things in place. Because it is, as I mentioned, not a matter of just enabling people to WFH, it’s a matter of putting all the security environment in place, and all of the tools that are required to be able to perform as a team so you can deliver the results.

Brown: I’ll add one thing to that. It was about a year ago that I was visiting with Tim and the pandemic was starting to come to fruition. The pandemic had started overseas and was rapidly moving toward the US and other parts.

I met with Tim at Citrix and I said, “I’m not sure exactly what’s going to happen. I don’t know if this is going to be 100 people that go home or 300,000 people. But I know we need a partner to work with, and I know we have to partner through this process.”

So the big thing is that Citrix was that partner for us. You have to rely on your partners to do this because you just can’t simply do it by yourself.

Gardner: Tim, it sounds like an IT organization within Teleperformance is much more of an enabler to the rest of the organization, but you, at Citrix, are the enabler to the IT department at Teleperformance.

Minahan: Dana, to borrow a phrase, “It takes an ecosystem.” You move up that chain. We certainly partner with Teleperformance to enable their vision for a more agile workforce.

But, again, I’ll repeat that they’re doing that for their clients, allowing them to dial up and dial down resources as they need, to work-shift around the globe. So it is a true kind of agile workforce value chain that we’re creating together.

Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on how businesses should rethink hiring, training, and talent optimization in the age of flexible work.

And we’ve learned how a global business process outsourcing leader, Teleperformance, has shown how distributed employees working from a Cloud Campus are improving productivity and their end users’ experience.

So a big thank you to our guests, José Güereque, Executive Vice President of Infrastructure, and Nearshore Chief Information Officer at Teleperformance. Thank you so much, José.

Güereque: Thank you, Dana.

Gardner: And a big thank you as well to Lance Brown, Executive Vice President of Global Network Telecom and Architecture at Teleperformance. Thank you, sir.

Brown: Thank you, Dana.

Gardner: And a big thank you lastly to Tim Minahan, Executive Vice President of Business Strategy and Chief Marketing Officer at Citrix. Thank you so much, Tim.

Minahan: Thanks, Dana. I appreciate the dialogue.

Gardner: And a big thank you as well to our audience for joining this special BriefingsDirect remote work innovation discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of Citrix-sponsored BriefingsDirect discussions.

Thanks again for listening, please pass this along to your business associates, and do come back next time.

Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: Citrix.

Transcript of a discussion on how a global business process outsourcing leader uses a “Cloud Campus” to improve remote worker productivity and their end users’ experience. Copyright Interarbor Solutions, LLC, 2005-2021. All rights reserved.

You may also be interested in: