Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
S1 (00:05):
Welcome to Lifting the Lid on Technology, a podcast series
brought to you by Soft Source in association with New
Zealand's leading IT vendors and experts. I'm Barry White, the
CIO principal consultant at Soft Source. In this series, we
explore opportunities and challenges in the world of IT. And
(00:26):
I'm joined today by David Small, CTO for Soft Source Flybridge. Welcome, David. Thanks, Barry.
S2 (00:32):
Hello to everyone.
S1 (00:33):
So look, in this podcast we're going to today, we're
going to talk about, I guess, one of the hottest
topics in IT security today, which is SASE or the
secure access service edge. And um, I know David, I'm
really interested in what you've got to say today because
there's a lot of confusion out there in the market
about exactly what SASE is and what zero trust is. And, um,
(00:54):
you know, even different security vendors and industry analysts are
coming up with different definitions of what these things are.
You know, for example, you know, is it a replacement
for SD-WAN and where does SDN fit into the picture? Um,
I'm happy to sort of kick things off. I'm really
keen to, I guess, to hear from you. Just give
us a bit of an overview of that, a bit
of history of SASE, because the terminology has not been
(01:16):
around all that long. Just what does it mean?
S2 (01:18):
SASE is a terminology that our friends at Gartner decided
they need a new acronym to add to the mix.
So around about 2019, it was their way of bundling
together a group of technologies that deal with that access
security at the edge. Um, so they brought together components
(01:43):
that have been around for 5 to 10 years and
put it all under one umbrella so that they could
score and give guidance back to the industry, how you
would actually look at implementing SASE across the board, because
in the past, it's been each one of the components
(02:04):
of SASE is a standalone product. So you would have
lots of vendors who would provide you the different services,
and trying to link them together got more complex, got harder.
So they looked at how they could bring those together
and mark people that could actually move across the spectrum.
(02:25):
So SASE itself, from an IT perspective, really kicked in
around that sort of pandemic timeframe. And as the cloud
came on board, sort of started the driver where our
end users are not sitting, accessing data in the corporate
(02:45):
network anymore. A lot of the applications and the data
is up in the cloud, and they may still have
some applications they access inside the corporate network. So connecting
via your VPN to your corporate office to then trombone
out to go to the internet added latency and didn't
(03:07):
give the right performance to those roaming or remote users.
So that's where the combination of tools came
together to create the SASE model. So SASE is made
up of basically four modules. At the end of the day,
there's the Secure Web gateway, which looks after that access
(03:31):
and basically a firewall in the cloud. You've got your
cloud access security broker, so your CASB type environment, which
has been around, as I say, for about ten years,
where you access and control what people are getting to
on the cloud platforms. And then you've got your
(03:52):
ZTNA, which is your zero trust network access. And then
the fourth and final component which makes up SASE is
the SD-WAN. So you have three security services and one
network service, and that becomes your SASE model. Obviously,
(04:14):
since then, it's about 2021, Gartner went, well, people aren't
doing all of SASE, so maybe they want to just
do the cloud. And from there they've now produced another
acronym they've come out with, which is SSE, which is
the combination of those first three products, the Secure Web Gateway,
(04:38):
the CASB and the ZTNA. So that's where we're sort
of sitting at today's world and what we're seeing in
the market.
S1 (04:47):
So, Sir William, in essence, what you're saying is that
the key driver for it to some degree, has been
this significant shift from that sort of traditional sort of
castle and moat approach around the data center, and that
being the sort of primary point of contact. But now
we've seen a lot more people working remotely, massive shift
towards cloud computing. And that has changed the balance and
(05:10):
in some degree, the volumes that are sort of hitting
these things. And so being able to distribute that load
and control that on a more broader term is really
one of the big goals of SASE.
S2 (05:20):
Exactly. You're bringing in that security layer, and you're taking
it out of the data center and out of the
firewall as such where it lived before, and you're moving
it to the cloud because you're protecting cloud services along
with you could still protect services on prem as well.
So it enables you to address a user that could
(05:44):
be in the office at home, or that road warrior
at a cafe.
S1 (05:52):
There's a bit of a misconception that SASE is a
kind of replacement for SD-WAN, but really, SD-WAN is a
core component of makes up that suite of capabilities, if
you like, within the framework of.
S3 (06:03):
SASE.
S1 (06:04):
Itself.
S2 (06:04):
It is key to that SASE model because obviously SD-WAN
is around how we enable us to offload traffic at
the edge or at the site, versus bringing it back
to your central office and going through that central firewall again.
It's saying, hey, at the branch office, let's send that
(06:29):
cloud based traffic straight to the internet and
not send it back to the corporate. So where I
need to go back to the corporate, then sure, go
back over the corporate network. So now you're not tied
in to having those big high speed networks with big
internet pipes. You can go out and get that lower
(06:50):
end broadband connection, which obviously New Zealand's got fairly
good coverage of and can take good advantage of to go, hey,
I'll break that traffic out at the edge, but if
you're going to break it out at the edge, then
that's when you want to be using your CASB, uh,
secure gateway to protect what those people are accessing, just
(07:14):
like if they were at home on their corporate network,
not using the VPN back into corporate, how do you
fit it in? So it is very much key to it.
But this new SSE that came out a couple of
years ago terminology is where vendors don't have that SD-WAN component.
So you'll see a lot of security vendors come out
(07:36):
and say, hey, we've got SASE, but they have no
SD-WAN component. So when you drill into it, they like
to call themselves an SSE.
S1 (07:46):
So there was another question I had for you. And
I think particularly when it, um, talk about maybe some
of the old, slightly older SD-WAN solutions and maybe we
could talk a little bit about Aruba in that context, um,
in terms of what they offer now. But yeah, are
solutions compatible with this framework or are there challenges there
for businesses that maybe have invested in some of this
technology already?
S2 (08:06):
Each vendor implements it slightly different. Yes, there are some
standards they stick to, but at the end of the day,
if I'm a firewall vendor, I'm going to build it
around my firewall capabilities versus if I'm a pure network
telco type vendor, then I'm going to build around my
(08:28):
SD-WAN capabilities. So you mentioned Aruba. Uh, if you're looking
at Aruba, they started building SD-WAN without that extra firewall,
but they'd already realized they needed a SASE provider, and
that's why they worked closely with Zscaler to be able
(08:48):
to offer that, so that you could put that layer
of security around your SD-WAN, and then the one
in the meantime, they've gone out and acquired Nick company.
And now that's part of their portfolio. So you can
still connect to the known brands out there. But
(09:08):
they've got their own offering now, which is obviously all
built in the cloud and transitions for people as
it goes through. But let's talk.
S1 (09:16):
About zero trust. My understanding is zero trust, it is
really a journey, isn't it? It's something that takes time,
and there's a series of steps that you have to
go through, and some may be right for your business
and some may not be right for your business. What
does zero trust mean to you?
S2 (09:30):
I guess my view on zero trust is simply it's
a strategy or an architecture. Again, it's one of those
things that's born out of a university environment where in
2015 they came up with this concept of zero trust,
which was really just a combination of things we already
(09:51):
knew were best practice. But obviously in that time frame
it was hard to implement. And this is where the
likes of SASE and where what gets rated as a great
SASE product is that integration is being brought in
so that all those four segments work together. Well, zero
trust is just bringing together those concepts and technologies from
(10:16):
an architecture perspective. So micro-segmentation of your network, of your workforces,
your obviously your identity verification. So turning around and everyone
has an identity that you have to verify and check through. Obviously,
you've you start building and governance around your networks, around
(10:40):
your applications, and then you have a policy manager that
sort of orchestrates over the top. At the end of
the day, all it's doing is providing you that structure
around your security posture. And it's a strategy. So,
as a strategy, an organization could actually implement zero trust
(11:03):
without SASE. But SASE can't be implemented without zero trust.
S1 (11:09):
So when we talk about zero trust as a strategy
for those businesses who perhaps a little bit more at
the beginning of this journey, where should they start?
S2 (11:18):
Look, if you're going through that digital transformation to say, hey,
how do I get to there? An environment where we
trust nothing, which is basically the concept of zero trust.
Unless you're starting at the network layer and you're thinking
about redesigning your network. But the easiest place we find
(11:41):
with our customers is to start at their identity. And
if you can get an identity that is across all
your systems, that is that single sign on type environment,
you start moving down the track to, hey, I trust
the user. And then you move to do I trust
(12:02):
the devices and then the servers and applications. The network
is a layer that you can spend a lot of
time and effort doing, but you won't see a lot
of return on investment, because when you start looking at it,
you say, well, my users are out in the field,
they're roaming. So doing micro-segmentation on my network doesn't actually
(12:27):
benefit me. But if I'm a factory or a retail shop,
then it's going to benefit me. So it's where you
are in your journey and what your business goals are
as you step through that, how you implement it. But
there's no right or wrong way. You start where it
(12:48):
makes sense for you.
S1 (12:50):
But that's probably a good lead in to talk about
privileged access management. And I guess some of the the
drive towards really putting in place those controls. What are
some of the steps you think that IT managers should
be thinking about when they're looking at privileged access management?
S2 (13:05):
So privileged access management is really about assigning permissions when
and where they are needed. From our IT manager's perspective
or CIO's perspective, you're looking to probably lock up the
crown jewels being those administrative accounts that have high privileges.
(13:29):
In that way, you're making those users stop and think.
But if you've been in the industry a while, you
will remember the days where we used to have
two accounts. You would have your admin account and you'd
have your user account. All it's doing is replacing that
methodology with one account. But somewhere in there, you've got
(13:50):
to elevate your privileges to go through to the next level.
So to start looking at implementing it is looking at
those high level permissions that you want to control and
track who goes in to what. And at the same time,
by implementing it, you are starting to build a security
(14:10):
framework that if that person has been compromised, they may
not have the credentials or the power to do more
damage in your environment because they have an elevated and
you've got to normally from an elevation, you've got to
have a second form of approval to get through.
(14:32):
So we're seeing people like Microsoft push that further and further. Obviously,
they've just changed it for us as a managed service
provider with CSP that we now use global access permissions
that we get granted via the customer. So none of
(14:54):
our engineers get to log in as a global admin.
As such, they have to log in with their accounts
and then elevate. But there's plenty of organizations or software
developers coming out with that sort of concept. But it
is driven by your identity management system. So whatever
you have there will drive the privilege identity management
(15:18):
service itself.
S1 (15:20):
What's been your experience of the reaction to that?
Do you see a lot of sort of pushback or
how's it been adopted so far, do you think?
S2 (15:27):
I see the adoption is easy with a customer interface,
with the end users understanding that, hey, I don't need
that privilege. I'll elevate when I need to. It's the
software developer, and in our case, it's the technicians who
believe they know everything and they should have that permission
(15:49):
all the time. And obviously, it does put an extra
layer of time and effort into something, because you go
to do something, you've got to elevate to be able
to do it, then do the task. So if you
get interrupted, it may time out. But we had that five,
ten years ago when you had a different login and
(16:11):
you had to log out as your user account and
log in as your admin account to be able to
do stuff. It's just a habit forming thing that yes,
developers love to be God on their systems, but that's
not secure anymore. So it's how we build a secure environment.
But I'm finding with more and more of the sort.
S4 (16:33):
Of.
S2 (16:34):
Younger development group, they get it because they've been taught
to develop with security in mind, whereas it's more of
the old hats of the room that think they need
global access or full permissions.
S1 (16:48):
So let's talk a little bit about the
vendor landscape. If you sort of circle back to SASE,
you know, this is something that's quite sort of vendor centric.
And you need.
S3 (16:58):
To always.
S1 (16:58):
Be looking at one vendor solution or how does how
does what does that landscape look like? From when you
start to talk about implementing a strategy around zero
trust in SASE.
S2 (17:08):
So when you're looking at that SASE model, you may
not be ready to do, say, the SD-WAN component, but
you are looking to get that CASB, this secure web
gateway in place so that you can control people coming
in and giving them the right experience, no matter which
(17:29):
location they're coming from. So when you're choosing a vendor,
it's looking at who actually will give me my full stack.
At the end of the day, I may not be
ready for SD-WAN today, but let's choose the vendor. And
it's very easy to go to market and go find
(17:50):
a vendor today who says they're SASE, but at the
end of the day, they're not because they don't have, say,
the SD-WAN component. And it's very easy to go find
a network vendor who goes, we've got SASE, but they
don't have the other secure gateways or the CASBs. They're
(18:12):
tapping into someone else like Aruba did originally, when they
didn't have that, they built a mechanism to use
Zscaler as their service. Now they've got something in
their access product that now allows them to offer that
as one complete solution. But we're seeing it more.
S4 (18:34):
With.
S2 (18:35):
Vendors that they're coming out with that or they're creating
the partnership. But if you go and buy the point
solutions in those spaces, you will struggle to get them
to all communicate. And that's where the Zero trust architecture
kicks in, because you're trying to create that one identity
for not only the user, but the device.
S4 (18:59):
And.
S2 (18:59):
Then the services they're accessing. Because if you've got those,
then you can create those policies that sit over zero
trust that says, okay, Barry's logging in from home. We
trust that device. It's a corporate device. It's passed its
(19:20):
compliance tests. He's accessing this data. We're happy for him
to access it. But tomorrow Barry's logging in from China
or Russia or somewhere else that's deemed not acceptable to
the business. And he's not coming from a corporate device.
(19:41):
So maybe we won't let Barry into the network. Or
if we do, we won't let Barry touch that service
because that's the HR or the finance system. But we'll
let him touch his email or something like that as
an example.
S1 (19:56):
It sounds like you're planning my next holiday. Thanks for that. That's, uh,
we appreciate it.
S2 (20:00):
I thought they were places you might want to go.
S1 (20:02):
What are some of the challenges? You know, I'm putting
myself in the shoes of an IT manager. What are
some of the challenges from a legacy point of view?
And I've got an existing investments.
S3 (20:11):
And.
S1 (20:12):
Network and firewalls and these sorts of things. Where does
network as a service fit into that? As
an opportunity to help address some of those challenges?
S2 (20:21):
Yeah. Look, the challenges come in that a which part
do you tackle first. And I suppose that is looking
at your environment and saying where's my greatest risk versus
where's my greatest reward? Because obviously as an IT manager,
(20:43):
you're driving the how do I deliver the technology out
to the business so they can do what they need
to do, be it make widgets, sell widgets, whatever they're
there to do. So you can't get tied up chasing, uh,
holy grail of an architecture, but it's how you
(21:05):
bolt those in and get driven by those mechanisms. So
sometimes it's, hey, if I've got people roaming or using
more in the cloud. So we've just gone to maybe
Microsoft 365, and I've now started to use Azure Active
Directory or Azure Entra ID these days. And it's new naming.
(21:29):
It's how do I use that product to then start
doing my zero trust? And I might then turn around
and say, okay, now that I've got that, I've got
some sites that need upgrading and I've got some
budget for those networks. It's building out that stack. As
I said earlier.
S4 (21:48):
Around.
S2 (21:49):
That SASE model, finding something that will actually plug into
all of it. And when you talk about network as
a service, obviously we have an offering in that space
where we've partnered with HPE Aruba to actually deliver that,
be it wireless, wired or that WAN connectivity. And now obviously,
(22:12):
we now have the new access SSE product that
plugs into that. So we can give you the SD-WAN,
give you all your circuits and it comes down to
a utility service. So depending on how your business structure
is you might find an OpEx model fits you. And
(22:32):
that's where network as a service fits in nicely with
customers if they're not a capital asset rich environment, they
want to drive on OpEx so that they can scale
up and scale down as they need to. Whereas sometimes
with those capital rich, um, organizations, they're happy to spend
(22:55):
the capital up front, but it's still the same technologies,
still the same concepts. It's just a different way of
delivering it. So that's the reason for NaaS and
how it would fit into that approach of saying, okay,
I want a zero touch architecture. And in doing that,
I'm going to use a SAS model to achieve it,
(23:19):
or a vendor that sort of fits across that SASE.
But there are so many. And that's the bit I suppose.
S4 (23:25):
To.
S2 (23:26):
Reiterate, there are very a lot of vendors that will
say they're SASE and they'll miss one of those four components,
and that's where you've got to drill in and understand
what they are.
S1 (23:40):
What kind of. For anybody listening to this podcast and,
you know, it's kind of a next step. What what
is the next step for them in terms of engagement
or they want to know more information.
S2 (23:50):
Obviously we're here to help. Soft Source Flybridge is
happy to walk people through the discussion points,
but it's understanding what you want to achieve out of it.
So are you being driven by that model where, you know,
you've got some infrastructure upgrades coming and someone's pushing the
(24:10):
SD-Wan topic with you? Whichever vendor you're dealing with at
the time, it's looking at that and saying, what's my
bigger picture? Do you have a play in the SASE market?
If so, what is it? So I may not be
ready for it, but I can make sure I've got
the foundations because we know when we put in a
(24:33):
WAN type environment, that's not something you're going to change
in the next few years. It's in there
for a minimum three year sort of cycle to
expense the cost. It's more around how do I plug
in my other components. But we're seeing more and more
customers who go, I'll go down the SSE track first,
(24:58):
so I'll go sign up to a product that gives
me the.
S4 (25:02):
Secure.
S2 (25:03):
Web gateway, the CASB, the ZTNA capabilities. And I'll
do that first because that is software driven. Does it
require any physical assets? And if you've in some times
that actually solves some of your other problems because you
may have problems with your VPN today, it's not fast.
S4 (25:26):
Enough.
S2 (25:27):
When everyone connects in or if, um, you're looking at
firewall upgrades, you're thinking, oh, how big do I
need to make this? Because I've got all these VPN services,
but all the people are doing is tromboning through the
firewall to go back out to the internet, or you're
letting them go to the internet direct and just coming
(25:47):
back via the VPN for those business apps. So if you.
S4 (25:50):
Look at.
S2 (25:51):
The SSE world, you can actually address that and still
give them access back into the corporate world to those
applications they need to. But now you've taken the control
and the reliance on that VPN service away, and you're
using the speed and performance of the location that the
(26:12):
person's at, because using your securities in the cloud, which
matches up to where most people are taking their business applications.
So I don't come across many customers these days that
aren't using either Google or Microsoft for their productivity suites.
(26:33):
The same point, there's more and more of the CRMs
and ERP type solutions that are in the cloud that
people are using as their back office applications. So if
you've got those there, how do you secure them? So
that's where we sort of sit down and we see
more clients wanting to look in that SSE space. So
(26:53):
that's what I would personally focus on first, unless I
had a driving need to upgrade my WAN, and
at that point I'd let the SD-WAN drive
my decisions to what I get. But I would
be keeping in mind, I want all four. Being greedy
as an IT manager, I want all four. I want
(27:14):
the ultimate, because I don't want four separate admins to
administrate those key areas. I want probably one admin. I'm
lucky to get half an admin to do that in
today's environment.
S1 (27:26):
As you say, we're here to help and are happy
to talk to people, um, if they've got more questions.
And I know we've got some more public events coming
up as well, which would be great to have you
along to talk at those as well. Look, um, thanks
for your time, David. Appreciate it, as always.
S2 (27:41):
You're welcome. Barry. You know me. I'm always happy to
talk about technology. Have a great day. Thanks.