Hello, everybody. Welcome to DataEndure’s September TECH Talk. We’re delighted to have you all here. I am Kirstin Burke, and I am joined as always by Shahin Pirooz, DataEndure’s Chief Technology Officer and Chief Information Security Officer. Welcome Shahin.
Thank you. Great to be here again.
Great to see you.
In front of my brick wall.
Yeah. Welcome. We are delighted to have you all here this month and actually we had a lot of feedback from our last TECH Talk, which was all around zero trust. And we’ve heard a lot of different comments from folks that watched, venting their frustrations a little bit about zero trust. And either feeling that it just doesn’t work, it’s not going to work for them or thinking, you know what, there’s just no way we’re going to be able to deploy this everywhere. And in having these conversations, it seems that folks are applying or employing a traditional perspective to a new challenge that perhaps needs a very different perspective and approach to actually make it work.
So with that, we’re going to spend a little bit more time on zero trust. We’re also going to talk about what that different perspective is. And we’re going to go a little bit off the rails here. Typically, we try to be very informational about the market and about issues, but just because of the nature of this conversation, we are going to go a little bit more into DataEndure’s services and what we do, because that different perspective really applies to what we’re doing. And I think it’s important. So Shahin, let’s talk about why people are so frustrated and what’s happening here.
I’ll start by saying we have been busy – I was about to say busy little beavers, but busy little anti-beavers. We’ve been breaking down the dams for security and IP for our customers for some time. And the newest set of services that we’re bringing to market is our SASE portfolio of services. And the reason that’s so important right now is there are a lot of acronyms spinning around. We talked a lot about all the EDR, MDR, XDR stuff in a previous TECH Talk.
Similarly, SASE has gotten some of that. Similarly, VPN has gotten some of that, and there’s a lot of confusion about what is zero trust? What is SASE? What does it really mean? I’m obviously only going to be able to give you my perspective on this, and I’ll give you some industry perspective on it as well. But zero trust is really guided by the principle that you are explicitly trusting an individual, or a system, versus implicitly trusting them. So ZTN is network; it’s about that ability to say that just because somebody shows up on my network doesn’t mean that I implicitly trust them. I have to explicitly say this device has access to the following services and resources and applications and so on and so forth.
ZTNA is similar, but it’s from an identity, user perspective. So just because a user has access to my network – think in the context of VPN – just because they VPN in, doesn’t mean they should get access to every application in my network. It doesn’t mean I implicitly trust them to roam around my network. And let’s say their machine has been compromised and laterally caused damage across all of my systems.
So ZTNA is about restricting access for an identity to services, resources, and applications that that identity should have access to and nothing more. So it’s moving from our traditional implicit network trust to explicit lack of trust or zero trust. That’s the concept of zero trust. That’s the definition that’s been floating for a long time. People have had a hard time grappling with that and how that actually implements in reality. And then we all got sent home a couple of years ago in March, and that created a massive impact on how people got access to resources inside their network and the immediate easy default answer was we need more VPN licenses.
And so we explicitly trusted the user and we explicitly trusted the machine they were on to be on our network and roam around on our network when nobody was actually in the building. So what happened? Our edge went away, and that’s where SASE comes in. So secure access is the first part of that. So when you talk about ZTNA or zero trust networking, that’s all about access. So secure the access so that they can’t get to the things they shouldn’t get to. So again, shift from the implicit trust to explicit don’t trust.
And the second part of the SASE acronym is service edge. So what that means is that the services have moved to the edge. Meaning there is no – we don’t have a defined edge anymore. The network doesn’t have an edge; it is everywhere. So the users can be at home. They can be at Starbucks. They can be anywhere and they still should get access to the services to do their job. So those two things, taking the services and exposing them to everyone, and creating secure access to those services, is what SASE’s all about. And we’ve launched a set of services to address that, and it’s products that we embed in our managed services to help a customer implement a SASE methodology in their network and secure their environment.
So all that said, the reason I’m giving you that background is we’ve been spending a lot of time over the last quarter, two quarters talking to customers about our SASE offering. And since our last TECH Talk last month, which was really talking about micro segmentation and ZTN and ZTNA, the feedback that we’ve been getting pretty consistently is it’s a really cool concept, but it’s impossible to implement. It’s too hard. If you have ten machines, no problem, it’s easy. But if you have 1000 machines or 10,000 machines or more, there is no way you’re going to get micro segmentation across your network.
There’s no way you’re going to get this whole ZTNA concept working properly. I already manage identities and that’s all I need to do. And there’s a lot of truth to that statement, but that statement is founded in – to your point, Kirstin, it’s founded in that notion of traditional segmentation and what segmentation meant. Let me now bring segmentation and this whole ZTN dialogue together.
To us, zero trust networking is microsegmentation. It’s as simple as that. The only way you can truly be able to say, I explicitly trust this device or this individual to get access to this resource, is by taking the segmentation down to that resource. So by nature, that means that you have to microsegment rather than do traditional network segmentation. There are three core types of segmentation. There’s network segmentation, which is leveraging your firewalls, switches, VLANs, all that, the traditional way we’ve always done it, and you create segments.
Now you could technically create a VLAN for every port on your switch and manage that. And there’s some dynamic ways of doing that, but it becomes a nightmare to manage. There is no really good interface for deploying policies consistently across similar types of systems, so it becomes really challenging to manage a network-based segmentation approach. The second type is hypervisor-based segmentation. Again, really cool because every VM now has virtual switches. Those virtual switches can do VLANning and you can even set policies that say machines that joined this particular folder are part of this segment and they can talk to each other. So it makes it a lot easier than traditional tracing wires and figuring out what ports are plugged into.
So that’s great. But it doesn’t extend to your physical infrastructure. So there is no segmentation for your ESX servers, there’s segmentation only for the systems that are running on top of it. And there is no segmentation for your workstations unless they’re VDI. It ends up creating a lot of challenges where now you have to live in the hybrid world of network and hypervisor-based segmentation.
The final way to do segmentation is host-based segmentation. And this is probably one of the biggest objections I get in the field today until we have this dialogue. And the objection is I don’t want to install yet another agent on my system, and I don’t understand why the network can’t do it. The network can’t do it because it hasn’t been able to do it for 30 years. And it hasn’t changed. It’s hard. It’s really hard to do it network-based. All the big companies out there, the Ciscos, the Junipers, everybody is implementing network-based segmentation solutions. VMware, Microsoft, KVM, all the big players out there are implementing hypervisor-based segmentation.
The issue is all those things do not tie to an individual host. They’re not actually microsegmentation, they’re just segmentation. And to make them micro makes it very difficult. So what host-based does is it gives you two perspectives on how to set this up. Number one, it’s giving you the perspective of that device, that server. You know every packet that is going in and out of that, every connection that is going to and from that system, what applications are running on that system, only if you have an agent running on that system.
Or you’re sniffing every single port on your network. And it becomes really challenging to capture all that flow data, process that flow data, versus being able to tie that flow data to a single host and know this is the server and it’s talking to – based on like ARP tables on that server to this other box, and here’s how much data it’s sending to that box. And it’s not receiving anything back, it’s just one direction. So that host-based segmentation gives you the granularity to get down to a host.
Why is that important? And why can’t you just set up a VLAN and put three hosts together? You can. That’s how we’ve done it for decades and it works. But I can tell you from personal experience, in the previous company where we had hosted Exchange, and hosted SharePoint, and hosted Infrastructure as a Service and all that, all the services as a service that you would think of in an MSP and cloud service provider, we built all those. And with the levels of segmentation I had to do, our configuration on our firewalls was about 200 pages.
And it took so much change control to make sure we didn’t make one mistake when we were managing that infrastructure. And we had scripts upon scripts that inserted and removed configurations into those profiles so that humans couldn’t make mistakes. It’s not impossible, but it’s not really scalable. So that’s where we come back to the immediate reaction: I don’t like agents and why can’t we just do it the way we do it. And then the follow-on to that is I’ve tried it and it doesn’t work. And everybody has tried to do segmentation and it’s difficult.
Well, and it seems like for these organizations you can’t ignore the scenario you’re in. You’ve got to do something. And on one end you’re creating even more complexities in an environment where complexities are compounding. So is that really the way you want to go? In another model, you could be creating a situation where you have gaps that you have to plan for, watch for, inspect. And it sounds like host-based, if you’ve got your act together going in, it seems like you have a way of addressing both. You simplify it.
And that means not only simplifying it on the configuration, but on the management and maintenance. You’ve got a lot easier way to inspect and manage. So if you think about that, how does someone get it right setting it up? It seems like mapping and awareness of everything going in is going to be critical to the success of something like this.
So that then is the next – once you decide, once you’ve gotten past that hurdle – I recently, a couple of weeks ago, had a conversation with a very large prospect, a company that has about – probably 50,000, 100,000 endpoints in their network, and they’re across many countries. And as soon as I started talking about micro segmentation, before I even got anything out of my mouth other than micro segmentation, the response was, if you’re talking about host-based, don’t bother. And I said, will you indulge me? And we had this dialogue and by the end of it, he said, okay, I get it. And I’m open to evaluating this and let’s see where it ends up.
And the reason for that is that host-based is not easy either because just deploying an agent on a server and being able to push policies to the server is a positive thing. It’s an easy thing, but we’re not far from that with network-based and hypervisor-based virtualization or segmentation. The difficult part in any segmentation project or implementation is you have to have a solid understanding of the dependencies between your systems and the application. And I know that in my career, that’s been one of the toughest things to do in the CIO role, to understand all of the apps and all of the reports and all of the protocols that they use to talk to each other and what the dependencies are on if I take this server and shut it down, is it going to impact the other one over there or not?
And those mappings are the bane of any CIO out there. That is the problem. So most segmentation solutions out there do – and this is where you got to put the censor thing over my mouth – a piss poor job of doing the mapping. And the issue is you have to dynamically be able to understand and capture how everything’s talking together. So the flow data becomes really important, but without being able to visualize that flow data, you still have to go through spreadsheets upon spreadsheets, and do manual mapping and understand who talks to who and how much and where and what ports and all that.
So if you don’t have a solution that is going to start with application discovery mapping, and discovery in general, so that it can find all your nodes out there, identify all those flows and communications that I talked about, and then take a dynamic attempt at creating application groups, then you’ve already started in a potato sack race with both your legs tied together and the potato sack tied to the ground. And so you’re not going anywhere. Fundamentally, you’re stuck, because without that step, this project will not succeed. And when people say I’ve done this before and it doesn’t work, it’s because that step was missing.
So yes, I believe host-based segmentation is the right way because of the granularity you can get. But it doesn’t matter if you use host-based if you don’t understand that application discovery mapping and dependency mapping. So that’s the first step to any solution. Our approach to this in order to address this problem has been that we start with an application discovery mapping which maps 80% of the applications out there. And then just requires a small amount of fine tuning.
We have a 90-day cycle to implement micro segmentation versus typical projects that last a year to two to three years to get it right. And that 90 days is 30 days of that application mapping and fine tuning. So the system found these applications that communicate to each other, and they group those together. But what’s this one server over here that is also communicating to that group? Should that be in this group? Should that be in the segment or should that traffic not happen? And there’s a lot of surprises that happen when you start to do that application mapping.
I would imagine. I would imagine. So it sounds like from a getting started perspective, clearly, and I’ll really simplify it, having your ducks in a row is critical. And for any IT project, but certainly with anything that requires this level of granularity to be successful. And as we know, when folks enter into an initiative like this in their mind, I think they’ve already worked themselves up because they know it’s complicated and they’re wondering, how am I going to get through this? How many resources do I have to dedicate to it?
And I think the fact that someone like us can come in and say, hey, we can employ something on your behalf for a 30-day period that can get you 80% of the way there. That’s going to be a tremendous relief. Because you don’t enter into a project saying, well I want to start this October 1, 2021, and I’m expecting by 2022 it’s going to be ready. Because think of how much change happens there. So even when you get to end-of-job, so much change has probably happened that you’re not going to get it right anyway. So I think the fact that this can help accelerate them to the end of the job is fantastic. And we’re really operating in that real time versus operating on mapping data that may have been valid six months ago.
Yes. And that first discovery mapping piece is one of three phases that have to happen to implement a project right. The second phase is you have to be able to, let’s call it test the policies that you want to implement. So implement the policies, implement them quickly and see what they’re going to do without actually blocking traffic and stopping your business. And that is very hard to do on network-based segmentation and hypervisor-based segmentation. Because you’ll either put a device into a VLAN or not. And then you allow what ports can get through on that VLAN or not.
So you’re either on or off, it’s an on/off switch. Whereas with this type of segmentation, once you understand the traffic and the flows and the applications, now you can say, I would like to implement this policy, let’s see what the impact of this policy is. And get a visualization of okay, here’s all the green traffic lines that are going through, and here’s all the red ones that we would have blocked if we turned this on. That red one right there is pretty darn important, we better make sure we don’t do that because if we do that, the application won’t do credit card processing, as an example.
So those types of things are where these projects give us black eyes as practitioners if you’re not doing these steps. The final step is enforcement. So now that you’ve understood your network and your connectivity between your systems, and you have tested your assumptions about how you want to segment and how you want to group systems and applications, now implement enforcement. And enforcement means turn on those policies to block traffic that shouldn’t get to a device.
Most segmentation solutions stop there. But what if you can now alert on devices that are trying to connect to an application segment that they’re not supposed to and send that traffic to a honeypot and find out what they’re trying to do? That’s the extra layer of services that we bring to the table. It’s not just about –
Functionality.
Yeah. But why are you doing this to begin with? You’re doing this to begin with for the S in that secure access layer, it’s you want to be secure. You can create walls to be secure, but people can get overwhelmed. They can climb under them. They can climb over them. They can break through them. And so, when they attempt to, you need to know it, you want to know it. And if that wall is really far away from your office where you’re sitting and listening for breaks in the wall, you’re not going to hear it. It’s the tree in the forest syndrome.
When we have these dialogues, by the time we get to the end of it, we get a lot of nodding from our prospects: okay, I was not open to this, but I understand why this is important. And with a micro segmentation solution that is host-based, you can create a segment of a single host, and here’s why that’s important. Or you can create a segment of an enclave of 30 servers that communicate with each other. Whatever that segment size is, you’ve reduced your attack surface down to that segment.
If somebody compromises that segment or a host in that segment, because of whatever reason, whether it’s a phishing attempt or whatever, they’re not going to spread to your thousands or ten thousands of systems in your network. They’ve only got those 30 systems to laterally move to. And that’s it. There’s nothing else. And the beauty of segmentation is that by reducing that attack surface, you reduce the impact of a ransomware attack. You reduce the recovery time to your business; rather than having to recover every server in your environment, you’ve only got six or 30, depending on whatever size your segment is.
The other thing that network-based or hypervisor-based segmentation can’t do is allow for the service edge concept. So the service edge concept is that now the edge is moving, and if the edge is moving, it means our data centers are also moving. So we see the result of these moving parts and pieces is people are doing migration. They’re moving things into the cloud, to other data centers, to co-location facilities. And if you implement a segmentation solution inside of your data center, and then move, guess what? You have to do it all over again in a new facility.
You can’t just pick it up and carry it with you because those network switches, firewalls, routers, hypervisors that you built it on don’t exist in the cloud. So you’re starting from scratch again. With a good host-based segmentation solution – not all host-based solutions – that policy will stick with the server when you migrate it anywhere. So you can have a segment that has a host in Amazon, a host on premise, a host in Azure, and a host in GCP, and that segment will continue to function. This isn’t providing you north-south traffic, so you still need WAN, an SD-WAN, and internet connectivity, but it is protecting the east-west traffic between your systems. And that’s really the key value of zero trust networking.
For sure. Given what we’ve learned over these last 18 months, the ability to be agile, and to be able to move quickly and effectively and securely is huge. And finding solutions that can accommodate that best has gone way up on the priority list. Yeah.
I agree.
Well, Shahin, as always, it’s so interesting for me to talk to you because I am not a technology practitioner at all, yet after I finish listening to you, I feel like I’m that much smarter. So thank you. And for those of you who are listening, I would imagine that resilience in your organization is a priority for you as it is for us. And that’s really what DataEndure is all about. Shahin talked about data protection. He talked about security. Our business is all about helping you, however it is that you need, be able to be resilient in this environment where things are changing so fast.
And what we have learned, if nothing else, it’s all about time. And whether it’s time to get your mapping completed, whether it’s time to implement. Whether it is reducing the time to find whoever’s in your system and get them out. Time is huge. And we’re all about helping organizations recapture that time. And so you hear about our solutions and that is one priority that we always have as we develop. And it’s a question we ask ourselves, how is this helping people do things, get to value faster. So Shahin, thank you. And for anyone who’s listening, we encourage you to have this conversation with us.
Whatever it is you’re doing today and however it is that you’re thinking about solving for it, let’s talk. And we may, at the end of the conversation, wind up saying, hey, you got this. Or we may wind up at the end of the conversation saying, hey, let’s think about this a little bit differently and let us help. Shahin, other than having a conversation with us – and I know that the mapping certainly is where we would go next – is there any other first step that you might recommend to folks before we sign off?
Now, the dialogue is the very best first step. And for something like this, our customers typically like to do a proof of concept, which we support and get going. And the one thing that I would say is different, we’ve talked about micro segmentation and ZTN, and there’s a lot of products out there in this space. And I always say buyer beware on technologies, because I love my marketing peer sitting across from me here, but marketing tends to glom on to whatever is the coolest, hottest acronym out there.
And we try to peel things back and figure out is this really what Gartner, Forrester, the inventor of the technology really intended? And as I mentioned, we’ve talked about that with other new evolving acronyms in the space, and ZTN is no different. So just because somebody calls themselves ZTN or ZTNA, buyer beware. Talk to us. If nothing else, get our perspective and do with it what you like. But hopefully we can figure out a way to make something work for you.
Our managed services solutions not only help you get these things done fast, but help you maintain them on an ongoing basis so that your team can focus on what’s important to your business and what differentiates you.
Fantastic. Well, thank you. And thanks to all of you and we will see you next month.