Podcast - Episode 16 - Security Service Edge - Tarun Desikan

Show video

hello and welcome to get it started get it done  the Banyan security podcast covering the security   industry and Beyond in this episode our host  in banyan's Chief security officer Den Jones   speaks with Banyan co-founder tarun desiccan to  discuss security service edge or SSE Technologies   and why Banyan is rolling them out now we hope  you enjoy Dan's discussion with tarun desiccan   okay everybody welcome to another episode of get  it started get it done I think we're the episode   number who gives a [ __ ] actually I don't  know or somewhere down the line we've done   about a year worth of these and and today  I've got an amazing guest who is actually   our very first guest on the show because  he is one of our companies co-founder so   tarun why don't you introduce yourself just  for those who have no idea who you might be   awesome thanks Dan thanks for having me I  remember when we first did this podcast I   said then it's going to be you me my mother your  mother and it is just amazing to see how far the   podcast has come in the last year or so but  hi everyone my name is tarun desikin I'm one   of the co-founders of Banyan security we're a  zero trust security provider for organizations   looking to better secure their Workforce  from Modern threats based on the internet   awesome and and yeah we I I still don't think  my mom's listened to this [ __ ] to be honest   I made my mom listen to it once and um yeah she  said you know you have a face meant for radio   yeah my my mom my yeah no my mom said I have  a face for video podcast but she didn't know   what a video podcast was and I gave her the twenty  dollars to say that um so when you were here last   time we were talking about Banyan the journey we  were on and a lot of zero trust so so why don't   you start by saying you know roll roll back the  couple of years ago hey we were doing the zero   trust network access so why don't you kind of  share just like what was that Journey all about   um as as we then we'll we'll then trans translate  transfer all right then we'll move on to the the   the up and coming Journey so let's talk about the  history what was the journey we were on for the   last few years well you know zero trust itself  is such a funny word right zero trust like what   does it even mean but it has also has been such  a catchy phrase so people have taken zero trust   and applied it to everything it's in its original  Roots zero trust was a concept coined by a forest   analyst John kindebug to speak about Network  segmentation hey do not trust everybody on your   network what's kind of the origins of zero trust  but over the years people have taken that term   zero trust and applied it to zero trust network  access applied it to I most saw zero trust data   backup I saw that recently and so it people that  bastardize that term essentially it means anything   to anyone so even when we started Banyan we  never called ourselves a zero trust company   we were always a secure remote access company  that's how we got started and of course as Gartner   and other analysts popularized the term zero  trust we of course jumped on the bandwagon and   we said hey our secure access technology solves  your zero trust problem and this is one of these   things you know I don't know if there are other  words you can think of then that have just kind of   cross the chasm as it were you can say zero  trust to pretty much any I.T professional and   they will not their head they're like yes I  know of zero trust I have heard of zero trust   um they actually mean the same zero trust you  and I talk about do they understand the nuances   of zero trust I'm not entirely sure but zero trust  has kind of become like AI artificial intelligence   like everybody knows what it is everybody wants it  but not everyone can clearly articulate what it is   and how it's going to help their business yet so  so anyway that's the provenance of zero trust and   From banyan's perspective I think we've always  been a secure access company it's always been   about providing secure access to your Workforce  to the resources they need to do their job so I was just going to say like zero trust is  more of a marketing buzzword these days and I I   kind of think is like you say applied everything  to everybody everyone's got a different opinion   of what it actually means to them or in different  vendors want to be zero trust and I kind of think   of it more like digital transformation  but everyone said I'm doing some digital   transformation like [ __ ] are you really what  do you mean you're migrating from exchange to   office 365. that's just a migration project you  can call it digital transformational you want   um and I think zt's got like that and I do think a  lot of vendors and maybe I think we fell for like   the Savannah was I want to label ourselves because  we want to be the magic quadrant or we want to be   we we know we know if you look at the definition  we fall under the definition for certain pieces   of the puzzle and I think we've been very crisp  with our our audiences over the the years which is   you you could look at a zero trust architecture  and you could say hey Banyan will solve this and   this of a zero trust architecture we may solve  the remote access piece of that puzzle we might   solve the device posturing piece of the puzzle  but we don't solve DLP data tagging or or network   segmentation we don't solve lateral movement  within a network if you'd already always already   in the network but we might solve lateral movement  if we don't provide Network layer access because   we're providing the application Level access so  it's all I I kind of look at it like it's all   the nuances um now what's really interesting is  we're about to read not I don't know if retagging   how would you describe what we're about to launch  where it's almost like we're we're about to glom   on to another fancy buzzword SSE so so Turin why  don't you explain for everybody like what is what   is this this tweaking of our messaging that you  think we're doing why are we doing it and why now   yep so I mean there's a lot of a lot to unpack  in there but SSE is a concept articulated Again   by the analyst this time Gartner to stand for  security service edge the idea that a lot of   security capabilities that were historically found  in an office Network typically on a firewall close   to your Wi-Fi access point is where these security  capabilities used to lie you no longer keep them   in your office instead you deliver them from  an edge which is essentially a cloud point of   presence close to the user so that's what SSE  stands for it's a set of security capabilities   that are delivered in the cloud and so From  balian's perspective from day one we've been   a cloud-based company we've always done secure  access and um the reason for us the good time is   Gartner has something called a magic quadrant  where it starts tracking vendors in a space   and the cool thing for a young company like us is  that this space did not even exist six or seven   years ago when we started the company now I would  be lying if I said yeah then I had the foresight I   knew this Market called emergence seven years and  therefore we started Banning no that's just not   true so I think people have entered the SSC Market  from two different angles there is one class of   vendor that has sold firewalls for the longest  period of time they took those five walls they   delivered them to the club and I'm going to name  names like Palo Alto zscaler Cisco you know these   guys have sold hardware for the longest time they  took their Hardware models they delivered them in   the cloud they're going to call themselves SSE and  show up in Gartner that's fine there's another set   of companies that have been taken a cloud native  approach which is we have thought from day one   what does it look like if your applications don't  run on premise what should the user experience   be if the user doesn't always come to the office  we call ourselves a cloud native approach to SSE   so we have taken a cloud native approach in our  case focusing on the end point focusing on the   user focusing on context but still delivering  the same security capabilities so you're going   to see both types of vendors but we are solving  the same set of problems for an organization   which is how to better secure your Workforce  how to provide the security capabilities that   was traditionally provided in the office for  a hybrid world yeah and I think you know so   from a threat landscape perspective um what  is it you think we're solving for with SSE   so when Banyan got started the primary threat  landscape we were solving was the one that   was used to attack say the Veterans Affairs or  solarwinds which is credential compromise somebody   compromises your user gets into the network and  then starts spreading in the network so that   was the primary Threat Vector we were protecting  against and The Way We Were protecting against it   was by posturing your device requiring device  posture for all accesses and then when you do   that it's very hard for a bad guy to kind of just  fish you as a user and get access to your network   and then of course you extend that with least  privileged principles and give users and devices   accesses access just to the applications they need  so that was the core of Banyan when we got started   and in this release what we're focusing on is  extending that core capability we're now also   blocking malicious websites so we're also now  blocking malware from that could be downloaded   onto onto your device so we have expanded our  protection layer to also look at internet threats   and and I think the one thing you asked is  hey why now why are we doing it now and it   is just you know as a young company entering  a space that is dominated by big players one   of the key things for me as a product guy is  we need to be really good at everything we do   and so we didn't want to take on internet threats  until we had really nailed the user device context   and least privileged access problem and I honestly  think right now we have nailed that we have nailed   that how do you really posture a device how do you  handle the different types of clients clientless   access contractor access developer access service  account access manage device access you know we   have nailed all of those um and so once you have  gone deep and solved one set of problems I think   you earned the right to solve the next and that's  why it's SSC is ready now for us to go after yeah   and it's funny because I kind of look at it  like the the new perimeter of of your security   is really the the device right I mean the the  endpoint device the user that context together   um you're not all in your network and I don't  care which business you're in these days you know   you have a percentage of your Workforce which  is not on your network and their access and   apps and services that are not on your network  they're cloud-based and you know depending on   your industry it might be a smaller percent but  the reality was 2017 in Adobe we were catering   to about 20 of the workforce that were remote  and about 60 of the apps and services were now   cloud and then as as Corbett hit obviously that  went even more extreme right so from a Workforce   perspective now I'm going to pause slightly here's  a little bit of a curveball right so AI we've been   talking a lot about AI in the world these days so  I decided with the chat gpt's help I'll get a list   of questions together regarding SSE so I wanted to  know what chat GPT thought the top five questions   were regarding SSE so here here's number one for  you to run what is SSE and how does it differ   from traditional security models well uh chat GP  can chat GPT also answer these questions for you   probably I probably could ask I'll tell  you what I'll ask that question right   and then see what it says all right now I want  you to give me the answer from your perspective   then I'll tell you with chat GPT says well I  would say SSC differs from traditional security   models primarily in that it does not assume you  are in the office and it does not assume that   your applications are in the control of your  it team so SSC allows you as an organization   to provide a security layer for your Workforce  that kind of highlights today's hybrid reality   well that is pretty good now the  first time I said what is SSE   stands for I didn't add in Secure  service edge so I've done it again   and and the good thing to ruin is your answer  is way more succinct than the four paragraphs of   nonsense I get from chat GPT so a security model  that focuses on securing the edge of the network   where applications and users connect rather than  securing individual oh geez see I don't know but   it seemed like it was really confident in its  answer I feel like GPT does that I asked chat   GPT a lot of questions just for The Confident  response yeah no by the way that's most of the   [ __ ] I say I don't know if the answer is right  but I make it sound right with the good accent   and then everyone's like God he knows his [ __ ]  and I'm like no so point of life isn't it like   deliver BS with confidence yeah that's how I mean  that's how my whole careers went to be fair so uh   here's another one um what's the potential risks  and challenges associated with an SSC deployment   yeah I think one concept that everyone who  deploys SSE should be aware of is you are   putting more trust in a third-party security  vendor that's just the reality see in the old   world you bought say a Cisco firewall and you  put it in your office it's still in your office   you touched it you know how to manage it now the  problem of course is all the bad guys also knew   the credentials to it and they could get in so  that was a slightly different risk so the old   model the risk was everyone knew the root password  to your Cisco VPN so that was a problem but in the   new world you are now trusting a security vendor  to deliver your Security Services and so you as   an organization you have to be comfortable with  that level of risk now in the last 10 years you   know we've gotten comfortable putting all our  proprietary sales data and Salesforce we put   all our proprietary files in Dropbox we put all  our proprietary emails in G Suite in the cloud   so folks have got more and more comfortable  but you know there is a risk associated with   saving your resources or trusting  another third party so that's one thing   um and the other one I think the the risk and this  to me is a big risk is you just stop caring as   much when you hand over the service to somebody  else and you see this where hey why is this   service slow or it's not my fault I purchased you  know so and so vendors that went vendor's fault no   I think the IT team is still responsible for poor  user experience even if you purchased a vendor   and and I don't think we should let it teams  off the hook you know just because you checked   a box and you purchased some some third-party  vendor doesn't mean you're off the hook so   I personally think it teams should still stay  responsible for the user experience the quality of   service and so on even after they purchase an SSC  product yeah and and um look yeah I don't think   it it removes your accountability or  responsibility as a service provider so if you're   the IT team and you're responsible for delivering  um email services or collaboration Services   regardless of where you source and how you deliver  that it doesn't change your responsibility to be   the person on the hook for delivering the  best experience you can to your Workforce   um and and that comes from a guy who's spent 25  years delivering [ __ ] to thousands of people   um and yeah how did you retain that control  like so at some point when you touched every   server that you own you could feel  the ownership and responsibility for   the experience but when you're just  going and buying service providers   how do you retain that feeling of I control it I  want to deliver the best experience for my users   instead of waving your hands and saying you know  it's up to somebody else well I think I think is   I mean I'll use octo as an example because you  know a lot of people especially a lot of our   customers use up to as well right and in Adobe we  would have knocked a shop and before OCTA we were   um homegrown built or or SSO platform with  clusters of servers and a couple of people   in the team that looked after it and the reality  is is we didn't have enough full-time staff to   really deliver the best quality of service to  manage and maintain and Patch servers patch   applications upgrade applications I mean the whole  life cycle of the thing now if I even talk about   it before my Adobe team met Banyan right we were  hodgepodging what we thought of as our zero trust   remote access solution and and and a lot of it  was duct tapes more committers of things that we   were running internally and and I asked the team  go find me a vendor that will be Cloud native   Cloud first so that we don't need to do that and  you know that's when The Architects discovered   Banyan and we went into a partnership together  with the Adobe and Banyan team so that we could   get a cloud first service now if I put my my Adobe  hat on for a minute where my predecessor has this   responsibility just because Banyan has delivered  in a cloud service it doesn't mean that he's you   know in the negated away from the responsibility  of 40 000 people still using that service and   accessing apps and services on a daily basis it's  dial tone service so if if there's a problem with   the banging platform and the accessibility of  everybody in Adobe to do their job it's still on   him they don't give a [ __ ] and nor nor should  they give us that um so I kind of put it like   that now from an SSE perspective you know buzzword  Bingo and all that nonsense um what is what is the   one feature your most excited about in our up and  coming launch you know we're we're what was that   one thing that you think oh this is brilliant yeah  um well I I love how we think about trust profiles   the feature is called trust profiles and the idea  is historically it has been one size fits all for   an organization either you're on the network or  you're not either you're on the VPN or you're not   and what trust profiles do in Banyan is allow  you to teach different devices differently so   you can treat a managed device that your shipping  differently from a contractor managed device that   is managed by somebody else from a bring your own  device from a completely unregistered device where   you have to give clientless access to resources  so it really highlights the fact that Banyan has   thought about this world from a first principles  approach right we're not a hammer that says You   must be on my network to access resources it  recognizes the the different types of users   the different types of applications and so that  if I were to choose one feature that would be   trust profiles and Trust profiles are reflected  everywhere in value and you use trust profiles for   access to you know which resources you have  access to you can use trust profiles to say   hey these are the threats I need to protect you  against so it's used broadly but just the ability   to think about devices differently think about  policies differently for those devices that's the   one feature that I love and and from a business  benefit how would you describe that business   benefits people yeah so the clear business benefit  is you don't use the hammer for every approach see   marketing onboards a contractor and needs to give  them access to HubSpot right in many organizations   that per contractor will have to either get  a fully managed device from the vendor from   the company or they'll have to go download like a  Cisco anyconnect VPN and and essentially let that   Cisco anyconnect VPN do whatever it wants on the  device to give access so the tangible benefit for   banion is we can give you clientless access just  to HubSpot just for that user securely with all   the controls you need and the ability to do that  for a targeted population and to really reduce the   friction you know it saves the company a lot of  money but it honestly makes the employees so much   happier yeah yeah people I know there are some  I had a call earlier today where I was like we   focus on organizations on secure environments  where we don't care about the user experience well that's the government that's the banks okay  I understand you know you have highly regulated   industries that require that no we focus on  people who care about user experience like I   think it's really important to provide a great  user experience yeah well it's funny because   even in a highly regulated environment I mean you  still don't want people complaining and knocking   on your door yeah I feel like I I yeah exactly  I mean is that why our government sucks is that   is it because the security vendors give them  such terrible user experiences they're like I'm   going to take it out on you no I feel like user  experience should be uniformly good for everybody   you should accomplish security for user experience  yeah and then it's funny because you normally   think of a bit of a trade-off between improving  security at the expense of user experience whereas   what we find you know is you have and I say we  found the in Adobe what we found was you can   improve security and improve user experience  and it's a win-win you know so for me that's   yeah that's the goal that's the goal no hey  so what about 25 minutes in on this to ruin so   um I I don't want to take up all your time I  know because of your blurred background that   you're in Tahoe it's a sunny day outside there's  been a big dumping of fresh powder you're really   just dying to to go there and and as a security  secure snowboard Edge I mean is that is that you   know is that the edge that you're looking for I  guess oh man listen if there was an SSC solution   that provided a secure snowboard Edge like a  guaranteed Edge no matter which slope I was   coming down it would be you'd be all in on that  business in that business now um yeah so you're   gonna get to go the slope so I'm going to join  some meetings and talk to prospects and stuff   like that and all that business so yeah it's it's  a different life I guess you know the life the   life of a snowboarding founder um so yeah look  hey I appreciate your time this has been awesome   um we we have this pod we've got many other  podcasts with your blogs are we gonna have   blogs are you going to be writing anything about  this SSE business or we have other people on the   team that do that for you right what both  but I am writing one on how to evaluate SSE   and I think one of the one of the biggest  requirements for an industry as you adopt   a new technology is not to just buy something  because your buddy bought it or your boss told   you to buy it I think it's really important for  a new technologies tag to use the product try   it in different scenarios every organization I  mean one thing we have learned and then you've   known this is every organization is different  they have different culture they have different   tools they just have a different way with dealing  with problems and so it's it's incumbent on I.T   leadership to actually try a few different tools  and you know in today's Cloud world the switching   cost is so low there is no excuse for you not  to say I tried A B C and C is the best fit so   that's that to me is my big hope for the industry  is that they get into the habit of trying a tool   using it there's so much Innovation today the  switching costs are so low I think try it and   if it's a good product you know it should do it  should work well for you and I think the big thing   as well you know these these terms like digital  transformation zero trust EDR XTR SSE like they're   all they're all buzzword Bingo and at the end  of the day it's like you know we solve concrete   problems and in the industry as a practitioner  we're paid to solve concrete problems right so   if if accessing your apps and services remotely  from any location is a problem that you're still   struggling with then I'd certainly say hey this  is this is something to take a look at and peel   it back and then I was in a call this morning with  with a csoda bank and we'd met at a trade show and   his whole struggle was hey I want to get started  but I'm I'm struggling on how and where it's our   conversation was like Hey within your own team  grab 10 or 15 people grab one application that   you're responsible for that actually should  be super secured anyway and and let's focus on   playing around with that because if you have your  team get to taste it feel it touch it then they'll   know what the experience is like and they'll  know what the security benefits are because   you're doing it and that's that's what we've done  that adobe that's what we don't in Cisco that's   how we even do a banyan right so the reality is  is get started now it's done I'll get it done it   started then get it done thank you very much I  appreciate your time always a pleasure thank you thanks for listening to learn more about Banyan  security and find future episodes of the podcast   please visit us at banyansecurity.io special  thanks to Urban punks for providing the music  

for this episode you can find their tracks summer  silk and all their music at urbanpunks.com [Music]

2023-04-16

Show video