Podcast - Episode 16 - Security Service Edge - Tarun Desikan
hello and welcome to get it started get it done the Banyan security podcast covering the security industry and Beyond in this episode our host in banyan's Chief security officer Den Jones speaks with Banyan co-founder tarun desiccan to discuss security service edge or SSE Technologies and why Banyan is rolling them out now we hope you enjoy Dan's discussion with tarun desiccan okay everybody welcome to another episode of get it started get it done I think we're the episode number who gives a [ __ ] actually I don't know or somewhere down the line we've done about a year worth of these and and today I've got an amazing guest who is actually our very first guest on the show because he is one of our companies co-founder so tarun why don't you introduce yourself just for those who have no idea who you might be awesome thanks Dan thanks for having me I remember when we first did this podcast I said then it's going to be you me my mother your mother and it is just amazing to see how far the podcast has come in the last year or so but hi everyone my name is tarun desikin I'm one of the co-founders of Banyan security we're a zero trust security provider for organizations looking to better secure their Workforce from Modern threats based on the internet awesome and and yeah we I I still don't think my mom's listened to this [ __ ] to be honest I made my mom listen to it once and um yeah she said you know you have a face meant for radio yeah my my mom my yeah no my mom said I have a face for video podcast but she didn't know what a video podcast was and I gave her the twenty dollars to say that um so when you were here last time we were talking about Banyan the journey we were on and a lot of zero trust so so why don't you start by saying you know roll roll back the couple of years ago hey we were doing the zero trust network access so why don't you kind of share just like what was that Journey all about um as as we then we'll we'll then trans translate transfer all right then we'll move on to the the the up and coming Journey so let's talk about the history what was the journey we were on for the last few years well you know zero trust itself is such a funny word right zero trust like what does it even mean but it has also has been such a catchy phrase so people have taken zero trust and applied it to everything it's in its original Roots zero trust was a concept coined by a forest analyst John kindebug to speak about Network segmentation hey do not trust everybody on your network what's kind of the origins of zero trust but over the years people have taken that term zero trust and applied it to zero trust network access applied it to I most saw zero trust data backup I saw that recently and so it people that bastardize that term essentially it means anything to anyone so even when we started Banyan we never called ourselves a zero trust company we were always a secure remote access company that's how we got started and of course as Gartner and other analysts popularized the term zero trust we of course jumped on the bandwagon and we said hey our secure access technology solves your zero trust problem and this is one of these things you know I don't know if there are other words you can think of then that have just kind of cross the chasm as it were you can say zero trust to pretty much any I.T professional and they will not their head they're like yes I know of zero trust I have heard of zero trust um they actually mean the same zero trust you and I talk about do they understand the nuances of zero trust I'm not entirely sure but zero trust has kind of become like AI artificial intelligence like everybody knows what it is everybody wants it but not everyone can clearly articulate what it is and how it's going to help their business yet so so anyway that's the provenance of zero trust and From banyan's perspective I think we've always been a secure access company it's always been about providing secure access to your Workforce to the resources they need to do their job so I was just going to say like zero trust is more of a marketing buzzword these days and I I kind of think is like you say applied everything to everybody everyone's got a different opinion of what it actually means to them or in different vendors want to be zero trust and I kind of think of it more like digital transformation but everyone said I'm doing some digital transformation like [ __ ] are you really what do you mean you're migrating from exchange to office 365. that's just a migration project you can call it digital transformational you want um and I think zt's got like that and I do think a lot of vendors and maybe I think we fell for like the Savannah was I want to label ourselves because we want to be the magic quadrant or we want to be we we know we know if you look at the definition we fall under the definition for certain pieces of the puzzle and I think we've been very crisp with our our audiences over the the years which is you you could look at a zero trust architecture and you could say hey Banyan will solve this and this of a zero trust architecture we may solve the remote access piece of that puzzle we might solve the device posturing piece of the puzzle but we don't solve DLP data tagging or or network segmentation we don't solve lateral movement within a network if you'd already always already in the network but we might solve lateral movement if we don't provide Network layer access because we're providing the application Level access so it's all I I kind of look at it like it's all the nuances um now what's really interesting is we're about to read not I don't know if retagging how would you describe what we're about to launch where it's almost like we're we're about to glom on to another fancy buzzword SSE so so Turin why don't you explain for everybody like what is what is this this tweaking of our messaging that you think we're doing why are we doing it and why now yep so I mean there's a lot of a lot to unpack in there but SSE is a concept articulated Again by the analyst this time Gartner to stand for security service edge the idea that a lot of security capabilities that were historically found in an office Network typically on a firewall close to your Wi-Fi access point is where these security capabilities used to lie you no longer keep them in your office instead you deliver them from an edge which is essentially a cloud point of presence close to the user so that's what SSE stands for it's a set of security capabilities that are delivered in the cloud and so From balian's perspective from day one we've been a cloud-based company we've always done secure access and um the reason for us the good time is Gartner has something called a magic quadrant where it starts tracking vendors in a space and the cool thing for a young company like us is that this space did not even exist six or seven years ago when we started the company now I would be lying if I said yeah then I had the foresight I knew this Market called emergence seven years and therefore we started Banning no that's just not true so I think people have entered the SSC Market from two different angles there is one class of vendor that has sold firewalls for the longest period of time they took those five walls they delivered them to the club and I'm going to name names like Palo Alto zscaler Cisco you know these guys have sold hardware for the longest time they took their Hardware models they delivered them in the cloud they're going to call themselves SSE and show up in Gartner that's fine there's another set of companies that have been taken a cloud native approach which is we have thought from day one what does it look like if your applications don't run on premise what should the user experience be if the user doesn't always come to the office we call ourselves a cloud native approach to SSE so we have taken a cloud native approach in our case focusing on the end point focusing on the user focusing on context but still delivering the same security capabilities so you're going to see both types of vendors but we are solving the same set of problems for an organization which is how to better secure your Workforce how to provide the security capabilities that was traditionally provided in the office for a hybrid world yeah and I think you know so from a threat landscape perspective um what is it you think we're solving for with SSE so when Banyan got started the primary threat landscape we were solving was the one that was used to attack say the Veterans Affairs or solarwinds which is credential compromise somebody compromises your user gets into the network and then starts spreading in the network so that was the primary Threat Vector we were protecting against and The Way We Were protecting against it was by posturing your device requiring device posture for all accesses and then when you do that it's very hard for a bad guy to kind of just fish you as a user and get access to your network and then of course you extend that with least privileged principles and give users and devices accesses access just to the applications they need so that was the core of Banyan when we got started and in this release what we're focusing on is extending that core capability we're now also blocking malicious websites so we're also now blocking malware from that could be downloaded onto onto your device so we have expanded our protection layer to also look at internet threats and and I think the one thing you asked is hey why now why are we doing it now and it is just you know as a young company entering a space that is dominated by big players one of the key things for me as a product guy is we need to be really good at everything we do and so we didn't want to take on internet threats until we had really nailed the user device context and least privileged access problem and I honestly think right now we have nailed that we have nailed that how do you really posture a device how do you handle the different types of clients clientless access contractor access developer access service account access manage device access you know we have nailed all of those um and so once you have gone deep and solved one set of problems I think you earned the right to solve the next and that's why it's SSC is ready now for us to go after yeah and it's funny because I kind of look at it like the the new perimeter of of your security is really the the device right I mean the the endpoint device the user that context together um you're not all in your network and I don't care which business you're in these days you know you have a percentage of your Workforce which is not on your network and their access and apps and services that are not on your network they're cloud-based and you know depending on your industry it might be a smaller percent but the reality was 2017 in Adobe we were catering to about 20 of the workforce that were remote and about 60 of the apps and services were now cloud and then as as Corbett hit obviously that went even more extreme right so from a Workforce perspective now I'm going to pause slightly here's a little bit of a curveball right so AI we've been talking a lot about AI in the world these days so I decided with the chat gpt's help I'll get a list of questions together regarding SSE so I wanted to know what chat GPT thought the top five questions were regarding SSE so here here's number one for you to run what is SSE and how does it differ from traditional security models well uh chat GP can chat GPT also answer these questions for you probably I probably could ask I'll tell you what I'll ask that question right and then see what it says all right now I want you to give me the answer from your perspective then I'll tell you with chat GPT says well I would say SSC differs from traditional security models primarily in that it does not assume you are in the office and it does not assume that your applications are in the control of your it team so SSC allows you as an organization to provide a security layer for your Workforce that kind of highlights today's hybrid reality well that is pretty good now the first time I said what is SSE stands for I didn't add in Secure service edge so I've done it again and and the good thing to ruin is your answer is way more succinct than the four paragraphs of nonsense I get from chat GPT so a security model that focuses on securing the edge of the network where applications and users connect rather than securing individual oh geez see I don't know but it seemed like it was really confident in its answer I feel like GPT does that I asked chat GPT a lot of questions just for The Confident response yeah no by the way that's most of the [ __ ] I say I don't know if the answer is right but I make it sound right with the good accent and then everyone's like God he knows his [ __ ] and I'm like no so point of life isn't it like deliver BS with confidence yeah that's how I mean that's how my whole careers went to be fair so uh here's another one um what's the potential risks and challenges associated with an SSC deployment yeah I think one concept that everyone who deploys SSE should be aware of is you are putting more trust in a third-party security vendor that's just the reality see in the old world you bought say a Cisco firewall and you put it in your office it's still in your office you touched it you know how to manage it now the problem of course is all the bad guys also knew the credentials to it and they could get in so that was a slightly different risk so the old model the risk was everyone knew the root password to your Cisco VPN so that was a problem but in the new world you are now trusting a security vendor to deliver your Security Services and so you as an organization you have to be comfortable with that level of risk now in the last 10 years you know we've gotten comfortable putting all our proprietary sales data and Salesforce we put all our proprietary files in Dropbox we put all our proprietary emails in G Suite in the cloud so folks have got more and more comfortable but you know there is a risk associated with saving your resources or trusting another third party so that's one thing um and the other one I think the the risk and this to me is a big risk is you just stop caring as much when you hand over the service to somebody else and you see this where hey why is this service slow or it's not my fault I purchased you know so and so vendors that went vendor's fault no I think the IT team is still responsible for poor user experience even if you purchased a vendor and and I don't think we should let it teams off the hook you know just because you checked a box and you purchased some some third-party vendor doesn't mean you're off the hook so I personally think it teams should still stay responsible for the user experience the quality of service and so on even after they purchase an SSC product yeah and and um look yeah I don't think it it removes your accountability or responsibility as a service provider so if you're the IT team and you're responsible for delivering um email services or collaboration Services regardless of where you source and how you deliver that it doesn't change your responsibility to be the person on the hook for delivering the best experience you can to your Workforce um and and that comes from a guy who's spent 25 years delivering [ __ ] to thousands of people um and yeah how did you retain that control like so at some point when you touched every server that you own you could feel the ownership and responsibility for the experience but when you're just going and buying service providers how do you retain that feeling of I control it I want to deliver the best experience for my users instead of waving your hands and saying you know it's up to somebody else well I think I think is I mean I'll use octo as an example because you know a lot of people especially a lot of our customers use up to as well right and in Adobe we would have knocked a shop and before OCTA we were um homegrown built or or SSO platform with clusters of servers and a couple of people in the team that looked after it and the reality is is we didn't have enough full-time staff to really deliver the best quality of service to manage and maintain and Patch servers patch applications upgrade applications I mean the whole life cycle of the thing now if I even talk about it before my Adobe team met Banyan right we were hodgepodging what we thought of as our zero trust remote access solution and and and a lot of it was duct tapes more committers of things that we were running internally and and I asked the team go find me a vendor that will be Cloud native Cloud first so that we don't need to do that and you know that's when The Architects discovered Banyan and we went into a partnership together with the Adobe and Banyan team so that we could get a cloud first service now if I put my my Adobe hat on for a minute where my predecessor has this responsibility just because Banyan has delivered in a cloud service it doesn't mean that he's you know in the negated away from the responsibility of 40 000 people still using that service and accessing apps and services on a daily basis it's dial tone service so if if there's a problem with the banging platform and the accessibility of everybody in Adobe to do their job it's still on him they don't give a [ __ ] and nor nor should they give us that um so I kind of put it like that now from an SSE perspective you know buzzword Bingo and all that nonsense um what is what is the one feature your most excited about in our up and coming launch you know we're we're what was that one thing that you think oh this is brilliant yeah um well I I love how we think about trust profiles the feature is called trust profiles and the idea is historically it has been one size fits all for an organization either you're on the network or you're not either you're on the VPN or you're not and what trust profiles do in Banyan is allow you to teach different devices differently so you can treat a managed device that your shipping differently from a contractor managed device that is managed by somebody else from a bring your own device from a completely unregistered device where you have to give clientless access to resources so it really highlights the fact that Banyan has thought about this world from a first principles approach right we're not a hammer that says You must be on my network to access resources it recognizes the the different types of users the different types of applications and so that if I were to choose one feature that would be trust profiles and Trust profiles are reflected everywhere in value and you use trust profiles for access to you know which resources you have access to you can use trust profiles to say hey these are the threats I need to protect you against so it's used broadly but just the ability to think about devices differently think about policies differently for those devices that's the one feature that I love and and from a business benefit how would you describe that business benefits people yeah so the clear business benefit is you don't use the hammer for every approach see marketing onboards a contractor and needs to give them access to HubSpot right in many organizations that per contractor will have to either get a fully managed device from the vendor from the company or they'll have to go download like a Cisco anyconnect VPN and and essentially let that Cisco anyconnect VPN do whatever it wants on the device to give access so the tangible benefit for banion is we can give you clientless access just to HubSpot just for that user securely with all the controls you need and the ability to do that for a targeted population and to really reduce the friction you know it saves the company a lot of money but it honestly makes the employees so much happier yeah yeah people I know there are some I had a call earlier today where I was like we focus on organizations on secure environments where we don't care about the user experience well that's the government that's the banks okay I understand you know you have highly regulated industries that require that no we focus on people who care about user experience like I think it's really important to provide a great user experience yeah well it's funny because even in a highly regulated environment I mean you still don't want people complaining and knocking on your door yeah I feel like I I yeah exactly I mean is that why our government sucks is that is it because the security vendors give them such terrible user experiences they're like I'm going to take it out on you no I feel like user experience should be uniformly good for everybody you should accomplish security for user experience yeah and then it's funny because you normally think of a bit of a trade-off between improving security at the expense of user experience whereas what we find you know is you have and I say we found the in Adobe what we found was you can improve security and improve user experience and it's a win-win you know so for me that's yeah that's the goal that's the goal no hey so what about 25 minutes in on this to ruin so um I I don't want to take up all your time I know because of your blurred background that you're in Tahoe it's a sunny day outside there's been a big dumping of fresh powder you're really just dying to to go there and and as a security secure snowboard Edge I mean is that is that you know is that the edge that you're looking for I guess oh man listen if there was an SSC solution that provided a secure snowboard Edge like a guaranteed Edge no matter which slope I was coming down it would be you'd be all in on that business in that business now um yeah so you're gonna get to go the slope so I'm going to join some meetings and talk to prospects and stuff like that and all that business so yeah it's it's a different life I guess you know the life the life of a snowboarding founder um so yeah look hey I appreciate your time this has been awesome um we we have this pod we've got many other podcasts with your blogs are we gonna have blogs are you going to be writing anything about this SSE business or we have other people on the team that do that for you right what both but I am writing one on how to evaluate SSE and I think one of the one of the biggest requirements for an industry as you adopt a new technology is not to just buy something because your buddy bought it or your boss told you to buy it I think it's really important for a new technologies tag to use the product try it in different scenarios every organization I mean one thing we have learned and then you've known this is every organization is different they have different culture they have different tools they just have a different way with dealing with problems and so it's it's incumbent on I.T leadership to actually try a few different tools and you know in today's Cloud world the switching cost is so low there is no excuse for you not to say I tried A B C and C is the best fit so that's that to me is my big hope for the industry is that they get into the habit of trying a tool using it there's so much Innovation today the switching costs are so low I think try it and if it's a good product you know it should do it should work well for you and I think the big thing as well you know these these terms like digital transformation zero trust EDR XTR SSE like they're all they're all buzzword Bingo and at the end of the day it's like you know we solve concrete problems and in the industry as a practitioner we're paid to solve concrete problems right so if if accessing your apps and services remotely from any location is a problem that you're still struggling with then I'd certainly say hey this is this is something to take a look at and peel it back and then I was in a call this morning with with a csoda bank and we'd met at a trade show and his whole struggle was hey I want to get started but I'm I'm struggling on how and where it's our conversation was like Hey within your own team grab 10 or 15 people grab one application that you're responsible for that actually should be super secured anyway and and let's focus on playing around with that because if you have your team get to taste it feel it touch it then they'll know what the experience is like and they'll know what the security benefits are because you're doing it and that's that's what we've done that adobe that's what we don't in Cisco that's how we even do a banyan right so the reality is is get started now it's done I'll get it done it started then get it done thank you very much I appreciate your time always a pleasure thank you thanks for listening to learn more about Banyan security and find future episodes of the podcast please visit us at banyansecurity.io special thanks to Urban punks for providing the music
for this episode you can find their tracks summer silk and all their music at urbanpunks.com [Music]
2023-04-16 22:02
