Successful SASE Architecture, with Richard Stiennon
Richard shares what he thinks a successful SASE architecture looks like and why it will lead us to secure Cloud.
Episode Table of Contents
- [01:37] A CIO’s Journey to a Successful SASE Architecture
- [06:35] The SASE Architecture Rage
- [11:44] SASE Architecture Is as Secure as You Want to Make It
- [17:58] Losing out Trying to Build a SASE Architecture
- About Our Guest
A CIO’s Journey to a Successful SASE Architecture
Arika: Hi and welcome back to To The Point Cybersecurity. I am one of your hosts, Arika Pierce, and joined of course by Eric Trexler.
Arika: We have an industry analyst as our guest today, Richard Stiennon. Hi Richard, how you doing?
Richard: Hi Arika, I'm doing great.
Arika: We have a lot today in terms of all the things that we wanted to talk to you about.
Richard: I'm looking forward to it.
Eric: 15 minutes will not be enough for this one, Arika. I'm just telling you upfront, but let's go.
Richard: It's Gartner training where you learn to answer questions in 15-minute segments, so one question, 15 minutes.
Arika: First Richard, you have written a couple of books. Most recently you've written a book called Secure Cloud Transformation: a CIO's Journey. In this book, you took a look at 16 leading enterprise organizations. Everyone from Fannie Mae to Google, Microsoft, Amazon, and really looked at their journey, their transformation.
Major Takeaways That Inspired the SASE Architecture
Arika: How did you come up with the concept and then get the access to be able to talk to these types of organizations? What were the major takeaways when you look at such a range of organizations? In terms of their journeys across the cloud, across security and all other areas.
Richard: Like many people, I treated the cloud as this new infrastructure for computing. Reminds me of the way things used to be with shared time services. I started to understand what's happening in the cloud when I start to see security vendors have solutions for problems introduced by the cloud.
Richard: For five or six years, I was looking at the people that do configuration management or launch cloud, web application firewalls or regular firewall network firewalls in the cloud. I couldn't get a grand picture of where this was all going. Until I was introduced to a few of the companies that were well down this journey. As they talked, I realized that they all had such a similar story that would be a great story arc for a book.
Richard: That story is pretty straightforward. Enterprises are adopting cloud services through software as a service. As they do so they realize that "Hey, we're outsourcing to software as a service for HR. Even finance in some cases or ERP systems, certainly for CRM with Salesforce.com.
Poor Cost User Experience
Richard: All of our traffic comes from all of our users on the corporate network, which is usually this hub-and-spoke network that spans the globe. We're backhauling that traffic to several entry points and then sending it out to the internet, filtering it through a dozen security appliances. Then bringing it all back and sending it out to the customer.
Richard: It leads to poor cost user experience and it's very expensive to do that because we're handling all that traffic.
Eric: That's the way we've always done it though. Why would we change?
Richard: We've always done it that way. But there's one thing that we haven't accomplished. It is how we provide the filtering and controls on people's web activity when they're on mobile devices.
Richard: Even though I'm probably too old, I just don't use my phone for anything other than checking my calendar, emailing and texting. But young people definitely use their phone for absolutely everything and evidently consume web apps on their phone. I don't know how they do it.
Richard: It's a trend that I don't experience but I recognize. How in the world do you stop people in the office from browsing inappropriate websites? That obviously is a number one concern for enterprises and network control. There is no way to do that without looking at something different.
Richard: That's where several vendors have looked at this concept of, hey, you know what? We're going to create a cloud layer. Gartner's calling it a SASE Architecture, secure access something layer.
The SASE Architecture Rage
Richard: The idea is there's going to be basically a proxy, and you connect to that with SSL or GRE or some sort of tunneling. It takes very thin clients, if any, to point a remote device to that cloud. We're going to apply access controls based on what we sucked out of Active Directory. And then give people direct access to, most importantly, Office 365 plus everything else.
Richard: That actually improves the user experience and gives you centralized control over what they're allowed to do. So for once, we have a security model that actually is better all across the board.
Eric: So just for our listeners, that’s Secure Access Service Edge, and it's becoming all the rage. Gartner thinks that over 40% of companies will look to adopt it within the next four years.
Richard: For once I actually agree with Gartner. I'm a former Gartner analyst. Any industry analyst tends to automatically disagree with all other analysts, but I think they framed it properly. They've recognized what's happening properly and no surprise because I believe this is what's happening.
Eric: We're pushing the security out to the edge where it really needs to be.
Richard: To me it's similar to what happened with content delivery. It soon became evident that rather than the WAN optimization solutions that were out there that were compressing stuff, you actually had to push your content to that edge. The edge of the cloud, with Akamai as the best example.
Pushing the Security Access Layer Using SASE Architecture
Richard: Cloudflare is another one where they basically proxy all your content close to the consumer. And fallout from that happened to be a defense against DDoSs. Now, if you wanted to take out somebody's website, you had to hit every one of those proxies.
Eric: Which was impossible.
Richard: Impossible, because there's not enough bandwidth available to an attacker. You use the same model, then reversed, in order to push the security access layer out to that edge. Then process it and get somebody's traffic as quickly as possible, which you can do once you've grabbed somebody's connection.
Richard: I like to use Office 365 because it's just horribly designed. You make the decision to switch over from Exchange or hosted Exchange to Office 365 because of all the great features besides Microsoft forcing you to do so.
Richard: Then all of a sudden everything is slow and horrible because you're using a web interface or a very critical always-on application. But once you've grabbed somebody's access, you can just funnel them to Microsoft's servers as quickly as possible, the shortest path possible.
Richard: You do that through peering relationships, direct access with Microsoft ExpressRoute. So you've got another example of better security. Better control, granular access plus better user experience, and those are always winners.
Eric: Yet it's identity-driven. We still know who you are and what you're trying to do so we can determine not only the experience but also the level of access and rights.
Getting a Single Tree
Richard: Of all the 16, 17 people I interviewed, I would ask them what to avoid doing. What are some of the mistakes and also how should you start on this process? Every single one of them said get identity right to begin with.
Richard: That meant consolidating your Active Directory globally so you've got a single tree. Get all that working first and then it's an easy move. That explains to me why some of the cloud identity providers are doing so well. They're actually doing well when Microsoft already owns that space, so I like that whole idea.
Arika: So you talk to a range of private organizations. Was there ever any desire or attempt to talk to any government agencies? Do you think their responses would have been any different in terms of the transformation journeys that they're going on as well?
Richard: My perception is that they're behind all of these private companies. If you think of Siemens, even a dairy company in the Netherlands called Friesland Campina, an oil well supply company called National Oilwell Varco. They all were forced down this path through either a need to reinvent themselves. Or in the case of National Oilwell Varco, a downturn in the price of oil. And they had to save money.
Richard: Whereas government agencies, as much as they like to complain about not having money, they do have infinite money. It never goes away. Once they get a hundred million dollar budget, the next year they get a $102 million budget. It keeps going. They don't have the same pressures of a private organization.
SASE Architecture Is as Secure as You Want to Make It
Richard: They tend to listen to the naysayers who say, "Oh my gosh. You can't put our data in the cloud because that's insecure." Totally false. It's always been as secure as you want to make it. The cloud actually makes it easier to make it secure.
Eric: The only thing that the cloud does is it increases accessibility. So if you misconfigure, if you don't understand your data, you can increase the risk from that perspective.
Eric: It's accessible and it's fast.
Richard: And opens you up to fast breaches.
Eric: And loss of data. And your traditional network tools. Especially with direct access, your traditional network tools aren't even going to detect the traffic in most cases.
Richard: You lose visibility unless you're using the SASE Edge Solutions.
Richard: So all that said, I'm saying government agencies are always behind the curve, which is okay. I'm starting to see it at the state and mostly education level where they're starting to adopt these models. It won't be long, especially with the Pentagon choosing Azure for a cloud solution before we start seeing widespread agency adaption of SASE models.
Arika: So for more information on this, you wrote an article for Forbes. Gartner has it right, Palo Alto Networks has it wrong. If I can translate, what you're saying is Palo Alto Networks is representing old school network security. And you're using them almost as a placeholder for the old school network security thinking as we need to move to the cloud.
Always About Number of Connections
Richard: Yes, over the last five years I've talked to every firewall vendor about their cloud strategy. It's always the same. I've followed the firewall market since 1995. It went through various phases. It was always about a number of connections you can handle at once and throughput and latency.
Richard: Initially the software was delivered as something you would buy and install on a Sun or a DEC machine. Eventually, it became Windows only. The next version was appliance-based, so NetScreen and Cisco PIX. Let's have custom-built things that have a lot of ports and do network processing really well.
Richard: That turned into a battle for throughput and Check Point, who had dominated the industry kind of lost out on that because they didn't focus on appliances. And NetScreen was acquired by Juniper and along came Fortinet and Palo Alto Networks, and they focused a lot, Fortinet especially, on building in hardware acceleration to appliances, which works great in the data center model.
Richard: In the physical appliance model, but then all of a sudden you get the cloud and you can't move an appliance into Amazon's data centers. So they all virtualized their software, which is easy. Let's just take an instance of our software and run it in a virtual instance of Linux and a VM and sell that, license it, right?
Richard: In the past, they used to justify spending $100,000 on an appliance and now they want something else. Probably $30,000 for a license for a firewall that runs on a little VM in Amazon. That one doesn't scale.
SASE Architecture: The Next Big Move
Richard: During peak times, you might need a hundred of those and you can't scale up to that. But too, it's not an edge. It's a centralized point. You're going to force people to VPN or somehow get to that virtualized appliance before they do something else, and it's just cumbersome.
Richard: It's not built for the cloud and so they're all pushing that. They're all saying they're cloud adapted because they've got customers that need a cloud solution. But they are missing the next big move. The big challenge is that in this space and in most technology spaces an incumbent has never succeeded in eating their own children.
Eric: Replacing themselves, displacing themselves. They're making too much money on the cash cow business that's firewalls or whatever it may be.
Richard: Yes, if you're doing 250 million in business selling appliances, why would you risk that?
Richard: Why would you introduce something that's going to make you 100 million if all your customers switched over? Your stockholders would not like you. And the best case of all is Blue Coat Systems.
Richard: Blue Coat was a dominant player in appliances for content URL filtering. They started being challenged by the UTM vendors that had much cheaper appliances that did the same thing that they had pushed out to all the remote offices. There's no way you can take a Blue Coat appliance, which used to cost $50,000 and put it in a two-person office in Utah.
Losing out Trying to Build a SASE Architecture
Richard: They lost out on that and they were losing customers and kind of staying static. They had about 8,000 customers when they were taken private by private equity. After that, we lose sight of what they have. They eventually ended up acquired by Symantec. The entire management team of that company took over Symantec.
Richard: A year ago, Symantec had to report that they were losing out. Their revenue missed their numbers because appliance sales were losing out to cloud services. Blue Coat had tried. They invested $2 million in hiring away a guy from a company called Zscaler, who used to work for me at Fortinet. He spent over a year trying to build a SASE model for them and they eventually gave up.
Richard: I could see that coming a mile away because this was an entrepreneurial startup kind of venture. Big public companies don't succeed at that.
Arika: You have a new book coming out in February, Security Yearbook 2020: A History and Directory of the IT Security Industry. Are there stories and views into the industry like this in that book?
Richard: Absolutely. It's everything I know just put in one book.
Richard: Because I'm primarily a network security guy, the chapter on networks and the history of the network security industry is probably the most rich, I guess. But I reached out to people in the access control business. I talked to Barry Schrager, who was really the progenitor of RACF and ACF2, so I could start the story for access controls.
Formulating Go to Market Messaging
Richard: I learned a lot, in writing the book. I hope that students, and people just getting into the industry will be able to get up to speed really quickly by reading. The written part of the book is pretty short. The major segment of the book is, I also publish a directory of all of the vendors in this space.
Arika: When you're not writing, what are you doing? Are you always just sitting in or locked in a room writing?
Richard: I've got a little shed I built in the back yard. I sit and watch the birds at the bird feeder. But I travel extensively to speak and consult with clients who are usually vendors. Startups that are formulating their go to market messaging or estimated market size, I work with them.
Richard: The speaking is usually in support of somebody's branding efforts or just sales outreach, but it gets me around the world. I've presented in 31 countries now after my recent trip to Manila.
Eric: Real quick, Richard, you did a Sandworm book review, really short. I think Sandworm by Andy Greenberg, who I'd love to have on the podcast.
Eric: He's fascinating, and what a read. The piece that really stood out to me was the first sentence: "Andy Greenberg's Sandworm has achieved what I thought was no longer possible. It scares me."
Developing Hacking Capabilities Through SASE Architecture
Eric: For anybody who's not listening, the book's on the Russian GRU hacking team over the last half-decade or so. NotPetya, the $10 billion of damage in Ukraine. And he's got a Wired article if you can't find the cliff notes or you don't like to read or listen to audiobooks. What scared you about it though? I'm just so curious.
Richard: I tracked the hacking teams and APT this and APT that and I see all the individual cases of what they're capable of doing. Andy takes us back and he shows this lull in the GRU's importance inside the Russian military to kind of their own reinvention when they decided to go full force with developing hacking capabilities.
Richard: Then the rapid evolution of their capabilities right from defacing websites to actually taking out the power grid in Ukraine twice. The second time in a much more sophisticated way than the first time.
Eric: I think it'd be great to talk about this. It scares the hell out of me also. This is really the first major confirmed, that we can talk about, network or nation-state cybersecurity attack that really shows you how bad things can be. How much out of control they can become.
Eric: Love to talk to you again if you're willing.
Richard: Absolutely, anytime.
Arika: Excellent. Well, thank you, Richard, for your time today. We will let you get back to your writing.
About Our Guest
Richard Stiennon, security expert and industry analyst, is known for shaking up the industry and providing actionable guidance to vendors and end users. He recently relaunched the security blog ThreatChaos.com and is the founder of IT-Harvest, an independent analyst firm that researches the 1,200 IT security vendors. He was Chief Marketing Officer for Fortinet, Inc., the leading UTM vendor. Prior to that, he was VP Threat Research at Webroot Software.
Before Webroot, Mr. Stiennon was VP Research at Gartner Inc. where he covered security topics including firewalls, intrusion detection, intrusion prevention, security consulting, and managed security services for the Security and Privacy group. He is a holder of Gartner's Thought Leadership award and was named "One of the 50 most powerful people in Networking" by NetworkWorld Magazine.
Mr. Stiennon has presented in 26 countries on six continents. His speaking engagements have included:
- FDIC 4th Annual Technology Conference.
- Gartner symposia in Orlando, Denver, San Diego, San Francisco, Washington DC, Cannes, Tokyo, Mexico City, Sao Paulo, and Tel Aviv.
- Lectures at the University of Wisconsin, University of Colorado.
- CIO Seminars in Mexico City, Bogota, China, Singapore, Australia, New York, Boston, Las Vegas, The Pentagon, Anchorage, Honolulu, UK, Germany, Spain, Italy, Turkey, France, and Sweden.
- Recent Advances in IDS, Case Western University.
Mr. Stiennon has written for Network World (IDG) and CIOUpdate (Jupiter Media). His blog was hosted by CNet for two years and is still published by Network World.
Mr. Stiennon earned a B.S. in Aerospace Engineering from the University of Michigan. He holds two patents.