• Garrett O’Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies and is a regular industry commentator on the cyber security landscape, data assurance approaches and business continuity.

The Get Cyber Resilient Show Episode #24

This week Gar gets sassy (SASE) with Mike ‘Fergo’ Ferguson, Senior Sales Engineer at Netskope. Mike has been an IT geek his entire life, with a passion for computers fuelled by his father who owned a cyber cafe. Mike started in IT support and contracted out in the UK before heading to the European Central Bank in Germany, then to Australia with Websense where Mike became an SME in data leak prevention before starting his role at Netskope. In a slightly more technical episode of the GCR podcast, Mike and Gar dive into everything Secure Access Service Edge, from a high level explanation of SASE and its capabilities to what protections are possible within the architecture.

The Get Cyber Resilient Show Episode #24 Transcript

Garrett O'Hara: [00:00:00] Welcome to the Get Cyber Resilient podcast. I'm Gar O'Hara, and this week I'm joined by Mike Ferguson, Senior Sales Engineer over at Netskope. Mike is better known as Fargo in the security industry. His father owned a cyber café, so the introduction to IT happened early for Mike. It was inevitable that he got into computers. He went out on his own early and contracted in the UK, then made a move over to the European Central Bank in IT support in Germany, then into Websense over here in Australia. He got into sales engineering, he got into networking and became an SME in data leak prevention. Then Fargo got into Netskope, but that was back when there was only three people in Australia. And it was back when we all said CASB rather than SASE or Secure Access Service Edge to give it its full title. Tom Cross the CTO from OPAQ described SASE as security comes to the traffic, not traffic going to security.

And Mike and I really get into SASE in this episode. It's a pretty big concept with lots of parts and lots of material outcomes for a business and Fargo, uh, runs us through many of those. We start with a high level explanation of what, what SASE is beyond a Gartner term. Uh, then we talk about how you can cannibalize the performance uptick with SASE architecture to apply more security checks. We cover what lives inside the cloud entity that is SASE, what protection is possible with the architecture and how to get there. So if you are an organization that wants to adopt the approach, what does that really look like? And while we do cover the business outcomes, this is one of the more technical episodes which I personally really enjoyed, so I hope you do too.

Today I'm joined by Mike Ferguson from Netskope. How are you doing, Mike?

Mike Ferguson: [00:01:48] I'm good. Thanks mate. How are you doing?

Garrett O'Hara: [00:01:50] Yeah. Doing well. Thanks. And, um, do you want to be called Fargo, which I know many people in, in the industry call you or Mike, what's your preference?

Mike Ferguson: [00:01:59] I obviously don't really, um, mind what people call me. I think, um, there's just been a number of different Michaels in, uh, the industry. There's even another Michael Ferguson in Sydney within security. So it's become easier to just refer to myself as Fargo, uh, and the ... yes, typically what people will call me at this stage, but it's not like I'm precious or nothing. You can call me anything.

Garrett O'Hara: [00:02:23] Perfect. At least you're, uh, you're not called a cyber badger and, you know, we'll, we'll leave that one where that, that is. [Laughs]

Mike Ferguson: [00:02:30] You know, he knows who he is.

Garrett O'Hara: [00:02:30] Yeah. Dandy Smith anyway. Um, yeah, thanks for joining us, Mike. Uh, definitely, uh, appreciate you taking the time out. I know you're a very, very busy person, so, uh, lovely for you to, to come along. Um, we normally just start with a bit of a, um, start with a bit of a bio. Um, you're obviously working in, in Netskope at the moment, but it'd be lovely to kind of hear of your, your journey. How did you get to where you curren- currently are within the security space?

Mike Ferguson: [00:02:55] Great, great question. So like, um, it's been a, a long journey, um, to get to where I am now, but the, the basic I was very, very lucky in that, um, my dad, you know, back in the UK, he worked within security in the UK. Did a lot of government work and, uh, he actually was like the one that introduced me to IT in general. He'd always have computers and we'd build them at home and do all this kind of fun stuff as a kid. So, um, it's kind of a nerdy child. And then he had, um, a cyber café in our hometown and all this kind of fun, you know, stuff as a, a young nerdy guy who was interested in that, that type of stuff. And, uh, it was a ... I did my, A levels in the UK. Didn't do particularly well in them, but he encouraged me, he said, "Look, just go and do a, uh, an industry certification."

So I did my Microsoft Certified Systems Engineer, MCSE, uh, really straight out of that. So instead of university, that's what I did. And through that, I was able to, uh, wrangle a, a small contract, uh, I think through contacts with my dad again. And I was just so lucky that people just then knew who he was and then who I was. So I got contracts and started to build up a bit of a, um, a portfolio or profile for myself. I moved to Leeds, did a bit of work there. But being the kind of, one of those people that's kind of curious about the outside world, I moved to Germany and, uh, worked at the European Central Bank on the, um, IT support desk. And after that I met a girl who was Australian, so we moved over to Australia. And I was fortunate enough to get a job with a, a, a vendor, uh, uh, with Websense who sponsored me to, uh, join their technical account management team.

So then I started to work in the vendor space, which was a bit, you know, different as, as you know, and I was able to climb up and, but then became a, um, sales engineer. I think I've always been a bit of a talker, so they recognized that let's get this guy pushing products ins- instead of just, uh, you know, plu- plugging holes and, and fixing things. And from there, I, you know, sort of built up a decent understanding of the Internet and how the, you know, the Internet operates and the fra- frameworks and what people are trying to accomplish when they are trying to secure the Internet, whether, whether it's in bound or outbound traffic. And as a DLP, they have a strong DLP technology. So I started to become a subject matter expert in, uh, data loss prevention. And, uh, after that, I, um, was given the opportunity to join this little startup. At the time, there were only three people in Australia.

At that time it was Netskope, and they were this sort of CASB. The new buzzword. And I, I jumped over to, to start up and be their first person in Sydney. And now three years later, we have, I think we've got about 30 something people in Australia, about 40 something in APAC. So there's been hyper growth in that market. And, you know, the, the technology has obviously been well received. So yeah, I've been very lucky to get where I was at the start, you know, the starting place of having a dad who knew security and had that way of thinking certainly helped me to, eh, tra- transition into the role I'm in now, I think.

Garrett O'Hara: [00:06:29] Yeah, it's awesome. Hey, so you used the word buzzword and, um, speaking of Gartner in 2019 coins, the, the idea of, of SASE, eh, something you and I have talked about, uh, quite a few times. I think the last time might have actually been in a swimming pool in the Hunter Valley at Jerry's wedding. Um, we, we, we should have had better things to talk about, but there you go. Um-

Mike Ferguson: [00:06:56] Such is the way our minds work. Yes.

Garrett O'Hara: [00:06:56] It is. In, in one of your videos, you talked about, um, it being kind of a cloud-based utopia and that's how you kind of described the end state of, of sort of SASE and, um, that's a pretty big call, right? So kind of wondering from your perspective, like, can you just kind of run us through, like, what is SASE, why do you think it's important? And like yeah.

Mike Ferguson: [00:07:12] Yeah, absolutely. Look, ultimately, um, we had seen this shift over the last five years, uh, to leveraging these other services, these external services from our own network. You know, um, you have to look at the way that, uh, businesses have operated and, uh, used technology to transact. You know, ultimately IT is just a, uh, mechanism for delivering whatever the business outcomes are, you know. If, if you are a marketing company, you are trying to design collateral and get messaging out there, generate leads or whatever. Um, or if you're in finance, there, there's these things that the business is trying to accomplish. And back 20, 30 years ago, and yeah, we were all getting started before, before then, but they digitalized that information and put them on to computers because it was easier to edit and, um, deliver that information, than writing it down with a pen and paper and they'd try to copy it and replicate it. So that's why we had computers.

And then when we had lots of computers, we would centralize that information into file servers, and then we'd have databases and application servers for doing cute stuff with that database full of people's contact information and the actual intellectual property we'd created. So we had these network we had to protect and make sure those things were available and the right people had access to them and they weren't doing the wrong things. Eh, it was all, all of those principles of security, the CIA; confidentiality, integrity, availability. It just ... You can see it ingrained in that first approach. Let's build the network to do that. And the, the things haven't changed. We're still using technology to deliver on those business services. But the, rather than us building our own file servers and having this weird expertise replicated across every different organization, how about we just get a couple of smart people to build a really good one in their servers, and we will get a little pockets of it.

We'll get a little, um, tenant of that service. We called them cloud applications, and we're going to store our information in there, and they're going to have great, interesting, um, differentiators in their own cloud applications that we can then leverage and choose to make our business again, more competitive and have our own differentiators and make ourselves, you know, hop- hopefully generate revenue and beat out the competition. That's what those services are there to do. And, and we see that. There's been a huge growth in cloud applications, yeah, ever since the, the birth of the iPhone when, uh, Steve Jobs told us, "Oh yeah, you can just add on these cloud apps."

So there's this ... the abundance of choice in there, but we still need to ensure that they're the right ones, that our data is protected, it remains correct, and it's available. And, you know, we've had other ways of doing this, not just SaaS cloud applications, but we have infrastructure as a service and platform as a service to make ... Yeah. Provide different levels of control to the organization, but also it's the same stuff. It's follow ... It's servers and databases and we need to provide control. So that's where our services are, and I think in the last six months, we've ... every organization under the planet has been ramped up in this other area of, um, the experiment that is remote working. Uh, so our workforce is highly distributed too.

And now if we've got a highly distributed set of workers on a variety of different platforms and devices, all trying to connect to this highly distributed set of business services or cloud applications, then we need to ensure that the connectivity to it is available, uh, all the time. We can't rely on things like the public Internet, uh, eh, and all of its, you know, sort of, uh, glory, ambient glory to deliver a high availability, low latency, best retur- um, round trip time, connectivity to those critical services. 'Cause we are ... even in COVID, I need to operate, I need to be competitive. I need my business to survive 'cause it's, it is a vuln- um, a vulnerable time, volatile time.

So there's an entity in this ... in the middle of it that has to then take on the weight of what was the network and the entire network stack, as well as all of the network security stack, the thing that connects us. And, uh, that concept is what Gartner started to call as SASE or Secure Access Service Edge, because it's s- secure, it's providing secure access and it's the edge between all of those different services and, you know, users.

Garrett O'Hara: [00:12:26] Mm-hmm [affirmative].

Mike Ferguson: [00:12:27] Um, so that's what we're talking about with this cloud-based utopia. I don't think we're ever going to go back to, uh, every organization having a file ... uh, a server room and a building-

Garrett O'Hara: [00:12:35] Yup.

Mike Ferguson: [00:12:36] ... they put, put that stuff. But we know that it's a lot easier to offload that, that burden to some smart people who build really cool, sophisticated, and smart and clever cloud applications, I ... but I still need to use them to house my intellectual property and my customer and employee information. And I'm still liable for that. And I'm still vulnerable if that is not accessible. So the SASE is there to-

Garrett O'Hara: [00:13:06] Sort of sit in the middle.

Mike Ferguson: [00:13:06] ... protect and be ... yeah, sit in the middle. It's something-

Garrett O'Hara: [00:13:09] So you, you mentioned that, that, that word, like that phrase, the entity in the middle and you know, when, when I'm sort of thinking about that, it's kind of an amorphous sort of black, black box blob thing that's going to do a bunch of different stuff. But, like, if you take an organization and they're kind of approaching things like a, you know, traditional network, traditional security approaches, you know, whatever they might even be these days, um, you know, they probably have some cloud services. How do they go from that to moving into a SASE architecture? Like what's the actual practical approach to doing that?

Mike Ferguson: [00:13:39] Yeah. Like 'cause it looks like that's an incredible end state. I would love that. There's the cloud-based utopia. Uh, can't believe I said that, but I can imagine I did.

Garrett O'Hara: [00:13:50] You should get that on a t-shirt.

Mike Ferguson: [00:13:53] Come to Fargo's cloud-based utopia. It's a, it's a yeah, like ... But ultimately we're not that far from it. That's a good thing to note. Uh, there we already have this, uh, conduit for all of our Internet traffic already. All right. It's also a compliance checkbox? We, we have to have a web proxy, um, application there firewall se- secure web gateway. Uh, so we have to have that in our networks anyway, to one, prevent our users from going to really nasty websites that we'd be liable for. Uh, we wanna prevent them from downloading malicious malware, ransomware is still rampant. So we have those things already. The difference is that we have to maybe look at that Internet traffic as something different than just accessing, uh, adult content and news and media or malware, we have to recognize that that entity is the conduit between my distributed workforce and my critical services.

So the network has evolved, that entity has to evolve too, and it has to meet perhaps a little bit more than just, uh, legacy web proxy stuff. It has to have more things in there. Like I need it to provide me with an, an understanding of which applications I'm accessing in a very easy level. I, I need ... it needs to have really strong DLP capabilities. Um, it needs to understand what my users are doing in those cloud applications. Um, you know, a really easy way of looking at is things like group policy. We used to have a whole network in the, you know, whether we build and then we'd set up active directory and group policies and say, certain users and these groups can do these things. Okay, well, there's no network now, so how do I say my interns and junior marketing team are able to upload content to the file server, but they can't delete content.

Like I wouldn't trust their ... or move it. They can't just move files around. Why would you, why would you allow them to do this? So that, that entity that was the secure gateway has to evolve to say, "I want to be able to see who the users are." There, there, you know, they ... having an understanding of user authentication and policy, but then having an understanding of what people are doing when they are accessing those applications, uh, and hopefully put in place some controls.

A really interesting one I had recently was, um, we had a, um, a large financial organization was saying, "Oh, we've invested heavily in a marketing application, and I want to co- control who can send stuff out." Marketing applications are great, right? They, they're very cool; Marketo and SurveyMonkey, Mailchimp, and all that stuff. Really great, great tools. And ... But they rely on certain types of ... two types of information. One is your corporate messaging 'cause you're a market to them. And then there's your, uh, your customer database. Two highly sensitive pieces of information.

You get a messaging wrong, very damaging for the organization. Customer database, uh, is, you know, you're liable for PII data. So would you want anyone in the marketing team to go and sign up to SurveyMonkey or Marketo, create a marketing campaign, put in their own gibberish and their own messaging into that tool and then approve the campaign themselves? This is just too high risk. So it's like group policies in a way that you want to apply different ... the same types of controls or governance on the workforce and what they're doing practically within those new tools. Um, and the only way you can do that is by, uh, leveraging the tunnel, this, this entity in the middle, that all of that Internet traffic is going through.

Garrett O'Hara: [00:17:54] Yep.

Mike Ferguson: [00:17:55] And yeah, but it has to evolve to understand the language that those cloud applications operate over. And that's, again, this is the next level.

Garrett O'Hara: [00:18:06] That's stuff like JSON:API type stuff, and I hear a way off there.

Mike Ferguson: [00:18:09] Yeah. So, uh, most of these applications, like they, they all initiate a connection over HTTP, which you get requests, not to get too, yeah, too technical on it. But the, yeah, we can see the GET request. GET drive.google.com in your web proxy if it's where the other thing is going to go, "Oh yeah, you went to Google Drive and that's perfect." But, um, then there's other things in that, there's other types of ... an extra layer. We almost have to look at the OSI layer model as outdated already, and we need to add extra layers on top to say, um, the API calls inside of there, as soon as you access those applications, they're telling me an extra bit of information. Is it the organiza- your organization's Office 365 or Google Drive, which is great. I want my users to use it ... be using that application, that instance of application, but I don't want them uploading anything to the- their personal ones or a, a third party instance of that application and like, the API calls tell us this information.

So it needs to be able to look at that, that the, your, you know, your web proxy now is secure. Again, we have to understand that. JSON strings are ... they're telling us a whole bunch of information around what people are doing in there. You know, whether it's editing, creating, and deleting and moving, sharing uploads and downloads, uh, within those applications. I want to be able to see what they're doing and the JSON strings will tell us that. So again, whatever that entity in the middle is, has to be able to understand, normalize and then apply app, um, controls to those, those activities.

Garrett O'Hara: [00:19:51] And that, that sounds like a, an absolutely complex and enormous, enormous task. Like within the ... in that little, in that little ... in that huge thing in the middle, um, what is that made up all of. Is it proprietary tech? Is it third party OEM technologies, like something doing DLP, some of other things doing kind of advanced analysis of, um, malicious URLs or, you know, d- digging into sandboxing and attachments? If it's a storage location, like what's the tech set or the stack sitting in there?

Mike Ferguson: [00:20:20] Yeah. And like I've had a bunch of, uh, people say to me, um, okay, well, it looks like you're, you're a key part of my network now. [Laughs] And that is true. You know, there, there is this, this thing in the middle that is connecting your users to all of its business services and applying all of these controls. So the SASE model, you know, or methodology, you know, is a concept, I guess, of using their secure access service to apply those types of controls. And, you know, I can only speak from Netskope's perspective on the, uh, approach that we have taken to meeting that requirement. Uh, but ultimately we have developed, or we developed way back at its i- inception this, uh, engine that normalized and that looked at APIs and JSON strings inline there from the device to the cloud application and back so that we can understand and normalize and apply controls to it.

And our founder and, and, you know, chief scientist, uh, Krishna has got three, uh, patents on the wall at HQ that talk to this requirement. It understands the, um, the actual, uh, API and JSON string calls and can then make, um, you know, sort of actions based on what we're seeing that allows us to be this super granular. And all of those additional things that we've built on top of it, you know, the, um, CASB, secured gateway, DLP. They just sit on top of the engine. They're like little micro services that are meeting absolute critical security outcomes, but they're all sitting on this ability to go, "I know what that JSON string means, and I could apply controls to it."

That said, you know, um, there are other techs in the industry who are doing ... trying to do the same thing. They've all try ... This isn't ... You know, it's not just, that's good because it's got the, you know, the prize answer. We know that there are other techs that are trying to do things like this, and it could just be looking at the URLs. You know, like we ... you could try and look at the URL and say, "Okay, well I need ... if there's like, you know, a forward slash edit, forward slash and then a string, well, that's trying to edit something. So therefore I could put in place control if their host name is, um, [email protected] or office, you know ... on microsoft.com, and it's got this edit slash. Well, maybe that's an edit and I want to put in place control on it. It's a little bit more rudimentary to looking at API calls, but i- it's trying to do the same thing.

Garrett O'Hara: [00:22:51] Yeah.

Mike Ferguson: [00:22:51] And, you know, I think that that's ... we ultimately need that, that level of control however we try to approach the problem.

Garrett O'Hara: [00:22:57] And, so and in terms of end points, 'cause, um, like where my head goes is mobile devices and things like that, you know, accessing services. So how do you force them to ride through the, you know, the SASE entity? Um, like is there a sort of neural [inaudible 00:23:11] in MDM? Like, is it agent-based? Like what's the-

Mike Ferguson: [00:23:14] Yeah.

Garrett O'Hara: [00:23:15] ... the end point controls?

Mike Ferguson: [00:23:16] So the, the interesting part is you have to be kind of agnostic to the types of devices that your workforce, uh, are using. Uh, for the most part, if a device is managed and owned by an organization, whether it's Windows, iOS, uh, Mac iOS or Android, then it's just a managed device. I'm going to recommend that we put, um, put in place a client that steers the traffic to the Netskope cloud, um, over a secure tunnel. And, uh, we'll be able to just then intercept the traffic in the cloud and, and see it. And because it's only steering traffic, it's a very lightweight type of client. And that there is going to cover, you know, not just, just sanctioned applications, all of the other unsanctioned apps that marketing and finance just sign up to. Oh yeah, I'm going to look at, I don't know, Expensify [inaudible 00:24:10] and then have, have a little play with that [crosstalk 00:24:12].

Garrett O'Hara: [00:24:13] I've got a credit card and I've got a need, so why wouldn't I, you know.

Mike Ferguson: [00:24:15] Yeah. And this ... They, they will we see this a lot, like ... And I'm not, you know, immune to it. Like I see cool applications. I'm like, "All right, let's give that a, a whirl. I want to see it, see if it's going to make me more competitive and maybe do my job better. So we, so ... But if it's your corporate app like, you know, your corporate device, if I'm in security, if I'm in IT, I'm like, "No, no, no." I recognize there's a huge gap here. I need to steer at all of that traffic to this entity, this SASE entity to, uh, gain visibility into what they're accessing. Um, but then also access to what they're uploading and what they're downloading and what they're doing inside those apps as well. And, you know, you can get all the nice reports that say, okay, these users are starting to move away from using box, and now they're all starting to use Dropbox where you see, uh, WebEx was the, um, sorry. Um, uh, WeTransfer was huge, now we're seeing Hightail. Um, yeah, and you can start to make those, those out.

Because you can only do that if you're seeing that in line, and you might wanna use that to then put in place access controls and guardrails to say, "Hey, Mr. User-

Garrett O'Hara: [00:25:25] Don't do the wrong thing.

Mike Ferguson: [00:25:26] ... WeTransfer is pretty, pretty risky from a security perspective. We would really recommend that you use our one, and if you didn't know it's there, here's the link." You know you can just ... Yeah. You're just sort of helping them out. I think most people in IT, yeah, I'm sorry, most people that are working for your ... an organization aren't trying to be sneaky. They're just ... they've always used certain apps. You know, like, uh, Dropbox has, has been huge on a, you know, for personal usage. So when the user goes into a workforce and other ... I got to work from home now, there's this horrible COVID thing. I'll just upload it all to Dropbox. Well, Dropbox isn't owned by, um, that organization. And they used to have a policy that said that if you upload data to personal Dropbox, Dropbox owns that data. I don't know, they've changed that policy. I think that might have been changed, but what a huge risk. So-

Garrett O'Hara: [00:26:13] Yeah.

Mike Ferguson: [00:26:14] ... uh, it's not through any malice, it's just, um, you know, they're uneducated about the potential risks. The SASE should be able to, you know, deliver on, um, providing that visibility to not just their security administrators, but even to their workers and say, "Hey, look, this is a risk. Don't use this one. Here's a report if you want. But also here's the one that we have allowed that is safer." And that ... the adoption rate is so much more, um, more impressive because they no longer just think that IT is trying to push their product. This is their preference. They recognize, uh, it's a security risk. Security is a big issue, yeah, I'm on board.

Garrett O'Hara: [00:26:53] Happy to ... Happy to move over. And one of the activities, um-

Mike Ferguson: [00:26:55] Yeah, so sorry to-

Garrett O'Hara: [00:26:57] Sorry, you go.

Mike Ferguson: [00:26:58] Um, yeah, but think ... So that's the preferred approach, but there are devices. You can't have clients on their own managing ... you have guest networks, you have, uh, BYOD devices that can't be managed. So, you know, you- you've got to leverage oth- other technologies and approaches. Things like IPsec tunnels and GRE tunnels that will steer the traffic from your internal network to the external, to the, to the Netskope cloud. Um, or if you've got certain applications like Office 365, or a Salesforce or AWS that you've integrated with your identity provider via single sign on, then there's absolutely no reason why you couldn't put in place controls on those applications, um, to do a reverse proxy. So if I'm accessing those devices from, I don't know, the home share PC, and obviously it's a home share PC and I can't install anything on there. Then I, I've, I can co- I sign in to those tools using my id - identity provider via single sign on that's all authenticated.

But that application can be configured to proxy the traffic back through the SASE to say, "Hey, look, this user's logged into this application from an unmanaged machine, do we want to allow him to download any files that he wants?" And that would be really useful to say, look, that that device isn't part of the network at the moment, because it's ... doesn't have a client installed, and therefore I can't allow the exfiltration of data or sensitive data to be moved, downloaded to it, you know, and, uh, on the device that is outside the network. So there's all these different deployment methods that can be, uh, that have to be looked at and thought about to ensure that your users get access to the application and information, but you're securing the confidentiality of your, of your data.

Garrett O'Hara: [00:28:55] Mm-hmm [affirmative]. So it's, it's productivity and security. And in terms of, um, like one of the outcomes of, uh, SASE is, is this whole idea of like the performance budget of network traffic. And, and, you know, when you put it in place, so all of a sudden you get this, you know, be ... obviously you get a better performance. So you can do more things to secure the organization, whether that's DLP-

Mike Ferguson: [00:29:16] Yeah.

Garrett O'Hara: [00:29:17] ... uh, malware analysis, all of that kind of stuff. So it seems like one of those weird and very rare things where you get better performance and better security, you know, for kind of a, you know, zero ... not $0 cost, but zero cost in terms of kind of, uh, time for want of a better word, and you're not gonna annoy the end-users because they're waiting for 30 seconds for a webpage to load or their favorite cloud application. How, like, it just seems like, as you say, like this cloud utopia. How has adoption of this kind of approach gone? And it's ... and a two part question. What are the barriers for organizations not kind of going in this direction when they don't?

Mike Ferguson: [00:29:56] So SD-WAN was also trying to solve some of the problems of this, is providing a secure connectivity between multiple different locations and, you know, the, they distribute the workforce. Um, what we mean by performance budget or gaining a performance budget is if you build your SASE as, you know, as a single platform tool, and it is built on an architecture that is designed, uh, to negate the need for traversing any information across the public Internet. So, uh, you own the hardware. You put that ... your own data centers not inside of AWS and GCP, but build it your own. Put it down in the, in these big data centers as your own kit. And that allows you to manage the peering relationships with the local ISPs in, in those geographical locations. And then once they're all connected, you can also then own the peering relationships with whatever service providers are setting in those locations as well.

So everything's kind of connected at the edge to, to the users by their ISPs and to the services via the MSP peering. And then it's up to that network, that nice secure network to, eh, deliver secure and smart routing between its own different data centers and points of presence geographically, to get the traffic from your user, which may be sitting, I don't know, in the Cook Islands, uh, on holiday. It connects to the ISP, it hands it over to, uh, the local Netskope data center where your smart routing to understand where is it going geographically? It's got to go to MailChimp that's got one data center in Europe and we will ping it across Net- Netskope's infrastructure, negating the need to pop 30 times around different points of the public Internet, direct to the MSP, hand it over directly to that. And then back again. So the return time becomes much quicker.

The high availability is on us as well. And, you know, sort of struggling with, you know, um, any of that type of, you know, the public Internet. It improves it. And hopefully the return time is so much better that we can start to do some cool security stuff with it, with that performance budget. And that's where, you know, if you build this, the architecture in such a way that it is quicker and you are getting a better performance that we can go, "Okay, well, but now we actually really need to look at things like, um, DLP." We need to have a look at the APIs, the JSON strings and, uh, and, uh, and look at those activities. I needed to do, um, use, uh, anti-behavioral analytics to understand what people are doing that is risky and do risk scoring and monitoring. Um, I want to do things like web isolation in there.

So it's, we've got to build it in such a way that allows us to deliver on these extra controls because as soon as those security controls start to become a burden of pain, they, they're out and the workforce is just has a, yeah, a low tolerance for a slow performance. We know what, uh, what it's like getting good Internet. We know what it's like and bad Internet. So, yeah, that, that thing in the middle has to be, has to be smart about it.

Garrett O'Hara: [00:33:21] So I might try and simplify that, uh, for myself. So like when ... as you're describing that, in my head, what I'm thinking of is if I have five hours and that five hours is for me to go and see some friends and have a couple of beers or many beers.

Mike Ferguson: [00:33:35] Mm-hmm [affirmative]

Garrett O'Hara: [00:33:35] Then I've got an option which is get on a bus, get on a ferry, get on maybe another bus and to get to the city. And that's going to take me an hour, hour and a half. And then I've got to do that on the way back. So that's three hours. So it gives me two hours in the pub. Um, but with the SASE model, what I'm really doing is saying, actually, I'm just going to jump in an Uber, and I'm going to go straight to the pub and that's going to take me 20 minutes, eh, both sides. So that's 40 minutes, and that's going to give me, I don't know, four hours and 20 minutes by comparison, so I can get way more beers and maybe some cocktails and by chance, like a nice glass of bubbles. Um, it's that ... It's thinking that way. Right. It's just giving you more time to do more stuff than you-

Mike Ferguson: [00:34:12] E- exactly. Yeah.

Garrett O'Hara: [00:34:13] Yeah.

Mike Ferguson: [00:34:14] Um, and hopefully, because it's built within this secure platform, you're safer in that Uber as well. Your data is more secure. So not only have we done more, you are more secure. Uh, so that's exactly the, the ... what we mean by, um, gaining, uh, performance budget, uh, and trying to ... but basically just trying to improve the Internet. That's how, how it should be.

Garrett O'Hara: [00:34:38] To the, to the utopia with, with COVIDs, um, like that's been a massive, massive change for Australia, but no means obviously a huge change globally. Work from home at scale. Um, you know, the perimeter was dissolving fairly rapidly, I would say anyway. And, um, you know, the, the companies who were probably ahead of the curve, they, they realized that and were building, uh, their approach to IT and security around them. So mobile workforces, you know, not, not kind of relying too much on any sort of, uh, like location-based security for want of a better expression. Um, what are your thoughts on, you know, COVID-19, the global pandemic and how that's kind of been a catalyst for accelerating with like stuff that was probably going to happen anyway, right?

Mike Ferguson: [00:35:22] Yeah, no, it definitely has accelerated the transition, but that transition was coming anyway. But there's ... it's definitely, uh, shone a magnifying glass on some of the cracks in legacy solutions and thinking. Uh, one of those being the, uh, zero trust network access versus traditional, um, remote access VPN. So traditionally when we were working remotely, you would, uh, understand it. Sometimes 30 to 40% of your workforce may at some point sometimes want to work from home to get something done. And we would provide them with a VPN client to then access the network via a VPN concentrator. And it will expand the network out to that device so it gets a new IP, and that user can log into anything on the network. Which is a bit risky anyway, but that's just the way it was. It was a managed machine. Um, and then we started to move certain applications from that network into the infrastructure as a service world of AWS and Azure.

And then if we wanted to provide the users access to those applications when they were out there inside the network, we had to rethink it. Okay, well, do I put another VPN concentrator in AWS, a virtualized version, and then the second VPN client to access that second network when I need access to it. I imagine that if you've got lots of different networks for different applications, it starts to become slightly terrifying. Um, or I can make the app public, but that's kind of a risky option either. Or what I can do is I'll help in the users through, eh, from their device, through the VPN concentrator in the network, and then via a direct connect, uh, tunnel to the AWS instance. Allow them access to that application. So a hairpinning performance isn't great, but look, they've got access to it, let's all just take a breather. And then suddenly COVID hit. And, uh, we all had to work remotely and to gain access to certain applications, whether it's on premise or in AWS, there's a turn on that VPN client and everyone was being routed through that VPN concentrator.

It was overloading the VPN concentrator, and then that was happening back out to the infrastructure as a service. So performance was either flaky or nonexistent because those ... uh, the VPN just couldn't handle the load. And that, that's been the big problem. So, um, the VP ... Um, the zero trust network access model is again saying, okay, "I've got this blob in the middle." I know. All these technical terms.

We've got this entity, the SASE that sits in the, in the, in the center of all of my different distributed SaaS services and infrastructure as a service and my network, and all of my end-users, my remote workforce are gaining access to it and accessing it as a proxy anyway. So that's connected.

Why don't I find a way to stitch together the various networks in AWS or Azure or in your local, um, data center and connect it ... connect those different networks to this entity, this SASE entity. So they're all stitched together and the users are all accessing the cloud anyway. And then we can create logical connections to the various applications through those stitched together VPN concentrators to allow a, um, allows a zero trust model that connects those remote workers through to the right applications they need to without hairpinning anything, without exposing the whole network.

And because they aren't just accessing a single point. You know, like if you were all connecting to that VPN concentrator in the old legacy network. Well, what happens if I've got a user that works in rural, rural New South Wales or someone that works in the Cook Islands? Well, he's going to go all the way via public and can get to the VPN, the, the local HQ first. So his, his, uh, performance is inconsistent with the user's performance in Sydney. But Netskope's cloud is all over the world. So, and we've got these peering relationships with RSPs, so connected to Netskope, and Netskope stitches it together with the various networks. So performance becomes, uh, more consistent as well. And it's simplified. You have a single client proxy for, for, for VPN or zero trust network access.

So this ... the SASE ... The COVID problem of remote workers has accelerated this, uh, that's why we talk about me being very busy at the moment. But this was coming way beforehand. We're not going back to have a legacy data centers and having our own server rooms. We know that the transition is to SASE, uh, to SaaS applications, or at least having private applications housed within infrastructure as a service. It's all about finding a way to connect them in, in a new way and applying the same security stack that we always have, but to this new cloud-based utopia.

Garrett O'Hara: [00:40:58] Utopia.

Mike Ferguson: [00:40:59] There we go.

Garrett O'Hara: [00:40:59] I, I think, I think that's the phrase we- we're going to finish on. Um, I think that's a, a beautiful and poetic way to, to round up the episode. Eh, Mike, thanks so much for joining us and, and the insights. I'll have to be honest, when I was doing the research for this, SASE was one of the more confusing, um, things that I've come across. So really appreciate you kind of, yeah, simplifying it, breaking it down and, and really kind of, yeah, highlighting the, really the business outcomes at the end of the day. So I appreciate it.

Mike Ferguson: [00:41:25] No, any time. I, uh, I really appreciate the, uh, um, analogy of getting to the pub via multiple modes of transport versus the secure Uber. I will definitely be, uh, using this in the future.

Garrett O'Hara: [00:41:38] We- We'll have to do that and get the cyber badger along as well. I haven't seen that go in a while.

Mike Ferguson: [00:41:42] I agree. Absolutely.

Garrett O'Hara: [00:41:43] Awesome. Thanks Mike.

Mike Ferguson: [00:41:45] Cheers mate. Thank you very much.

Garrett O'Hara: [00:41:51] Thanks again to Fargo aka Mike Ferguson for the great conversation there. I learned a lot from that and it cleared up some of my misconceptions about SASE for sure. As always, thank you for listening to the Get Cyber Resilient podcast. We do have a great back catalog of episodes, so please have a listen to those, and I look forward to catching you on the next episode.
