SASE and Beyond | Juniper Global Summit 2022

0:01 [Music]

0:08 Hi, I'm Samantha Madrid,

0:09 Global Vice President of Security Business and Strategy here at Juniper.

0:13 Connected security has been Juniper's strategy for the past few years,

0:17 ensuring that security is pervasive throughout the network,

0:20 regardless of architecture.

0:22 Speaking of architecture,

0:24 secure access service edge is top of mind for many organizations.

0:29 Here to speak with me today about SASE, Zero Trust,

0:32 and securing the data center is Drew Simonis,

0:35 our VP and Chief Information Security Officer.

0:39 Hi, Drew.

0:39 Hi, Sam. It's good to see you today.

0:41 Yes, it's good. Welcome to Juniper.

0:42 You've been on board for a few weeks now.

0:44 Yes, a couple of months.

0:45 Oh, wow. A couple of months. Time flies.

0:46 It does.

0:48 Let's jump right in.

0:49 When we talk about SASE, we talk about cloud security,

0:52 the number one thing that customers are always asking us about

0:55 is my work from anywhere users.

0:58 How has the shift to cloud changed a strategy for customers

1:03 around securing their mobile workforce?

1:05 It's really, I think, open people's eyes to a reality that existed even before COVID.

1:11 When we looked at the metrics around

1:13 who was connecting at the office and who was a remote worker,

1:16 what we found was even before the pandemic,

1:18 the majority of users on any given day were remote.

1:21 Whether that's a traveling salesperson

1:23 or somebody visiting a customer site to support them, or a number of reasons.

1:28 People were not always as much in the office as we thought.

1:31 It really helped people understand that

1:33 they needed to provide pervasive security regardless of where the employee was,

1:38 and to embrace something like SASE as a way

1:40 to preserve the protection of the corporate systems,

1:44 even in the disconnected use case.

1:46 That makes a lot of sense because if I think about before COVID,

1:50 I was on the road maybe three out of the four weeks every single month

1:54 so that is a work from everywhere user.

1:56 That's right, and even as we return to the office,

1:59 it really isn't going to change

2:01 because people are still going to spend a significant amount of time

2:04 as a disconnected user from the corporate hub.

2:09 What does it mean for customers

2:10 because when you look at these new architectures like SASE or SSE,

2:14 which is the security being delivered directly from the cloud.

2:19 A lot of those technologies, the firewall, the proxy,

2:22 they're existing in customers' environments today on-prem.

2:26 What does this mean for them when they now have to think about

2:29 delivering those technologies from the cloud?

2:32 You have to go from a mindset of I have a location where people congregate,

2:37 and therefore I can establish a perimeter around that location.

2:40 This is a traditional security architecture

2:43 and I can place a security stack on that perimeter.

2:46 Now, with the remote user, your perimeter,

2:49 your branch offices, your hotel room, someone's living room,

2:53 and you can't afford the same type of instrumentation,

2:56 the same model of built a wall around that branch office or that remote location.

3:02 By delivering the security in the cloud,

3:05 you reach that point of intersection where everyone's crossing through,

3:08 and you're able to clean the traffic and provide a secure connection

3:12 regardless of whether they're in an airplane, or in their bedroom.

3:18 Now, as a customer, do they abandon

3:21 what they already have or I would think as you said,

3:24 it needs to follow that user, follow the device

3:27 because their smart connected device is the new gateway.

3:31 That's right, but you also have legacy.

3:34 Right. Good point.

3:35 Every enterprise is still going to have something in a data center,

3:38 whether it's a co-location or data center they manage or something like that.

3:43 The old model still needs to persist

3:45 and you need to be able to protect that

3:48 and evolve towards harmonizing that protection with the new model.

3:52 How do you provide a coherent policy framework

3:56 across the portfolio of your security controls

3:59 regardless of whether delivered on-prem or in the cloud or even on the device itself?

4:04 You want to have the ability to ensure an adequate level of protection.

4:09 You also want the simplicity of not having to manage three different estates separately.

4:16 Yes, because it doesn't really make any sense.

4:18 If you have your firewall delivered from the cloud, you have your proxy,

4:22 to me having a single sack of software that just looks at the traffic and suspects it,

4:28 validates identity, applies the appropriate policy whether I'm sitting at a cafe,

4:35 or I need access to information sitting in the data center.

4:40 That's right. The policy is very people-centric these days.

4:44 It's about what enables work and what workload is being enabled for that employee

4:50 more so than the location, I think, is what we really should aspire to.

4:54 It makes sense. What would you say, in your experience,

4:57 the toughest challenge in getting there for organizations?

5:00 In some ways, it's recognizing what the future's going to look like.

5:04 There's a lot of competing visions,

5:07 whether it's a cloud-only, a cloud-first, a legacy-only.

5:12 I think people need to begin to understand what they aspire to

5:16 before they can really start designing how to get to that future location.

5:21 The other thing is getting through the noise.

5:27 Even a model like zero trust is still a concept

5:31 more than it is a concrete architecture for a lot of companies.

5:35 There's so many different versions of these implementations.

5:39 We have to learn which patterns apply to which problems.

5:45 There's growing pains,

5:47 and those will need to be worked through

5:49 before people can begin to adopt these things in a large scale.

5:53 Right now, the very big, very capable companies

5:56 who have the resources to work through those growing pains are leading the way.

6:01 Then I think the fast followers amongst them

6:04 will know where to go with a little more clarity.

6:08 I love working through the concept of knowing

6:12 where you want to be and then working towards that.

6:16 Then through there, working through those growing pains,

6:18 as you were just talking about, to me, that's all about experience.

6:22 It's about revolutionizing the experience.

6:25 It's taking a very experience-first approach.

6:29 What are some things that customers should think about,

6:32 partners should think about,

6:34 in the context of experience-first when you're making that shift to the cloud,

6:40 both for the organization and for the user?

6:46 Cloud is an experience model.

6:49 It's much more than a technology model.

6:51 It's, what does that feel like for the end-user who's accessing those resources?

6:57 That mindset, I think, has to be pervasive.

6:59 It's a user design focus of,

7:03 how do I want my employees to be interacting with technology

7:07 in a way that enables them to be productive?

7:09 Particularly in the talent war that we have these days,

7:13 you don't want your employee to come in and have to struggle to be productive.

7:18 You don't want them to have to be burdened by a heavy security barrier,

7:23 or even a difficult-to-access technology stack.

7:26 It's about thinking that through from a productivity perspective,

7:32 from a simplicity perspective,

7:34 and working back from that to say,

7:35 how would I enable my employee to have that kind of a day

7:39 and to be that protected and to be that productive?

7:43 What are the things I have to put in place to make that happen?

7:46 Then how do I manage that in a way that it's sustainable?

7:50 You also have to think about it from the administrative experience of

7:53 what's easy for the technology administrator

7:56 to be able to produce that experience for the end-user.

7:59 It's a multifaceted view, but you have to think about it with that--

8:04 when someone's touching a keyboard, what is their day like?

8:08 I like that you simplified it upfront by saying the cloud is about experience,

8:13 and so this shift to cloud is ever so important if you're really driving to that end goal.

8:19 That's right.

8:21 You mentioned something in one of your earlier comments

8:24 about the data center and zero trust.

8:26 How do you think SASE influences the data center,

8:30 data center strategy, zero trust architectures, if at all?

8:35 Well, it harmonizes the controls.

8:38 It gives you a consistent way to apply the protections

8:42 that are going to support that zero trust.

8:44 Zero trust doesn't mean no security,

8:47 it means I want to take a decision about the access that

8:51 it individually is trying to create at the moment that they're trying to create it.

8:56 I want be informed about a number of dimensions about that person,

9:00 about the workload, about the security demands of that intersection.

9:06 I want to be able to apply controls appropriately and simply.

9:11 SASE gives me that ability to have

9:13 a ubiquitous control layer that follows that interaction,

9:17 whether it's coming back into a VPN for a non-preliminary resource,

9:21 or whether it's going out to the cloud for something

9:23 in one of the majors or hitting a colocation.

9:27 It gives me that universal

9:29 and readily-available consistent way to apply controls.

9:33 I love that.

9:34 That was the genesis of connected security

9:39 when I joined and we brought this strategy to market.

9:42 It's about bringing security to every point of connection, as you said, right?

9:46 You can safeguard your users, your applications, and your infrastructure.

9:50 I think, a lot of times, with these newer architectures

9:53 and whether it be the evolution of zero trust or the SASE architecture,

9:59 sometimes we keep it confined to the traditional security technologies

10:05 and we forget that when you infiltrate a network,

10:11 you'll bypass those traditional sometimes security technologies.

10:16 If your routers are smarter, or your switches are smarter,

10:19 your access points can detect behavioral abnormalities, then it's more secure.

10:26 Well, that's right. It's like everything else.

10:30 With shift-left mentality,

10:32 the earlier in the process you can detect the abnormality and address it,

10:35 the cheaper it is and the more effective it is.

10:38 You can wait and get an identity-based attack

10:41 when somebody's logging into an application

10:43 and you see all sorts of strange behaviors there,

10:48 or maybe your network understands the difference between that person

10:51 who connected a few minutes ago from Sunnyvale

10:55 and is now connecting from some location that's very far away from Sunnyvale.

11:01 That IP-based traffic can give you insights into abnormalities

11:05 that you can interact with much more quickly and much more effectively,

11:09 and begin to isolate that traffic.

11:11 The smarter the network is,

11:13 the less chances there are for attacks to move up the stack.

11:17 Completely agree. I think a big thing that you just touched on is identity.

11:22 I think, from as far back as I can remember,

11:26 for going on -plus years now, we heard a lot about social engineering.

11:32 That still remain, at least correct me if I'm wrong,

11:34 you see this day in and day out but it feels like

11:36 that's still the main effective method for infiltrating an organization.

11:43 Doing so from stealing someone's identity

11:46 going into the organization and spoofing who they are.

11:50 That's right. That's the basis of most phishing attacks.

11:55 It's a shame that still people are very willing to participate in those kinds of attacks.

12:00 They don't even know.

12:02 It's getting harder for them to tell.

12:05 The recent attacks have made phishing in all the training that we've done

12:10 irrelevant because they have discovered new ways

12:13 to attack the end-user in a way that training didn't anticipate.

12:17 We've got to play that cat and mouse game and constantly be retraining people.

12:21 We also have to recognize that they have a limited amount of bandwidth.

12:25 We can't have security take more of their attention than doing their own job.

12:30 Sometimes it feels that way to people.

12:32 Well, it's funny. Though you're not funny.

12:35 Your organization did a test and does periodic tests for everybody.

12:40 I saw an email come through, and I'm like, "This doesn't look right." I just ignored it.

12:45 Then another came through, and it wasn't a test, and I ignored it again.

12:49 Then finally, I thought it was fake, phishing,

12:52 and then someone pinged me and was just like,

12:54 "We actually need you to go and we approve something."

12:58 I'm like, "Oh, I ignored it."

13:01 I asked. I'm like, "Is this actually real?

13:04 "I think that's a big thing.

13:05 People have to be a little bit more hyper-aware.

13:07 Yes, back to that user experience.

13:09 We can't design business processes that look like phishing,

13:12 or else we're going to get more phishing that looks like business processes.

13:15 That's so smart.

13:16 One more question for you is, just in general,

13:21 not even talking about SASE or zero trust per se,

13:27 but what would you say are the number one thing aside from experience,

13:33 because we talked about that a lot,

13:34 that is anybody sitting in your seat as a CISO in their organization,

13:39 what's the number one best practice or lesson learned,

13:42 from your perspective, that they should guide their team on in willing to adopt cloud?

13:50 I guess if I were to give it the number one is that

13:56 the world isn't going to work as you expect it to.

13:59 Regardless of what technology you adopt or what model you try to apply,

14:03 it's not going to be like it is in the textbook.

14:06 You ve got to have the mentality of adaptability.

14:09 You ve got to go into it with a We're going to get part of the way there,

14:13 and we're probably going to have to make a turn.

14:16 We're going to make mistakes along the way," because these things are evolving.

14:19 The attackers force that evolution.

14:22 They pick where we have decided to strengthen to avoid,

14:26 and they choose to attack where we have decided to maybe not prioritize.

14:31 As we adopt more controls,

14:33 they move in different directions

14:35 and that forces us to abandon or adjust our strategy.

14:41 All these things are multi-year initiatives like zero trust or anything like that.

14:46 It's easy to get that fixation on the target and say, "You know what?

14:49 I'm going to spend the next two years adopting a zero trust model."

14:52 You have to realize that during that time,

14:54 the attacker is adapting to what you're doing.

14:56 You can't get locked on the goal without the ability

15:01 to pivot and adjust your course based on how attackers are adjusting.

15:06 I love that. Adaptability.

15:07 They're adapting to us so we have to adapt to them.

15:10 We have to understand that and do that. Yep.

15:12 Exactly.

15:12 Thank you very much for joining me today. Thank you. I've enjoyed it tremendously.

15:15 I loved it.

15:16 Welcome to Juniper.

15:17 Thank you very much.