SASE and Beyond | Juniper Global Summit 2022
PSA: SASE simplifies security management for network administrators
Learn how to protect your user’s connections, from core to cloud. As businesses scale and modernize their networks, data center infrastructures become complex. With more remote users and distributed sites than ever before, network security is even tougher to facilitate. This makes having a Secure Access Service Edge, better known as SASE, top of mind for many organizations that want to protect user data.
In this video from our 2022 Juniper Global Summit, Juniper’s GVP of Security Business & Strategy, Samantha Madrid, and VP, Chief Information Security Officer Drew Simonis discuss SASE and zero trust data center security, including how SASE can solve security management concerns. To uncover even more about zero trust security, check out our whitepaper on the rise of zero trust, which debunks some common myths floating around the industry.
How a shift to cloud requires an evolved strategy for securing a remote workforce
The challenges organizations face in transitioning to SASE
About SASE influence on data center strategy and zero trust architectures
Who is this for?
0:08 Hi, I'm Samantha Madrid,
0:09 Global Vice President of Security Business and Strategy here at Juniper.
0:13 Connected security has been Juniper's strategy for the past few years,
0:17 ensuring that security is pervasive throughout the network,
0:20 regardless of architecture.
0:22 Speaking of architecture,
0:24 secure access service edge is top of mind for many organizations.
0:29 Here to speak with me today about SASE, Zero Trust,
0:32 and securing the data center is Drew Simonis,
0:35 our VP and Chief Information Security Officer.
0:39 Hi, Drew.
0:39 Hi, Sam. It's good to see you today.
0:41 Yes, it's good. Welcome to Juniper.
0:42 You've been on board for a few weeks now.
0:44 Yes, a couple of months.
0:45 Oh, wow. A couple of months. Time flies.
0:46 It does.
0:48 Let's jump right in.
0:49 When we talk about SASE, we talk about cloud security,
0:52 the number one thing that customers are always asking us about
0:55 is my work from anywhere users.
0:58 How has the shift to cloud changed a strategy for customers
1:03 around securing their mobile workforce?
1:05 It's really, I think, open people's eyes to a reality that existed even before COVID.
1:11 When we looked at the metrics around
1:13 who was connecting at the office and who was a remote worker,
1:16 what we found was even before the pandemic,
1:18 the majority of users on any given day were remote.
1:21 Whether that's a traveling salesperson
1:23 or somebody visiting a customer site to support them, or a number of reasons.
1:28 People were not always as much in the office as we thought.
1:31 It really helped people understand that
1:33 they needed to provide pervasive security regardless of where the employee was,
1:38 and to embrace something like SASE as a way
1:40 to preserve the protection of the corporate systems,
1:44 even in the disconnected use case.
1:46 That makes a lot of sense because if I think about before COVID,
1:50 I was on the road maybe three out of the four weeks every single month
1:54 so that is a work from everywhere user.
1:56 That's right, and even as we return to the office,
1:59 it really isn't going to change
2:01 because people are still going to spend a significant amount of time
2:04 as a disconnected user from the corporate hub.
2:09 What does it mean for customers
2:10 because when you look at these new architectures like SASE or SSE,
2:14 which is the security being delivered directly from the cloud.
2:19 A lot of those technologies, the firewall, the proxy,
2:22 they're existing in customers' environments today on-prem.
2:26 What does this mean for them when they now have to think about
2:29 delivering those technologies from the cloud?
2:32 You have to go from a mindset of I have a location where people congregate,
2:37 and therefore I can establish a perimeter around that location.
2:40 This is a traditional security architecture
2:43 and I can place a security stack on that perimeter.
2:46 Now, with the remote user, your perimeter,
2:49 your branch offices, your hotel room, someone's living room,
2:53 and you can't afford the same type of instrumentation,
2:56 the same model of built a wall around that branch office or that remote location.
3:02 By delivering the security in the cloud,
3:05 you reach that point of intersection where everyone's crossing through,
3:08 and you're able to clean the traffic and provide a secure connection
3:12 regardless of whether they're in an airplane, or in their bedroom.
3:18 Now, as a customer, do they abandon
3:21 what they already have or I would think as you said,
3:24 it needs to follow that user, follow the device
3:27 because their smart connected device is the new gateway.
3:31 That's right, but you also have legacy.
3:34 Right. Good point.
3:35 Every enterprise is still going to have something in a data center,
3:38 whether it's a co-location or data center they manage or something like that.
3:43 The old model still needs to persist
3:45 and you need to be able to protect that
3:48 and evolve towards harmonizing that protection with the new model.
3:52 How do you provide a coherent policy framework
3:56 across the portfolio of your security controls
3:59 regardless of whether delivered on-prem or in the cloud or even on the device itself?
4:04 You want to have the ability to ensure an adequate level of protection.
4:09 You also want the simplicity of not having to manage three different estates separately.
4:16 Yes, because it doesn't really make any sense.
4:18 If you have your firewall delivered from the cloud, you have your proxy,
4:22 to me having a single sack of software that just looks at the traffic and suspects it,
4:28 validates identity, applies the appropriate policy whether I'm sitting at a cafe,
4:35 or I need access to information sitting in the data center.
4:40 That's right. The policy is very people-centric these days.
4:44 It's about what enables work and what workload is being enabled for that employee
4:50 more so than the location, I think, is what we really should aspire to.
4:54 It makes sense. What would you say, in your experience,
4:57 the toughest challenge in getting there for organizations?
5:00 In some ways, it's recognizing what the future's going to look like.
5:04 There's a lot of competing visions,
5:07 whether it's a cloud-only, a cloud-first, a legacy-only.
5:12 I think people need to begin to understand what they aspire to
5:16 before they can really start designing how to get to that future location.
5:21 The other thing is getting through the noise.
5:27 Even a model like zero trust is still a concept
5:31 more than it is a concrete architecture for a lot of companies.
5:35 There's so many different versions of these implementations.
5:39 We have to learn which patterns apply to which problems.
5:45 There's growing pains,
5:47 and those will need to be worked through
5:49 before people can begin to adopt these things in a large scale.
5:53 Right now, the very big, very capable companies
5:56 who have the resources to work through those growing pains are leading the way.
6:01 Then I think the fast followers amongst them
6:04 will know where to go with a little more clarity.
6:08 I love working through the concept of knowing
6:12 where you want to be and then working towards that.
6:16 Then through there, working through those growing pains,
6:18 as you were just talking about, to me, that's all about experience.
6:22 It's about revolutionizing the experience.
6:25 It's taking a very experience-first approach.
6:29 What are some things that customers should think about,
6:32 partners should think about,
6:34 in the context of experience-first when you're making that shift to the cloud,
6:40 both for the organization and for the user?
6:46 Cloud is an experience model.
6:49 It's much more than a technology model.
6:51 It's, what does that feel like for the end-user who's accessing those resources?
6:57 That mindset, I think, has to be pervasive.
6:59 It's a user design focus of,
7:03 how do I want my employees to be interacting with technology
7:07 in a way that enables them to be productive?
7:09 Particularly in the talent war that we have these days,
7:13 you don't want your employee to come in and have to struggle to be productive.
7:18 You don't want them to have to be burdened by a heavy security barrier,
7:23 or even a difficult-to-access technology stack.
7:26 It's about thinking that through from a productivity perspective,
7:32 from a simplicity perspective,
7:34 and working back from that to say,
7:35 how would I enable my employee to have that kind of a day
7:39 and to be that protected and to be that productive?
7:43 What are the things I have to put in place to make that happen?
7:46 Then how do I manage that in a way that it's sustainable?
7:50 You also have to think about it from the administrative experience of
7:53 what's easy for the technology administrator
7:56 to be able to produce that experience for the end-user.
7:59 It's a multifaceted view, but you have to think about it with that--
8:04 when someone's touching a keyboard, what is their day like?
8:08 I like that you simplified it upfront by saying the cloud is about experience,
8:13 and so this shift to cloud is ever so important if you're really driving to that end goal.
8:19 That's right.
8:21 You mentioned something in one of your earlier comments
8:24 about the data center and zero trust.
8:26 How do you think SASE influences the data center,
8:30 data center strategy, zero trust architectures, if at all?
8:35 Well, it harmonizes the controls.
8:38 It gives you a consistent way to apply the protections
8:42 that are going to support that zero trust.
8:44 Zero trust doesn't mean no security,
8:47 it means I want to take a decision about the access that
8:51 it individually is trying to create at the moment that they're trying to create it.
8:56 I want be informed about a number of dimensions about that person,
9:00 about the workload, about the security demands of that intersection.
9:06 I want to be able to apply controls appropriately and simply.
9:11 SASE gives me that ability to have
9:13 a ubiquitous control layer that follows that interaction,
9:17 whether it's coming back into a VPN for a non-preliminary resource,
9:21 or whether it's going out to the cloud for something
9:23 in one of the majors or hitting a colocation.
9:27 It gives me that universal
9:29 and readily-available consistent way to apply controls.
9:33 I love that.
9:34 That was the genesis of connected security
9:39 when I joined and we brought this strategy to market.
9:42 It's about bringing security to every point of connection, as you said, right?
9:46 You can safeguard your users, your applications, and your infrastructure.
9:50 I think, a lot of times, with these newer architectures
9:53 and whether it be the evolution of zero trust or the SASE architecture,
9:59 sometimes we keep it confined to the traditional security technologies
10:05 and we forget that when you infiltrate a network,
10:11 you'll bypass those traditional sometimes security technologies.
10:16 If your routers are smarter, or your switches are smarter,
10:19 your access points can detect behavioral abnormalities, then it's more secure.
10:26 Well, that's right. It's like everything else.
10:30 With shift-left mentality,
10:32 the earlier in the process you can detect the abnormality and address it,
10:35 the cheaper it is and the more effective it is.
10:38 You can wait and get an identity-based attack
10:41 when somebody's logging into an application
10:43 and you see all sorts of strange behaviors there,
10:48 or maybe your network understands the difference between that person
10:51 who connected a few minutes ago from Sunnyvale
10:55 and is now connecting from some location that's very far away from Sunnyvale.
11:01 That IP-based traffic can give you insights into abnormalities
11:05 that you can interact with much more quickly and much more effectively,
11:09 and begin to isolate that traffic.
11:11 The smarter the network is,
11:13 the less chances there are for attacks to move up the stack.
11:17 Completely agree. I think a big thing that you just touched on is identity.
11:22 I think, from as far back as I can remember,
11:26 for going on -plus years now, we heard a lot about social engineering.
11:32 That still remain, at least correct me if I'm wrong,
11:34 you see this day in and day out but it feels like
11:36 that's still the main effective method for infiltrating an organization.
11:43 Doing so from stealing someone's identity
11:46 going into the organization and spoofing who they are.
11:50 That's right. That's the basis of most phishing attacks.
11:55 It's a shame that still people are very willing to participate in those kinds of attacks.
12:00 They don't even know.
12:02 It's getting harder for them to tell.
12:05 The recent attacks have made phishing in all the training that we've done
12:10 irrelevant because they have discovered new ways
12:13 to attack the end-user in a way that training didn't anticipate.
12:17 We've got to play that cat and mouse game and constantly be retraining people.
12:21 We also have to recognize that they have a limited amount of bandwidth.
12:25 We can't have security take more of their attention than doing their own job.
12:30 Sometimes it feels that way to people.
12:32 Well, it's funny. Though you're not funny.
12:35 Your organization did a test and does periodic tests for everybody.
12:40 I saw an email come through, and I'm like, "This doesn't look right." I just ignored it.
12:45 Then another came through, and it wasn't a test, and I ignored it again.
12:49 Then finally, I thought it was fake, phishing,
12:52 and then someone pinged me and was just like,
12:54 "We actually need you to go and we approve something."
12:58 I'm like, "Oh, I ignored it."
13:01 I asked. I'm like, "Is this actually real?
13:04 "I think that's a big thing.
13:05 People have to be a little bit more hyper-aware.
13:07 Yes, back to that user experience.
13:09 We can't design business processes that look like phishing,
13:12 or else we're going to get more phishing that looks like business processes.
13:15 That's so smart.
13:16 One more question for you is, just in general,
13:21 not even talking about SASE or zero trust per se,
13:27 but what would you say are the number one thing aside from experience,
13:33 because we talked about that a lot,
13:34 that is anybody sitting in your seat as a CISO in their organization,
13:39 what's the number one best practice or lesson learned,
13:42 from your perspective, that they should guide their team on in willing to adopt cloud?
13:50 I guess if I were to give it the number one is that
13:56 the world isn't going to work as you expect it to.
13:59 Regardless of what technology you adopt or what model you try to apply,
14:03 it's not going to be like it is in the textbook.
14:06 You ve got to have the mentality of adaptability.
14:09 You ve got to go into it with a We're going to get part of the way there,
14:13 and we're probably going to have to make a turn.
14:16 We're going to make mistakes along the way," because these things are evolving.
14:19 The attackers force that evolution.
14:22 They pick where we have decided to strengthen to avoid,
14:26 and they choose to attack where we have decided to maybe not prioritize.
14:31 As we adopt more controls,
14:33 they move in different directions
14:35 and that forces us to abandon or adjust our strategy.
14:41 All these things are multi-year initiatives like zero trust or anything like that.
14:46 It's easy to get that fixation on the target and say, "You know what?
14:49 I'm going to spend the next two years adopting a zero trust model."
14:52 You have to realize that during that time,
14:54 the attacker is adapting to what you're doing.
14:56 You can't get locked on the goal without the ability
15:01 to pivot and adjust your course based on how attackers are adjusting.
15:06 I love that. Adaptability.
15:07 They're adapting to us so we have to adapt to them.
15:10 We have to understand that and do that. Yep.
15:12 Thank you very much for joining me today. Thank you. I've enjoyed it tremendously.
15:15 I loved it.
15:16 Welcome to Juniper.
15:17 Thank you very much.