What happens when a three-year-old laptop, long forgotten, quietly reconnects to your network? It sounds like a harmless scenario—until it isn't.
In today’s digital landscape, what we forget can hurt us. Join Max Clark and guest Alexey Goncharov of Cepheid as they dive into the overlooked blind spots in enterprise security: legacy access points, directory misalignments, and the burnout cycle of patching outdated infrastructure. You’ll hear true stories from the trenches and learn why leading IT teams are adopting identity-first approaches and VPN-less architectures—even if no one’s calling it Zero Trust out loud.
Tune in now before your “forgotten devices” become your biggest threat!
[00:00:00] Max Clark: I do need to get another light over here. I need to get some kind of, um, to find like a key light or something. Not a, I mean, I guess, I guess technically this is the key light, which for some reason is pointed in the wrong direction right now.
Really probably what I should do is mount and hang something from my ceiling, which should be really nice to be not permanent, just like, you know, over my desk.
[00:00:25] Alexey Goncharov: Yeah, I have only, uh, two lights over here and on my back, and in about two hours, the light on my tank, I have a fi big fish tank
[00:00:37] Max Clark: How big,
[00:00:38] Alexey Goncharov: on my, uh, it's, uh, 70 gallons,
[00:00:41] Max Clark: fresh water or salt,
[00:00:42] Alexey Goncharov: uh, fresh.
[00:00:43] Max Clark: what do you have in it?
[00:00:45] Alexey Goncharov: Oh, I have plenty of, it's primarily my daughter, my daughter's hobby. She takes care of it and I just enjoy it
[00:00:53] Max Clark: 70.
[00:00:54] Alexey Goncharov: her time to time to change water in it.
[00:00:56] Max Clark: I mean 70 gallons is a good sized tank.
[00:00:59] Alexey Goncharov: 70. [00:01:00] Yeah.
[00:01:00] Max Clark: It's a good sized tank.
[00:01:01] Alexey Goncharov: Yeah, It's like,
[00:01:03] Max Clark: Yeah,
[00:01:04] Alexey Goncharov: and uh, uh, close to about three, four feet
[00:01:10] Max Clark: yeah, my,
[00:01:12] Alexey Goncharov: long.
[00:01:13] Max Clark: the fish are fun. I, uh, you know, we, we would, I mean, growing up we would just like go to the beach and just come back with buckets of stuff like, you know, like hermit crabs and
[00:01:23] Alexey Goncharov: Mm-hmm.
[00:01:25] Max Clark: and, and would just end up filling it. We had some like 40 or 50 gallon tank that we would just fill up, and then of course everything would just die because, you know, it wasn't being like, cared for or circulated.
There wasn't salt. I mean, it wasn't like fresh water. There was nothing. It was just like we had a, a giant like aquarium that we'd like fill as kids with stuff, you know? I mean, looking back on it, thinking about it, it's pretty morbid, but you know, at the time it was pretty fun.
[00:01:48] Alexey Goncharov: I'm lucky. My, my daughter takes care of it. And, uh, she also has another five tanks across the house, including the small tank.
[00:01:58] Max Clark: Wow.
[00:01:59] Alexey Goncharov: Yeah. [00:02:00]
[00:02:01] Max Clark: This is a serious, this is a serious thing.
[00:02:03] Alexey Goncharov: Uh, yeah, she, she loves it.
[00:02:06] Max Clark: Yeah. We, uh, you know, like we, I'm just, I was just like, I mean, I have space. Oh, my headset does not like when I turn my head that way. Do I have, do I have another clip here? Hold on a second. Lemme see.
[00:02:19] Alexey Goncharov: You can put a big tank just behind your back.
[00:02:24] Max Clark: I mean, I have a nice credenza over here that's just outside of this camera frame right now. I could get a tank in. The problem with that is, um, I know what it takes to take care of it and the temperature fluctuation in this house.
[00:02:39] Alexey Goncharov: Oh, not really. It depends how much you're going to invest.
[00:02:44] Max Clark: Yeah.
[00:02:44] Alexey Goncharov: Because we bought, uh, so we bought the automatic filtration, automatic the sensor, automatic light. Everything is automated through the web application.
[00:02:56] Max Clark: Oh, okay.
[00:02:57] Alexey Goncharov: So I have mobile application and just [00:03:00] once a month we just need to change a little bit, water, change a little bit, other stuff.
And, uh, once a month clean filter. That's it
[00:03:09] Max Clark: feeding for you as well?
[00:03:11] Alexey Goncharov: Uh, no,
[00:03:12] Max Clark: See, that's
[00:03:13] Alexey Goncharov: that is, that is the next step. But it's possible. It's possible. Everything else. The CO2, the filtration, the, uh, lighting, the, everything is fully automated, so,
[00:03:28] Max Clark: way more sophisticated than when I was a kid dealing with this stuff, you know?
[00:03:31] Alexey Goncharov: or
[00:03:33] Max Clark: we were, we were there, we were there with like pH strips, you know, even like sticking the pH strip into
[00:03:37] Alexey Goncharov: yeah. Yeah.
[00:03:37] Max Clark: trying to make sure and. And then, and then something would change and then like, everything would die.
And then you'd spend time trying to figure out like what just happened to the tank? What, what, what, you know? And, uh, I mean, that was, that was something else.
[00:03:50] Alexey Goncharov: We used to have a salt water tank with a lot of, uh, sea fish, some corals. Uh,
[00:03:59] Max Clark: mm-hmm.[00:04:00]
[00:04:01] Alexey Goncharov: one time it was a disaster in California. You remember when in our area we had no electricity for three days
[00:04:08] Max Clark: Oh, that, that's it. No more?
[00:04:12] Alexey Goncharov: and we were doing the manuals and batteries. No,
[00:04:16] Max Clark: no.
[00:04:17] Alexey Goncharov: 90% of the investment. It Just,
gone.
[00:04:21] Max Clark: yeah. No, it's, you can't, that's, that sucks. Um, I love, I love salt water tanks. Um, it, but I, they are, they're so hard to keep going. Like you just, you.
[00:04:34] Alexey Goncharov: small.
[00:04:35] Max Clark: Yeah, I
[00:04:36] Alexey Goncharov: Yeah.
[00:04:37] Max Clark: mean, what, what size, I mean, you think you probably have to be over a hundred gallons before you have enough
[00:04:42] Alexey Goncharov: We had no, we had much smaller, it was about maybe 40, 50 gallons.
[00:04:49] Max Clark: See, 40, 50 gallons. I mean, you can, you can throw that off. I mean, I was saying over a hundred gallons, you kind of have a fighting chance because it takes, you know,
[00:04:56] Alexey Goncharov: Yep,
[00:04:57] Max Clark: you know, you can do a [00:05:00] little bit more with it before it
[00:05:01] Alexey Goncharov: yep, yep,
[00:05:02] Max Clark: on you.
[00:05:03] Alexey Goncharov: yep. But the, we, the smaller tank, uh, aquarium, you have more maintenance is required for that tank. That is the lesson learned.
[00:05:16] Max Clark: We also, um, we also are gone for, for a long time and, you know, long strips of time, you know,
[00:05:23] Alexey Goncharov: Yep.
[00:05:24] Max Clark: with our family in Los Angeles, it's not weird for us to be gone for eight weeks in the summer. So it becomes this thing where like. If I had a tank, I have to have somebody coming in and taking care of the tank, you know, so it's just,
[00:05:36] Alexey Goncharov: Yeah. Yeah. Yeah.
[00:05:37] Max Clark: we have a, my wife rescued a dog, um, uh, a a little bit before we met, so she's actually asleep over here in my office.
Um, we think she's 17 years old right now, but She's
[00:05:50] Alexey Goncharov: Wow.
[00:05:50] Max Clark: this little nine pound dog. And, and even, I mean, you know, and like now she's, she's deaf. She's, she has no hearing whatsoever
[00:05:59] Alexey Goncharov: Mm-hmm.
[00:05:59] Max Clark: been in [00:06:00] diapers now for the last, like, almost six to eight months maybe. Actually no longer than that.
Um, almost a year maybe. You know, she's completely, like, it's weird when the dog loses hearing they go, they revert back to being completely feral. Like effectively. 'cause there's no voice control.
[00:06:17] Alexey Goncharov: No disturbance. Yeah.
[00:06:18] Max Clark: no, you can't, you can't, you know, like, she'll be up on the table like eating leftovers from our kids that left their plates on the table and you can't be like, get off the table because she can't hear you.
So she's just like, oh yeah, I can just do this now. You know, no big deal. Right? So.
[00:06:30] Alexey Goncharov: Nobody stops me.
[00:06:32] Max Clark: it's, it's crazy. It's this whole funny thing, but, you know, she's a sweetheart. We're, um, you know, I, I, uh, you know, of course it's become this joke of like, our, our boys are finally are, you know, are six and eight. So our boys are old enough that they're, we finished with diapers with them.
We finished them with diapers, and then the dog got diapers and we're like, it's just, how do you, how does this work out this way?
[00:06:54] Alexey Goncharov: Yeah, we used to have, uh, Yorkie
[00:06:57] Max Clark: Cute dogs.
[00:06:58] Alexey Goncharov: for 15 years [00:07:00] before he passed away. Yeah.
[00:07:03] Max Clark: it's, it's, uh,
[00:07:06] Alexey Goncharov: My kids don't remember the time when we had no dogs or no animals.
[00:07:11] Max Clark: yeah,
[00:07:12] Alexey Goncharov: before that we, uh, we had a cat for, and then we've got dog. So dog and cat, they were with us, uh, for 15 years.
[00:07:23] Max Clark: I was really, you know, I. There was a point where I didn't think that the boys would be old enough to remember her, but now of course it's six and eight, they're
[00:07:32] Alexey Goncharov: Oh yeah. Yeah. They do.
[00:07:34] Max Clark: but she's, she's gotten the point where she's not like, really? Um, I don't wanna say that she's standoffish. It's, it's, she's like always around us, but she's not like, you know, she's not like a giant golden retriever that's trying to lick them for their faces all
[00:07:47] Alexey Goncharov: Mm-hmm.
[00:07:48] Max Clark: They're like, you, you know? So it's, um, you know, they'll, they'll know her and remember her, but like, I, I'm kind of curious what their memory of her will be in the future. I mean, now she, I mean, you know, like, she's living the great life. I mean, she [00:08:00] sleeps in my office like the entire day.
You know, I'll leave, I'll leave and we can't find her. And she's still in the office, just asleep in the dog bed.
[00:08:06] Alexey Goncharov: Mm-hmm.
[00:08:07] Max Clark: 'cause you know, again, she can't hear, so she doesn't know that you've left the room. So it's just this really horrible, funny thing. Anyways,
[00:08:14] Alexey Goncharov: Yeah. Three years ago we've got another dog. No.
[00:08:18] Max Clark: I, uh, um, my wife and I have been talking about it.
I mean, she's, she, this, this, she's probably gonna make it to like 25 at this pace, but. Um, we're gonna enjoy like a no animal house for a little while, I think afterwards, just because the amount of work with her being, you know, she's gonna be deaf, she'll be blind. She's probably gonna completely senile pretty soon,
[00:08:37] Alexey Goncharov: Hmm.
[00:08:38] Max Clark: you know, diapers.
We'll, we'll, it'll be good for us to like, have a little gap.
[00:08:43] Alexey Goncharov: Yeah, we had a break for about one and a half, two years, and then kids ask us, oh, can we get another dog?
[00:08:50] Max Clark: Yeah. You're like, you're like, ah. Okay.
[00:08:55] Alexey Goncharov: Yeah.
[00:08:58] Max Clark: Um, well, [00:09:00] we should get going here. Let's see here. Um, I, I'm, I was thinking about like where I wanted to start and what I wanted to ask you about and, um, I, I, I think, Alexey, I think the, the, where I wanna start is more around dispelling fact from fiction as it comes to marketing with SSE platforms.
[00:09:24] Alexey Goncharov: Mm-hmm.
[00:09:26] Max Clark: And, and, let me, let me, actually, that's a little disjointed, but lemme try to clarify this a little bit and, and start with a question that can be
[00:09:32] Alexey Goncharov: Mm-hmm.
[00:09:34] Max Clark: SSE has become this giant, like acronym soup of things where, where providers are just throwing everything they can think of into the SASE acronym, right? And you, you originally had this SSE function and they added SD-WAN. So now you have SD-WAN plus, um, SSE, and then you have Secure Web Gateway and RBI, um, ZTNA and CASB and
[00:09:56] Alexey Goncharov: Mm-hmm.
[00:09:56] Max Clark: you know, it's like every day we get a new acronym that that gets, that gets plowed [00:10:00] into the SASE platform. What I'm always looking for and most interested in is not the acronyms that get thrown at us from the providers, but how the enterprises actually implement this technology and what problems they're solving.
And, and the first one on the list that, that, um, you brought up earlier was ZTNA zero trust.
[00:10:21] Alexey Goncharov: Mm-hmm.
[00:10:22] Max Clark: From an architecture standpoint within the enterprise, um, how has the change from, let's call it like legacy VPN remote access solutions, to a platform that has ZTNA and Zero Trust implemented inside of it.
What change and what shift does that create and how does, how does that can get communicated back into the enterprise from an end user standpoint and from a, you know, non-technical executive standpoint of like, this is good. We want this, this is gonna solve these problems.
[00:10:55] Alexey Goncharov: Uh,
the [00:11:00] implementation of the SASE, it's, that was just the first step.
[00:11:04] Max Clark: Mm-hmm.
[00:11:04] Alexey Goncharov: I never did it before. Uh, of course I had experience implementing VPNs, uh, in my previous companies. It was very common. The biggest challenge with the, uh, VPN, you have to maintain your gateways where your customers are. To make sure that the, the gateway is close to your customer for connection, for faster connection to your line environment.
Uh, with SSE it's all over the places, right? Uh, in our environment, it's a feed. We had, uh, three VPN gateways in North America, in, uh, Europe and in Asia Pacific. Uh, but certain connectivity, for example, uh, in China, we used to have, uh, VPN gateway [00:12:00] connecting through our gateway in North America instead of Asia Pacific.
[00:12:09] Max Clark: But this is, that's, I mean,
[00:12:11] Alexey Goncharov: That means the, the, we address the performance issue first.
[00:12:18] Max Clark: Okay, but this is, this is also like this idea of, um, uh, I mean, I'll just go ahead and lean into all the marketing terminology that I hate, right? Like this idea of like on-prem to cloud, uh, cloud applications or on-prem to SaaS applications. And you know, so in on-prem environments, you typically saw like hub and spoke network architectures.
[00:12:38] Alexey Goncharov: Mm-hmm.
[00:12:38] Max Clark: a central location. And then like lots of satellite locations are central and, and like DR. Location, you know, some sort of like primary sites. And, and so then VPNs got deployed inside of those that's where the resources were.
[00:12:51] Alexey Goncharov: Mm-hmm.
[00:12:51] Max Clark: move into cloud applications or SaaS applications, but that doesn't completely eradicate all the on-premise needs.
Like you still haven't, I what you like [00:13:00] your on-prem changes. It's, it could be a VPC in AWS or an Azure tenant or a GCP tenant, or maybe it's still a data center, right? Like,
[00:13:08] Alexey Goncharov: Mm-hmm.
[00:13:09] Max Clark: but you know, so within the SASE platform, you're still accessing those resources. They're just. You're shifting where the VPN connection changes to, I mean, I,
[00:13:21] Alexey Goncharov: Mm-hmm.
And, uh, with VPN it introduces different level of complexity. Uh, in terms of how do you connect, for example, your IDP to your VPN solution. Let's say you have your on-prem environment, you have your firewall, let's say Palo Alto. Very good firewall by the way. Um, you set it up how to authenticate user.
It's in your on-prem environment. The easiest [00:14:00] way is to connect to your IDP, whereas your IDP, IDP is your Active Directory.
[00:14:05] Max Clark: Mm-hmm.
[00:14:06] Alexey Goncharov: So the connectivity is established with on-prem environment, therefore, the user connecting remotely is authenticated through the call. To Active Directory domain controller with SSE, uh, it creates additional overhead if you want to connect your SASE provider to your on-prem environment, to your domain controllers.
So with that, you have the opportunity to modernize it, to switch from your on-prem environment to your cloud identity. And that was the first step. We, uh, first thing we did, uh, to establish the connectivity between reliable connectivity between SSE platform and our [00:15:00] identity provider, which was, uh, Azure Entra ID, Azure Active Directory,
[00:15:06] Max Clark: was, I mean that, okay, so like I immediately go into like, you see this like cascading like waterfall of like dependencies that start to happen, right? Like,
[00:15:16] Alexey Goncharov: correct.
[00:15:16] Max Clark: put in the SASE platform. So in order to get the SASE, we want the identity, in order to get the identity, we have to move the identity to Entra ID.
Right? So it's like now all the sudden, know?
[00:15:26] Alexey Goncharov: You can do that, but y you can imagine I if you need to have that reliable solution. So how many, uh, with VPN gateways, if you have only three VPN gateways, okay, you can establish, uh, connections to the domain, nearest domain controller from each VPN gateway. You are done. And then you need to make sure that all the domain controllers used for, uh, authentication of the remotely connected, uh, users are properly patched, updated, and, uh, highly available.
[00:15:56] Max Clark: Mm-hmm.
[00:15:57] Alexey Goncharov: Uh, at least there is another domain controller. That's [00:16:00] it. At the same time, if you use that VPN gateway or the firewall with a VPN gateway capability, uh, to collect the data for other stuff like. It acts as normal firewall as well. And you need to have a, a connection. Uh, you need to collect the information about the sessions established, not only internally, but also externally, uh, from internal users connecting just to normal internet.
How you to get the, this data you need to grab this data from the domain controller event log, but you never know?
what domain controller is used to authenticate that particular user. So if you have 45 sites and each site has at least two, uh, firewall appliances, and you have, let's say 25 domain controllers worldwide, so you need to multiply 25 by 44, 44, this is the number [00:17:00] of connections you need to establish to be able to collect all these logs and then match the IP address with the username in order to reflect that
username in your event log of the firewall and then pass it to Splunk. Um, that's a nightmare.
[00:17:18] Max Clark: I am, I'm smiling because there's a lot of really amazing things that you get with ZTNA, right? I'm just, I'm, I forget. Forget the whole SASE acronym. We're just talking about ZTNA and like this V
[00:17:29] Alexey Goncharov: Mm-hmm.
[00:17:30] Max Clark: VPN. Right. One of the top drivers that I have found with our clients moving into ZTNA is being able to audit user sessions
[00:17:39] Alexey Goncharov: Yep.
[00:17:39] Max Clark: logins.
It's, and it's not even close. Like, I mean, you get all these other benefits out of it, but, you know, from like a, I would say like greater than 80% of enterprises that I've, you know, we've helped deploy ZTNA has been about auditing and tracking user authentication and, and user events and, and you know, and then you get into it and you're like, but there's all this other cool stuff I [00:18:00] wanna talk about too.
But, but, but you know, just, just in tracking user authentication, like this is a pretty big problem for an enterprise. And if you're trying to track, if you're trying to, if, if you have any sort of, um, compliance or, or security framework that you have to adhere to, like anything, you have to do these things.
But then you can't, because, you know, in your example, you have this matrix, you know, of, you know, hundreds of, hundreds of places you have to go. Yeah.
[00:18:25] Alexey Goncharov: Yeah.
Uh, because the simple, uh, actually there is very simple question we need to answer.
[00:18:32] Max Clark: Mm-hmm.
[00:18:33] Alexey Goncharov: for compliance reason or for security reason. Uh, we can see the application A, A is being used by someone in our internal network perimeter, who is using that. We can say, oh, this is the IP address. This is what we know. And then with that IP address, we need to go to someone else. Can you give me, in that particular day, who was the person [00:19:00] on that IP address? Oh, we can tell you. Uh, that this IP address was given to device X, Y, Z. And then you need to go to someone else to find, okay, on the device X, Y, Z on that particular date with this particular IP address, who was the user who logged into that machine?
And there are three different, uh, groups of people who are managing endpoints, user identities and network. How we can put all of that together? And actually, and ZTNA helps to address this particular issue. Uh, it makes it more simple because you always have a context of the user connected to, uh, through ZTNA to any resource, uh, through
[00:19:49] Max Clark: and,
[00:19:49] Alexey Goncharov: SASE platform.
[00:19:50] Max Clark: and you can stream those events from your SASE
[00:19:53] Alexey Goncharov: Yep.
[00:19:53] Max Clark: into whatever team you're using, and then go and
[00:19:56] Alexey Goncharov: Yep.
[00:19:56] Max Clark: correlations. It's, [00:20:00] I, you know, like, like this is, I don't feel like this gets talked about enough of just, you know. Uh, Colonial Pipeline, right? Colonial Pipeline. We, you know, like in my brain, like immediately go to, I see images in my, my mind of like people with pickup trucks and tarps putting gasoline in their back of their trucks because, you know, the eastern seaboard United States is not, you know, it's can't, is running outta gas, right?
And then you read the, you know, details that were published and it was here. This was a user credential for an ex-employee that was, compromised on a VPN gateway to then gain access to the network, which then was able to move laterally and cause a lot of damage. And now you start to unpack that a little bit and you say, okay, well why wasn't the VPN gateway [00:21:00] integrated with, you know, their, their IDP.
[00:21:02] Alexey Goncharov: Mm-hmm.
[00:21:03] Max Clark: Well, probably because they couldn't, it was either too old or too hard, or too difficult or too complicated or too, you know, there there's lots of different reasons of like why. Right? But, but you, you take this really simple thing of just maintaining consistent state of user identity across the network and actually authenticating a user.
Like, is this user actually, like is this a real person that should be connecting to our resources right now? And can we, can we, can we validate that, you know, or not? Right. And, uh, I'm gonna, I can pick on Colonial Pipeline a little bit on this one because they of course had a major, major, you know, outage.
Outage, you know, outage isn't the right word, but they had a major event over this. But, um, but it's, it's, it's interesting and it's also interesting to me because when we started this a few minutes ago, you start talking about performance, SASE as it related to reducing hub and spoke locations and, and.
Long distance [00:22:00] traversal for users as performance gain, but you take a step back and you say, okay, well the enterprise win here can get centered around identity and identity control and identity audit because the enterprise actually has value in that, right? Mm-hmm.
[00:22:16] Alexey Goncharov: Mm-hmm.
Uh, without it, uh, absolutely because we, all the companies operate in one or another compliance, uh, environment. They, they need to comply with certain rules, regulations, and, uh, uh, to be able to provide the evidence that they're compliant. Uh, with, with the performance one, uh, is definitely, uh, by holding the traffic back to your VPN gateway or or to your h headquarter, uh, where you have a centralized environment.
To secure everything in one place, uh, is definitely the performance degradation, significant performance degradation for remote users. They never, ever get the same [00:23:00] experience, uh, when they browse the internet or when they connect to any SaaS applications from the remote site. While with the SASE platform, they do get almost the same experience as they connect to SaaS applications directly because, uh, their connection is established to the nearest PoP.
And if the traffic is not routed or doesn't need to go to internal network, it just, uh, being secured by SASE platform and redirected back to internet with all security in place, just controlling the DNS queries, controlling, uh, the type of protocols, type of applications, some, uh, scripts running. If we have CASB or TLS inspection, you can't even see what is inside the encrypted traffic.
So from that perspective, this big advantage to have SSE platform rather than just [00:24:00] use your own. Moreover, on top of that, if. If you have enough resources to maintain your VPN gateways, your firewalls with updated signatures, with updated patches, so like most recently, last week or two weeks ago, it was, uh, big discussion on LinkedIn, uh, about the zero day vulnerability.
[00:24:25] Max Clark: I, I, I mean, I feel like I, I don't wanna, I mean, let's, I'll, I'll pick on, on, um, FortiGate firewalls for a moment. There's been a, a a
[00:24:33] Alexey Goncharov: Yeah.
[00:24:35] Max Clark: now. I mean, this is one of those, when I say I'll pick on them, you have to become a major player before this becomes this type of issue. Right. You know, so like, it's a, it's a byproduct of success.
FortiGate makes an amazing product. Now there's enough deployed and there's enough surface area that, you know, it's a popular platform for people to look at and try to compromise. It does feel like there have been a lot of zero [00:25:00] day and a lot of security vulnerabilities and a lot of critical patch events for FortiGate and, you know, that's, that's also, I mean, you know, from, um, from an operator perspective, you know, if you're, if you're deploying, I mean, moving off of on-prem firewalls and moving onto a SASE environment, right?
You give up, like these are no longer my boxes that I own. And I feel like some people get really, um, you, you know, they don't want to give up that like, idea of control, right? We don't want to, we don't want to give this to somebody else. But then the flip of it is like, well, if you own it and control it, and now you have, let's just say you have, I don't know.
I mean, if you've got, let's make a simple example, right? You've got 50 locations with dual firewalls each, you've got a hundred boxes now that you have to apply a critical patch to, otherwise it's gonna get compromised and you're gonna have a, you know, major event on your network. Like, isn't that good?
Like, like how do you, how do you weigh and, and you know, I mean, you made this a pretty [00:26:00] big transition. Like if you're talking to somebody and say, well, I want to own my own boxes and I want control, and I don't want somebody else being in control, know, what would you, what would you tell 'em?
[00:26:09] Alexey Goncharov: That was the challenge. We tried to address the, the patching circle was
[00:26:17] Max Clark: It's a patching circle. I like that.
[00:26:20] Alexey Goncharov: continuous, so if you do it, especially if you do it in a manual manner. Everything is manual. You download the patch from the vendor website and then you test it in one firewall. Then you need to make sure that you conduct the verification that this patch does not, uh, disrupt any existing flows inside your firewall.
And then you need to schedule the maintenance. You need to create the change request. You need to make sure that you communicate that properly to your. Uh, internal customers and you need to get the approval from the internal customers, uh, if it's disruptive. For example, some patches you can [00:27:00] apply to one node of the firewall cluster and then reboot and apply to another, but some might not be compatible with this method of updates.
So you need to shut it down, or you need to at least to schedule some 10, 15 minutes, uh, maintenance window to reboot your firewall and to validate, uh, whether it works properly or not. And if you have 24 by seven operations, let's say, manufacturing facility or business operations, it is quite challenging.
So we noticed that we haven't finished the previous patching and we already need to, to go to the next one.
[00:27:46] Max Clark: I'm sorry. I've lived this life so many. Oh, it, it,
[00:27:50] Alexey Goncharov: So that, what does it, mean for business? That means we have dedicated group of people on our [00:28:00] payroll who do this job day in, day out, just constantly patching certain appliances inside our network perimeter.
[00:28:12] Max Clark: I, you know, like that doesn't create business value. Like if.
[00:28:15] Alexey Goncharov: Exactly. That was my primary point. What the, we're not network company, we're a medical company, medical device company, diagnostic company. So we need to be focused on bringing value to business.
[00:28:35] Max Clark: One of the, um, one of the things I've seen, and I've seen this with SASE being deployed, and I've seen it also with like MDM and UEM being deployed onto appliances, is this pushback, um, you use customer, so I'll use your, your language right. Within the internal customer base about like, oh, you're doing this to spy on us, or you're doing this to like, monitor us, or, [00:29:00] you know, and in my, I've I, I've, I've always been very curious about that response.
You know, when you hit this kind of fear button of like, oh, we're just, you're just doing this to spy on us, and I'm like. I'm like, I don't think you understand that your IT team does not have the time or care to be spying on you. Like they're, they're, they're barely keeping up with what they need to do in order to keep the lights turned on, let alone like want to track and spy on you.
So, uh, how do you, you know, from like a internal communication of rolling these tools out, because it be, it becomes a big change, especially with like remote users. A remote user isn't usually, you know, authenticating to get on the internet. If you go into like an SWG platform, now all of a sudden you've got this agent that has to run, that has to be on the box.
It has to be, uh, you know, enabled in order for, you know, somebody to surf the internet on their work device. And, and, change creates fear, you know? And, and how do you communicate that to alleviate that fear?[00:30:00]
[00:30:00] Alexey Goncharov: Primarily
we were focused on what is changing. And from the beginning, uh, our intention was how we can make life for our internal customers, our end users, better, easier, and more secured. That is the focus. And with that, we even called it VPN-less.
Always-on network access.
What does it mean is the way we implemented our SSE platform. It was always-on enabled, and we configured the policies which leverage the [00:31:00] internal PKI to issue certificate for endpoint devices, and we use the single sign-on with Entra ID instead of connectivity to internal Active Directory,
[00:31:12] Max Clark: Mm-hmm.
[00:31:13] Alexey Goncharov: if a user already provided username and password and that password is valid, an account is not disabled, and the device presents the certificate during the authentication session to SASE, which leveraging,
[00:31:28] Max Clark: Mm-hmm.
[00:31:29] Alexey Goncharov: your Azure AD IdP for authentication of the user.
You don't need to re-enter your password,
[00:31:38] Max Clark: So you're talk, you're, I mean, you're talking about building an entitlement within the SSE platform, right? So this is, again, it's, this all gets confusing 'cause we're getting like merging terms, right? Because, um, I. A lot of what you're describing is an entitlement policy, right? You have to have a PKI certificate active on the machine, right?
Like, these are all things that users are not even aware of. [00:32:00] Like, does the machine have a PKI certificate, does it have patches? Probably. What else do we see in common entitlements? Um, is the MDM in place and running, or is
[00:32:07] Alexey Goncharov: antivirus, et cetera. Yeah.
[00:32:09] Max Clark: Yeah. And, this is all transparent to the, to the actual user on the computer.
They don't see any of this stuff.
[00:32:15] Alexey Goncharov: they don't. Uh, and most importantly, if you have, if you build the internal dependencies, which allows you to make sure that the, it's like the principles of zero trust.
[00:32:31] Max Clark: Mm-hmm.
[00:32:31] Alexey Goncharov: need to verify explicitly, right? So that means if your machine is not under control of the MDM, there is no way you can get a certificate.
If there is no certificate, your machine cannot get connection. Even if you grab the, uh, Cato or [00:33:00] Palo Alto VPN client from open source or GitHub, or from the vendor side and install it on your home machine, there is no way you can connect because you need to present the certificate. Cato platform does not allow you, because this is the way it was configured.
So that means the chain of trust needs to be established first. How you can get that chain of trust is to make sure that the device walks through the enrollment process, entitlement process for that on the identity and access management part of it. You need to make sure that just, I hope it's not a big secret, it's the way you can enroll a user to be authorized to get connected [00:34:00] through the SSE platform, because authentication.
Anyone can authenticate, yes, we all have valid usernames and passwords, but is the user authorized, uh, to uh, for working remotely or not? In order to be authorized, you need to have at least, uh, be part of a particular group. But before you become part of this group, you need to make, uh, we, you need to have at least one device, corporate device assigned to you.
That that means you have a combination of factors, which need to be in place before the entitlement enrollment process is triggered. So for that we worked with the IAM group to come up with [00:35:00] how we can make sure that we can collect all the devices, mobile devices. So, and that was another challenge. It was invisibly addressed during the SASE enrollment process.
'cause before that they had us, oh, we had had a bunch of laptops, just image a laptop, give it to a user, somehow, I believe it is enrolled with SCCM. But the, as far as you know, SCCM is not the inventory tool. So if your device stays for 90 days not connected, the information's gone. Yeah.
You still have agent, you probably will be able to manage it,
[00:35:41] Max Clark: Mm-hmm.
[00:35:42] Alexey Goncharov: but there is no data.
So for that, we came up with the idea, okay, even if you have the information about the laptop. The most important, uh, question, which needs to be answered, whom that [00:36:00] laptop belongs to. And the answer usually comes from, uh, guys who are responsible for managing endpoints. Oh, we can grab it from the event log. Yeah.
you can grab it when you can connect to the device. But where in your books do you have this linkage between these two entities? So the idea was there are certain attributes available from the IDP, like uh, if you register a device, there is an attribute called managed by. Why not put the managed by user attribute on the device to make sure that you can, uh, link the device and user together.
And that will become your primary source of truth. So even if your, um, endpoint [00:37:00] management records disappear for some reason, you still have a copy. Yeah. You know, there is a laptop, uh, which belongs to this user. And once these laptops become active in the network, you will, you will be able to match whether this laptop belongs to that user or not.
So that helped us to create, uh, the next thing as, uh, group membership based on the attribute. So for all users who don't have any corporate devices issued to them, this attribute is empty. It's null, uh, but if you have that attribute not empty, then that user becomes a member of a group. Uh, which defines who has at least one corporate device belonging to them.
So that is another [00:38:00] step. So if that device, which belongs to you, is a corporate issued device, then we need to make sure that all we can start working on the automation for our, on our PKI, how each time we issue the new device and the device is linked through Active Directory, Azure Active Directory doesn't matter, through the managed by attribute, we can get the certificate for that particular device for that particular, uh, use case scenario, whether it's a connection to corporate wifi or VPN or always on GlobalProtect.
SDP. So, and those are two different certificates. It's like, uh, for corporate wifi, Yeah.
you have a library card, but if you want to connect remotely, you need a driver's license. And so a passport for international travel. So with that, we [00:39:00] uh, came to the conclusion, okay, we now need to create different types of, of templates with the different, uh, OIDs in, in the certificate.
I. To make sure that we can distinguish, this is your library card. It's not for your international travel. This is your, they're all client certificates for client authentication,
[00:39:23] Max Clark: Yeah.
[00:39:24] Alexey Goncharov: but how to distinguish what type of certificate. So you create the custom OID on your PKI and then the PKI is issuing different types of certificates for different use case scenarios.
And that creates the next step for the, you protect not only just identity with username, uh, password and MFA, but also the device. Because then MDM or UEM takes care of the rest. So if your device, but that is the next step. So if your device is not compliant, then you [00:40:00] can enforce certain policies. So you can tell, for example, you can suspend.
Authorization until the device is fully patched. It gets, uh, um, anti-malware or the most recent zero-day vulnerability security patches on it before it is authorized to get connected to our internal network perimeter.
[00:40:22] Max Clark: I, I work with a lot of companies from startup, like Inception all the way through, you know, multi-thousand users and, and I'm, I, I, like trying not to interject because I'm, I'm thinking of all these stories, know, when you're like 50, a hundred, 200 people, you know, who has what equipment isn't really a concern for that size company.
I mean, if you're a startup and you've just taken, you know, uh, an A round or a B round, it's how quickly can we hire? And you're just throwing laptops at them and you're just moving forward and trying to build as quickly as possible. you turn around and you're, you know, 2000, 5,000, 10,000 and, and now you start talking about, [00:41:00] you know, how many devices each employee on average has and touches, and there's a laptop plus a desktop, plus an I, you know, a tablet plus a phone plus this, plus that, you know, this becomes a really interesting problem that you have to deal with and, and, then you get a compliance mandate or a, or a, uh, supply chain mandate or a client.
that says, prove to us or ensure that, uh, our data is only accessed by company owned equipment. And then, and you're like, well, okay, well how do we do that now? You know, and, and, this is a good example of like, well, you're, you're building out a, a chain of trust here. Or how do you actually validate these things?
Okay, well now we know that we own this device and we control of this device, and we have patches on this device, and this device is authenticated and it belongs to who it's supposed to be. And, and these are all kind of things that you start implementing and you start enabling. Um, it's, it's, um, [00:42:00] you know, but inevitably it happens.
I mean, every organization I've ever worked with hits some point of scale where all of a sudden they have this question post to them, which is, you know, along the lines of like, or, you know, and the other thing that I found that. has been very powerful is companies are moving into HRIS platforms and have more an automation, not just from an HR team, but then from all the way down to a manager level of being able to onboard and offboard team members and give them rights.
gives a potential of automation to feed into the IT teams that are managing these platforms where now you don't have to have tickets created and you don't have to wait for people to do stuff on keyboards. I mean, have you, have you, you know, have you seen that change as you've rolled this out? Have you guys gone through the process of starting it to integration, you know, with your HRIS?
[00:42:55] Alexey Goncharov: Uh, it's a little bit different in, in our mind, but before [00:43:00] we, we come to this point, uh, it's absolutely, uh, you are absolutely right. It is a great example. I remember in my past experience, maybe 15, close to 18 years ago, uh, in one of the companies, uh, we had a conversation about the certain things about the reliability of our systems.
And I remember the meeting we had when one person was so proud that how our systems, uh, reliably built that. He, uh, had two laptops issued to him and, uh, but the second laptop was staying at his home and he never used it since it was given to him. And then maybe I. Two years later, he was in the situation when the first laptop, uh, the first laptop, he left, uh, in the office, and [00:44:00] he took the, the second one, uh, he hadn't used for 1, 2, 3 years.
And he tried to open it, enter, he remembered his old password at that time because it was cached. He, he had some pattern of his passwords. He was able to enter it, and then he was able to run the VPN client. The person was a little bit techy and he realized, okay, for VPN, I need to enter my existing password.
And he was able to connect. But that was very bad thing
[00:44:37] Max Clark: Ugh.
[00:44:39] Alexey Goncharov: because with SASE, especially with the approach we used, that should never ever work. Because you bring certain risks when you connect with your two, three years old machine, which is not patched, connected to the internet. We, we don't know what may happen [00:45:00] with that machine and whether there is any malware sitting on that laptop, that should be blocked.
But even if we cannot block it on the checking, the compliance of the device, at least the certificate on the device will not be valid at the time if you don't, didn't use it for two or three years because we issue the short-lived certificate. And, uh, when the machine keeps, uh, a heartbeat connection to MDM, to SSE, then we renew the certificate.
Once we cannot get the heartbeat from the machine, we cannot renew the certificate. It's just your digital key.
[00:45:45] Max Clark: SASE introduces, um, SASE introduces CASB functionality, so
[00:45:51] Alexey Goncharov: I haven't answered your previous question.
[00:45:54] Max Clark: please, please.
[00:45:55] Alexey Goncharov: Uh, we, it was about the, uh, [00:46:00] HRIS.
[00:46:00] Max Clark: Yeah, yeah, yeah.
[00:46:01] Alexey Goncharov: Yeah, well, that should be the primary source of truth for all HR data. No doubts. So, and many companies are working on the implementation either through the identity governance process, so direct integration with, uh, between the IDP and the HRIS system.
Like the, uh, Workday for example, uh, was a little bit different because the, uh, Danaher, the parent company, owned all the companies, uh, all operating companies, uh, and primarily managed the HR system, HRIS system. So all the integrations, uh, between the HRIS system and identity system. Uh, supposed to go through the identity governance, uh, platform.
And there are plenty of platforms available, some well known, some less known, [00:47:00] uh, like SailPoint. One of them. Uh, Microsoft has its own, uh, entitlement management, uh, system, uh, which is deeply integrated with, uh, Entra ID as well. Um, and, uh, my previous company we had the integration between the ServiceNow, the ServiceNow workflow, the Workday and, uh, Active Directory and Azure Active Directory for the, uh, automatic, uh, uh, account provisioning, deprovisioning and uh, uh, role-based access control.
It is like the both right, uh, permissions, which are assigned by default to the pro, uh, appropriate person based on the profile defined in the Workday. But that requires a significant amount of time and effort. You need to define the org structure and then, uh, reflect that how that org structure [00:48:00] and the group membership should be applied, uh, to your profile across different types of application systems and your, uh, security clearance level.
I would say
[00:48:15] Max Clark: It. I mean, if you haven't rolled out integration, I mean, this is a lot of it's, it's a lot of work, right?
[00:48:22] Alexey Goncharov: true.
[00:48:23] Max Clark: but, uh, you know, the, the, the, I guess you could say the, like the light at the end of the tunnel here is, um, nobody, no, I don't think any enterprise, and I mean, this is true for IT as well. Like it doesn't want to be in a position where we're like.
blocking the business from being able to function or people can't work because, you know, they can't get access to something. I mean, it, I, I find this like misconception still occasionally of like, you know, like this, this, this, this, you know, like, like IT is just there to people, you know, to block everybody from doing stuff.
And it's like, no, no, no, we're, we're here so you can [00:49:00] work and we're also here so that way we don't like accidentally kill the business at the same time because of something Right. You know, it's, um, it's very much like an entitlement, an enablement function for the company. But it's, know, when I've, I, I guess, I guess my, my little commercial on this is every place I've seen that has integrated their HRIS system with their identity that has fed this end to end has enjoyed the benefits of doing it, and, um, has been able to, um, increase their pace and their speed.
Then of course if you don't have an IT practitioner doing certain manual tasks and it can have some automation from like hiring, they can do other things that can help the business move forward. Again, you know, going back to this earlier point about patching, right? You're not dedicating resources to do, you know, to do tasks that, that, know, there's no reason you can't automate.
[00:49:58] Alexey Goncharov: Yeah. Mm, completely [00:50:00] agree. And, uh, not only that, it uh, actually improves the user experience because, uh, manual work usually, uh, is prone to error.
[00:50:13] Max Clark: Sure.
[00:50:14] Alexey Goncharov: we had plenty of errors like misspelled name, misspelled family name that may create the wrong UPN, uh. Creates the misspelled email address and it takes time to replicate it.
Once it is replicated, you cannot create a duplicate one. You need to delete the old one and then wait for the replication to take place and then create the new one and et cetera, et cetera, et cetera. Uh, also,
[00:50:46] Max Clark: It's such a benign example and it's such a problem. It's such a pain to fix.
[00:50:52] Alexey Goncharov: yeah, Yeah.
because you have to first remove it. But if you have, if you are a big organization. You [00:51:00] just made the error and overnight it was replicate, it replicated across the globe, across all the domain controllers. Before you can create the new one, you need to make sure that the old one is removed. But if you removed it from your domain controller, it will take a while before all this data is replicated across all the domain controllers.
And then you need to create the corrected one and wait for another day or at least a few hours before the data is replicated. Once again. Uh, but the, there is another challenge with that, that actually may create some security risks as well. Let's say, uh, usually in all identity systems, if the identity system is a primary source of truth, I.
Uh, there are certain attributes, uh, which are used by third party applications for [00:52:00] authentication and then for authorization through an internal built-in system of roles and permissions. And let's say you have John Smith, Vice President of Finance, uh, who left the company. Uh, usually when the person leaves the company, the account of that person is disabled.
And then after a certain period of time, the system gets this account removed completely. But if there is another person, John Smith, let's say customer service agent with the same first name, the same last name, comes on board in HRIS systems, those two John Smiths will be completely two different people.
One John Smith with a history of the Senior Vice President and another John Smith is a customer service agent. While in the [00:53:00] identity, identity will keep just only one attribute, john.smith@company.com. So, any system which is configured to automatically send notifications about the transaction, they will start sending emails to that SMTP address, and that could be sent to the new John Smith, agent of the customer service. And it could be sensitive data,
[00:53:29] Max Clark: So, I mean, this goes back to identity governance and
[00:53:32] Alexey Goncharov: correct.
[00:53:33] Max Clark: I mean, you know, a lot of this is like, these aren't technical problems, really. Like, these are business policy decisions, you know? I mean,
[00:53:45] Alexey Goncharov: I would say it's a process problem '
[00:53:48] Max Clark: cause 'cause you have, uh, you know, you're talking about really is like, has the company been, has the company matured to the point that they've had this problem yet?
Right. And if they haven't had the problem yet because they haven't had name collision, at some point it's just a, [00:54:00] you know, like how big do you have to get before you have name collision? At some point you do, and then you have to start making decisions. If you're doing first, initial, last name, what does the next person get?
Are they gonna, you gonna put numerals after it? Like you have, you know, like, until you've done it, like you don't have a, you don't know what to do, and you're like, okay, now what do we do? Right? And, and then, and then companies change from first initial, last name, and they do like first name dot last name, or then they, you know, and, and, and it, like, it starts, it starts opening up all these other things you have to think about, like you just said, right?
If you had a John Smith that then left and then a new John Smith that came in, can the new John Smith have the same email address or not, you know, and
[00:54:38] Alexey Goncharov: or they may coexist. You may have John Smith. Um, for example, in my previous company, we had many people with the same, uh, name from, uh, like Rodriguez. It's a very famous name, very popular name. In, uh, Costa Rica, Mexico, there are many Rodriguez. So there is a middle [00:55:00] name and there are different middle names, and there is a second first name.
So for that particular purpose, for example, most of the HR, uh, HRIS systems, uh, these days, they support, uh, not only just first name, second name, first, middle name, second middle name, last name. They also support the preferred name
[00:55:21] Max Clark: Mm-hmm.
[00:55:23] Alexey Goncharov: the HRIS system allows the generation of the unique identifier, not only just the ID, but uh, the identifier for automatic generation of the SMTP address, which is then reflected to your UPN.
For authentication, which will be used as your primary login to any corporate systems and applications. It's like the, yes, you are probably the small company and you never faced that before. But the smart people learn [00:56:00] not from their own mistakes, they learn from someone else's mistakes. So if it never happened to you, it doesn't mean it will never happen to you in the future.
[00:56:12] Max Clark: Or, or you end up like, um, uh, AT&T where, where, you know,
[00:56:17] Alexey Goncharov: Oh yeah.
[00:56:17] Max Clark: I, if I work for AT&T, my email address would be like, mc 3, 7, 4 2 9.
[00:56:22] Alexey Goncharov: Oh yeah, yeah. Yeah.
[00:56:25] Max Clark: and then they've started aliasing, you know, so Max do, Clark gets forwarded to, you know, mc 3, 7, 4, 2 9. I mean, it's, you know, I mean, again, these are, these are all, um, you have to be successful in order to have these problems.
You know, like it's, this is, this is definitely a byproduct of success.
[00:56:41] Alexey Goncharov: And, and we need to keep in mind, uh, there are certain attributes, uh, which are clearly built for applications to be used within the application. Like, uh, my employee ID, [00:57:00] it could be, uh, the combination of symbols, letters, numbers, et cetera. It's not human readable. It's readable, but it's not a human friendly SMTP address.
So the UPN by design should be human friendly. So if I remember Max, uh, Yeah.
I know max.at it broker.com. That is my, uh. Association with Max, whom I had a pleasure, uh, communicating with, or if I have my business partner, patrick.at kate network.com.
[00:57:46] Max Clark: Yeah.
[00:57:47] Alexey Goncharov: So there are certain things for people to make their life easier, certain things, certain attributes like, uh, GUID, unique identifier, It's, [00:58:00] for machines, for applications.
I cannot remember a GUID, especially if the GUID is 256 symbols long or the encryption keys 2048 symbols.
[00:58:16] Max Clark: I'm trying to forget numbers, not add more to my brain. At this point. I'm, I'm, I'm like, I'm tapped out. Um,
[00:58:22] Alexey Goncharov: Uh, yeah, I don't even, uh, these days I don't remember the phone number. Okay. I. I'm lying. I remember the phone number of my wife, but if you ask me the phone number of my close friend, no, way.
[00:58:35] Max Clark: no.
[00:58:35] Alexey Goncharov: Uh, in old days it was, uh, natural to remember the phone numbers for your parents, for your close relatives, for your some these days?
No. I have more than a thousand contacts in my contact book. No way I
can remember even 5% of it.
[00:58:57] Max Clark: I had a CIO [00:59:00] roll out, um, roll out a ZTNA platform. And um, and this is before SASE existed and the conversation that we had, his expression was, I want my offices to look like Starbucks. Meaning that, you know, he didn't care where people were located, what network they were connected to. You know, at the way he was managing and thinking about how he was, you know, supporting corporate resources, it was just, you have a work, you have an, you have a company device that's issued to you, and that company device is connecting to the internet in some way.
And then once you're connected, you can then authenticate with us and you can get access to corporate resources you know, so he used the Starbucks term in, in the sense of like the only infrastructure they put in their offices. They had network and they had internet, and they had wireless, and they had, you know, you know, plugs, you know, uh, physical, physical network ports you could plug into, but there wasn't any security built into it, wasn't [01:00:00] any, um, assumption that be, you know, being in the office was any better for you than being anywhere else in the planet, except that they had really fast interconnections.
I mean, they, they went out of their way to make sure that people wanted to go to the office. And there was lots of other amenities in the offices and lunch and snacks and, you know, games and all the different things that you put into an office. But, you know, um. And I'm curious, like as you rolled out, you rolled out SASE and you moved into this always on idea, you know, and, and, and what was your quote, right?
Um, always on network access, VPN-less always on network access. Right. I love that. I wrote it down. has that, did that end up changing how you looked at and related to your corporate network assets and your office locations and what assumptions were being made around them? how they were managed, you know, how people worked inside of them.
[01:00:59] Alexey Goncharov: We [01:01:00] can distinguish different use cases and scenarios in a corporate environment. Uh, we're not trying with SASE, ZTNA, we're not trying to protect user endpoint devices, let's say, in spite of the fact we do that with the SSE platform and SDP client, ZTNA client rollout. What we're trying to protect is our corporate, I would say crown jewel.
[01:01:40] Max Clark: Mm-hmm.
[01:01:42] Alexey Goncharov: Our data, our intellectual property, our products, our information. This is what we're trying to protect
With that said, [01:02:00] you, we may have different use case scenarios for the deployment of the SSE platform. Uh, from the network perspective in, uh, classical Starbucks, no one is expecting, uh, IT to bring any gear or whatever to Starbucks in order to allow, let's say someone VP level to be able to connect and read his or her email when that person is in Starbucks.
But the. Expectation that the level of security when the person is at Starbucks is the same as the, when the user is connected in the office. With that said, we need to define the environment. Where do we have anything to protect in the [01:03:00] Starbucks except that laptop, nothing. Right? Uh, not, definitely not a coffee machine.
It does not even belong to us. So from that particular use case where there is nothing to protect in this environment, do you really need to build your own infrastructure? That is question number one, and there is no. Right or wrong answer because there are other components to that. If your office is just five, ten sales, customer care people and there is nothing in there, just coffee machines, printers, reception, maybe we don't have anything to protect.
But if you have the same environment but [01:04:00] multiplied by a hundred, you have 500 daily users in that environment, you can imagine the overhead of 500, at least 500 devices connecting simultaneously from that location is a different story. So we need to keep that in mind, and in each case, the answer might be different.
So if you have a lab environment or your manufacturing environment. You definitely want to protect it because you cannot put the SDP client on your lab machine, or you have certain types of devices, sensors, IoT devices, which cannot even handle SDP. They work on a much higher application level. They cannot handle it on the lower level.
You cannot put anything on there, and they have their own requirements for the protection. [01:05:00] And, in many cases, you cannot even patch those devices because they are managed by a third party vendor. Then your approach is different.
So you need to protect that environment completely separately. And in many cases, like as a feed, you need to put multiple layers of protection. So the SASE is just one, one of them. But there is a second and there is a third, and there is a fourth layer of protection. Like in an OT environment, you may have multiple firewalls.
It's fully air gapped, and uh, certain configuration is applied on the endpoints and your LAN, your wireless environment, and before it reaches even to SSE. So it's a multi-layer approach, but answering your question, yes. Uh, and even at, we had one use case where [01:06:00] two use cases where we had no infrastructure, it's just another office with internet access and people just were connected through it, uh, to the public internet.
With the SDP client, they're all protected and they're all secured the same way as when they work from home or from another office. SDP is, uh, always on. For that particular use case, if the office is not big and the bandwidth is enough, and they, uh, don't need to protect any assets inside that particular office.
Yeah, absolutely. The answer is yes.
[01:06:41] Max Clark: How does somebody sell this to their company? Let me, let me, let me expand on this a little bit, right? Um. I, I, I feel like so much in IT distills down to can you quantify return on investment? You know, if we [01:07:00] spend X money, we're gonna get Y as a result of it. And in a sales function, in a marketing function, in a manufacturing function, usually can, can line inputs and outputs up to some degree.
It's harder in IT, and it's really hard in cybersecurity spaces to say, we're gonna spend this much money and we're gonna get this tangible result back to the organization. In some cases, um, when you're talking about replacing legacy infrastructure, you know, we have these firewalls. It costs us this much per year to have them, we have to have this support agreement attached to them.
We have this many people maintaining them. We have this many people patching them. We have all these Now you can kind of quantify and you can build out this thing. You say, okay, collectively for this program, we're spending this much money, and instead of spending this much money over here, we wanna spend it over here on this other thing instead.
And, an organization can then understand it because you have that's already in the books, right? You're just gonna, you're gonna switch the columns where that expense is [01:08:00] going. Um, but in most, in a lot of cases, the benefits that you're gaining out of these things, the benefits that you gain out of identity and having identity governance go end to end to authenticate, right?
Like that. You know, saying we're gonna spend a dollar per user for stronger identity governance. You know, like, yes, there's benefits to the organization, but it's not readily apparent if you haven't been through this before of saying, this actually solves this problem for the company. And, and a lot of this, you know, SASE, ZTNA, you know, the IDP integration, you know, being able to, we haven't talked about CASB and DLP and these other things.
Um, and a lot of cases are net new deployments for people. The company has never experienced running a CASB. They don't have experience with DLP, they don't have experience, you know, with, with, you know, having entitlement based on a, a certificate being pushed to a corporate device and what they get out of it as a benefit.
How does somebody sell this to their [01:09:00] organization if they haven't been down this path before?
[01:09:04] Alexey Goncharov: We didn't sell it. Those are the benefits we've got
[01:09:09] Max Clark: Mm-hmm.
[01:09:09] Alexey Goncharov: after the implementation. Uh, for example, I knew from the beginning this is the way we should do that. To build a chain of trust, to build the dependencies, because that is the only way it, uh, will not be a nightmare of maintaining it. Because with the automation of this process and building the dependencies between different components will allow you to build a smooth process of the onboarding, offboarding, entitlement, and, uh, reduce the day-to-day operations.
Uh, it's impossible to sell the day-to-day operations
[01:09:57] Max Clark: Yeah.
[01:09:57] Alexey Goncharov: as a benefit. As a benefit it [01:10:00] because that initially that didn't reduce the number of, uh, people resources required to support. Nothing. Uh, the only for, in our particular case, we reduced the headcount on the network portion because with the SSE we don't need additional people just to patch all these firewalls or Silver Peak appliances, the SD-WAN appliances because, uh, since we moved to the SSE platform, it's the responsibility of the vendor to make sure that each device is properly patched and the version is compatible.
And, uh, to make sure that in the, uh, highly available environment, we have, uh, two appliances, at least one is up and running while the second one is, uh, being patched or updated, and it's fully automated. And all the additional benefits you just described, the [01:11:00] security benefits, additional compliance level, the ability to get logs, this is what you can sell to.
InfoSec and to the CIO, to, uh, your leadership team, because that is one of the goals. So if it's one of the objectives they want to achieve by doing certain things which are not possible with the legacy platforms, or with the legacy platforms, technically, it's possible to connect 25 whatever domain controllers with 90 firewalls worldwide.
But it's a lot of complexity and uh, that will come at a cost
[01:11:40] Max Clark: Right. But
[01:11:40] Alexey Goncharov: because.
[01:11:41] Max Clark: that's like a reactionary place. Like, hey, as an organization we want to be able to connect identity, authentication, authorization. From a compliance standpoint, we have to do this from a customer contract requirement or supply chain.
We have to do something, and then now IT [01:12:00] can go out and create it, right? Or: hey, we already have firewalls deployed, and people in the offices are connecting to the internet, and we have this VPN solution from our firewall vendor that's pinning traffic, and it's horrible for the end user, but they can still connect and remotely access our resources.
And we don't have this strong identity path from point A to point B, and we want to do these things, but to do these things we have to spend money. Right. Without it being reactionary from an IT team, but more proactive from that team, how would they go about taking that back to the organization and saying, hey look, we need budget to do these things because we want to get
these results out of it. If the organization hasn't crossed that line where they say, we need to have these things, go facilitate it for us.
[01:12:49] Alexey Goncharov: Maybe it's more theoretical, because in each organization there might be different use case scenarios. For us, it was rapidly [01:13:00] growing, especially pre-COVID and during the COVID time, and with the rapid growth, the complexity of the environment became, I cannot say unmanageable, it was still manageable, but the number of issues and the impact on the business started growing.
[01:13:29] Max Clark: Mm-hmm.
[01:13:30] Alexey Goncharov: And at one point it became painful. So to reduce that pain, the pain reduction required some prescription. And the doctor prescribed SASE.
[01:13:48] Max Clark: Yeah.
I,
[01:13:53] Alexey Goncharov: So for us, it was just like, we had multiple [01:14:00] incidents, and some incidents were minor, some major, and the process was not very mature, and there were some discrepancies and gaps in terms of managing the tools and technologies we owned at that time.
[01:14:24] Max Clark: mm-hmm.
[01:14:25] Alexey Goncharov: So SASE was not a solution. SASE was one of the components, with the people and process changes inside the organization, which helped to make it more scalable and simplify the infrastructure footprint in our environment.
[01:14:51] Max Clark: You made a comment a minute ago about needing fewer people in the network team because you weren't patching anymore. It became the responsibility of the [01:15:00] SASE vendor. Wasn't that like, they just shifted into doing other things as opposed to being responsible for patching X
number of firewalls on a weekly basis? I would imagine that their happiness and enjoyment of their jobs probably went up significantly, because if you're in this constant windmill of just patching and doing menial tasks, I mean, even if it's on a keyboard, it's still not really satisfying in the grand scheme of things.
Right?
[01:15:35] Alexey Goncharov: Not only that. If your job is just to do patching, you hire generalists who are a little bit familiar with firewalls, a little bit with Silver Peak, a little bit with Riverbed, five whatever tools and technologies you may have in your environment. And they just do it constantly, and you have very high, [01:16:00] it's a low retention rate, because people just become familiar with the process.
They reach their maximum, they just start looking for another job. And then you need to spend your internal resources, your internal time and resources, to teach newcomers: what is our process, what we expect from you to do, et cetera, et cetera. And also your engineering team: when the environment is unstable, your engineering team, instead of bringing value to the business, is constantly involved in resolution of the existing technical issues in your current environment.
So instead of doing that, one of the approaches we took at that time was how to build network DevOps: not two separate groups, [01:17:00] but those who build the environment run it
[01:17:07] Max Clark: It's,
[01:17:07] Alexey Goncharov: first. Yeah.
It was a big change.
But because they are involved anyway, because it was three times a week they were on the call for one or two hours, just to help the operations team to figure out what the issue is and how to address it and how to make sure that it doesn't go from bad to worse.
And the number of tickets we had to vendors like Cisco, like Palo Alto or Silver Peak, was huge. But when teams started doing network DevOps, where they are focused on the product, so if you own the SSE platform, everything related to SSE is [01:18:00] yours, of course you are interested in the stabilization and automation of the routine tasks.
If you are operations, no, you are getting paid by the number of tickets you resolved. So if the same issue appears again and again: open the ticket, click, resolve the ticket, wait for the next one, even if it is the same.
[01:18:28] Max Clark: What surprised you in this process? Going through and identifying and then rolling out and deploying, and now maintaining a SASE platform.
[01:18:37] Alexey Goncharov: The biggest surprise was, I would say, the simplicity,
[01:18:49] Max Clark: How? How so?
[01:18:51] Alexey Goncharov: one console for everything. Usually, [01:19:00] you know, there was the marketing: one pane of glass where you can see everything, and each vendor comes with the same thing again and again, and sometimes one pane of glass actually becomes one glass of pain. With Cato, was it perfect? No, but much, much, much better than what we had before by jumping from one console to another console.
Or if you want to change this, you need to go there; if you want routing, you need to go there; you need to go to different products. No. With them, and
[01:19:49] Max Clark: So the surprise being that it actually was a single pane of glass and it
[01:19:52] Alexey Goncharov: yeah. Yeah,
[01:19:53] Max Clark: actually worked.
[01:19:54] Alexey Goncharov: yeah, yeah. I really liked that. And with a modern UI, [01:20:00] again, are there any areas for improvement? Yes, no doubt, but it was so easy, so intuitive, human friendly, to present it to someone very easy. So even some non-technical people were just, wow, it was good. That surprised me a lot. Their ability to fine-tune, tweak the product and respond quickly was another one.
What else? The speed at which they're implementing new features and capabilities and introducing security fixes on the platform for various vulnerabilities and attacks [01:21:00] was another one. And of course the people, who were ready to help at any point in time, because we heard a lot that sometimes it's not about the product but the level of support you can get
[01:21:15] Max Clark: Mm.
[01:21:16] Alexey Goncharov: from the team, and with Cato
it was fantastic. Yeah.
Was it perfect? No, but it was a continuous improvement process with them, and I really liked the way we collaborate and communicate with the Cato group. A few things, maybe: we expected it to be a little bit more technical, like the training materials they published, especially for folks with 10, 15, and 20 years of experience.
Guys, you need that; it should be more [01:22:00] technical
[01:22:00] Max Clark: Yeah.
[01:22:01] Alexey Goncharov: than what you published. But anyway, it was very good. It was a very good starting point, because a lot of other stuff we learned during our collaboration, during the implementation process as well. That was very good.
[01:22:17] Max Clark: You made the example about moving to a DevOps model,
[01:22:22] Alexey Goncharov: Mm-hmm.
[01:22:22] Max Clark: where the people building the network own the network and maintain the network, right. This kind of idea and approach. And earlier I mentioned another CIO that took on this mentality around the Starbucks idea of their offices and their
[01:22:40] Alexey Goncharov: Mm-hmm.
[01:22:41] Max Clark: going through this.
How have things changed for you in how you approach infrastructure, security, assets in this organization, at a conceptual level? Because you mentioned something that was actually interesting to me, [01:23:00] which is that the primary goal is not protecting your user devices, but protecting your intellectual property and products and information and data of the business, right?
So what's really valuable is protecting the business. And I hear a little inference that the device is ancillary: you need to protect the device in order to protect what you actually want to
[01:23:21] Alexey Goncharov: Mm-hmm.
[01:23:22] Max Clark: But the goal isn't necessarily protecting the device.
The goal is protecting the company. But from a mentality shift of approaching this, what else changed for you along the way?
[01:23:40] Alexey Goncharov: The way the team works
[01:23:45] Max Clark: Mm-hmm.
[01:23:45] Alexey Goncharov: changed. So we established from the beginning, when we just started thinking about it, how we can make it work in a more optimal way. And it was not directly related to SSE, because we actually adopted it [01:24:00] across other groups within the network team, and with the unified communication and collaboration team, to be more agile.
To be more agile, less reactive, more proactive, get a better understanding and full visibility and transparency not only within the team but across the entire organization: what we are doing, what keeps us busy, what is on our roadmap, what is coming soon, to make sure that we are focused on the business priorities.
What is important for the business, do we solve the problem the business expects us to address? Because in many cases we were focused on IT issues, not on the business issues. [01:25:00] I can give you one example. Like, is wireless critical
in the office environment? In the business environment? Oh, you know what, yeah, wireless is nice to have. Sometimes some VP can connect a laptop, or at the end of the day they can plug their laptop into the cable present in the conference room. Not a big deal. Yeah.
When you visit the site, when you speak to people, I can give you one example: our warehouse. You can imagine the warehouse is a huge space, when a person needs to make the inventory,
[01:25:49] Max Clark: Tall racks. Yep.
[01:25:51] Alexey Goncharov: with racks. Yeah. They used to do that manually by entering the information [01:26:00] into the computer system. And there was wireless connectivity established for the Zebra scanners.
And because the wireless was, I would say, not completely designed in accordance with best practice and standards.
[01:26:29] Max Clark: Warehouses have very specific requirements to
[01:26:31] Alexey Goncharov: Exactly.
[01:26:32] Max Clark: in them. Yep.
[01:26:32] Alexey Goncharov: Yeah. And we noticed that in some places they were designed the same way as the office environment. I can give you one example. The wireless network was built when the warehouse was built.
[01:26:48] Max Clark: Yeah.
[01:26:49] Alexey Goncharov: That means it was empty.
[01:26:50] Max Clark: Yeah.
[01:26:51] Alexey Goncharov: But when you put all your stuff on the shelves, there is no wireless signal
[01:26:57] Max Clark: Yep.
[01:26:59] Alexey Goncharov: because [01:27:00] the wireless access points are not in each and every row,
[01:27:02] Max Clark: Yeah.
[01:27:03] Alexey Goncharov: more rows, there are no directional antennas over there. So there was a lot of work. But yeah, wireless is less critical. But for people it is an 80% reduction in productivity.
It's one story if you can go and scan with a barcode scanner; another story if you need to write it down, go back to your computer and enter it manually. So wireless is business critical for productivity, because if they cannot complete the inventory, we cannot start shipping products to clients. If we don't ship products to clients, we don't get paid.
If we don't get paid, we cannot put it into our books, we cannot book revenue, and that impacts shareholders.
[01:27:55] Max Clark: Yep.
[01:27:57] Alexey Goncharov: So a very simple, [01:28:00] seemingly minor thing can dramatically change the way people work. Another example, the collaboration: those who design and build, run it. If you have one team, they are deeply involved and communicate not just only when they design an effort, but when they
work on a day-to-day basis on the personalization process, the iteration process. At one moment it was just an operational request. There was a new model of the Zebra scanners, and our team responsible for providing support for the warehouse just came up with the question: oh, guys, it was model XYZ.
We are going to buy XYZ 2. It's modern, easy to use, Android based. Cool, cool, good. [01:29:00] Because it was the joint team, they immediately knew what questions needed to be raised before they responded to the request. If it's just operations: oh yeah, go ahead
[01:29:15] Max Clark: Yeah.
[01:29:16] Alexey Goncharov: and they sit together, they check the tech spec. We knew that we were going to replace our wireless network; the upgrade was already scheduled.
Guys, we need to make sure that it will be compliant with the new format, new standards. And then they realized the model proposed by the vendor may not be the best fit, because they do not support certain channels we expect to be available from our Cisco environment. And those channels in those frequencies are critical for reliable connectivity.
So they worked with that vendor to come up with a different version of the [01:30:00] Zebra scanners, which are compatible with the Cisco wireless protocols introduced with the new wireless access points. And then it worked perfectly. If it never comes to the engineering groups, if people who design the environment and people who run the environment are different, sometimes it's the right approach, but in some cases it's better to have a smaller group, fully automated, but able to respond immediately with the knowledge and experience, rather than just to have two separate groups, where the architects... Because I don't expect a person with 20 years of experience, an architect, doing the day-to-day job.
Simple things: manually entering a new SSID, DHCP scopes on the DHCP server, configuring VLANs manually. Hell no, we don't [01:31:00] hire such people to do such a simple job, but we hire those people to properly put the automation in place, where you don't even need to hire the person who will enter all this information manually or do that manually, because you can run the automation.
[01:31:18] Max Clark: It's a,
I love the example, and I'm trying to distill it elegantly here: really this change from being reactive with the organization to partnering with the organization and the different business units. And if you're spending too much time just being reactive to tickets and reactive to events and reactive to outages, or manually doing things, you never cross the line into actually being able to go and sit with [01:32:00] the person in the warehouse and understand what's going on with their job and how they are actually doing things and how productivity is impacted and how you improve productivity. That's not necessarily an IT responsibility per se.
A lot of companies aren't gonna say the IT department's responsible for warehouse productivity, right? That's not a KPI that's being
[01:32:21] Alexey Goncharov: Mm-hmm.
[01:32:21] Max Clark: but then going around and enabling that has direct impact on the business. It has direct impact on the operations team managing the warehouse and shipping orders and maintaining inventory.
And by the way, finance cares about how much stuff is in your inventory because they have to
[01:32:38] Alexey Goncharov: Yep.
[01:32:38] Max Clark: that in your books, right? So they care very much. And there are all these trickle-downs, right? And you used the example of revenue. But there are so many of these different things within the organization that get touched by this relatively, seemingly simple thing.
But being in a position to actually go and invest time and energy to work with that other [01:33:00] team and work with that other department and understand what's going on with them, and then say, hey, we can now implement and support you and give you a better outcome here because we're not bogged down in these other things that we used to be.
I mean, this goes back to my earlier question of how do you sell this to the organization? Well, you can't quantify that, right? You're not gonna be able to quantify to the CFO, I'm gonna get you better inventory numbers as a result of implementing the SASE platform, so that way you can close your books faster and report, you know?
But I bet it happened, right? So the story always stands out to me, because after the organization sees it, they can never imagine going back to what it was like beforehand. But if they haven't experienced it yet, it's really hard to paint that picture and say, this is where we want to get to, and this is why we want to make these investments.
Because, you know, they [01:34:00] ask, should we? Right? It's like this weird thing.
[01:34:04] Alexey Goncharov: You, you can only look back
[01:34:07] Max Clark: Yeah.
[01:34:08] Alexey Goncharov: and see the results. You cannot predict or imagine, in many use cases, many scenarios. It's like, you remember it was Steve Jobs who said how we can just create a focus group and then start asking them about how or what the best user interface should look like, if they have no clue what the graphical user interface is all about. The same thing here.
Some people can recognize, when they look back, where they were and where they are after the implementation, and then they can say, oh yeah, that was a change, and the impact is [01:35:00] positive, or the performance was improved. And then we can measure, in comparison, where we were one to three years ago.
The same with SSE. One of the examples I gave you last time we spoke, I never thought about it like, when R&D or some manufacturing or our scientists run some tests in the lab environment, and a test sometimes takes unpredictably from 10 hours to 18 hours, and you need to get that data, but you don't know how the machine will calculate that data.
And when they work with the sample, it's just a robot doing certain things and collecting the data, and when the sample is completed, then they can take the [01:36:00] data about this sample and start analyzing it. So in many cases, the person who runs the test on the machine starts the shift and then goes home, and the next person who comes on the second shift monitors it, and maybe sometimes even passes it to a third person the next day.
And if it's critical, important, what they do, they need to connect remotely to the machine to validate whether it is completed or not, if the machine in the isolated environment cannot just automatically send the results of the test, whether it was completed or not. And in this case, they sometimes need to validate whether it is going in accordance with the design criteria, in accordance with the process they built.
So they need to have the real-time data on it. And there are plenty of machines installed in that lab environment. What they do, they connect remotely and [01:37:00] see how it's going. In order to connect remotely, you need to establish a VPN. In order to connect the VPN, you need to conduct authentication,
MFA. If you are connected and you are inactive for 15 minutes, then you need to reconnect and again do password and MFA and the reconnection and all this stuff. With always-on, VPN-less zero trust, yes, you do it once and then it keeps alive. You are connected, you can do that. But can you imagine the people who need to connect 6, 7, 10 times a day
[01:37:37] Max Clark: Mm-hmm.
[01:37:39] Alexey Goncharov: And
there are 20, 3,000 people like that.
It's a painful process for them. So, as I said, how can we make their life easy, how can we enable it, [01:38:00] enable them to do it more efficiently with no compromise on security. So from that perspective, SASE was enablement for the simplification of their processes. Just with always on, always connected, always secured.
Even if it adds a few milliseconds for the connectivity to any public internet resources from their corporate device.
[01:38:33] Max Clark: it's, um.
And in your case, scientists working and creating product is hugely valuable for the business, and protecting the product that they're creating is hugely valuable for the business. Right. So both those things, from a core function for the business, are hugely important and hugely valuable.
[01:38:56] Alexey Goncharov: Absolutely, but this is not what you [01:39:00] can efficiently measure in advance to calculate your ROI.
[01:39:09] Max Clark: Right. Exactly. I mean, that's the problem I've run into all the time. It's like, how do you, you know, it's not like a, I don't know.
[01:39:18] Alexey Goncharov: If you want to, you can do that, but that will be just
measuring the wind speed. Oh yeah.
Maybe five, 10 meters per hour, no, no. It's just some assumption-based, it's not really real use cases. So sometimes you need to be focused on other things, and the examples I just provided, those are the additional benefits of transitioning to [01:40:00] this SASE platform
[01:40:01] Max Clark: Right,
[01:40:02] Alexey Goncharov: or any other IT investments.
It's just some sort of: yes, we cooked the cake, and this will be the cherry on top,
[01:40:10] Max Clark: right.
[01:40:12] Alexey Goncharov: all these.
[01:40:12] Max Clark: and then once people experience all the benefits, they never want to go back and they can never imagine life without it. And then it's entrenched. I find this with a lot of different things. I wish there was an easier way of making this shift with people if they haven't experienced this beforehand.
Right? Like your experience of saying a single glass of pain versus a single pane of glass. Every marketing team is telling you that we're gonna give you a single pane of glass. And the reality of it is, you just can't, especially if you have loosely coupled, disparate, different systems that were usually acquisitions by that manufacturer that never really completely, fully integrated.
That's a different experience. [01:41:00] And so, to be a little jaded and be like, oh, sure, you're gonna give me a single pane of glass, but then you experience it and you're like, oh, wow, this really does work. And it's nice, and our teams are more efficient and like it, and our engineers like it, people working on this platform like it.
I'd imagine you'd be very resistant to change at this point, going to a different platform, if you were gonna lose that same thing with your teams, right?
[01:41:31] Alexey Goncharov: Actually, I cannot say that there was a huge resistance, because at the end of the day, when you work in an enterprise environment, you always need to keep in mind that there are plenty of new shiny bright objects in the market. Oh, this is new, revolutionary. Oh, this is a new AI-[01:42:00]powered system which reduces your total cost of ownership by 90%.
The question number one we need to answer: do we have the right people with the right skills to support it? When everything is implemented, what will be our operational model, how are we going to communicate with the vendor and integrate this platform with other systems? What will the platform look like in a three to five to seven year timeframe?
What capabilities will be incorporated into that? How can we make sure that it will not become our biggest challenge and problem and vendor lock-in in the nearest future? And from that perspective, we need to select a partner [01:43:00] rather than just a vendor.
[01:43:02] Max Clark: Mm.
[01:43:03] Alexey Goncharov: Because if you hate to work with this particular vendor because their support is crap, maybe it's not the best solution for your organization to go down the road with this particular vendor.
Maybe you need to choose a different partner. At the same time, very important is, if all, let's say, Danaher operating companies are leveraging Palo Alto, so you have experience and you can grab the knowledge from other operating companies; you can help each other. So from that perspective, Palo Alto looked like the more preferred solution for.
We always need to keep that in mind. It's extremely important.
[01:43:55] Max Clark: Yeah.
[01:43:56] Alexey Goncharov: And I recently [01:44:00] had a conversation with folks: it's not only inside your company, but also outside the company. I can give you one example: Microsoft. Whether it's good, some products are good, some products not very good, some products well designed, some have areas for improvement.
But what they do very well is they build communities around their products, even if the product has some gaps in terms of capabilities, functionality, or maturity of the platform. There is a community who can help you. If there is a community, you don't need to worry internally that if this person X leaves the company, I have no resources to support it.
[01:45:00] I can go to the community and hire someone else, because it's widely available on the market. So from that perspective, Cato was a little bit risky. And as long as they continue to build their community, where the engineers learn about the platform and the benefits, and the number of people available in the market to hire
[01:45:26] Max Clark: Hmm.
[01:45:27] Alexey Goncharov: or managed service providers who can provide the service for your environment on the Cato platform.
So that is number one, about people. About the process: how the platform can help me to mature my internal process, align it with the best practices for zero trust enablement. And as I said, in our environment it was successful, because we were able to build a chain of trust from a [01:46:00] user to device, from device to certificate, from certificate to authentication mechanism, from authentication to authorization, from authorization to SASE. From SASE, some capabilities exist, some easy to manage, some not so easy to manage.
So that is how the platform can help me to mature my internal processes. In this particular case, with Cato, it was very good. There are other solutions like, I don't know, Zscaler or some other proxy-based solutions. I need to set up two different clients, ZPA, ZIA. Oh, what if ZIA is installed but ZPA is not installed?
What if the
[01:46:49] Max Clark: Mm-hmm.
[01:46:50] Alexey Goncharov: there are too many variables you need to answer that will require more complexity and increase your operational cost. [01:47:00] So, last but not least: we started with the people, then the processes, and now with the technology itself,
[01:47:11] Max Clark: I'm smiling because of how many times people try to run that in reverse: technology, process, people. Right. It really is people, process, technology, you know, the acronym PPT is like the
[01:47:29] Alexey Goncharov: uh, you,
[01:47:29] Max Clark: that
[01:47:30] Alexey Goncharov: you were frozen for about two seconds.
[01:47:33] Max Clark: I should have told you. I was saying it's how often we see this, where people try to run this in reverse, especially marketing teams.
They try to start with technology and then push technology down through a process into people. And it's so backwards. It really is people and then process and then technology, working up from the bottom that way. And, you know, [01:48:00] every time I've seen a failed deployment, I think it's because it's been approached backwards, and not actually looking at it the way that you just laid out.
[01:48:12] Alexey Goncharov: Honestly, why start from people? You cannot do it alone
[01:48:21] Max Clark: Mm-hmm.
[01:48:22] Alexey Goncharov: by yourself. So if you don't have the right team... I was lucky that I got a very, very good team, engineers, managers, around me. Very good. Without them, no way. So you need to make sure that you have the right people even to implement it, to roll it out, to go through all the bumps on the road you may have, because you may find certain things you missed or weren't able to [01:49:00] discover during the discovery phase.
So if you don't have the right people, it's directly a path to fail. So I had brilliant folks, specifically for SASE. It was Sba, Shaker and David, three guys. And of course my boss, who had my back, supporting me, Sandeep. And of course our CIO
[01:49:32] Max Clark: Yeah.
[01:49:33] Alexey Goncharov: Yeah.
[01:49:34] Max Clark: It's amazing.
[01:49:34] Alexey Goncharov: CSO and the CIO. Yeah. Without that, no.
If you don't have the right people in place, there is no way you can succeed, 'cause every time there is even a minor issue, it could be escalated. And
I had experience with folks who were in different positions who were just screaming about a minor issue. One laptop is affected, some [01:50:00] minor misconfiguration.
They were just, "Oh, you are doing Cato. It's so bad. It's because of you." Calm down. You need to focus on the bigger picture. If there is some misconfiguration somewhere in one laptop, that means our process is not mature enough. How did it happen that one laptop is different than all other laptops?
[01:50:29] Max Clark: mm-hmm.
[01:50:31] Alexey Goncharov: And this is the second important thing: how the platform, once you build a chain of trust which needs to be followed, can help you to mature your processes.
'Cause in our case, there was no such thing as a chain of trust. Laptops were provisioned without assignment to users with proper attributes, linkage, et cetera. There [01:51:00] were no certificates. There was no PKI with custom attribute-based certificate templates for various use case scenarios.
There was no certificate-based authentication for wireless. There was no always-on VPN. There was no automatic account provisioning to the SSE platform through SCIM through our cloud IdP. Those are just additional benefits people will look back on and then realize.
How many other changes? Because SASE was the primary driver of all other changes, which helped to mature the processes, align them with the business objectives, align them with the best practices, build a chain of trust after meeting the entire workflow, et cetera, providing the full visibility across the network with [01:52:00] enablement of zero trust network access, which is not fully zero trust; that was the first step to full zero trust, but at least the first step was made in the right direction.
So.
[01:52:20] Max Clark: Alexey, I think this is a perfect place to wrap on a great note. I probably could, you know, I have a feeling we could go for another three or four hours. I had a question and I wanted to pose this, and I'm afraid I'm gonna open up another can of worms here, but I'm gonna ask it anyways.
One of the things specifically with Cato they offer is this idea of, like, you can really crawl, walk, and run. There is a layering of services, and this is true of most SASE platforms today, where [01:53:00] you can start with a very basic service and you can increase, you know, and you can layer things onto it, right?
So you can add CASB, you can add DLP, you can add RBI, you can add all these things into the stack. And just like you had said earlier around, like, the single pane of glass already being really there, it really works, being able just to enable another entitlement within the platform and get additional functionality out of it.
I'm curious how that played out with you as you went through deployment and you thought about, you know, our objectives of solving this first initial problem, but then looking at it as, like, holistic: we're gonna start here and then we're gonna layer on. Was that intentional all the way from the beginning, or have you, you know, turned on things you weren't expecting to ever use because you found a use case for it, or you found a requirement that was driven by the business?
[01:53:56] Alexey Goncharov: The entire project, it is [01:54:00] approached from the beginning not to try to get the big bang. Put the basic foundation first. Once the basic functionality is available, some basic functions: sites are connected, DHCP is available, the connectivity across the sites and the firewall rules are up and running, and then enable the ZTNA,
[01:54:36] Max Clark: Mm-hmm.
[01:54:38] Alexey Goncharov: with the SDP client, and it's reliable, or with always-on, with all the components built for the PKI, for the authentication.
Authorization. And MFA is configured for the endpoint devices and the client is properly being updated across various platforms. Then think [01:55:00] about the next step with additional capabilities. In our case, we had a very specific ask from InfoSec for this initiative, and we kept that in mind, and from day one we communicated it to all vendors.
This is what we expect the platform to deliver, because we want to enable it. With that said, we clearly communicated certain things will be enabled six months after the deployment, certain things after nine months of the deployment, certain things we expect to be available and will be delivered after 12 months.
For example, CASB, TLS inspection, that was in our list. But we didn't expect that to be delivered from day one because that [01:56:00] had more complexity. You need to build a foundation and then start to build the walls and then have windows in those walls
[01:56:07] Max Clark: Another good analogy.
[01:56:09] Alexey Goncharov: before you put the roof on top of it.
[01:56:11] Max Clark: Yeah.
[01:56:12] Alexey Goncharov: Yeah.
So, answering your question, absolutely, the layered approach is the right approach.
It's less risky, less impact on the business, easy to adopt, and with the layered approach a much easier process for selecting certain functions and getting those services, as other SaaS or infrastructure-as-a-service platforms allow you to get those services from them, like Azure, AWS. I strongly believe
SASE vendors sooner or later will offer something similar to that, where you can enable certain capabilities, play with it, and then disable it if you don't like it, or select [01:57:00] different combinations and do it on, how is it called, usage-based,
[01:57:11] Max Clark: Yeah.
[01:57:12] Alexey Goncharov: instead of subscription-based.
[01:57:15] Max Clark: Yeah,
[01:57:15] Alexey Goncharov: Like you need to subscribe even if you don't use it.
[01:57:20] Max Clark: idea. It's interesting.
[01:57:22] Alexey Goncharov: But yeah, there are different models for that. Of course, you can get a bigger discount if you announce the capabilities you want to use in the future, or, like with other SaaS vendors, they have over-subscription in certain cases where you commit a certain number of licenses in advance, you get a big discount.
But in many cases, if you calculate the total cost of ownership, sometimes it's not even worth the discount you get from the vendor. [01:58:00] So it's a little bit tricky.
[01:58:03] Max Clark: Yeah. That's a completely different discussion.
[01:58:06] Alexey Goncharov: Yeah. Yeah. Yeah.
[01:58:07] Max Clark: Alexey, thank you very much for your time. Thank you for your insights. It's always interesting to me to talk to people that have implemented this stuff inside of organizations, as opposed to, like, the theoretical. You know, we talk to a lot of sales engineers, for instance, who don't operate.
And I always enjoy talking to people that actually are pushing this stuff out and supporting businesses and users day to day, because you see a very different side of things. So I appreciate your time.
[01:58:37] Alexey Goncharov: Oh, always my pleasure to talk to you, Max. It was nice meeting you, and looking forward to continuing our conversation about this topic and other topics as well.
[01:58:46] Max Clark: Likewise.
[01:58:47] Alexey Goncharov: Yeah.