Zero Trust is all the buzz today, but it is often hard to cut through the noise to figure out what it actually means or how to operationalize a zero trust security model in your organization. It’s critical to start by understanding how zero trust security can deliver a better and more secure remote access experience for your workforce. Then, you can design a zero trust architecture that extends your existing single sign-on, device management, endpoint security, network access, and other enterprise security tools. With a clear architecture and end user experience in mind, you can identify gaps in your tooling and evaluate commercial and open-source solutions that can help you implement your zero trust initiative.
In this discussion, targeted at IT & Security teams tasked with researching or implementing zero trust security for their organization, we will cover:
The basic principles of zero trust security
How to pick a starting point for your zero trust initiative
Real-world examples of zero trust deployments
Live demo that compares and contrasts an end-user VPN-centric workflow to a zero trust workflow
Den Jones:
We are live.
Jo McDougald:
Good morning, good afternoon, or good evening, depending on where you are in the world. We’re going to start here in just a few minutes. I’m going to give everybody a chance to grab a cup of coffee and get themselves situated. In the house, we have Den Jones, our venerable CSO, who joined Banyan over the last few months, drawing on more than 20 years of experience driving IT and security initiatives at large enterprises like Adobe and Cisco. Den has brought Zero Trust implementations to over 150,000 employees.
Jo McDougald:
Tarun Desikan, our COO and co-founder of Banyan, is responsible for product strategy and ecosystem partnerships. Today, the two of them are going to talk about our journey to the modern VPN alternative. Just a little bit of housekeeping. If you guys want to chat with us at any time, you can raise your hand. Can I see a show of hands, just to make sure that’s working? Den, can you see hands going up? Den, I see your hand. Okay, everybody can go ahead and put their hands down.
Jo McDougald:
Also, you can pop in questions at any time in the Q&A area, and Den and Tarun will take questions throughout the event. With that, I hope you guys have a nice cup of coffee and are settled in for a fun, entertaining and insightful conversation with Den Jones and Tarun Desikan. With that, I will pass it over to Den.
Den Jones:
Thanks, Jo. Tarun, I think you’re the man with the slides. So, why don’t you kick us off.
Tarun Desikan:
Awesome. Well, welcome everyone. Thanks, Jo, for the great introduction. Maybe Den and I will start out with a little deeper dive into where we came from and then we’ll jump right into the heart of the content.
Den Jones:
First of all, yes, I joined Banyan in December as the Chief Security Officer. I run security, IT and our Customer Zero program. Prior to that, I actually led enterprise security at Adobe and Cisco, where we implemented the Zero Trust platform and architecture, solution, strategy, covering over 150,000 people and over 200,000 devices. I’ve got some scars and some good lessons learned. Tarun, over to you.
Tarun Desikan:
Awesome. Hi everyone. My name is Tarun Desikan. I’m one of the co-founders of Banyan. I’ve been in networking and a network engineer for about 20 years. I started my career fairly low down in the stack, in photonics and the L1, L2, L3 networking layers, and then I’ve slowly moved up. We’ve been working on Banyan now for close to six years. When we started Banyan, Zero Trust wasn’t really a thing yet. It was just a thesis and an idea, and it’s been amazing to see the market, customers and the general security industry as a whole evolve to where now we can actually have a conversation on how to roll out Zero Trust at scale. For our agenda today, we have a few items we wanted to cover as we think about-
Den Jones:
Hold on. Tarun, this is the same [inaudible 00:03:33] we did last month, isn’t it? How about, I’ve heard that you’re into a bit of role playing. Let’s do a little bit of role playing. Actually, who isn’t into a bit of role playing? I’m going to play the role of a new customer. I’m a CSO at some company, and I’ve heard about some Zero Trust. Why don’t you play the role of the co-founder and COO of a Zero Trust company trying to sell and educate someone like me on what Zero Trust is and who Banyan are.
Den Jones:
Maybe just scrap this kind of deck, so we don’t kill everyone with slides. First of all, I’m assuming that’s okay with you.
Tarun Desikan:
Yes.
Den Jones:
Because I heard you like role playing. I would love you to play the role and I’m going to kick off with… Use whatever slides you’ve got and I’ll play the role of new customer wannabe. The very first thing is, I’ve heard a lot about Zero Trust, and I hear everybody is a trust company these days. Why don’t you share with me a little bit, what is Zero Trust?
Tarun Desikan:
Right. Well, if we’re going to do this, Den, can I suggest the audience also just pepper in questions as they come up?
Den Jones:
Absolutely. Yeah, I’d love to see some audience questions, and especially, if I’m not doing a good job of being a customer, then, yeah, let’s see some audience questions along the way.
Tarun Desikan:
Okay. Let’s just cut through some of the noise in the market. Zero Trust is probably… Actually, before we jump into that, Zero Trust is one of the buzziest terms around. Maybe we’ll come back and see what other buzzy terms there are. But why did people even get started with Zero Trust? How did the concept even come up? What does it even mean?
Tarun Desikan:
If you look at it, the fundamentals are actually pretty clear. We built our whole security architecture around a model where an office worker came into the office to do their job. That was the fundamental thesis behind how enterprise security was done. Not only did you have to scan a badge to get into the office, or maybe you had someone up front let you in, so they knew you were physically there; you plugged your laptop in, you got an IP address, and then you were on the network, and that’s how you did your job.
Tarun Desikan:
That’s been that way for like 20 years. When you and I started our careers, we had to go to the office to do our job. It made sense that security was based on that model. But if you look today, especially after the pandemic, that’s just not how the workforce operates anymore. On this slide, you see on the left hand side, it’s not just about the office worker, the worker who comes to the office. You have a remote workforce, you have developers who are working from laptops, often from coffee shops, you have third parties. You now have a lot of applications that are in the cloud that need to be part of your corporate, enterprise thinking.
Tarun Desikan:
The other concept is that your resources don’t run in a nicely defined network anymore. Your private applications may run in a data center, but more likely, they have moved to the cloud. They’re often delivered as SaaS. Your developers are now doing what they call cloud native development. So, it probably changes all the time.
Tarun Desikan:
What has essentially happened in our industry is, we have basically put band-aid boxes one on top of the other. The first box was the VPN, then you built a second partner VPN, then you built a web gateway with firewalls, proxies, bastions, just so many boxes. What essentially happened is that enterprise security does not have control over which device and which user gets access to which application.
Tarun Desikan:
The fundamentals of Zero Trust are just, how do we fix this problem? How do we fix this problem that has happened over the last 10, 15 years of evolution of enterprise and network security? The solution, and that’s the market term that has evolved, is to create a new layer which essentially allows access from any user, on any device, to any resource they need. Doing so provides better security and also a better user experience. That’s my quick summary of what we define Zero Trust to be. I know you are in the market a lot, you probably see different definitions also, right?
Den Jones:
Yeah. Well, it’s funny because you get people talking about backend workloads, and you get people talking about things like NAC and network level stuff. For me, deploying what I would think of as a Zero Trust strategy and architecture and platform was really all about recognizing the user experience is highly important to an organization.
Den Jones:
With that in mind, Tarun, why don’t you share a little bit about, Banyan, what do we think we do? I get this slide here, hey, we’re going to replace a bunch of stuff. From a user experience perspective though, can you share a little bit about what that user experience is? If you’ve got 40,000 or 10,000 employees, what do they see, what do they do?
Tarun Desikan:
Absolutely. But maybe before we jump into that, Jo, do you think you can kick off a quick poll? One of the concerns I always have is, Zero Trust is a buzz word. I’ve experienced-
Jo McDougald:
Den, you have to launch the poll.
Tarun Desikan:
Pardon me?
Speaker 5:
Den has to launch the poll.
Tarun Desikan:
Yeah. Den can launch the poll. I’m just curious, how many of our attendees… Okay, what is the number one buzzword in security today? Is Zero Trust on par with blockchain or AI? I’m just curious for the audience or shift left, even, what you guys think. Please submit your answers and maybe midway through the presentation we’ll surface the results.
Den Jones:
Awesome. Okay. User experience. I always think of thousands of people trying to access applications on services. Why don’t you just share a little bit from that angle.
Tarun Desikan:
Let me just share what a typical Zero Trust implementation looks like, and then we can go into, hey, what is an example of a user experience for this implementation? Typically, most users, especially enterprise environments are used to some sort of VPN. When I go into the demo, I’ll show you guys what that means. The VPN essentially simulates as if you were in the office. That’s essentially what the VPN was designed to do. It gives you an IP address that belongs in your office IP range, puts you on the network, so you can pretend that you’re in the office.
Tarun Desikan:
A typical Zero Trust implementation does away with that concept. Instead, it has three core components. It has a device user component, it has an access gateway component and a policy engine component. Anytime a user needs to access a resource, they need to be explicitly authenticated. In this reference implementation, we go to an identity provider, we have SAML to make sure, hey, this is the user. Then we go to an endpoint security tool. That’s where an EPI to make sure this user is on an approved device. Of course, if the user is in a BYOD or a contractor, you can skip this step.
Tarun Desikan:
Then you explicitly figure out what user and device it is in the command center, you attest to their posture, and then you give them access into a specific resource. That’s just a high level overview of how a Zero Trust implementation looks. Now, from a user experience perspective, what is the difference? For that, let me just show you example user experience.
Tarun Desikan:
Let me start with the VPN first, and then we’ll jump into a Zero Trust user experience. Imagine Den’s… In my environment, I’m going to show you a VPN first. Imagine Den has sent me an email saying, hey Tarun, look, there are some awesome new findings. Hey, click this link to learn more. So, I click the link. Typically, in a VPN environment, the user doesn’t always know that this link is behind a VPN. They click a link, they’re like, oh crap, this is behind the VPN.
Tarun Desikan:
Here they go, they’re like, okay, I need to turn on my VPN, because a VPN by default is seldom on, you need to turn it off. Then you connect, you have to enter some kind of password. Most networking guys have caught onto multifactor authentication. The next step typically is pull out your mobile app, which I’m going to pull out, and enter a passcode. Okay. Now, I’m on the VPN and now I can refresh. Okay, at least I have connectivity, but I use a self-signed certificate. Then I get in. This is-
Den Jones:
Can I pause you second? Public service announcement for the audience, don’t click random links from strange Scottish guys, all right? Keep going.
Tarun Desikan:
Yes. With that, and even Chrome warns you not to secure a strange Scottish guy. It warns you. This is the user experience many traditional VPN customers are accustomed to. You can train your workforce to get used to it. They suck it up. But if you saw me there, I lost like two, three minutes of my day just connecting to an application. More and more of the workforce will not tolerate that.
Tarun Desikan:
That’s from the user experience side. Let me just show you one thing before I jump into Zero Trust user experience. This was a crap user experience, but probably what’s even worse is it’s a fairly insecure system. Let me just do one thing here and show you how insecure it is. I dropped you onto the network just so you could access one website.
Tarun Desikan:
I’m on the network, so I can ping the website. The thing works just fine, because I’m on the network. I can take that IP address there, and I can start poking around at different ports. Look, port 22 is open. Not only is port 22 open, it’s running a vulnerable version of OpenSSH. Great. Now, I can start entering that server, if I was a hacker. Then I can start moving laterally in the network. The VPN is just a fundamentally broken security model. It’s also a fundamentally bad user experience.
Den Jones:
There were a couple of things there, because I want to hover on this thing just before you go to the good experiences. I was always saying to people, well, two things. One is, when you build a VPN out, your full-time employees generally get wide open access to that network. You don’t have, from a cost perspective, the desire to get to fine grain. When people talk about least privilege, I think the industry is a little bit flawed, or it’s maybe our dirty little secret that we’re not really doing least privilege, because all employees get access to all the stuff.
Den Jones:
The other thing is, most VPN systems still rely on really old fashioned tables in order to give access to IP addresses, and then those IP addresses resolve back to an application, but generally it might be even a load balancer. Whereas, what we’re doing in the future is we’re using our existing directory identity-based access and not giving you full access to the network. The other thing is, from a user experience, users shouldn’t need to know if the application is associated internally, or cloud, they just want to get to their app. Can you show us, what does a good experience look like, where I can just get to the app?
Tarun Desikan:
Right. Let me just turn off my VPN to answer the question you posed like five minutes ago on what a good experience looks like. Let me just disconnect. I’m no longer on the VPN. You can see, I no longer can access this. A good experience would be, hey, I get this email, I click on the link and it’s just like clicking on a bookmark.
Tarun Desikan:
Let me just show you all the steps, one by one, before I… Let me just open an in private window so you can see the actual steps and then I’ll show you the actual seamless experience. Good experience would be, you click on a link. Behind the scenes, the system checks your device, and that was a certificate prompt. It sends you into your identity provider-
Den Jones:
That certificate, Tarun, that’s what we’re doing to replace the username and password. Is that what we’re doing there?
Tarun Desikan:
It’s doing a couple of things. The first thing the certificate does… Actually, let me just even show you the certificate again so our participants can see it in gory detail. If I click on the certificate information, it does two things. The first thing it does is it tells me what my device serial number is. I can attest to the device strongly, I can authenticate the device.
Tarun Desikan:
The second thing it does is the certificate also contains my username, in this case, my persona is daisy@medsoft. It also attests to my user. The certificate essentially authenticates my device and the user. Some people call this passwordless. You don’t need to enter a password anymore. You just-
Den Jones:
If you’ve got five devices, you’ve got five unique certificates. What that means, if I’m a bad actor trying to log into your device with another username or password, that’s not going to be possible to access our applications and services, because our platform expects that certificate. It doesn’t expect another device.
Tarun Desikan:
Yes.
Den Jones:
From a support perspective, I’ll tell you, sometimes, no, I love that. Because I’m like, the IT support team can have their accounts hijacked to then go rampaging through the environment. It really helps us lock it down.
Tarun Desikan:
Right. I think one of the most common threat vectors, phishing attacks, is I think what you’re referring to, where a user’s username and password gets compromised. It’s not that hard, it’s just a password. Most likely, it’s like your daughter’s name, dash, birth date or something like that. It’s not that sophisticated, or it’s SolarWinds123. It gets pretty bad. It’s pretty easy to compromise a credential. This really secures you against credential compromise, which is one of the most common attacks you see today.
Den Jones:
Yep. Awesome. The good experience, you’ve clicked the link. You went, yeah.
Tarun Desikan:
Let me just come back and… In this browser… That’s a good experience. Let me just do that again. The good experience is, transparently, I click a link, it opens up. If I have an active session, it won’t even ask me for this, but I keep opening in an incognito browser. It just asks me for my MFA to activate a session and I’m in. I’m not talking about turning on a VPN, tunneling my traffic.
Den Jones:
That certificate popup is purely for the purpose of demo. Normally, for users, you don’t see that.
Tarun Desikan:
Yeah. We suppress that certificate prompt under most situations. Things like a ping don’t work. You’re not put on the network. You’re just given access to that specific application. You can’t really poke around and see what other ports are available. You can’t move laterally. Not only did we significantly improve the user experience, this click a link, it just works. A modern VPN alternative will also prevent you from moving laterally in the network. It also improves your overall security posture.
Tarun Desikan:
That’s just a quick… Just to extend this further, think about a mobile device. This flow works seamlessly on a mobile device, and nobody wants to install a VPN on their personal phone. It just drains the battery. It sends all my network packets all over the place. It’s just the worst thing ever.
Den Jones:
Awesome. A couple of things. That’s the users, and the users, they’re doing their business. Let’s talk a little bit about the benefits here. One of the things that I used to always share with executives, either as part of the deployments I’ve been involved in, or just in general, when I meet people out at conferences and elsewhere, I almost say it’s like, you’re going to improve the user experience because I’m not doing passwords during authentication, I’m not VPN-ing in, I’m just going directly to the applications and services.
Den Jones:
Even from a privileged perspective, if I’m talking about DevOps or privileged management and things of that nature, we would set maybe CyberArk behind this, or if you’re not doing, I’ll call it, full-on privileged identity management. Let’s say you just want to actually get access to infrastructure in AWS. You can go via our platform, do a posture check of a device, and then you can get in and we can do short-lived sessions, and tie that into something like ServiceNow.
Den Jones:
Use cases, I start to rack up a couple of things here. I’ve got improving the user experience, and for thousands of users, I’ve got DevOps type people that are running platforms and services. We’ve got a thing called service tunnel. Ultimately, I’ve got this new way of working where I’m not getting access to the full network. Then I can turn my network into a guest type network, like a Starbucks. That would mean that any time someone is on the network in the office, I can’t just suddenly, even while I’m on that network, just run rampage through the network. Any other use cases that you think, that you tell people about when you share what Banyan does?
Tarun Desikan:
Well, I think especially as it pertains to a traditional VPN, and I used to be a network engineer, I spent a lot of time maintaining IP whitelists. It was just a thing, and it was so easy when we got started. At my first company, I remember our headquarters were in Sunnyvale and then we had a couple of remote offices on the east coast, one in Maryland, one in Pennsylvania. Essentially, we just IP whitelisted those two offices. Connected them to our network, and it was great, it was fine.
Tarun Desikan:
That’s where everything starts. But today, if you look at someone’s IP whitelist, there are like thousands of lines. Something as simple as, I need a Slack webhook to trigger an internal application workflow. Something as simple as that, someone says on Slack, “Hey, Den, kick off this approval workflow.” Okay. They set up an API integration. You have to IP whitelist, not just Slack. Slack is now owned by Salesforce. You have to IP whitelist every single Salesforce data center around the globe, and it keeps changing.
Tarun Desikan:
The only time you as a network admin know is when something breaks and the guy emails you saying, my Slack webhook is not working. My CFO did not know about this deal I was going to sign. Now, everybody’s really pissed off with the network engineer because the IP whitelist didn’t work. One of the key things you want to move away from, or you can move away from, is this idea of maintaining these long access control lists based on IP addresses. As someone who did this for a long time, that really excites me. Just moving away from IP whitelisting is a big win.
Den Jones:
I’ve been a directory guy since the mid-’90s. For me, I always think of it like, all I want to do is say, hey, that’s the group of people can access the app. If I’ve added you to the group, then you can get access to the app and it should all just flow, and then you’re suddenly like, oh, wait, in network level, I need to go do some extra widgets and da, da, da. Moving away from that was a bit of a joy.
Den Jones:
I got a question. Banyan integrates with many things as part of a Zero Trust architecture or solution. There’s this notion of TrustScore. Now, can you show me, what is a TrustScore, and what affects or changes a TrustScore?
Tarun Desikan:
One of the key principles of Zero Trust is to get user and device context in to make a decision. What we saw historically was that people relied a lot on roles, role based access control, RBAC, they might use ABAC, attribute based access control, which is all fine. They’re all good techniques, but they just became very, very, very complicated.
Tarun Desikan:
The thousands of roles in an organization, the hundreds of attributes, then you acquire a company, you suddenly get 200 attributes. Those techniques just became so complicated, and it didn’t help with the fundamental problem statement, which is, is this user and device trusted? That’s all you’re trying to figure out.
Tarun Desikan:
In Banyan, we came up with this idea of a TrustScore. I guess I don’t have a ready made slide for it, but maybe I’ll just show you the Banyan app. We came up with a simple concept of a TrustScore, which we show in the Banyan app, we can visually see it in the Banyan app, that looks like this. To us, a TrustScore is pretty simple. It’s, what are the factors that your enterprise security team, your organization thinks is important, that makes you trust it?
Tarun Desikan:
In my demo organization, it’s pretty simple, I’ve just used my device’s basic posture. As long as you come from a device that’s registered and maintains good hygiene, in terms of the firewall and the operating system and the disk encryption, I will trust it, I will trust the device. Now, in some of our larger organizations… This is just a small demo organization. Some of our larger customers, they extend what trust means.
Tarun Desikan:
If you’re in a managed device, it must be running CrowdStrike and CrowdStrike must say, it is not compromised. As a user, you must be running an entity behavioral analytics tool, and that behavioral analytics tool must say, you have not performed any risky behavior in the last 24 hours. We quantify the trust, and then this trust is what gives you access to the application I showed you. It allows you to move around and access this application.
Tarun Desikan:
You compute the trust and you make it very simple to understand. Green is good. Red is bad. If you’re green, you get access. Now, let’s just make my TrustScore low, let’s see what happens. There are a few different ways. I can launch some malware, but since I have a demo account, I can just click that button, and then I click that button, it drops my TrustScore to zero. Just for demo purposes, it overrides my TrustScore.
Tarun Desikan:
Now, as a user, I know something is not right. Why is my TrustScore zero? From an access perspective, if I refresh this page, all my access also gets blocked. I can no longer access the resources I previously could just click a button and get to. The TrustScore, on one hand, is user facing and tells the user what their level of trust is. On the other hand, it is enforced in real time from a policy perspective. If your trust falls, you lose access. It’s just a way to simplify how to implement Zero Trust in an organization.
Den Jones:
You could start off having this be passive so that you’re not going to block their access to begin with. You can configure this so that over time, you might decide, hey, I want to now enforce a level of posture, maybe before you ramp up in your project, you don’t have to begin like that. I certainly know, from experience of doing this before that when you enable something like this with self-remediation, that people instantly… We saw a huge improvement just on the posture of our end points, just by enabling this.
Den Jones:
It was great just to see people self-remediate and improve the posture. Then the other thing is, if I’ve got contractors where I’m not in charge of their configuration, I can use this as a method to say, hey, I can let contractors work with us. Because the only other method that I know of where people say, “I need to have these vendors and contractors use my apps and services is you deploy a very expensive VDI platform and then they connect to a managed device.” Rather than spending all that money, a great way to leverage something like this, because again, you’re just trying to ensure a minimum set of security requirements to access the app. You don’t want to deploy a very expensive VDI platform.
Tarun Desikan:
Historically, for contractors, third parties, they’ve either set up a completely separate VPN. Sometimes they do that. They call it a vendor VPN. They’ll set up a completely separate VPN stack, gives them completely different network rights or they’ll set up a VDI platform. Both of which, if you think about it, is a huge amount of perimeter security infrastructure, and which is actually what… We have learned this the hard way, it’s actually really easy to bypass. It’s really easy to get past those. It normally isn’t expensive, it’s actually pretty easy to bypass as well.
Den Jones:
Yeah. Definitely. In most cases, they do both, because they’re doing the VPN, partner networks or things of that nature, just to give access to apps. But in order to trust the device or think about a better security posture on the device, then they’ll also do the VDI thing too.
Tarun Desikan:
Yes.
Den Jones:
That’s a very expensive proposition.
Tarun Desikan:
It’s a really clunky user experience. Vendors are forced to do business with you, especially if you’re a large company, so you can put them through that. But, I think the world is changing. There are much easier, simpler, more effective ways to pull off all these-
Den Jones:
Well, you end up in large organizations with vendors that work on site who still quite often turn up with their own devices, and they access your apps and services while they’re on site from a device that you have no idea what the posture is.
Tarun Desikan:
They figure out that, if you’re on site, you can just plug into the ethernet connection and suddenly, you have full access. We see this over and over again where inconsistent security posture, depending on how you connect to a resource, we will enforce different policies. I think that is the antithesis of Zero Trust. It’s just, I understand why administrators have to do it sometimes, but if you were designing a system from scratch, I think you would say, it doesn’t matter how you connect, you get the same policy enforcement. I think that’s another tenet of Zero Trust.
Den Jones:
Yeah. Previous companies, we use this mechanism, so that we had one enforcement and it was during the auth to the app. That means that you don’t need to then go over complex on your NAC stuff, right on your VPN stuff or these other things, you just need it while you’re logging in. It’s a very easy way to interject this into the authentication workflow.
Den Jones:
This is the admin console, this is where you set up the policies and stuff. I think it’s a very easy way to say, hey, I want to associate this app with this policy and require certain things. Do you want to just give a couple of seconds on these policy in the app?
Tarun Desikan:
Yeah, absolutely. I just want to highlight a couple of things in the Banyan product. We spoke a lot about the end user experience, how it’s so easy from the end user perspective. While that is true, one of the things that we also really wanted to do was make it easy for an administrator to move to a modern, VPN replacement solution.
Tarun Desikan:
Part of that means, what does it mean to move to a modern VPN? The first thing, for us at least, it meant is that you need to insert yourself seamlessly. We have a capability called service tunnels, which is, under the hood, a WireGuard VPN. We do give you a VPN. On day one, you just turn on the service tunnel and your users don’t even know anything has changed. They can still have the same VPN experience. Then from an administrative perspective, they don’t have to worry about change management or any of those concepts. They just turn one thing off, turn the other thing on, turn Banyan on and you’re done, you’re in.
Tarun Desikan:
Gradually, you can start publishing more granular policies and more granular services. What that essentially means is, once you publish a service, the user no longer needs to be on a network to access that application. They will be able to access the application by asserting user and device trust. That’s what publishing a service in Banyan means. Once you do that, you can also write more sophisticated policies.
Tarun Desikan:
For example, maybe I’ll start with a simple policy and then talk about a more sophisticated policy. A simple policy would be, hey, these users, users on a registered device or administrators can access this resource. There’s no IP address, complicated language here. You can start with some very simple policies just based on the user groups, which is what these essentially are. As you get more sophisticated, you can start getting more complicated policies that go into what type of URLs they can access, what different complex trust scoring algorithms and so forth. But the idea is, once you start on this journey, you start with the very basics and then you can progress and improve over time.
Den Jones:
I always think of simple, stupid is best, because the more complex, then, A, the more expensive. But B, it can become quite confusing after a while. I think you have the ability to say, look, I want to publish all my applications, say they’re Okta or Ping-enabled applications. I want to publish the apps and I’ll have one policy that governs access to all the apps. Then I’ll maybe use my directory’s group membership to see if you’re allowed to access specific applications.
Den Jones:
Then as you go through this environment, the access gateway pieces, if the applications are inside your network, then that’s really the reverse proxy that enables that internal access. One thing, do you need an army to build all this stuff out? Tarun, I’m getting really nervous that I’m going to need an army of people. How expensive does this become to operate?
Tarun Desikan:
One of the things we are really proud of is this self-serve model that we have created. As I mentioned, I come from a networking background and we used to guard boxes, forget about an army on your side, we used to send you our reserves as well to set it up. That’s how, for the longest time, networking was sold as, we would send you our reserves, you would have a bunch of guys on your side. They’d spend a month together, cobbling together all the cables and writing the policies. It’s just not how things work anymore.
Tarun Desikan:
The Banyan product, at least, is available for free on the internet. You can download it, you can get started in less than 15 minutes. That’s our promise. We have several videos of people doing it as well as videos and tutorials for you to get started. One of the cool things about a good Zero Trust solution, such as ourselves, is that not only is it secure and designed for scale, you can also self-serve and get started immediately.
Den Jones:
Hold on, the pesky sales people… I do like sales people and I always joke about it. But after 25 years of being a customer, I was always getting hounded by sales people. Sometimes you try and dodge them. There’s nothing better for me than to see a product that I can actually go online, get signed up, set the thing up or have my team set the thing up and actually start getting some value pretty quick.
Den Jones:
I want to go back to the self-service. The notion for me having been a Banyan customer long ago. I’ll change my hats right now, because I’m role playing. As a previous Banyan customer, I didn’t have to increase my staff. I increased the team by one, because the existing directory team, the existing Okta team, the existing endpoint team, they were the people that really just tweaked slightly what we were doing in order to make this real.
Den Jones:
I think that, for me, was pretty impressive. Now, just to remind the audience, we do have a buzzword poll. Hey, we’d love you to click that poll button. Really, all we’re asking for is, hey, what’s the biggest buzzword? I think, so far, Zero Trust is the winner. I really think that blockchain security and XDR, these things are hot on the heels, and everything, there’s digital transformation and it always has been.
Tarun Desikan:
Just to take that discussion a little further, Den, this is a reference implementation. The good thing is, well, when we first got started, this was still kind of new, people were like, what are you building? Why is this important? But in the last couple of years, what has happened is, we’ve had some really successful rollouts.
Tarun Desikan:
I just want to cover a couple of those. Some of them have been small, less than 500 users, but some of them have been really large scale, and it has been really awesome to see. One example is a global technology company that we’ve mentioned several times in this webinar already. Today, if you talk to them, pretty much every employee is using Banyan to access their internal resources. Probably the best part is not a single employee knows Banyan even exists, because it’s so transparent and just behind the scenes.
Tarun Desikan:
The way we were able to accomplish that, the way we were able to both impact user experience and security, is by integrating with those existing tools. If you build a platform that just leverages your existing investment in identity and device, and even networking, you can roll out Zero Trust with a relatively small workforce, relatively small team, and have a big impact. This is one of those examples that you mentioned.
Den Jones:
I’m familiar. Yeah, I’m familiar. Now, one of the things, for me, and I’ll share something, was, we had someone contact our security team and they thought they were the genius that discovered some big security vulnerability within the company. They’re like, “I can get to these internal apps and services without needing to VPN in.” They opened up a security incident. The security team started to investigate, because they didn’t connect the dots, and then they reached out to our team and we were like, “Well, wait a minute, has the device got our certificate? Is the device meeting the posture check? Was it IT managed? Was it talking about connecting to apps that were already published via our Zero Trust platform?”
Den Jones:
We were like, there’s no magic here. They are a user benefiting from our Zero Trust platform. They were just like, “Holy shit.” I think the cool thing was, we didn’t contact a lot of users. We’d done an article on our intranet to say what we were doing. But I’ve never had to contact someone and say, “Would you like to log in less? Would you like to access stuff without having to VPN in?” You don’t ask your users that kind of question.
Den Jones:
It was really cool, because not only did this person think they were the genius that found the security flaw, but then the security team, their incident team, they hadn’t connected the dots, and they’re like, oh crap, is there something going on here? It was when we got to our team and we were part of the same security organization. It’s like, you’re laughing about, oh my God, this is how transparent this thing is, and how well it works. For a company that’s got 30,000, 40,000 people, it’s a big change.
Den Jones:
Now, I know we’re going through a time here, so let’s see how that poll’s looking. Are there any questions from our audience? I’m not seeing any. I could invent some. If we’ve none, I’ve got another one for you. Integrations with existing technology. One of the things that I thought was really cool was the CrowdStrike piece, where you show there’s some malware in the device and it instantly cuts the sessions. I think that’s a cool thing. Then the other thing is service tunnel. We’ve got this DevOps scenario. Either of those two things, I’d love you to share just a little bit about both of those.
Tarun Desikan:
Yeah, and then I’m going to have a question for you, Den, after this, on how does someone get started?
Den Jones:
Oh yeah. I’ve got a podcast [inaudible 00:41:59]
Tarun Desikan:
Yeah. I’m going to answer your question on service tunnel, DevOps integrations, which is another case study. I’m guessing most of our audience has eaten at this restaurant chain. It’s a nationwide restaurant chain. When you have an organization like this, what you’re talking about is, many of these restaurant chains are actually software companies, because they are franchise models running multiple, multiple, thousands of different types of software, depending on the type of restaurant location and so forth.
Tarun Desikan:
This is one place where they were in a traditional [inaudible 00:42:34] shop, traditional VPN and they’ve been using it for 20 or 30 years. What Banyan was able to do was essentially move them to a model where the developers were able to run faster. That was using some concepts that we had previously discussed, like a service tunnel and a catalog of services.
Tarun Desikan:
They were able to connect to their resources faster. From the operations perspective, using Banyan’s techniques, we really were able to simplify the networking. When you were in a restaurant, previously, in order to access your application, all traffic was being backhauled to headquarters. But back in the day, it wasn’t a big deal. But come COVID, the restaurants’ to-go orders, they basically converted every restaurant from a sit-down restaurant to a to-go restaurant. Every single transaction was happening over the network. It had become insanely slow.
Tarun Desikan:
Moving to a Zero Trust model actually significantly simplified operations as well, simplified the networking setup. Connectivity could go straight to where the applications were instead of backhauling it through some network choke points. Those two techniques allowed this particular restaurant chain to both scale how quickly they could deliver their software, but also deliver their sandwiches.
Den Jones:
It is almost lunchtime.
Jo McDougald:
Now, I feel like I want to be like Robin from Howard Stern, where I just laugh in the background. I just hear her laughing.
Den Jones:
You can laugh if you start making lunch for us, or order some DoorDash.
Tarun Desikan:
I had a question for you. In your career, when you were rolling out Zero Trust, say you decided… Because, first of all, how did you decide you wanted to do a Zero Trust project at these organizations? How did it happen? Was it a board mandate? Was it just an innovative engineer saying, I want to try this, Den? Then, once you decided you want to do it, how did you get started?
Den Jones:
It’s funny, 2017, I was fortunate to be working with an architect in the organization. I hired this really creative and fun guy to work with. We’re still friends and hang out today, and he kept going on and on and on and on and on about this thing called BeyondCorp and Zero Trust. I’m like, “But we’ve got a really good Okta implementation. It was really solid.” I’m like, “Well, I don’t want to make it more fragile and add another cog in the thing.” He kept going on and on about it, and then he started talking about, “Well, could you imagine doing passwordless? Can you imagine… ” He was starting to tell me and all of a sudden, I’m like, yeah, okay, I’m now curious.
Den Jones:
Go ahead and throw a pilot together. A couple of weeks later he comes back and he is like, “Okay, I’ve got this rough pilot here.” He shows me logging into an application without a password. I’m like, “Holy shit, you got me there.” The second thing was, oh, the application was on our internal network and I’m going via the guest network. So, I’m basically coming in and there was no VPN. That was before we met Banyan. Our initial deployment was really injected into the authentication workflow, a really basic posture check, because the technology partners we had, it was really, really basic. Then if it was an internal app, then it would route through.
Den Jones:
What we recognized was, if I run the identity and access platforms and I’m the auth king of the company, then I don’t need to ask permission. We started with authentication, leveraging the existing investment and the existing team. Then we got better as part of that piece. When we met Banyan, it was a case, I wanted to find a company that could consolidate three of the vendors that were part of the existing architecture, and have one vendor.
Den Jones:
Actually, I wanted better posture check. I wanted better control over the policies and stuff of that nature. We started there. We leveraged the same team that was doing all the NAC stuff and the logging and the end point team, the device management team. Existing talent was huge. What we did do is we brought in one person who would really focus on this being their day job. That was really important for us.
Den Jones:
What was ironic, when I got to Cisco, Cisco were investing heavily in this. In fact, they were investing so heavily, they had so many people. What I had to do is grab one of the leaders and say, okay, you’re going to be the one leading this forward. Let’s excuse everybody else. We almost excused 70 people from being involved, and we’d peel people in as and when we needed. But ultimately, having an army isn’t necessarily the best thing, because it slows you down. You’ve got too many opinions, too many people. Then the other thing is, from an executive sponsor perspective, you need those execs to be totally on board.
Den Jones:
The way I had done that, I didn’t really tell them about Zero Trust. I wasn’t using the buzzword. I was just talking about outcomes. Would you like 40,000 people to not enter username and password? Would you like 40,000 people to not have to use VPN? If your answer is yes, let me go deliver this. I didn’t spend much money. It wasn’t multimillion dollars per year. It wasn’t a huge operational cost. The thing for us was, getting out the gate, was pretty quick and we deployed in seven months from that silly POC to 40,000 people, 2,000 apps. I can’t remember the number of devices, but probably about 50,000 to 60,000 devices. It was pretty quick.
Tarun Desikan:
But that’s a huge scale, Den. You’re talking tens of thousands of users and devices. What advice would you give for someone with a much smaller organization? 200,000 500,000 employees.
Den Jones:
Wow, you can go in 15 minutes or less, I guess.
Tarun Desikan:
I think so.
Den Jones:
I would love to say, yeah. You start with what the vision is, and the vision’s not the marketing hype. Going back to our polls, and this is why we did the buzzword poll, it’s not about the buzzwords, it’s about, let’s start with a little set of outcomes, so when you’re selling the vision, you’re talking about outcomes, you’re talking about results that the business will benefit from. You get a small core team, you get a really small use case. Maybe all I want to do is have one engineering team that accesses lab stuff within AWS or lab stuff on-prem, or maybe both. I want to start there. Or maybe I just want to start with dealing with one application that is used by HR, and we’re like, “Hey, we want the HR people, when they log into that app, to ensure the posture check on the device is good.” That’s it. Start there, get it out there.
Den Jones:
The focus communication is funny, because it was really all internal. I became a big fan of doing, here’s the weekly status update. In the top right, dropping in a number, number of business days to done. I wanted to create a sense of urgency. At Cisco, it was about RSA. We wanted to be on stage talking about it. At Adobe, it was a case of, we had M&As around the corner. We’re like, well, in order to be ready, we might need to have that communication.
Den Jones:
You remove the holidays, the weekends, so that number is as small as it can be. Then when you meet people, you’re like, “You know what, we’ve only got 47 days left. We can keep talking about this and procrastinate all what you want, but we’ve got a deadline.” All that for me was brilliant. I was never a good fan of PMs that continually said their project’s green because they moved the date. That just doesn’t work.
Jo McDougald:
I’ve got a couple of questions coming through. Guys, you can send them directly to me, or put them in the Q&A, it doesn’t matter. You mentioned passwordless. How does that work if we’re moving to passwordless, when there are regulators that have requirements about passwords or resetting passwords every 90 days?
Den Jones:
I’m going to put my Banyan CSO hat on for a minute, because I’m playing these different roles. As a Banyan CSO, we’ve got our SOC 2 too. We’re about to go through our annual audit. We do an internal audit. As part of that, they have this thing, it says passwords every 90 days, blah, blah, blah. In both Adobe and Cisco, we nixed that. We say, we’re going to follow NIST guidelines. But the control about changing your passwords every 90 days was born in the late ’90s, because that’s when they said, we don’t know if someone’s compromised your account.
Den Jones:
The first thing they’re going to do is say, “Well, let’s change it every so often, so that if it is compromised, that’s the longest a bad person will have it.” But we’re being attacked differently now. You can change your password every four seconds for all I care. If your device is compromised, they got it every four seconds, right? The reality is, moving to certificate-based where you store that certificate in the TPM or secure enclave, that enabled us to move away from saying to auditors, passwords are as important. They’re not as important and we’ve got MFA, and then maybe we’ve got some security intelligence where we’re working out if it’s possibly compromised.
Den Jones:
The cool thing is then you go to auditors and say, “We’re not doing this, but we are doing these things here.” As we go through our SOC 2, we can demonstrate why passwords are not a good method, why changing your password… Because all you’re ever going to do is add another one at the end or some bullshit. The reality is people skirt around that crap pretty easy. Easy answer with that.
Tarun Desikan:
Having said that, Jo, we do support passwords, if you really want to put your users through a lot of pain. If you really want to turn on passwords and update them, rotate their passwords every four seconds.
Jo McDougald:
One of the other things that you guys mentioned, and thanks for the questions, that has resulted in fewer support tickets. How does that work? How do you-
Den Jones:
Right. If you no longer force your users to change passwords every 90 days, you no longer have confused users contacting the service desk when they lock themselves out because they forgot their new password. In a service desk in large organizations, password-related tickets are usually always in the top 10. What we found when we implemented this during my time in Adobe was the service desk ticket reduction was about 60% to 80%. Just from a cost perspective, that’s huge. Not to mention everyone being off because every 90 days you have to change your password, and then you go and update five devices and blah, blah, blah.
Tarun Desikan:
Well, I feel like there’s also ticket reduction unrelated to the password. A common issue is actually network performance. When you use a VPN and you’re backhauling a lot of traffic, and maybe if you haven’t set up the split tunnel properly, and there’s so many misconfigurations that can happen. I remember, one of my favorite tickets was titled, Why Do You Care What Netflix Movie I Am Watching?
Tarun Desikan:
We had a customer that had, for whatever reason, that set up their prime tunnel servers in AWS, I guess. But when you turned on the VPN, all your Netflix traffic was going through it. They had an employee who had traveled abroad and really wanted to watch Netflix because he was traveling for work, he was abroad. He figured out that if he turned his VPN on, he could watch his Netflix shows.
Den Jones:
It’s also good for the BBC iPlayer.
Tarun Desikan:
Entirely. But essentially, by backhauling the traffic through the data center, he was able to watch Netflix while abroad.
Den Jones:
I’m going to say we’re call rating, but I guess you need to put your finger out and get involved in the call rating piece of this, but we are going to have a VPN, a blog or something that is talking about, hey, I’m just a twisted VPN vendor. I’m a big box maker, and I’m now a Zero Trust person, but everything needs to come via me because I want to look at your packets. Once I’m online, that’s a bad thing, isn’t it?
Tarun Desikan:
In this case, forget about looking at his packets, he was bringing the entire VPN infrastructure down. The amount of traffic these Netflix shows take is not trivial. If you run it long enough, or you run it at the right times, you’re going to break people’s networks. Another reason you actually cut down on support tickets, it’s just by simplifying networking. You just simplify networking. If you point-to-point access, make it performant, and people will stop filing tickets.
Den Jones:
If I’m going from a workstation in Starbucks to my cloud app, like Salesforce, isn’t it a good thing for me to come into the corporate network to then go back out? [inaudible 00:56:41]
Tarun Desikan:
There might be situations where you do want the traffic to come to you and you should accommodate that. It’s just that most VPNs were built assuming all traffic should come to you, and I think we’re well past that.
Den Jones:
Then that came up with a really good term. This is the only reason I want this blog post to be finished, guys, is because look, I think that video killed the radio star, but I think VPNs kill the Zoom video star.
Tarun Desikan:
Yes.
Den Jones:
I don’t care about the rest of the blog, I just want that line to be out there and go viral. Everybody, I know we’re at time. We really appreciate everyone’s participation. We concluded the poll realizing that, yep, Zero Trust is the most overused buzzword in marketing terms, and we apologize because we participate in that as another vendor that claims to be Zero Trust. Jo even has that in the background. Everybody, thank you very much. We’d love your feedback. Please share any feedback with us. Anything before we wrap, Tarun, or Jo?
Jo McDougald:
Yeah. We’ll be recording this session and we’ll send out the recording to you and all the other registrants and you can go ahead and share it. We’ll also be sharing it again on social media. We saw some of you came in from our Twitter feed. Nice to see you. Welcome to the party. We’ll be hosting yet another webinar, I think it’s the 22nd of May. I think that’s going to be a deep dive into DevOps and how Banyan can help secure DevOps infrastructures, which is a groovy thing. Thanks so much. We’ll talk to you guys soon.
Den Jones:
Yeah, excellent.
Tarun Desikan:
Thank you, everyone.
Den Jones:
Thank you very much, everyone.
Jo McDougald:
Bye, everybody.
Book Office Hours with Den Jones
If you are interested in chatting with Den Jones in a more informal setting to talk about your challenges, he hosts office hours that you are welcome to schedule with him directly.
Den is a seasoned professional and loves talking about the best ways to get started, how to measure progress and finally how to get things done.