How SASE Enables Zero-Trust - Security Boulevard

How SASE Enables Zero-Trust

On this episode of The View With Vizard, Mike Vizard talks with Kelly Ahuja, CEO of Versa Networks about their latest $84 million funding round and the ways SASE enables zero-trust. The video is below followed by a transcript of the conversation.


Announcer: This is Digital Anarchist.

Michael Vizard: Thanks for the throw. We’re here with Kelly Ahuja, who is the CEO of Versa Networks. They are fresh off raising yet another $84 million in funding. Welcome to the show.

Kelly Ahuja: Thank you, Michael. Glad to be here.

Vizard: You’re in this whole category called SASE, secure access security layer.

Ahuja: [Laughs]

Vizard: I’m not sure what the acronym stands for. But I seem to remember back in the day we had secure SD-WANs and then we had SASEs and they’re kind of like the next flavor of that. But maybe you want to explain the category a little bit and what’s different now versus what people remember as just an SD-WAN.

Ahuja: Yeah. No, very good point. So first of all, SASE stands for secure access services edge, and it is the fastest-growing category today in networking and security. So needless to say, it’s a hot market and it’s on the mind of every customer, every analyst everywhere. And it’s expected to grow and grow big between now and the next few years. Now what SASE encompasses is a combination of networking and security combined together to solve what the enterprise has been trying to do, and what the enterprise has been trying to do is really they’ve gone on this digital transformation journey.

And what that journey is asking them to drive to is connect users to applications anywhere, anytime. So you as a user could be at the office or in a branch office or maybe on the road somewhere, and they want you to be able to connect to applications securely and reliably, and those applications could be anywhere. They could be in your datacenter on prem or it could be in a public cloud or they could be SaaS applications. Now the challenge for the enterprise is really to allow this connectivity to happy (a) securely and (b) reliably and provide the ultimate in application experience.

Why? Because no one in the IT team wants to provide a poor experience. And users can tell you, “Hey, my call didn’t go through or my application experience or my transaction point so transactions aren’t working when I’m seeing a client,” or whatever else. So it’s really designed to address that need for enterprises of secure and reliable connectivity anywhere, anytime to connect any user to any application. Does that help make sense?

Vizard: Yeah, that helps a lot. Who’s driving that? Is it the security people and the networking people or are security and networking teams converging as a result?

Ahuja: It’s actually both. It’s both. Because this is where networking and security come together, and we see this all the time. We’ve been talking to both teams, because as a company, as Versa, we’ve always had networking and security integrated in part of the portfolio. And the first use case we applied that to has really been on the Wan edge side in the enterprise, and that’s where SD-WAN came about. But fundamentally, we’ve always done security and we’ve always had the combination of networking teams and security teams talking to us.

Vizard: Do I build this myself or do I consume it as a service? What are you seeing people prefer?

Ahuja: Yeah, most people are consuming it as a service. However, there are verticals or certain types of customers that prefer to do it all themselves. So we’re seeing the blend of both, and this is partly another definition in SASE, says that it’s not just networking and security, which means it’s got SD-WAN, SWG, which is secure web gateway, firewall-as-a-service and all these other functions – ZTNA – but it also requires that it should be able to do it on prem, which is on the customer premise, or in the cloud. And to explain that, let me just kind of give you an example.

If I’m an enterprise, call it a large retail or technology company, maybe I’m going to have some offices and distribution centers where I need to be able to protect that site directly at that site. Why? Because I’ve got internet connectivity, I’ve got lots of traffic going out and coming in, and I want to be able to protect that site right there where my internet perimeter is. For other things, maybe for example if I have kiosks somewhere or if I have remote sellers that are going out and talking to clients or being at their site and they just have a laptop, for them I don’t necessarily want to put security where they are at the edge. I want to put it more towards in the cloud, which is closer to the applications they’re trying to get to, and still secure them and give them a secure experience.

So for that reason, in any enterprise you’re going to have cases where some of these functions have to be closer to the user or closer to the cloud, and closer to the user could be that you’re in a corporate office, head office, a branch office, or closer to the cloud would be when you’re a remote user or you have a lot of small offices that you don’t really want to put the functions on prem. Why? Because that’ll drive cost up. If that makes sense.

Vizard: A lot of people today are still using VPNs to log into things. Is the VPN dead? Is it an extension of all this stuff? Where does this thing wind up at the end of the day?

Ahuja: Yeah. VPN technology has been around forever, and really it solved a lot of good problems in those days, but it was more designed for cases where you needed to provide connectivity from point A to point B, right? So in the site connectivity world, when you have branch offices and private datacenters, MPLS VPN has been used a lot, and it still is being used a lot. Why? Because of the performance guarantees, the QoS and the reliability of the service, and that will always continue to be used for site-to-cloud connectivity by many enterprises. It’s not going anywhere.

However, for remote users, most of them have been using VPN and VPN concentrators, VPN services to connect to the private cloud. Now what’s happened though is because of the change in applications being away from the private cloud to multi cloud and SaaS, now users need to be able to connect to those applications directly from where they are, and for that reason the VPN architecture needs to evolve. Because the old VPN architecture was even the remote user would VPN into the private datacenter and then use that corporate firewall to get access to the internet and all the cloud services. And today now with ZTNA architectures, you can actually take those remote users, and with SASE, you can take those remote users and connect them directly to those cloud applications while giving them a secure experience through the SASE cloud services. If that makes sense. Now does that work?

Vizard: Yeah. So I’m not backhauling a bunch of traffic all over the place for no apparent reason.

Ahuja: Oh, yeah.

Vizard: Does this mean my traditional router at the edge there is being replaced?

Ahuja: Well, [laughs] with the right SD-WAN solution, like Versa, where we actually integrate routing, SD-WAN and security, we’ve seen a lot of customers collapse all those functions into a platform like Versa and run it on a standard x86 platform that they can buy directly from the manufacturer and get a lot of cost savings but also get a ton of visibility and control, which is what they need to be able to kind of manage the environment. Now those routers are typically at the branch offices. And like I said before, in the past you knew where traffic was coming from and going to, right?

In the internet world of today or the multi cloud world of today, you don’t know where the users are going to come in and where the traffic is going to go to. So router has to change to routing as a function, and that routing could be as part of an SD-WAN appliance or it could be in the cloud as well.

Vizard: One of the things we do see is people are trying to deploy a lot more apps to the edge. They’re trying to, closer to your point, where the data is consumed and processed. What are the implications of that for network architectures? If I want to actually go do that and I have a DevOps team and I’ve got to continuously update that application, it seems to me like that’s going to force this issue, because I can’t really have – the existing architectures just aren’t resilient enough to kind of support that level of continuous updating of applications so I guess when we see more conversions of what we call DevOps and NetOps and the edge to make that happen.

Ahuja: Yeah, you’re absolutely right. The application world is trying to evolve quickly to be able to put the workloads and applications where it’s best needed to process. In many cases, where to process those applications and workloads may be closer to the edge, right? We see this in areas like retail, for example, where you want to be able to have a lot of processing within the store as opposed to send traffic directly back, and this could be for inventory management and other things. So all those applications really kind of become – and in some cases they call it an edge compute, et cetera, from a workload standpoint.

But what that requires now, to your point, the network architecture can become very complex. Why? Because you need to connect all these stores to each other to do backups or disaster recovery scenarios or to be able to go anywhere. So that’s where a dynamic as opposed to a static architecture is absolutely needed, so that really kind of talks to why a software-defined environment, which can do network as well as security, is fundamentally needed as a platform to be able to do this. And this is no different than many of our customers today who are moving applications and workloads to multiple clouds.

They have their private clouds or datacenters around the world. They’re leveraging all the public clouds and moving some workloads there, and sometimes the workloads are shared across those and they want to be able to provide the user the ability to route the user’s request to the best place which is going to drive the best behavior and not application performance. And that’s where our technology, our platform comes in, to be able to understand where the user is, where the applications are, have a zero-trust architecture where they don’t know each other, where each other is, but you’ve got to be able to provide the right connectivity securely for them. And those workloads could absolutely be on the edge itself. In fact, for many workloads, for many verticals and applications, they should be at the edge.

Vizard: You used the magic buzzword phrase of the year, zero trust. Is this something I buy or is it just kind of a concept that I kind of subscribe to?

Ahuja: Yeah. Zero trust is an architecture, a framework. It’s a capability, where it says that user don’t know where the applications are and the applications shouldn’t know who – like there’s an abstraction in between, right? So that’s what zero trust is. But that requires many things. So while someone may say, “Yeah, we do zero trust,” well what do you do in zero trust to get there? Do you do multifactor authentication?

Do you allow for a user to be able to connect to applications in multiple places? Do you do segmentation or micro segmentation of saying this user with this profile, if they’re coming in from this place, what happens to what applications it can access? So all those pieces have to kind of factor in to really deliver a zero trust architecture. Now the marketing brochure may say yes, but the details matter. So you’ve got to look deeper and understand how it’s implemented.

Vizard: Alright. Speaking of marketing, there’s a lot of companies out there that throw around the phrase SASE all day long. I can’t imagine the number of companies that I hear who use the term. What ultimately differentiates you guys and all the other players in the space and how should people be thinking about all the people who want to be a SASE vendor?

Ahuja: Yeah. So SASE as it’s been defined – and I think Gartner defined it back in 2019 – they defined the features required, the functions required. They said it’s a framework and implementation and it’s got to meet certain criteria. Is it cloud native, for example? What does that mean? Can you put it in the cloud and it can be elastic, meaning scale in and scale out?

Is it hardware-agnostic, which is software only? Is it multitenant? Is it all these other things? And then from a function standpoint, there’s been definitions of what the core functions are and what the optional capabilities are. And also from a deployment standpoint, can you do both cloud and on prem?

When you put that on a list in a spreadsheet and you check the boxes, we have the broadest coverage across all those requirements of anyone in the industry today. We have a deep integrated stack or platform which integrates networking or routing, all the networking services, SD-WAN and security. You can deploy that both on prem and in the cloud. You can actually check all the functions that are required, whether it’s an SD-WAN, security with firewall-as-a-service, secure web gateway, blah, blah, blah. All those things as well.

So that gets us further ahead in terms of our capability. And our platform’s very mature. It’s used by over 150 service providers today. Thousands of enterprises are already using it. And it’s a platform that has been around the industry for a while, and it was built ground up for this capability, which is really kind of the market’s moved to us and realized that this platform addresses all those needs that are there today.

Vizard: I feel like COVID certainly accelerated the adoption, but where are we on this curve? It feels like it’s a bit of a long haul. What’s your sense of how long will it take before this is the common architecture for zero trust and routing at the edge?

Ahuja: Well according to some of the analysts – they all have their views – but according to analysts, the growth rate in SASE, which covers both remote users as well as branches or offices – because we’re going to be in this hybrid environment for a long time now – and what enterprises want is a unified policy framework and a single pane of glass that they can actually say this user, Michael, when he’s using his laptop or his iPad, and he’s doing it from this place, should be able to have this policy. So that single-policy framework and a single pane of glass to be able to look at you, whether you’re in the office like I am today, connecting via my SASE application to the cloud, or when you’re on the road, all of that has to be in one place. And that fundamentally is a journey that most enterprises are on, and I would say that according to Gartner that 40 percent of the enterprises will have adoption strategies for SASE in, I think, it’s 2024. But we’re already seeing much earlier adoption of that. We’ve got large enterprises and customers that have already been on that journey today already with us.

Vizard: Alright. Well there’s an old joke that says the only thing that a developer and the server guy can agree on is it’s the network guy’s fault, so it sounds like things are getting better in the land of networking.

Ahuja: Yeah, that’s true. And what we’re helping the network guys do is get to what I call, I heard from one customer, which was MTTI. They want to get to MTTI. Do you know what MTTI stands for?

Vizard: No.

Ahuja: Mean time to innocence. Every network guy wants to prove it’s not the network, right? So they need the knowledge, they need the capability to be able to say – when a user comes in, they want to be able to say this is what’s causing your problem, and do it quickly. In today’s world, today’s environment, it’s difficult to do that.

Vizard: Alright. Well hopefully the network guy won’t have to call a lawyer to prove his innocence.

Ahuja: [Laughs] That’s right.

Vizard: Thanks for being on the show.

Ahuja: Thank you. Thank you so much for having me. Appreciate it.

Vizard: Alright. Back to you guys in the studio.

[End of Audio]
Featured eBook
The Dangers of Open Source Software and Best Practices for Securing Code

The Dangers of Open Source Software and Best Practices for Securing Code

More and more organizations are incorporating open source software into their development pipelines. After all, embracing open source products such as operating systems, code libraries, software and applications can reduce costs, introduce additional flexibility and help to accelerate delivery. Yet, open source software can introduce additional concerns into the development process—namely, security. Unlike commercial, or ... Read More
Security Boulevard

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.

mike-vizard has 325 posts and counting.See all posts by mike-vizard