Over the past two years, we have seen a transformation in the work model, with businesses adopting flexible or hybrid work models because of the pandemic. This has driven digital transformation to handle these new needs by connecting users to applications. However, this has also led to an increased risk of cyber attacks. In response, many organizations have adopted the Zero Trust model as they architect for hybrid work, multi-cloud and digital.
In this episode of TFiR Let’s Talk, Swapnil Bhartiya sits down with Kumar Ramachandran, Senior Vice President of SASE Products, Palo Alto Networks, to discuss Zero Trust Network Access (ZTNA) 2.0 and how it is different from Zero Trust Network Access 1.0. He also goes into detail about some of the current security trends we are seeing and the growing number of threats.
Ramachandran says, “Today, at Palo Alto Networks, we see and stop about 224 billion threats every single day. When you think about the scale at which the threat actors are operating, what becomes very clear is that traditional methods of applying security are not sufficient so you need to have a new way.”
Key highlights from this video interview are:
- The WFH and hybrid work models have changed the way people need to be connected to do their work. However, it has also increased the surface area for cyber attacks. Many organizations have since looked to adopt Zero Trust to mitigate these risks. Ramachandran explains how Zero Trust can be defined and what led it to be adopted.
- Ramachandran believes there are three key principles that make up ZTNA 2.0: the principle of least privilege access, the principle of continuous trust verification, and deep security and data protection. He goes into detail about these principles.
- People can often think that Zero Trust is a new concept but ZTNA 1.0 was invented in the 2010s. However, it was not designed for a post-pandemic world with the need to consistently provide security and user experience when the user is anywhere in the world. Ramachandran explains some of the limitations of ZTNA 1.0 that led to the need for 2.0.
- With smart home devices and laptops being used for both private and work life, how we access enterprise applications has also changed and, with it, the security risks have grown. Ramachandran discusses the magnitude of the threats and why there is a need for new methods and solutions to tackle the scale of this challenge.
- Security awareness versus putting it into practice has been a long-standing issue. Ramachandran believes that awareness and understanding of security are very high; however, if people are not trained then they can be a weak link. He explains the problems with the human component of security and how data science is helping.
- Edge computing means that applications are running closer to users but this presents security challenges. Ramachandran discusses the importance of having security natively built into 5G networks. He explains how edge computing is about bringing together great user experiences and security, and how their ZTNA 2.0 product is doing this.
The summary of the show is written by Emily Nicholls.
Here is the automated and unedited transcript of the recording. Please note that the transcript has not been edited or reviewed.
Swapnil Bhartiya 0:03 Hi, I’m Swapnil Bhartiya. And welcome to another episode of TFiR Let’s Talk. And today we have with us, Kumar Ramachandran, Senior Vice President of SASE Products, Palo Alto Networks. Kumar, it’s great to have you on the show.
Kumar Ramachandran 0:14 Swapnil. It’s a treat to be here with you and your audience. Yeah.
Swapnil Bhartiya 0:18 Today we are going to talk about Zero Trust Network Access 2.0. Before we talk specifically about 2.0, I would like to understand from you, because these days we talk a lot about security, I came back from KubeCon and security was a big topic, and not just security, software supply chain security as well. So before we talk about all those things, I would love to know from you, how would you define zero trust network?
Kumar Ramachandran 0:43 You know, it all starts back with the transformation that’s happening, right. I think in the last two years, we’ve seen one of the biggest business and social transformations because of the pandemic. Right? Today, just think about it two years ago, we wouldn’t have thought that the extent of hybrid work, flexible work models will be here to stay. Most enterprises today, pretty much have gotten to a place where employees can work from anywhere, as long as it’s feasible. The second big transformation we’ve also seen is the acceleration in digital, multi-cloud, etc. Right? So we’ve moved from this place where you’re connecting branches, to data centers, to all of a sudden we just need to connect users to applications. If you remember, Swapnil, even a few months ago, we used to say I’m going to go to work, because work was a location, right. Whereas now we just open our laptops and start work. Work is an activity, it’s not a location. So when you look at this change, what happens is that as you connect users and applications, and the users multiply, right, you have a large number of users from anywhere, from mobile, from the branch location. And the applications can also be anywhere. So that matrix creates a very large surface area for the bad guys to attack. So as you design for this new world, you have to ensure that you’re protecting that large surface area. That’s the reason why you need zero trust. Now, when we think about zero trust, there’s a bunch of principles that we can get into but overarchingly, enterprises are looking to architect for hybrid work, architect for multi-cloud and digital, they are the ones that absolutely find that zero trust is a mandate.
Swapnil Bhartiya 2:32 Excellent. Once again, thanks for not only explaining that, but also bring, bring it in modern context that how I loved it, when you said that instead of work is no longer a place, you know, it just another activity, you know, it’s like it’s a state of mind, to be honest with you, since I have always been working from home from early days, work from home is more like a state of mind, right? You are switching between personal life versus work. And people can be very, very efficient, because there is much more better balance, you do need discipline. I’ll go back to the point of zero trust. Because we have been talking about zero trust for a very long time. Because of this pandemic is just like in that Avengers: Endgame movie, there was a blip of five years everybody disappeared. So this COVID kind of had been a blip in the IT world as well. So when we were hearing about zero trust a couple of years ago versus when we talk about it now. So that’s why I was asking you that how would you define zero trust? Because when we do look at zero trust network, some people say no, you don’t trust anything, but the fact is you do trust tasted due to processes. So I just want to quickly talk about how would you define it?
Kumar Ramachandran 3:42 So when we think about zero trust and ZTNA 2.0, I think there is there are three principles that we think are absolutely crucial. The very first is that you want the principle of least privilege access. Let me try and explain what that is. So in the legacy VPN, what used to happen is that as long as you’re in my network, I will give you access to all the resources in the network, right? What we’re doing with ZTNA 2.0 is really ensuring that only the resources that are absolutely required to complete the activity, you get access to those resources. So let me give you an example. Right, now that we’ve all started flying. If you think about when you go to an airport, right, which is a plane, which is a resource, you get access to your driver’s license says this is my user ID, right. And then your boarding pass explains which resource you have access to. And the boarding pass says you have access to one plane that takes off on a certain date certain time. And in fact, even within that plane, a certain section and within that section, one seat. That’s the resource you have access to. I cannot have an economy seat and then sit in the car get off the plane. Right. So what we found is that the older ZTNA 1.0 implementations, they kind of gave access to anything in the airport, right? As long as they got to the airport, you could board any plane. Clearly, that’s not good. The second big principle is this principle of continuous trust verification. Now, it’s not enough that someone’s checking your boarding pass, someone’s checking your driver’s license, as you’re entering the airport. Once you’re on the plane, if you’re misbehaving throwing your drink on the stool, or you’re banging on the cockpit door or trying to open the exit door, you’re going to be stopped, your access is going to be taken away.
Similarly, just because I gave you access to the application, doesn’t mean I stopped monitoring it real time there has to be continuous verification of trust and revocation of trust, the moment that trust is violated. And then the third is that you need deep security and data protection. What we mean by that again, and then use the airport analogy one last time, is that, yes, someone’s checking your boarding pass and driver’s license. But in addition to that, your luggage is going through an X-ray machine, right? Someone’s applying those infrared or what were deep inspection into to see that you’re not carrying any anything untoward. Similarly, there has to be deep security inspection, there has to be data exfiltration inspection on all the traffic. So when we think ZTNA 2.0, these are the principles that we’re bringing to the fore in the marketplace.
Swapnil Bhartiya 6:33 Excellent. And I love the way you share analogies. They’re so good. It makes it easier for folks to actually understand because sometimes security can be challenging and complicated. Now, while you do explain these three kinds of concepts or ideas behind you get to the zero. I would also love to hear a bit about let’s just look at version one. When it was developed, what kind of specific problem because it’s early days, but more or less like you have carpet firewalls or you know, VPNs and stuff like that. So talk about you know, at time that it was compared, what was limitation that we now need 2.0? Yeah. So
Kumar Ramachandran 7:10 if you think about it, right, very early on, you know, let’s say in the 90s, that’s when you had legacy VPNs being deployed. I think legacy VPNs were anchored around connecting branches to data centers, right, and then started going through some amount of home usage. When Palo Alto Networks was founded by Nir Zuk, Lee Klarich and others, pretty much Palo Alto came out with this modern concept of saying, you can connect those locations or users, but you have to apply user ID, app ID and device ID against the constructs. Palo Alto invented the ability. See if you think about it, all traffic at that time was that trap. A lot of traffic was becoming web traffic. It was but just not enough to say, oh, it’s web traffic, you have to understand which application is it? Is it Salesforce.com? Is it Workday? Is it a different application? Just because it’s web web is not an application, there is an underlying application. So Palo Alto brought in the notion that you have to understand that then now, what happened with ZTNA 1.0 is that ZTNA 1.0 got invented in the early 2010s. Right sometimes people think ZTNA is very new. It’s not right. It’s I keep reminding people. I make this dad joke that when ZTNA 1.0 came about people were dancing to Gangnam Style, right? It’s that old. And what happened is that the pandemic happened, ZTNA 1.0 inventors or implementers, they didn’t architect for the pandemic world. The companies that are trying to architect their infrastructure and the security today, they are worried about saying, Oh, I’m not architecting for a pre pandemic world. I’m architecting for a post pandemic world. The difference in the pre pandemic and post pandemic world is that now I truly have to ensure hybrid work, I have to ensure that my user can be anywhere, I still need to provide a consistent security and user experience. Similarly, the pandemic also saw a dramatic acceleration in cloud adoption because of digital.
In fact, there was this really interesting poll on LinkedIn that I saw some months ago, it said Who accelerated digital in your organization: CEO, CIO, COVID-19. Right COVID enterprises just realized to keep pace with the changing dynamic, you have to digitize every part of your business. Now, what does digitization mean? It means that for most people, it has meant that we have to implement cloud, cloud-native applications, SaaS applications across the board. So this new model is where ZTNA 1.0 fails, right? If it was a simple pre pandemic world, then 1.0 could have been helpful for some customers. So right now what we’re seeing is we’re seeing that customers are moving from VPN directly to ZTNA 2.0, there’s just no need to stop at the 1.0 pit stop.
Swapnil Bhartiya 10:09 Since you’re talking about hybrid workforce. One more thing that is changing is that in early days, in the world of VPN, you used to get a laptop from the office. Now folks are using the private and personal life is also done on the same laptop, same computer. Our networks are also connected all the way from TV to smart fridges. So everything is on the same network. How has that changed? Because the fact is that if your TV is compromised, everything else is gone. Right? And you’re using the same, it could be iPad, it could be mobile phone, it could be your laptop is not a separate work laptop. So how has that also, I mean, when you talk about hybrid workforce, the challenges are also different, because the way we are accessing our you know, enterprise application is also different.
Kumar Ramachandran 10:55 So the real, you’re hitting on a very important point, right? The reality is that the scale and spread of the attacks, they’ve just gone up dramatically. In fact, today, at Palo Alto Networks, we see and stop about 224 billion threats every single day. Right? That’s just an enormous scale of magnitude. Now, when you think about the scale at which the threat actors are operating, what becomes very clear is that traditional methods of applying security are not sufficient, you need to have a new way, right? You can fight, you can be in a gun battle. With a pocket knife, right, you actually need a different set of tools. So about five years ago, Palo Alto started investing very aggressively in data science, right and in operating data science at scale. So today, we’re seeing the results of it for our customers. So 95% of all new threats, these are threats that have never been seen before by our system, today we stop using inline AI and ML, right. So in all these cases, there is no need for zero victim, there is no first victim or victims, you will need to generate signatures, propagate signatures, etc. And the remaining five percent, which will apply 4.3 million security updates every single day. Right. So just see the scale at which the entire system is operating. When it comes to the home, right, I know your friends the home, the reality is for most of us, for all of us, right? In the end, our families are our most important asset, our home and our families, they’re as important if not even more important for all of us to protect. So at Palo Alto, we released a product that addresses full home security, it’s a product called Okyo. And you can actually deploy Okyo at home. And what Okyo does is you can create two segments, one file personal segment by your kids, your family and your refrigerator, and all the other devices are there. And then a work segment that integrates with the rest of our ZTNA system.
The reason to separate these two is because the personal segment, all of us wanted to be completely private. We don’t want our employer or anybody else to see it. Right? My kids browsing my you know, anybody else at home? It’s none of anybody else’s business, right? It’s whatever is happening, and employers don’t want to get involved in it too. Right. It’s privacy solely for the person. So we guarantee and ensure that the way our Okyo device operates when set up, right, is that the private segment is completely private. And then the work segment fluidly integrates with the rest of our ZTNA capabilities. So we’re seeing customers that you know, have call center employees, employees with multiple devices, printers, IP phones, etc. It’s very useful, but also seen companies that have, you know, specific employees that taking 10, 20, or whatever the right percentage of employees that they think are handling sensitive data, or their execs, highly visible execs, they want to apply extra protections because otherwise they might retaliate or tax on their home. They’re applying those protections across the board.
Swapnil Bhartiya 14:22 Yeah, maybe when it comes to it’s just not about personal activities. Sometimes personal activities can be sensitive as well, I may be accessing my health information, I’m going to be talking to my doctor. So I don’t want to know there’s so many different things. One more thing that I want to talk to you about also that while we talk a lot about security enterprises do understand there’s a difference between there’s an awareness about it, versus how much is being practiced. So what have you seen how many organizations you see are kind of because then we see all the reports. Sometimes things are still scary, where you do see attacks or of course attacks are not going to go away. Security is not a product, it’s a process. And there will always be bad actors could be for whatever incentive they have. So, so talk about what you have seen awareness versus practice, you know,
Kumar Ramachandran 15:11 Definitely security has become a board level conversation now. Right? It’s one of those things where yes, nobody is deploying security for security’s sake, people are deploying security, get their business done in a secure manner, and ensure that you have security and infrastructure operating at scale. At the same time, I do think that the awareness and the understanding and the sensor sensitivities around it are very, very high, in most well run organizations. Now, you’re spot on and pointing that the human part of it is can be the weak link, if your people are not trained, the non contract compliance training, and then they’re not exhibiting the right kinds of behaviors, right. So most companies, because the layer eight, right, it’s not enough for the networking layer, layer one through layer seven stack, the layer, the human component is absolutely critical. And so we are seeing, most customers are very conscious, could always be more conscious, or always be, you know, paying more attention. But there’s definitely is significantly heightened awareness across the board. Now, the other thing I’ll throw in that is the power of data science, right? What we’re also doing with the power of data science, is to be able to understand both in a reactive manner, what is the expected behavior, what is the deviation from expected behavior, and then being able to proactively take actions? And then there is also the point on response times, if there is an incident, how quickly can you respond? How do you ensure that there are not lags? Again? So those are all areas where, you know, Palo Alto is just an absolute leader, right? We’ve invested very aggressively in helping our customers stay secure. Against all these things. I’ll throw one last bit on the topic. You know, one, one place where people wind up being, you know, making compromises really is if security and usability get in conflict, right?
You’re trying to get this, you know, you and I right now we’re trying to get this conversation going and done. If for some reason security got in the way, there is a temptation to say, Oh, let me let me just shut down my security and quickly complete this transaction. And that’s the challenge, right? So what we’ve done with our ZTNA 2.0 Prisma Access products, really, is ensure that we can deliver great user experiences while delivering great security. So you never want usability and security to be in conflict.
Swapnil Bhartiya 17:49 It’s not nothing new but edge computing. And when we talk about edge computing, I’m not talking about you know, tiny IoT devices, it could be edge data centers, we’re with the advent of 5G, private, especially 5G Private Networks. Edge is moving like kind of closer towards you know where the users are. So how do you look at edge when it comes to zero trust network access? Well, because you know, that’s where applications running closer to the users not going all the way to the cloud.
Kumar Ramachandran 18:18 Yeah, so actually, you know, 5G is an exciting development, right? So Palo Alto, we’ve invested very aggressively in 5G security and ensuring that 5G networks as built out by the carriers have security natively built. And so if you think about the internet, right, the Internet was built, open in an insecure manner. And then we had to ensure that as enterprises and customers use it, it had to be secured. So we’re helping all the carriers ensure that security is natively built in to the 5G networks. What we’ve also done is that we’re seeing interesting use cases of 5G branch office locations. So as an example, I have, you know, busy customers where someone has internet broadband, and then they’re deploying 5G, the carriers are getting pretty aggressive in terms of creating attractive pricing options when it comes to 5G. And, you know, as these 5G rollouts are gaining steam, customers are seeing that, hey, I could skip terrestrial in certain areas where I was challenged, or I could just use internet, broadband and 5G and use all of it in a secure manner. So with our branch products, right, we now have native 5G cards and 5G capabilities natively built into our products, right? So you bring security and network together, rather than letting these be divorced. And then the last thing you know, I think part of the journey for this, for edge computing is about performance. Right? In the end, you’re trying to solve for ensuring great user experiences and lower latencies. Now a lot of that So the visibility that you want visibility into what is that end user experience. And so then you can take actions to ensure that you’re delivering these end user experiences really well. Now, at Palo Alto, what we’ve done is we’ve invested very aggressively in this space. So today, you know, when you’re sitting at home, right, most of us, we’re at home, we’re on Zoom calls, work calls, etc.
And oftentimes, if there’s a performance problem, we don’t know what’s really gone wrong, right, all we can do is open a trouble ticket with IT, and hope that it will get to us. So what we can now do with the Palo Alto ZTNA products, is that if there’s a problem on your Zoom call, or whatever platform you’re using, or an application like Office 365, or Google Docs, or anything else, we can actually expose to the end user, hey, there’s this problem, because maybe you have too many browser tabs open and your laptop is running really slow. Or maybe you’re sitting in your backyard, but your Wi-Fi coverage is not strong enough. Or maybe your kid is like, and family are downloading so much Netflix content, that there is not enough bandwidth left for a video upload like this. In all those cases, your corporate IT cannot help you, you really need to self serve, but you need visibility so you can self serve. So we’re providing all those tools to the end user natively as part of our ZTNA 2.0 product, and which is why I keep saying that security and use user experiences both have to come together to truly stay secure and truly get business done in an agile manner.
Swapnil Bhartiya 21:35 Kumar, thank you so much for taking time out today and talk about of course, you know, zero trust network access and also share your insight and indoors. So thanks for sharing them as well. And I would love to have you back on the show. Thank you.
Kumar Ramachandran 21:46 Swapnil, thanks so much for having me.