SASE Deployment Journey: Challenges and Considerations
Sep 13, 2023 3:00 PM - 4:00 PM EST
As more organizations adopt Zero Trust policies for their networks, SASE (secure access service edge) has become a coveted model for integrating security into cloud architectures. But with so many vendors, use cases, and regulations, how should you consider deploying SASE in your infrastructure?
SASE model deployments often depend on the unique structure of cloud environments, which may include shared infrastructure, containerization, network traffic, and integrated SaaS platforms. Performing an in-depth analysis of your cloud architecture is essential in selecting an ideal SASE strategy and vendor for your business. This also allows you to determine an optimal level of security for operational efficiency. When identifying vendors, evaluate their capabilities holistically to leverage a tech stack that most closely aligns with your organizational objectives.
In today’s virtual event, Greg Irwin interviews Robert Davila, Brian Engle, and Russell Moore of GDT about deploying SASE models in cloud infrastructures. Together, they talk about the most commonly deployed SASE methodologies, cost structures and considerations, and the challenges associated with successful deployment.
Co-Founder, Co-CEO at BWG Strategy LLC
BWG Strategy is a research platform that provides market intelligence through Event Services, Business Development initiatives, and Market Research services. BWG hosts over 1,800 interactive executive strategy sessions (conference calls and in-person forums) annually that allow senior industry professionals across all sectors to debate fundamental business topics with peers, build brand awareness, gather market intelligence, network with customers/suppliers/partners, and pursue business development opportunities.
Director of Security at GDT
Robert Davila is the Director of Security Services at General Datatech (GDT), an award-winning international IT solutions provider. With over 26 years of experience in networking, automation, and cybersecurity, he has consulted with several Fortune 500 companies, helping them plan and execute their mature security journey. Before GDT, Robert was the Principal Cloud Consultant at Set Solutions, where he implemented best-of-breed cloud solutions.
Senior Principal, Security Services at GDT
Brian Engle is the Senior Principal of Security Services at GDT, a cybersecurity consultant, and a risk advisor. With 20 years of experience in information technology and security, he has worked with enterprise organizations across multiple sectors, including government, manufacturing, healthcare, financial services, and retail. Brian has led security operations and engineering, threat intelligence, and program management for professional services organizations.
Senior Cyber Security Solutions Architect at GDT
Russell Moore is the Senior Cyber Security Architect at GDT, where he focuses on delivering measurable solutions. As a security professional, he has over 25 years of experience working within IT across various disciplines, including cybersecurity, data center, and software development. Russell has worked in the healthcare space, focusing on information security and HIPAA and the reseller space, providing cybersecurity services around network security and compliance.
Senior Digital Strategist at BWG Connect
BWG Connect provides executive strategy & networking sessions that help brands from any industry with their overall business planning and execution.
Senior Digital Strategist Tiffany Serbus-Gustaveson runs the group & connects with dozens of brand executives every week, always for free.
Greg Irwin 0:18
We're gonna spend an hour in an interactive session discussing kind of real world experiences around SASE deployments. Normally SASE is part of an overall Zero Trust initiative. And it has a real deep, you know, integrations in terms of the policies that you set as an organization's the overall layout of your the type of organization working in in terms of the architecture and geographic distribution and the use cases. And I think there lots of different flavors of it. And that's why I think there's such interest in in the topic, the way this works in terms of a format is, the more interactive, the better. That's why we do it on just like a plain old Zoom, zoom video. If you're able to turn on your camera, please do it, it'll just make it that much more interesting. If you're putting in the time, you know, might as well might as well chat through it. Let's see a couple goals for today. First, I want to we're gonna learn from each other, which means this is not just going to be BWG and GDT. Talking, don't be surprised if I come to you and ask you a question or two or share or share a story that you may might have good stories or bad stories. They're, they're all interesting. And then to like, we have a lot of folks in similar seats here. And, again, beyond GDT and BWG. I'll encourage you to connect across this group, just go LinkedIn, if you want some help with an intro, you got it like we do. We do reference connections all the time, you know, hey, I'd like to talk to somebody who's tried Cisco's SASE deployment. And you know how it went, those kinds of connections. That's the type of thing that we do. And then the last thing is this chat window here on the right. Incredibly, it's incredibly effective in this kind of format. Because you're sitting back and you're listening, and you know, you have something on your mind. So it's a good way to have a sidebar conversation. It's okay, if it's not spot on with what we're talking about. 
But, you know, be be proactive with it. So reply to others. If you have a real view about what somebody is asking, jump in with it. If you have an anecdote to share and go for it, I promise more you lean in and more valuable this whole session will be. So actually, I'm going to ask everybody, let's get started. In the chat, please include one question or topic related to SASE and Zero Trust that you want to hear from your peers today. And it'll help us set up the agenda to make sure that this conversation is aligned to what you care about. So here, here's a good opportunity, please, please take it. While we're doing that, I want to take a moment and just introduce myself and our colleagues, our peers over at GDT to introduce the firm and introduce who's going to be helping lead the conversation. I'll go first. And I'm a moderator for a living here, kind of by surprise, I'm born and bred as a developer and Product Manager. But for the last 10 years, I've been moderating sessions. And I'm the founder of BWG, which is a large research firm. Robert, you want to go next here, just give a little intro and maybe maybe a little intro here on GDT?
Robert Davila 4:09
Sure. I'm Robert Davila. I'm Director security here at GDT. I, I've been in the industry probably 25 years, most roles and an engineering role. So everything from you know, SOC work to network security to architecture work, I've kind of been a full scale involved in all of those aspects. GDT is a is an integrator and services provider. We've been in business now roughly around 23 years. A little bit over a billion dollars in revenue in terms of size. We have several conversations and as we're often involved in things like SaaS deployments, several security types of initiatives, everything from kind of governance risk and compliance work, to architecture to engineering. In services for for our clients. And beyond that we have a wealth of services around a networking, collab type of services data center. So, pretty nice to go.
Greg Irwin 5:16
This is probably for everyone. This is probably as far as we're gonna go into sales pitch here. So let me just make sure I got it. How much Day Zero strategy are you doing? How much day one implementation are you doing? How much day two support managed service? Do you do this in terms of where were the efforts? Like,
Robert Davila 5:32
I'm still, you know, we're heavily involved in all three. You know, we'll we'll come in as a trusted adviser in the beginning and really help organizations align the right OEM and partner in terms of SASE for their organization, to help them scope out, you know, what are those prereqs that they really want to look at as an organization, and then help them do that journey of really moving from, you know, an idea and a concept to an implemented solution for them. So we cover all those angles
Greg Irwin 6:02
for for the client. Excellent. Robert, thanks for co-hosting here. Hey, Brian, can I get you in here next quick intro? Sure.
Brian Engle 6:12
Brian Engle, I'm a, I guess, a longtime security practitioner and been in the services side of things now for probably the past six or seven years. In previous life, I've been a CISO in a couple of organizations, a little state called Texas was a statewide CISO, and a couple of other organizations. So in my very distant past, I was more technical. I started on the networking and telecommunication side of things, worked for internet service providers, before kind of making the jump to more specific in governance, risk and compliance. And I think I consider myself kind of like a risk geek, I really, really like looking at problems in the big picture. But I was trying to make sure that when we get really deep in technology that I try to relate things on a different plane, or represent the plight of the CISO. So today, I will I will take the conversation to the places of how does this relate to the cybersecurity program? How does it potentially help or introduce risk? Yeah, so I'll try to not just introduce platitudes or high level anecdotes, but really kind of challenge what, what is this going to do? How is it going to potentially strain existing cybersecurity capabilities? Or, you know, to the good benefit of a cybersecurity capability? How can SASE really help enable enable things, or help solve challenges along the way? So
Greg Irwin 7:48
that's the bent that I'm bringing today. Very good. Brian, we'll get you involved throughout Russell, please. Quick Intro. Hey, good afternoon,
Russell Moore 7:58
Russell Moore, I've been working in IT for about 25 years, roughly half of my career, I worked in a healthcare system, it was a 500 bed hospital, we had about 10 other businesses that we supported rehab hospitals, retail, did a little bit of everything in that. But the last four to five years, I was heavily invested in cyber and specifically, at that point in time was when we were rolling out the all the requirements around HIPAA and having to become compliant with that. Around 2010, I transitioned over into consulting on the reseller side. On the consulting side, I've done delivery with technologies and security consulting around frameworks and PCI and, and several different facets. I think the thing that, you know, I like to think that I can bring to a conversation with people is, most of the time, I focus very tactically, you know, there's a problem, how are we going to solve it? And, you know, over the last, you know, five to 10 years, I've probably worked with, you know, close to 500 plus different clients. And a lot of them have a lot of similar problems. You know, it's especially around security and network security. And you know, how are we going to get our hands around traffic flowing into another organization? How are we going to secure it? How are we going to identify it, how we're going to manage visibility into it? So I think I can bring some value there.
Greg Irwin 9:28
So Excellent. Well, this is gonna be a good conversation. I know there's a lot of interest, I kind of feel like Zero Trust has gone from kind of out of the education phase out of the pilot phase into the, you know, adoption phase. I've spoken with more companies in the past year about their deployments than I can imagine you can imagine so one. One more rule for the road for this session. Forbidden words to wear is "it depends." We know everything depends, but we're gonna we're gonna avoid a you have to take a shot. If, if anyone says the words, "it depends." So we're going to try and try and get to the chase, obviously, you know, it's all going to be relative to everyone's requirements and system. But that's what we want to get at. We want to hear those stories. So Robert, we set this up all about talking about a journey, or journeys around SASE. So let's get specific. Don't share the name of a customer. But I want to hear about the customer. I want to hear about what SASE was the definition of you know, what was actually deployed? This is just that we just talking about a web proxy? Or is there more to it? How did it play into the Zero Trust architecture? And I want to ask them questions about the environment. Is it all an entirely Azure environment? Was it an on prem AWS environment? I want to I want to dig in. So please take us through one SASE deployment you've done here in the not too distant future. Not too distant past?
Robert Davila 11:08
Sure. First of all, great question, a great starting point. Um, I've got a few examples. But I think one that kind of hits a lot of elements was a deployment that was handled for an oil and gas organization, right. So they have quite a lot of compliancy challenges. They have requirements from state and federal government requirements as well. They had a very mixed environment, initially, in terms of, they were leveraging some technologies for things like DLP, CASB, they had other elements in their environment and for edge security, other vendors for things like SDR, so very discontinuous in terms of solution that they were using, as they started down this journey. One of the things that became apparent is when you started looking at SASE, one of the key aspects really from a pre qualification perspective, I'm one of things I like to have organizations really look at as it is I like to one understand and have a good understanding of really how their AD infrastructure is looking at. I think, for SASE, your primary focus is always going to be identity, in terms of, you know, do you have a mature program around how users are assigned when groups are in? Do you have discontinuous AD infrastructure? Meaning do you have multiple forests that aren't communicating to each other? Or do you federate? What is your cloud infrastructure look like? Do you have? Again, from a cloud perspective? Do you have landing zones that you could consider for like, transit types of scenarios or for shared infrastructure that you would use to manage specific VPCs in there? Or are you doing containerization or SaaS platforms? And then ultimately, you know, what are your, what are your sacred cows in your organization itself? In terms of, you know, what are your critical systems? 
How do they function today, the oil and gas, it was very interesting, because, because, because when we look at some of the applications that they would run, you know, there were portals and systems that were leveraged by engineers that would look at water quality, right, and, and different aspects and aspects of stuff that would fall more kind of in a SCADA infrastructure. So really having a good understanding of that traffic flow. And what that was, prior to really even starting the journey of SASE was, I think, was a key element for
Greg Irwin 13:41
them, so that I can in the traffic? How did your understanding of their traffic lead to your recommendation?
Robert Davila 13:51
Well, for example, yeah, there's a couple of different methodologies you see in SASE today, or as a SASE deployment from the vendors. And the two most common would be a routed topology where you see environments where they, you know, the users connect via VPN, and then that are via a VPN to the cloud firewall is applied on the front end in terms of filtering and capability. And then, in terms of communication back to your infrastructure, they will leverage things like an eBGP link. So they're doing a routed connection back into your infrastructure. That's that's one philosophy. The other one we see is very common is the proxy scenario, right? Where you've got a you may have some sort of form of, you know, encrypted traffic from your users going into their cloud, and then they leverage proxies that are deployed within your environment to really kind of give you that capability of connecting back to your infrastructure. There. There are pluses and minuses with both. It really having that understanding of traffic really helps you marry which technology or which strategy you probably want to leverage in terms of your infrastructure.
Greg Irwin 14:59
Would you describe this, this organization, were they a Cisco shop, a Palo shop, Fortinet shop, Check Point shop, or a just, you know, a dog's breakfast?
Robert Davila 15:11
So they were, they were both a Palo and a Cisco shop, they had some acquisition in their history. So they had some conflicting technology in their environment. You know, on the endpoint side, they were leveraging CrowdStrike. And they brought that in, and that capability and from like, from an SDR perspective, they had some technology that is unique to oil and gas in their environment and their SCADA environments as well. And that was something that was there was a real, there was a need to have a deep understanding of that environment. And part of the reason was for them, you know, they provide reporting to federal agencies in terms of data, and if there's a loss of reporting, it's a fine for them. So so really understanding where those connections lie, how they did their reporting, how they built their, how that traffic traversed their environment, I think was key. And for him for this for this vendor, to give you an example, as we came to a conclusion for them a proxy strategy in terms of in terms of SASE was really the ideal solution for them, um, one because they didn't have a mature strategy around BGP, in terms of their routing today, and their environment there, they had various, you know, a call and read for us, but they had very critical super secure infrastructure areas where they wanted to create scenarios where maybe they wanted to provide access to specific engineers, but they wanted to minimize the amount of traffic that would traverse there. So in those scenarios, we could leverage proxies, the only specific engineers could could could leverage to get to that resource for them. And the other thing, it was least impactful in terms of transition from, you know, a non SASE state to having as as the fabric across your environment, and I think that was kind of the key element at the end of the day.
Greg Irwin 17:07
What vendor solution did you put in place?
Robert Davila 17:10
So So in this scenario, it was Zscaler. And I think, you know, there was a, there was a couple of reasons, right? Being able to, to deploy those proxies, within that environment, the way that we did, I think, I think, create an ideal situation for them from a, you know, permissions model, and really, from a restriction perspective to in married well, with the technology they had in their environment today. Now they're there. And then they're also a very heavy acquisition environment. So typically, you know, and heavy acquisition environments, there's one thing you can do with Zscaler, that I think that is can be compelling is a is a, you have a capability of really being able to stitch together networks that have conflicting IP space. And I tend to think of it as a temporary solution, right? So in a scenario where you know, you bring in a new account, you can leverage your proxy to both environments can talk to each other, while you kind of figure out your long term IP management strategy.
Greg Irwin 18:16
A couple of big headline questions, how long did it take? How much did it cost?
Robert Davila 18:23
Oh, great question. The length of time within that deployment from from deployment, to really maturity for them. I would say that was probably you're getting to the final level of maturity was probably about an eight month journey for them. You know, some of that is, is taking individual use cases, figuring out how they're applied in that scenario for them. And to give you an idea from, from technology perspective, you know, one of the challenges they had is they had a, they had a reporting engine that some of their finance teams would use. And by the way that they would do is they would leverage some traditional Cisco technology, and they had to, because the other end of that connection was Cisco, and there was a there was a there was a force for them to kind of go this route for that traffic, it was gonna stay and, and some of that was engineering solutions that allowed us to allow their users to leverage both. And this was, you know, right as, right as COVID was starting, right, their workforce was transitioning to home quite a bit, right. So these resources still needed to be able to be able to leverage this technology, be able to pull data, leveraging kind of Zscaler getting their infrastructure, and be able to send it across and have multiple streams of connectivity to both sides. Right. So there's some unique use cases from that perspective there.
Yeah. And give me give me some sense eight months. I get it. You're you're building policies around use cases. How big? How big is this organization? Is it 10,000 100,000? People?
This one was roughly 50,000 people and then location wise, you're looking at God, it would be an estimate somewhere around 25 locations, right, somewhere. That includes, you know, if you think about it oil facilities and remote areas and offices,
Greg Irwin 20:29
what would this cost? Give us a, you know, round rounded to the rounded to the nearest million?
Robert Davila 20:36
Oh, God cost? That's a great question. You know, when you think about? So that's a tough one. I'm not really sure at the end cost on that one. And there's a couple of people
Greg Irwin 20:49
that I'm asking, and for this group is, everyone here is thinking about SASE? Yeah. And I think it's, you know, help us just generally understand, what's, what does this normally cost? Yeah, right. So
Robert Davila 21:04
there's the typical licensing costs, right, and you're talking, you know, for an organization this size, depending on the feature sets that you're leveraging traffic and pieces. I mean, you're, you're talking probably in the low, you know, somewhere around like 1.5 million? I would, I would, I would guess, and that just kind of covers licensing feature sets, capabilities, that the thing, you've got a standard eight in terms of this journey, right? Is it there, there is technology that the solution will replace, right? So there is a cost savings from that perspective, there's an operating model change. So you know, in that particular journey, part of it, it wasn't just implementing it, it was really training their teams to maintain it long term. So so with that organization, I mean, we were sitting side by side, working with their teams, that were going to support it long term in terms of how do they you know, address issues that come in as policy written? How do they look at DLP? You know, how do they interpret the data that's coming out in terms of the logging capabilities. And I think, you know, one thing that's this become really valuable on the SASE side, whichever OEM because I think, you know, all of them have a version of it, I think, probably the most important feature set that you can buy, or you can look at is really that Experience Manager piece. And it's relatively new for most platforms. But it gives you visibility into the underlying architecture. So you can see things like, you know, hey, I've got a remote user somewhere who's complaining that he can't get to an internal application, I can look at, you know, utilization on his desktop, I can look at what his Wi-Fi connection's like, what that journey for that traffic from his desktop to that application is. And then I can do comparative analysis for people that are in within, you know, various regions. So you can see how his access and say, Hey, it's your Wi-Fi. Yeah, yeah. 
So you could potentially say it's a Wi-Fi, that's a huge time saver from a staffing and cost perspective. So, so I think that there's a big value in that aspect. So even though, you know, SASE tends to be a, I think, a more expensive chunk, right than a lot of the traditional solutions that were out there today. But I think overall, there's there's there's significant cost savings around kind of operational efficiency, once you get it optimized and
Greg Irwin 23:29
deployed. Right. So I'm, I'm pretty good at asking questions, but it's more fun. When others ask questions, and we got a bunch of them here in the sidebar, I think everyone's kind of had a chance to look at them. XID a love a nice to see as a, but I love I love that question in terms of the long term, ongoing costs, it's so we we almost never cover this. And this is I know, based on my history, I know this is a big deal. So I'm going to ask that one. But then I'd like others to jump in, like anybody can just either raise your hand, or you can. Or you can just you know, unmute yourself and jump right in. All of it is good and fair. And, you know, I look forward to it. Like I said at the beginning, the more you lean into this session, the more valuable it's going to be. And don't worry about taking us down a rat hole. So let's take zetes question, Robert. All right. This oil and gas company spent a million and a half dollars over eight, eight, over eight months, deployed Zscaler. And now that it's in and experience manager was ZDX, I think they call it now that it's in what's the ongoing requirement to keep this functional and effective. So I think for most of the
Robert Davila 24:57
I know this in this example is the scope I think for most of the mature SASE platforms out there, I think that the trend team seems to be similar in that you save a little bit on staffing costs over time, right? Because you start to you basically have a native solution that covers a lot of buckets for you. I like to think of SASE deployments as a Zero Trust enabler. Right. I mean, I think it helps you along the journey. It I know, they, you know, the vendors will say, hey, Zero Trust brings ASEAN, but I think, I think the really the message there should be that it solves a lot of the challenges around a Zero Trust strategy. You know, it's not gonna get you 100% there by any means, right? You're never gonna get a Zero Trust cert. Right. But I think that it covers a lot of buckets, and, and helps you kind of think about what the next thing is that you need to look at. You know, it doesn't solve everything for an organization, right? You're, there are, you know, differentiations, in terms of capabilities around like DLP. Some of the CASB integrations, there are, you know, there's always going to be challenges in implementation that people have to think about the, they probably haven't in the past, right? I mean, if you if your organization hasn't done things like SSL decrypt, right, I mean, that, like, that's a core tenet for SASE. And that journey alone, you know, you have to understand applications that you hit with your environment, you have to understand what what's out there that might be certain and might cause problems from a whitelisting perspective, you have to have a mature strategy around sites that you don't want to decrypt, right, which is kind of PII data for your employees or, or, you know, medical data, you want to stay away from that stuff. And then and then you have to address it from perspective of, you know, there are certain applications that that have a more mature program around decryption, right. 
So like, you know, M365, for Microsoft, right, maybe I don't want to decrypt that data, unless I'm leveraging certain technologies and SASE versus others. You know, I'll leave that for for Microsoft to kind of handle because I know that they've got a pretty mature process. And I think they require certain pinning in their environments, Google tends to be the same way from that perspective. So you have to do the inspection via other means, if something you want to do so.
Greg Irwin 27:28
One, last one, I'm going to squeeze Chris's in and then Andrew, thanks for the hand. And thanks for the commentary on Netskope here. I'd love to love to bring that up. But before we go there Chris's question, Robert, are they using CSPM? And CASB? From Zscaler? Are they going into Microsoft, kind of what do they call it the m pas. You know, the, the native Policy Manager at within Microsoft, leveraging MCAS and Microsoft, I'm gonna come over here to terus Russell, ought to take a first shot at this. And there's some meat on the bone in terms of the comparison between, you know, Netskope versus, versus Zscaler. And any, any experience, you've seen around iboss.
Russell Moore 28:19
I agree with the comment, we've typically seen iboss more in the K-12 space. And primarily on the SWG side, not a not any exposure on ZTNA or a VPN replacement. As for like, between Zscaler and Netskope, you know, there's they're extremely similar products, they basically work off of the same premise reverse proxy to a virtual box within your organization. If there is a differentiator between the two today, Zscaler may be a bit more mature in that space. And they do have the experience manager components. So if you start having performance challenges, it is a tool to kind of help chase that down a bit. But probably the bigger challenge with moving from like a GlobalProtect to ZIA isn't necessarily the technology it is the planning and understand what we're doing. If you're not, if you're just using VPN today, and you're maybe restricting a couple networks, or you pretty much just given everybody blanket access through VPN, and you move to more of a ZTNA model. There's a lot of organization that needs to go around applications mapped to identities so that when people log into the portal, they're presented with the necessary applications to do their job and then those applications after they're published. There needs to be a fair amount of testing to make sure that proper dependencies are met that it's not causing problems and workflow. The technology is typically not the problem. It's the context in which is being deployed. A, you know, we are that a year ago, we did a project around a ZTNA project for a company. And one of the biggest challenges with us is they just weren't completely honest with us with what they wanted to do, they presented us with a very narrow set of success criteria for the project. And then as soon as we finished, they added a bunch of applications into the mix, that when they deployed, they didn't work. And then of course, it was the product's fault, and it was the vendor's fault for incorrectly deploying it. 
So what you know, come back to as is they didn't take into consideration any dependencies to those applications, that were going to be involved when they started trying to deploy them through a reverse proxy. So I think my advice would be is, you know, understand what it is you're wanting to do and how you're wanting to deploy ZTNA. And then just give yourself plenty of time to do POC testing with a couple of different products,
Brian Engle 31:02
when you're embarking on the journey is to really consider the organization and how things might get stressed or strained beyond how things are divided up or where things occurred before. One of the places that this kind of goes to Zeds question earlier as well, where things kind of break down is after the initial implementation and maybe after the consultants are gone, when there's any degree of addition change, new application, new business functionality, things of that nature, is being prepared to approach it outside of the traditional silos, or that the project team maybe has gone into an operational mode and you're no longer approaching things in that same proof of concept mode. But yeah, when you've got things that were traditionally network routing, before now it's functionality inside of software and application or it's been pushed out more towards the edge of the endpoint, I think it's just it's really deserves a really solid look at as you get to stages of the journey, considering how the team might need to be morphed or adjusted to be able to support going forward. I think that we you end up seeing kind of like reclamation projects to try to get SASE revived or resuscitated, at certain points, because of some of those more organizational structures more than the technology itself, or the understanding of the technology and other silos. Maybe you've maybe have looked at it within teams,
Greg Irwin 32:28
would you? Brian, if you were advising Jiang, is there any way to kind of shortcut a SASE project so that he doesn't have to kind of go through this stepping stone of a VPN replacement? Well, I mean,
Brian Engle 32:47
I think one of the things that I would really highly advise is to establish sort of an onboarding process for an application or a business function that you can go through and make sure that there's a solid handoff of making sure that it works or functions shortcutting the replacement of it, I think, the biggest guidance that I ever would give is start small, achieve success with that, and then kind of emulate it versus, you know, the rip and replace, or being in a place where, you know, significant amounts of the business environment has been, you know, consulted because of a complete change, or
Greg Irwin 33:28
I love that. I mean, the one Yeah, the one silver lining in that going to SASE now is Jay's got some time to test this, maybe in a small, you know, a small department or a small division and kind of see how it fits with the environment. Let me come back here to Robert, cuz I think you probably have seen the most in terms of time strategies to execution. But I'd love anyone else who can share, you know, an anecdote on putting together an SSE strategy? Sure, first, great
Robert Davila 34:02
question. Because I think you know, an MSSP use case is a little unique, right? You've got multi-tenancy options, and you being a state agency, you have compliancy issues, you've got to require you out here to as well. And then when we look at kind of those environments, the couple of things. I look at it from that perspective, we didn't tend to look at it from a perspective of what's your operational strategies today in terms of things like automation? What type of traffic is coming across this environment? Does this vendor need to be FedRAMP as an example, or not? What data do you consider has to be encrypted? What does not? What's your strategy around data at rest? Right, so those are kind of the key functions and then integration with the platform you have today. I know you mentioned Viptela, and I mentioned Fortinet. You know what other technologies that are in there in play that look at kind of data and trends. If you have a, you know, a proxy-based CASB solution like Forcepoint or Proofpoint in your environment, right, those are things to also consider. And then long term, how is this stuff being managed today? Do your tenants have access to a management portal? Do they not? Or do you kind of run that all inherently breaks? I think it's if there's one of the things about the SSE component of SASE, is that when I look at the vendors out there today, they all kind of handle that multi-tenancy aspect a little different. So really understanding your dependencies on it, and what level of maturity you need, I think is key. I think, in your environment, when you talk about a SASE deployment in an MSSP. I think that the thing that I think that would keep me up at night, right, is operational efficiency, and having that visibility to really understand what's coming across, and being able to distinguish it within my multiple tenants. And really being able to embed it into my current workflows.
So those are the things that I look for first and foremost, in terms of those environments. Because, you know, Palo is a great example. Right, Palo has the SD-WAN component, they have the, you know, Prisma Access and Prisma SD-WAN, right, that inherently connect together, they have their multi-tenancy aspect of it. But it doesn't necessarily mean that they integrate well, with things like, you know, maybe you're using ServiceNow, whatever tools on the back end, right, maybe you have current integration, automation workflows, depending on what you're using for orchestration that can change things as well. Right? Because I think to me, MSSP it's about efficiency, I think is a key component of it.
Greg Irwin 36:54
Robert, I'm gonna thank you, I want to pick on a little bit more in terms of the strategy and, and, and the broad strategy. I think that's, that's fair.
Brian Engle 37:05
Right? Can I Can I jump in with just like two or three quick points on the strategy front? And then I'll kind of also Mike's dilemma of, you know, state agency as a provider as well. But I'll be
Greg Irwin 37:17
Brian doesn't want to get a heads-up. I want to get the cat involved. Governor. So we've got we've got about we've got a couple minutes here, I'm going to do is print around some of the other guys who are here. But Brian, Brian, you've got the you've got the floor.
Brian Engle 37:32
Yeah, I'll just summarize a couple of quick points. And we want to link up that sometime later. That's fine as well. Because I in that strategy is there's a myriad of I would just say features, right? But the functions are capable capabilities. And what ultimately do you need to accomplish with his use case, it's going to have a lot of various variations based upon different agencies different needs, as the provider is probably something that would relate to everybody though. And it's kind of going back to even just the core things that you're trying to accomplish in a cybersecurity program, the visibility, being able to still monitor and detect. So I think that all of those things have to be introduced in that strategy to make sure that any of those technologies, what are you using existing SIEM, SOAR capabilities, any of those other types of functions, because in that visibility, your ability to respond to react or the implications into Incident Response Plans, containment strategies, all of those things, I think are factors, way more than we could probably dive into in these minutes. But I love where Mike was kind of going with that. And I love the thought of kind of breaking that down because those decisions are so multifaceted. And having a good thought of the strategy going in will help paint some of those use cases that maybe you know, you later have repercussions or remorse for some of the decisions that get made upfront.
Greg Irwin 38:48
Is it Is there one out one, one guiding principle that can help, you know, eliminate some of the degrees of decisioning.
Brian Engle 39:02
I mean, at a high level unravel as much as you can lay it out and know what you're trying to accomplish the name it as an objective, phrase it as an objective so that you can see are you meeting the objective? Because otherwise, it's just a feature? And are you just kind of checking through the boxes of what a technology can provide versus functionality? What am I trying to actually achieve with this? And does this help me do it? And there's just I guess the biggest thing in the unraveling is there's gonna be trade-offs because they're not going to be able to basically check every box. So can you prioritize? And as a provider that put Mike puts Mike in a tough spot, right, because the needs of the many, but how do you get to the place where somebody's special need might not get met because you have to get to the many.
Greg Irwin 39:43
Robert, there's too much for us to tackle here. Yeah, but it certainly it gives lots of opportunity for more discussion. Help us with a couple of closing thoughts, and we'll let everyone get back to their days. Sure, I think I think the key
Robert Davila 40:05
takeaways here is really when you're looking at SASE. And regardless of vendor, and regarding the elements that you're looking to implement, think a lot about your current integrations and what technologies you have today. Often you see environments that have conflicting technologies, you might have one vendor doing one thing and another vendor doing another. And that can be problematic for organizations. It can work, but it can create kind of operational overhead for an environment. So, you know, I'm a big proponent of when you look at these vendors, look at them holistically in terms of what they offer today, and look at leveraging as much of their stack as possible. Whichever solution you end up going with, and then obviously, you know, make sure you work with a, you know, a qualified integrator to really help you partner through that experience so that you kind of cover
Greg Irwin 40:55
all your use cases. Yeah. Very good. Very good. Hey, thanks, guys. Great group, great session. Remember our goals. I think we knocked number one out of the park in terms of learning from each other stories. Number two, use this group for some connecting with people who are going through similar things. You need help connecting just come back to us here at BWG. Thanks. Thanks, everybody. Great speaking with you and look forward to follow up. Have a great day.