In this episode, host Raghu Nandakumara sits down with Stephen J. White, the CEO of Viking Technology Advisors to discuss the critical role of Zero Trust Network Access (ZTNA), cloud adoption, and AI in modernizing network security. He emphasizes the importance of visibility, automation, and holistic approaches to enhance operational efficiency and security.
In this episode, host Raghu Nandakumara sits down with Stephen J. White, the CEO of Viking Technology Advisors to discuss the critical role of Zero Trust Network Access (ZTNA), cloud adoption, and AI in modernizing network security. He emphasizes the importance of visibility, automation, and holistic approaches to enhance operational efficiency and security.
--------
“It's about making security the enabler for Google, like you just said, it is the enabler, but then it's also making it invisible to the user community, so that it's secured, controlled, managed, but they can do their jobs as effectively no matter where they are. And it's just, this is a really pivotal time." - Steve White
--------
Time Stamps
(04:42) The security challenges of modernization
(17:29) Connecting business and security outcomes
(29:02) Should cybersecurity and network teams merge?
(31:01) What will generative AI bring to security?
(49:31) The borderless network and managing the perimeter
--------
Sponsor
Assume breach, minimize impact, increase resilience ROI, and save millions in downtime costs — with Illumio, the Zero Trust Segmentation company.
Learn more at illumio.com.
--------
Links
Connect with Stephen on LinkedIn
[music]
0:00:02.6 Stephen White: It's about making security enabler for Google. It is the enabler, but then it's also making it invisible to the user community so that it's secured, controlled, managed, but they can do their jobs as effectively, no matter where they are. I mean, it's just, this is a really pivotal time.
0:00:21.4 Raghu Nandakumara: Welcome to The Segment, A Zero Trust Leadership podcast. I'm your host, Raghu Nandakumara, Head of Industry Solutions at Illumio, The Zero Trust Segmentation Company. On this episode of The Segment, I'm so excited to be joined by Steve White, a very storied network and security engineer and architect. He spent many years, especially in financial services, building out network and security infrastructure for some of the world's largest banks. And now as founder and CEO of Viking Technology Advisors, he brings all those years of experience to help his clients in their digital transformation efforts. So Steve, welcome to the segment. It's great to have you.
0:01:09.6 Stephen White: It's great to be here. Raghu, thank you so much for the opportunity to have this exciting conversation with you today.
0:01:15.9 Raghu Nandakumara: It's my pleasure. It's always a pleasure to speak to someone with so much practitioner experience. So I think just looking at your background, right, and the long career that you've had in network and security engineering, when you look at where we are today with the state of network security and you look back, it must make you very excited that we are now solving problems that you've probably wanted to solve for many years.
0:01:38.5 Stephen White: Yeah. It's funny you say that. My go to market business plan for Viking Technology Advisors has been evolving over the past seven months since I initiated the company. And one of the interesting things I did is to look at that historical time period that's happened over the past, believe it or not, over the past 30 years. And there have been major new technology injection that's been business impacting over those 30 years. So in my mind, digital transformation really isn't new, it's something that's we've been living through many years. And each of those new technologies have actually had one thing in common, increased pressure and demand on network and cybersecurity. And what that's also done is it's actually caused a massive sprawl of point solutions and increased complexity that's made it very difficult for networks and cybersecurity to stay ahead of the business demand.
0:02:38.8 Stephen White: And that is only increasing. Now, when you look at cloud, although cloud's not really new, it's been around for, believe it or not, it's been around for almost 20 years, but it's really seems like companies are in earnest are going after it over the past five to eight years. And now with AI and generative AI, now that now the rate pace has picked up even more. And there are some really new exciting technologies out there that are in cloud-based network and security controls that are gonna dramatically change the way companies need to think about their perimeters. Their perimeters are gonna be very different than what we've traditionally looked at, who traditionally what we've thought of as the key control points. So from that aspect, it's people, process, and technology, all need to come together to make this transition. And I really like the word modernization is what we're using now in our marketing materials because it's not necessarily about transformation.
0:03:35.5 Stephen White: It really needs to be modernized for today and the future. And that's the challenge. How do you deliver customer's need today or what your company needs today, and also be able to support the future. I've built this company around the model of if I was going to go to work for a large enterprise, this is how I would approach my management of that enterprise. And that's really the value proposition that we bring to any of our customers is that point of view is we've walked a mile in your shoes, we know exactly where you are, and we are bringing the vested breed partnerships and automation to help realize that modernization goal.
0:04:17.3 Raghu Nandakumara: Well, I think to that to paraphrase your own expression that you've walked a mile in hopefully many of our listeners shoes, right? So they'll be eagerly listening to the insights you're gonna provide. I wanna go back to something that you mentioned about how, whether you call it digital transformation or modernization, right? Your choice of words, but what you said was that each of these steps actually results in new challenges to network and cybersecurity. So the first question is that, do you think that as we are embarking on that step of each step of that modernization, do you think we are aware enough of those cybersecurity challenges or is it just hindsight is a wonderful thing?
0:05:01.5 Stephen White: It really seems like everything's being done in a hindsight manner, right? To me, it feels like roadmaps and strategies are all based on cloud adoption. And one of the interesting thing... What's really exciting about the cloud actually is the automation capabilities, cloud native capabilities, but's really the standards. Think about the amount of standardization that's in the cloud. Workloads cannot work in the cloud unless they can meet the structured standards that exist from the cloud. On-prem and legacy environments or traditional infrastructure environments, have all been built custom to meet specific application needs. That includes the cybersecurity components as well. So those cybersecurity components are all point-based solutions. And then when you get these new application or new business requirements laid on top of that, the first thing you know, enterprise executives or infrastructure operations leaders need to do and cybersecurity partners is to assess the current portfolio tools and technologies.
0:06:05.3 Stephen White: And oftentimes you end up finding yourself trying to jam a square peg into a round hole to try to make something work. And it doesn't necessarily... It might be just good enough, but sometimes good enough isn't all that's required and there's the risk and regulatory aspects of these decisions that end up playing significant roles here. So if you don't do it right up front, you end up with a risk and regulatory hangover associated with that, where you have accepted risks or risks that are unmanaged and then they just become a continual drag on the organization's stability to be successful.
0:06:43.0 Raghu Nandakumara: So do you think that modernization transformation allows, enables for security not just to be done better, but also more simply? Because when I look at or when I read in the popular media, in the trade media about the challenges with security, a lot of what I see is security is really complex when you move to cloud, security is very complex as part of your digital transformation journey. What's your perspective on that?
0:07:15.7 Stephen White: Well, it's interesting in the industry landscape, one important data point I'd like to share with the audience is that I'm a CXO advisor for Netskope and very fond of technology in the approach that Netskope has brought to the market to help solve this problem. There are obviously other competitors in that space, but the true cloud adoption, the remote worker, all the COVID impacts and the adoption of ZTNA, Zero Trust Network Access and moving away from perimeter based security controls, but doing that based on identity in seven different parameters to make an intelligent decision on whether or not access should be allowed, locked, coached, or reprovision. These are like really exciting things because now the opportunity to actually deliver the capabilities of today, but also scale support the future is right at our doorstep. And think about the introduction of AI in the past and I won't embellish the timeframe on this, but technologies that are being delivered by companies like Netskope solved that problem even before it existed.
0:08:28.7 Stephen White: Because they have the capabilities with Zero Trust Access to be able to provide the business enabling capabilities based upon intelligence of identity and other controls. That is super powerful because in the network space and the cybersecurity space, it was always [0:08:46.8] ____. We never had the option to say, well, what other intelligence could we bring to that decision making? Those are game changing capabilities that companies really need to take serious and look at. And what that does is that takes the fresher off your perimeter security architecture. So now you're moving those three things up into the cloud, you're bringing better proximity to the applications where they're hosted. Improving that customer experience in the colleague experience, and that colleague experience some of it is super important because you want them to feel exactly the same way. Whether they're in the office, they're remote, they're in the airport, wherever they are to perform their business.
0:09:27.1 Stephen White: 'Cause we work everywhere and we're not just working in one location, we work every... Be able to have a unique consistent policy. I often look back on the legacy firewall based approaches and I was always trying to find ways to leverage like Illumio and combine Illumio with AlgoSec policies to be able to bring transparency to segmentation strategies and whether or not the level of maturity and segmentation within a particular company and a few of the companies I worked for, that was a big regulatory control that we need to put in place. But the management of policies is just so draconian from 20 years ago. Port destination access, port destination and the source IP, destination IP port, it's not granular enough to keep the rate, keep up with the pace as companies are trying to adopt migration or transformation to the cloud or modernization of cloud.
0:10:23.4 Raghu Nandakumara: Yeah, absolutely. And I think that's such a great perspective because what you're really getting to here, is that in order to truly accelerate modernization, you need not just the technologies that are really kind of part and parcel of the modernization to sort of be able to be dynamic and scale and be automated and as much as you need them to be. But also you need the security capabilities, security technologies that are supporting that to also be the same. Because once when you have a set of security capabilities that is able to be that, you suddenly kind of hit this point where that sort of that cliche of security becoming an enabler, that truly happens versus security becoming something that is actually slowing down progress. And I think that you're absolutely right. That trying to port over security capabilities that were essentially were best of breed 25 years ago and expecting that they're still capable of doing what we need them to do today, is I'd say that that's madness to expect that.
0:11:31.1 Raghu Nandakumara: But it's interesting 'cause you were talking about ZTNA. And so let's sort of uplevel a bit and let's talk about Zero Trust. And frame it in the conversation of modernization. Firstly, as a longstanding practitioner, when did you first come across Zero Trust and what was your reaction to it?
0:11:52.4 Stephen White: We stumbled across the Zero Trust strategy a few years ago as we were considering a transformation from a traditional on-prem sway to cloud-based access. And that's what really became the visible that that brought to us is, is this isn't just about placing one component within your environment. This is a holistic change in strategic shift from point solutions delivering certainly access befalls like VPN and SWG for web access to actually migrating to a cloud strategy where ZTNA security component that's overlay on top of that, that allows you to provision access to on-prem solutions without those traditional controls, because...
0:12:42.5 Stephen White: And it's good transition state, 'cause what it does is it allows you to actually move workloads around and still without necessarily the customer being aware that something has changed. They don't even know the application has moved because traditional ZTNA process, it's the same control as on-prem, it's the same that's in cloud. That's one of the challenges I see within the architectures that exist today is everything's been replicated in the cloud. It's a separate set of processes, separate set controls and there's on-prem and that's just kind of running as it's running today, but not having the full integration of the on-prem in the cloud. What it does is your on-prem environment becomes a barrier to success.
0:13:27.0 Stephen White: And by integrating ZTNA in that In that you can actually start to bring both of these things together because now you can deliver microsegmentation controls with Illumio on-prem, delivering the same capabilities and controls in the cloud. And you can do that with the same policy. Think how cool that would be. Right? And I know partnership, I'm not sure if it's been fully announced yet, but a partnership with Netskope and Illumio. I mean, there's some exciting stuff happening there, where these two technologies would play very well and compliment each other. And at the end of the day, it's about making security the enabler over... Like you just said, it is the enabler, but then it's also making it invisible to the user community so that it's secured, controlled, managed, but they can do their jobs as effectively, no matter where they are.
0:14:16.4 Stephen White: I mean, it's just this is a really pivotal time. And I remember, I probably aged myself a little bit with this story, but I worked for a company called International Network Services back in the late '90s. And when I graduated college, IP networking was in its infancy. And I remember, INS, their professional services model was built around helping customers modernize their IP network environments, because everybody was fumbling through it. They were trying to figure out how to make it work. They struggled with the various protocols and God, there must have been a myriad of different protocols. And that's why Cisco really landed as being the premier networking providers.
0:14:53.4 Stephen White: 'Cause they have regression support for all of those things. We're at a very similar time right now with these new technology adoptions and specifically cloud-based network security, ZTNA, microsegmentation, it's a shift from the traditional thinking like and being a practitioner in the network space and having grown up with my hands on the keyboard and evolving into senior management roles, we'd always gravitate towards physical firewalls, architecture of a network around creating isolation and segmentation.
0:15:27.2 Stephen White: But that's just not a reality. Most companies don't have the time and effort to spend to do that and be able to utilize software-based controls to be able to deliver that virtually and improve the security posture of the company is a tremendous opportunity. I'm super excited about where it's at. And that's really one of the key reasons why I had the inspiration to start Viking Technology Advisors is to start with the assessment phase. Do that fourth full automation, do that light touch within 30, 60, 90 days and help the customers build that roadmap and their strategy to adopt these technologies. Because this stuff is a multi-phased, multi-year effort. But it also needs to be managed in compliance with budget availability and a customer's interest or willingness for change risk, right? Management of change risk is important as you have to manage those two aspects.
0:16:21.8 Stephen White: We bring both of those things. 'Cause that's what I've done in my career. My whole career has all been about the business aspects, the technology adoption, but really how does it drive the business outcome? And these capabilities are all about driving business outcome. And this is really what... I think this is the transition, the true infrastructure platform engineering, this is the product, right? That's one of the things I struggle with, Raghu, too and I think about this, it's like everybody talks about platform engineering. They make sense. It's all about products, right? I get that, but what's the product in network and security, right? How do you make that a product and how do you transition to infrastructure platform engineering? That was a big topic of conversation at the Gartner conference back in December. The infrastructure, operations, cloud strategy summit.
0:17:12.5 Raghu Nandakumara: There's so much that you've shared there and I'd love to unpick bits and pieces of it. Let's start actually with what you said really about being very outcome focused, right? Because that is, I think if I look back in my own sort of background as a network security engineer, right? The business outcome piece often wasn't what you really connected to, right? You kind of, you very much kind of very focused on, okay, what is the security outcome you're trying to drive towards? Right? Or you even like, it's somehow good, you mentioned the thing about, well, that sort of, what is the 5-tuple that I need to construct in order to enable you to do this, right? But can you talk to us a bit about how you uplevel the conversation with your clients to folk start with the business outcome and then ultimately get down to the how from a security perspective?
0:18:06.7 Stephen White: I think the key thing is to understand, we meet the customer. We begin by understanding where they are on their journey. Having that visibility and having that detailed conversation with their stakeholders, but then what we do is we combine automated discovery of their environment to bring real data points to that as far as network infrastructure, including inventory configuration, vulnerability and cash, topology and the current state investments. And we also do that with the view of their telecom expense managing platform, that a budget in a financial services firm, a big part of a network budget is telecom expense. And then the last piece of the puzzle. And I've also got a recent new partnership that's budding that I'm working on with a company called X Analytics that it's bringing transparency and data to the measurement of their cybersecurity risk maturity and a score assertion.
0:19:07.0 Stephen White: Now you can have conversations with the C-Suite executives about really what is the business status, where is the risk associated with security, and what levers can actually be pulled to actually improve that maturity score. By doing that, now you've actually connected the dots to real data that's business-related. And the other thing you've done with that is now you can actually have a discussion and build a plan that will deliver that outcome and be able to measure the success of it.
0:19:44.4 Stephen White: The measurement of success is a tremendously important element. You ask for millions of dollars for budget. When is it done? Like in the ZTNA-based cloud network security adoption program, when is that done? If you're gonna bring that business piece forward, you want to bring that business case forward with a point of view of the totality of the project so that you can plan the budget for that. The other thing you could do too is you can look at the consolidation opportunities. As we talked about earlier in our conversation, there's probably somewhere in most enterprises between 30 or 40 different point solutions that are being managed and deployed, so that licenses, hardware, knowledge of people. The power of this is to consolidate all of that and prove the efficiencies of how things are delivered, deliver real time.
0:20:33.3 Stephen White: And the outcomes of that is also delivering self-service where they don't need to open a ticket or call somebody on the network team. I don't have access to this. It's all about enabling that self-service. So if you take the metrics of the maturity score from a security perspective and you combine how the capabilities of network and security, automation are delivered to enabling application developers to perform their jobs more seamlessly, that's how we think about it. And that's how we have those conversations because then it's measurable and deterministic along...
0:21:14.4 Raghu Nandakumara: So it's part of that, right? And the whole, the measurability, I think is so important. Being, having a very deterministic path to success is super important. How do you see the introduction of like Zero Trust and the adoption of a Zero Trust strategy, when does that come in to the conversation? Or is that a conversation that your customers, your clients are already having and the projects then typically aligned to that strategy?
0:21:43.4 Stephen White: The strategy is all built around the adoption of Zero Trust, because that's the big pivot. And technologies like Illumio enable you to do that very seamlessly, both on-prem and in the cloud. And you can do that using the iterative process. The deployment, I've been using Illumio at two different firms over the past, at least over the past 10 years, had tremendous success with the product. In that capability, not having to physically change the technology of the network or the infrastructure to deliver those outcomes is tremendous. The visibility that Illumio provides within the policy compute engine on all the application flows, you've got the foundation. Then you can layer in each of these components on top of that as a strategic journey. So it's the end state in my mind, Zero Trust. There's a journey to get there. The path on that journey or the roadmap for that journey is exactly what we spend our time with our customers to help them understand each of the steps along that path. That's exactly how we approach it.
0:22:48.4 Raghu Nandakumara: Right. And I want to come back to actually the way you described sort of the foundation of the whole Zero Trust strategy is visibility and then you sort of use that visibility to identify what controls you sort of need to layer up in order to let's say remove the amount of implicit trust in your environment to better protect your environment. But the actual sort of decision to adopt a Zero Trust strategy, is that on the back of conversations and you talked about sort of assessment services, that you sort of bring into a customer or is the adoption of a Zero Trust strategy something that they are already bought into? And now it's like, "Hey, Steve, how do I execute on this?"
0:23:33.8 Stephen White: Great question, Raghu. So I would say it's both. Some customers have a level of maturity where they may have deployed Illumio, they may have deployed Netskope, but they might not have taken full advantage of the transition to ZTNA. They might have deployed a SWG component thinking about VPN replacement. But when you think about VPN replacement, you're not really replacing the VPN. You're holistically changing your access methodology and that the outcome of that is replacing VPN. And it's not a like-for-like replacement. And the same thing within the Illumio space, if a customer already has Illumio, where are they on their journey? Implement the controls on-prem? Are they doing monitoring in the cloud? What's the next step to get to a consistent policy between on-prem and the cloud?
0:24:20.3 Stephen White: So now when you are provisioning access, you're provisioning access with the view of the totality of the access requirement, not just the individual unique component. Oh, I need a firewall change in my cloud on-prem, but I'm going to need an access control list change in my AWS instance. And oh, by the way, I'm going to have to push a change on-prem as well. There's five or six different points in that one example. That's really the value proposition, the output here is, with ZTNA, you could provision that ubiquitously and make it seamless right off the bat. But you need to do the planning up front and you need to layer in all of the dependent elements to be able to deliver that. Sometimes that takes time. Sometimes you have to slow down and go faster to do that. But one of the things we try to focus on, helping the customers continue to maintain their rate and pace while they're working on that journey, 'cause the opportunity to actually stop doing what they're doing, that's not an option. So that's really the automation. It's like networks. People talk about automation. Networks, in reality, are pretty stagnant. They don't really change that often. If they are changing quite a bit, then there's most likely a design or an architecture challenge that needs to be addressed that's causing that need. Because it really shouldn't have to be.
0:25:39.6 Raghu Nandakumara: Absolutely. And just there, if you've watched sort of other podcast episodes, I start to smile more and more as I hear the guests say things that I sort of... I feel like I've been preaching for a long time and it makes me very happy. So I want to come back to a few things that you just said. I think the first thing that I think is really important for listeners to understand is that you may have technologies that help you achieve essentially a Zero Trust posture. But just because you've got them, it doesn't mean you're truly on the path towards Zero Trust. I think your point about, oh, well, hey, I've replaced my VPN with a ZTNA technology. So I must be doing... I must be on that Zero Trust path because one of my technologies has got Zero Trust in the name. Or equally, I've got a microsegmentation technology, but I'm not really doing any segmentation with it.
0:26:33.9 Raghu Nandakumara: So I'm not truly doing Zero Trust. So I think that part of it, not just about having technologies that are capable of doing this, but also then really looking at it holistically and focusing on building those security policies where you are truly reducing the trust in the environment. And the other thing I think is that was really important was ultimately looking at it holistically. Because it can't be a strategy if you then have different strategies for every little pocket of your environment. This is truly an opportunity, I think, about how can I get to a much more unified security posture across my environment, which will take like baby steps. Which will take incremental changes to achieve, but I need to be thinking about that greater sort of picture that I am really aiming towards? Is that a good summary?
0:27:29.8 Stephen White: Yeah, 100%. Yep, absolutely, well said. And the overall architecture of the network is a critical component. The shifts from traditional hub and spoke designs to SD-WAN adoption, but really SD-WAN enabled by business class internet services, that's the key. You need to bring both of those things together. And I want to highlight one important point around the people and process thing that we talked about earlier ago as far as bringing these teams together. Each of these projects and initiatives around ZTNA really require multiple stakeholders. You've got the chief information security office. You've got the network infrastructure team. You've got endpoint and desktop engineering teams. You also have the cloud teams. There's multiple stakeholders there. Each of those stakeholders are all going to have their own opinions about how to solve the problem.
0:28:26.0 Stephen White: But the reality of it is they all need to come together and agree on what that vision and the strategy is. So, I mean, I've been recently starting to participate in the Open Network Users Group, ONUG. And in the ONUG session back in October, this was a big point of conversation; Should cybersecurity and network teams be coming together and merge? And my answer to that question would be yes. That's the fundamental shift. You start to adopt a ZTNA-based delivery model that you've got to bring these teams together. They no longer can operate in silos. And that's almost the more difficult aspect of it, but the technology is gonna force it. It's gonna make the conversation happen. And I think I'm going to start to see more and more companies think about their organizational transformation and modernization of the way their organizations are structured to adopt these technologies. 'Cause traditional models are not going to work. And that was a big part of what Gartner talked about at their conference back in December.
0:29:28.0 Raghu Nandakumara: Yeah. I think that's such a great point because, and it's a point that many of the other guests have made, George Finney in his book Project Zero Trust, and then John Kindervag, who is the Chief Evangelist at Illumio and sort of one of the founding fathers of Zero Trust, kind of really speak about is that when this is done properly, it is not just a transformation in how you're doing security, it is truly a transformation in how you're organizing yourselves. And in order to achieve that, as you just so eloquently put it, it's everyone needs to be involved in that process. It is not just the security team, it is the network team, it is the infrastructure team, it is the application team. It is your risk team. Like every part of your organization in some way or the other is involved in this, in let's say the RACI that sort of governs how you do this. And that's the only way you're going to be able to drive sustained transformation. Is that how you see it?
0:30:26.5 Stephen White: Yeah, a 100%. Yeah, exactly. Well, nice job summarizing.
0:30:31.8 Raghu Nandakumara: I think like just moving on, right? And you spoke about the possibilities that AI and generative AI offers. As a network security practitioner, and putting aside Zero Trust for a second, what are the exciting things that you see that AI is going to bring to our discipline?
0:30:53.8 Stephen White: It is a super-exciting time, I think. Early on, maybe some people might be scared of it. Like it's sort of gonna replace their jobs or they're going to be replaced like an autonomous vehicle. But it's... You think about the level of administration that goes into managing a DevSecOps organization or the level of effort that it takes to actually build templates and configurations and standards and making that available in the NetSecOps team. Having the automation of AI and generative AI, you will automate all the functions that usually never get done. Everybody talks a good story about having SOPs and automating responsiveness to incidents and events and improving the ultimate availability, because let's face it, IT fails. It's always going to fail. Now everybody's expectations is five nines availability. But the key here is that when something does go wrong, it's how quickly you can respond to it, how effectively you respond to it, and how you minimize the business impact through the right design of the infrastructure.
0:32:07.5 Stephen White: AI and generative AI is going to drive significant improvements in those areas. And it's gonna enable teams that are logged down and managing that administration to focus on more higher value. And that is like super exciting stuff. I'm aware of a few different startups that have popped up and some partnerships that I have some friends of mine that are doing these startups and they're building exact models around what I'm talking about. The whole large enterprises, crew efficiencies in these areas without necessarily having to build it on their own. Because the other component I'd like to share too is, the do-it-yourself-based approach for some of this stuff just doesn't make sense. So I'm also sprinkling another company in there that I'm a strategic advisor for is Gluware.
0:32:55.4 Stephen White: But Gluware is the only intelligent-based, low-code, no-code, network automation platform on the market. And it eliminates the do-it-yourself-based approach, proves significantly the efficiencies of an organization. And networks are pretty stagnant. And they're also highly complex. It's not like automating a server or automating an application, you've got 6,000 of them, you've got 3,000 or 4,000 individual components that have unique attributes to them. To automate those requires customization and scripting if you're going to do it. It's a do-it-yourself-based approach. Gluware eliminates all of that complexity.
0:33:35.6 Stephen White: And that's one of your first steps on that journey towards AI enablement and improving efficiencies 'cause now you've taken all these engineers that are focused on doing day-to-day administration, you've eliminated that by introducing the automation. Now you can have them start to really focus on higher value tests, AI, generative AI, continuous improvement, new technologies, Zero Trust adoption. These are big projects and initiatives and your current teams that are on the ground, would love nothing more than to be part of these projects and initiatives. They would love nothing more to learn these because then it becomes stickiness for the company that they're part of because they're learning new things, it's helping them evolve their resumes and they're staying challenged. Nobody wants to continue to have to do the same thing over and over again. But I think a lot of infrastructure and operations leaders are really struggling in that space because they've got one foot on the dock and one foot in the boat, and they're about ready to fall in the water because they can't possibly keep both of them... You can't possibly keep a float on both of those at the same time.
0:34:43.8 Raghu Nandakumara: [chuckle] As you were saying that, I was actually visualizing that exact scene. So that's really funny. But I agree. And actually, I like the... And I think that's the key thing to the possibilities that development AI, I think really offer. Are really around, how is this going to take a lot of those mundane tasks that I do, essentially to keep the lights on, that in terms of actual value, are not adding value? They're kind of just bringing me to zero? How can I take those tasks that just bring me to zero and offload them, whether that's sort of reducing outages across my infrastructure, just by being much more diligent in terms of configuration deployments? Or sort of making those failure domains much more robust, in a way, and I hope this is not too much of a leap.
0:35:31.5 Raghu Nandakumara: But I actually feel that the adoption of Zero Trust in many ways gives organizations the same level of resiliency in their infrastructure in that you're effectively trying to create as small sort of failure domains as possible but in a highly dynamic way so that you essentially have... Even if you've got a failure and by a failure I mean it could be a misconfiguration but it could be an attacker. Failure sometimes it's very difficult to differentiate between those two events because the unexpected happens but by having an a security approach in place which really limits sort of limits the abuse of privileges, limits the abuse of access, you're able to contain that, which means that your security team, rather than being overwhelmed by an incident that truly just gets out of hand, is able to focus on putting out that much smaller fire while they continue to do the rest of their value at us. And I think, I hope that analogy is not too sort of out there. But I feel that sort of AI in many ways provides the same that Zero Trust provides from a security perspective.
0:36:43.9 Stephen White: It absolutely does. What's really cool about it, is AI, artificial intelligence, it's human thought to the use of data. Think about all the different data points that exist out there. You've got Illumio, you've got Logs, you've got Swank, and all the logs and all these different various systems. Being able to make that data useful in a traditional mode of methodology, you have to have some way to offload it into a database and then build a script to be able to extract the data. And you're gonna need a subject matter expert to do that. And it's, oh my God, it's going to take weeks to do that.
0:37:25.6 Stephen White: One of the challenges that infrastructure and operations leaders have is actually obtaining the data that they need to make a decision on what to do. AI really eliminates the complexity of doing that analysis and helps an engineer that might not be able to script, obtain the information that they need to be able to make a decision about where they want to go. So that's around solution engineering delivery. Also in the operations space, like we just talked about DevSecOps, having well-defined SOPs for different incidents, but you can't possibly have an SOP built for every single incident. Like cyber security ransomware. Oh my God, with an event like that, we often would do tabletop exercises. We test ourselves and prepare ourselves, but there's always nuances here.
0:38:18.0 Raghu Nandakumara: Yeah, absolutely.
0:38:19.0 Stephen White: AI helps with bringing full transparency to what data points that are necessary to figure out exactly what's happened and react to it, reduce the amount of time that it takes to react because as I mentioned earlier, it's all about reduction of risk, reduction of impact, and maintaining the business, right? So those elements is all about how you respond, and AI is gonna be a very important component to that. And then generative AI more specifically to your particular company's environment is also gonna bring you a lot of transparency.
0:38:53.5 Raghu Nandakumara: Yeah, absolutely. And I think that thing that you said just now about the reduction of risk, reduction of impact, reduction of cost, I think that's a really interesting thing because the shift that I've seen from a prioritization perspective for organizations is I think as sort of particularly cyber attacks have become increasingly targeting the stability and availability of applications and of services and of infrastructure. I think there's definitely been a shift in terms of how we think about the AIC or CIA triad of security and really putting a lot of premium on the availability pillar of that triad, right? And I think that's the, with sort of the increased, I'd say like the term cyber resilience is now sort of very ubiquitous. And I think that's because of that focus now on how do I limit the damage, right? Sort of prioritizing that, not that of course that integrity and confidentiality are not important, but availability, which has always felt, put a bit of bell on the back burner is now really coming up trumps as something that cyber practitioners are prioritizing.
0:40:07.8 Stephen White: And that really reinforces at least in my mind the importance of bringing those two teams together. Beause we always have strong collaborative relationships and I've always had strong collaborative relationships in my previous firms, we had cybersecurity and we were always [0:40:27.2] ____ On every major incident that was happening 'cause they would always bring knowledge and experience around the incident, around the event and have ability to help control or maintain. But then the networking was really instrumental in that as well, because they were the ones that were like, maybe it's a better way to implement that control in the environment. But Zero Trust brings a full level, whole different level of control here, which is microsegmentation on steroids. Now you're not thinking about... Traditional microsegmentation models were all about creating a model around the workload. Now obviously you still have those base center controls there, but now with Zero Trust, it's only based on a finite number of users that have access to those workloads, and it's much easier to manage that and you're not doing it again, relying on 20-year-old isolation based approaches using physical aspects of network and security. You're truly doing this as software now, which is really kind of cool. It seems like the network and security are the product to where everybody else is from a capabilities perspective.
0:41:37.2 Raghu Nandakumara: Absolutely right. And I think actually when you do it right, you have the ability with Zero Trust and whichever pillar you are focusing on within the Zero Trust sort of framework that you have the ability to instrument a significantly more granular and more dynamic policy in a way that is way simpler than you would ever be able to do with traditional approaches, which feels contradictory, but it's the truth if you do it properly.
0:42:10.4 Stephen White: And the threat actors are gonna have the same access too, right? They're gonna have access to AI, generative AI, they're gonna use automation to improve their efficiencies. Zero Trust based model is how you stay ahead of it, right? It's all about what do we do today and how do we deliver today? And then how do we plan for the future? Are we ready to deal with the unknown that's gonna happen in the future? That's where these technologies really play. That's why it's important for companies to look at it from a security physical infrastructure and the applications that are around it. You need to have a holistic based approach for a policy regardless of where the workloads sit. Most firms are gonna end up in a hybrid model where they're gonna have on-prem workloads, you got side workloads and a lot of the selection of products, there's a little bit of religion and politics, people have their things that they like and others have things that they like, but at the end of the day, I think everybody can agree that having consistency in policy and administration improves the effectiveness of the infrastructure and operations teams and security to manage this and availability is what it's all about. That's the outcome, right? Because at the end of the day, if it's not done right, that's really the impact is availability.
0:43:33.8 Raghu Nandakumara: Yeah, absolutely. And you said it very well, right? 'Cause ultimately as an application owner, I don't care where my application is running, right? I just wanna be confident that when I want to run it, I'm able to run it and it's got all the right security around it. And I think that's really what Zero Trust is about. One of the things is about being able to guarantee that you are able to run an application with the right level of security around it in whatever environment, confident that only those who should be able to access it or things as other actors that should be able to access that are able to access it. That ultimately is what Zero Trust is about, it's not about the infrastructure that you are running on, right? It's not about the environment, the technology. It's about being able to essentially guarantee that for the application owner.
0:44:25.8 Stephen White: I like what you just said, and I just wanna double flip there for a second, is key component here is creating the separation between the physical infrastructure and the control. Because if everything depended on the execution of delivery of an architectural change within the physical topology, huge expense, lot of time, and the business needs at now, right? So none of that is gonna work, right? So it creates that layer of abstraction between traditional legacy infrastructures as an overlay, if you will. I know what an overlay is, but I'm not sure if it's the right term for... But I'll use it anyway now. It's like an overlay on top of the physical environment. And it's a fast track to even on parts of your environment that might be end of life, a lot of companies are struggling with end of life patch management, a lot of challenges and all of those things take time, right? And you only... Think about the number of maintenance windows that large companies have, and then if you're in healthcare industry, God, you don't even have maintenance, right? Like you can't take anything down because you can't tell a doctor they can't do what they need to do because I'm doing maintenance on the system. That just doesn't...
0:45:45.8 Raghu Nandakumara: Yeah. I like that because you are reframing it from the perspective of when you think about how can I apply this approach and where is it gonna give me benefits? It truly has benefits not just in terms of your transformation, your modernization, but it also has relevance in your existing legacy infrastructure as well. And I love that the word that you used was overlay, right? And I love that because you are abstracting away from essentially all the things that constrain what you can do, right? Which is the infrastructure, the infrastructure constrains what you can do. And now if you are able to essentially uplevel and say, "Actually, I'm not gonna worry about the infrastructure, it can do what it needs to do and run whatever technology, but I'm gonna uplevel that and actually shift my control to as close to the thing that I'm trying to protect, then I have far more flexibility and capability to be consistent, to have coverage and to improve that security posture that I've always wanted to do."
0:46:53.3 Stephen White: 100%. And just to plug for Illumio here, they've been doing that for a while, right? I mean, that was one of the things that was really exciting about that technology when I learned about it seven, eight years ago, was the simplicity of being able to deploy every workload in the environment, establish a set of tags, create visibility on the flows that are associated with that, move to execution of policy both in monitoring and as well as in containment, and do that at scale. The simplicity of that is really building on that simplicity. You can overlay the next level of containment and I mean control, which is ZTNA on top of that fabric that's already in flight. So it's super cute right? And it's really the wave of the future, in my opinion, that moves you fundamentally away from traditional control access with firewalls to true policy-based access.
0:47:55.0 Stephen White: And you're not managing the set of... It's just the concept of firewalls like zero... What was the borderless networks like? I've been hearing that term for many years, and I actually think for the first time we are actually there. I think that these are the technologies that actually, I mean, I'm visual learner and someone that thinks of things logically and I can see it, like in my mind I can see that truly borderless network, where an enterprise doesn't even manage the perimeter. That perimeter is up in the cloud. That perimeter is at the application control, and it doesn't really matter who the users are. You're not worried about creating a trust zone between a cloud instance and an on-prem instance and managing the firewall policy between the two.
0:48:46.3 Stephen White: It really is super exciting. And the key to all of this success is having the right plan. Having the right transparency on the starting point of where you are on that journey and layering it out over time so that it could be adopted consideration for willingness to constrain risk associated with change, and the ability to fund, right? Because that's most important element here is the cost aspects, and how those cost aspects deliver business value. In being able to bring transparency to the C-suite executives, on exactly what they're getting for what they're spending, that's huge, right? 'Cause at the end of the day, that's why they have infrastructure and operations teams. That's why they have technologists. The technologists worry about that, C-suite executives worry about business. And everybody working together delivers on that outcome. It's pretty cool stuff. This is a really great time in the industry and I'm super excited about it and really passionate about it, having a lot of fun right now on having conversations like this and being part of executive advisory and spending time talking other customers and helping customers solve these problems is really great stuff.
0:50:00.5 Raghu Nandakumara: I mean, Steve, you just gave us such a great line to wrap on. And Zero Trust provides the entire organization with transparency across their security posture, across sort of their maturity, across their spend. So it really is when adopted and when done properly, it is essentially a value creator for an organization and an enabler for modernization. I think that's the gist of your message today.
0:50:31.7 Stephen White: 100%. Yep. Well said.
0:50:32.8 Raghu Nandakumara: Oh, Steve, it's been an absolute pleasure to have this conversation with you, to really tap into your experience and your real practical, technical experience about how you are making this real for your customers today. And it's been such an eye-opening conversation. It's great to have deeply technical individuals like yourself on this podcast. So thank you so much for joining us.
0:51:00.0 Stephen White: You're welcome. Thank you very much for inviting me and I'd love to come back for another conversation in the future sometime, we talk more about some of the outcomes that we're realizing.
0:51:11.2 Raghu Nandakumara: I'm sure with all the changes happening in the technology landscape, in the security landscape, I'm sure we'll... 12 months from now we'll have lots more to converse on. So yeah, I'd love that.
0:51:22.6 Stephen White: Fantastic. Great. Thank you so much for your time. I really appreciate it.
0:51:24.0 Raghu Nandakumara: Thank you, Steve. Thanks for tuning in to this week's episode of The Segment. We'll be back with our next episode in two weeks. In the meantime, for more Zero Trust resources, be sure to visit our website www.illumio.com, and find us on LinkedIn and X using the links in our show notes. That's all for today. I'm your host, Raghu Nandakumara, and I'll be back with more soon.
[music]