Get IT Started Podcast

GISGID – EP 16 – Den and Tarun Desikan Talk Device-Centric SSE

In this episode, our host and Banyan’s Chief Security Officer Den Jones speaks with Tarun Desikan, co-founder of Banyan Security. Banyan has just built a new class of SSE solution centered around the idea that the device is the new edge. They chat about the core SSE offerings (SWG, CASB, VPNaaS, and ZTNA) that are critical components in building a security strategy centered around devices…one that addresses threats at the network, application, and cloud levels.

Speaker 1:

Hello and welcome to Get IT Started. Get IT Done. The Banyan Security Podcast, covering the security industry and beyond. In this episode, our host and Banyan’s chief security officer, Den Jones, speaks with Banyan co-founder, Tarun Desikan, to discuss Security Service Edge or SSE technologies, and why Banyan is rolling them out now. We hope you enjoy Den’s discussion with Tarun Desikan.

Den Jones:

Okay, everybody, welcome to another episode of Get IT Started. Get IT Done. I think we’re at episode number who gives a shit, actually, I don’t know. We’re somewhere down the line. We’ve done about a year worth of these. Today I’ve got an amazing guest who was actually our very first guest on the show, because he is one of our company’s co-founders. Tarun, why don’t you introduce yourself just for those who have no idea who you might be.

Tarun Desikan:

Awesome, thanks, Den, thanks for having me. I remember when we first did this podcast, I said, “Den, it’s going to be you, me, my mother, your mother,” and it is just amazing to see how far the podcast has come in the last year or so. But hi, everyone. My name is Tarun Desikan, I’m one of the co-founders of Banyan Security. We’re a zero trust security provider for organizations looking to better secure their workforce from modern threats faced on the internet.

Den Jones:

Awesome. Yeah, I still don’t think my mom’s listened to this shit, to be honest.

Tarun Desikan:

I made my mom listen to it once, yeah, she said, “You have a face meant for radio.”

Den Jones:

Yeah, no, my mom said I have a face for video podcast, but she didn’t know what a video podcast was and I gave her the $20 to say that. So, when you were here last time, we were talking about Banyan, the journey we were on and a lot of zero trust. Why don’t you start by saying, rollback couple of years ago, hey, we were doing this zero trust network access. Why don’t you share just what was that journey all about as we then, we’ll, translate, transfer, then we’ll move on to the up-and-coming journey. Let’s talk about the history, what was the journey we were on for the last few years?

Tarun Desikan:

Well, zero trust itself is such a funny word, zero trust, what does it even mean? But it also has been such a catchy phrase. People have taken zero trust and applied it to everything. In its original roots, zero trust was a concept coined by a Forrester analyst, John Kindervag, to speak about network segmentation. “Hey, do not trust everybody on your network,” was kind of the origins of zero trust. But over the years people have taken that term, zero trust, and applied it to zero trust network access, applied it to, I most saw, zero trust data backup. I saw that recently. People have bastardized that term, essentially. It means anything to anyone.
Even when we started Banyan, we never called ourselves a zero trust company. We were always a secure remote access company. That’s how we got started. And of course, as Gartner and other analysts popularized the term zero trust, we of course jumped on the bandwagon and we said, “Hey, our secure access technology solves your zero trust problem.”
This is one of these things, I don’t know if there are other words you can think of, Den, that have just crossed the chasm as it were. You can say zero trust to pretty much any IT professional and they will nod their head, they’re like, “Yes, I know of zero trust, I have heard of zero trust.” Do they actually mean the same zero trust you and I talk about, do they understand the nuances of zero trust? I’m not entirely sure, but zero trust has kind of become AI, artificial intelligence. Everybody knows what it is, everybody wants it, but not everyone can clearly articulate what it is and how it’s going to help their business yet. Anyway, that’s the provenance of zero trust. From Banyan’s perspective, I think we’ve always been a secure access company. It’s always been about providing secure access to your workforce to the resources they need to do their job.

Den Jones:

Yeah.

Tarun Desikan:

Zero trust is [inaudible 00:04:43].

Den Jones:

Sorry, I was just going to say zero trust is more of a marketing buzzword these days, and I think it’s like you say, applied everything to everybody. Everyone’s got a different opinion of what it actually means to them, and different vendors want to be zero trust. I think of it more like digital transformation. When everyone said, “I’m doing some digital transformation,” I’m like, “Bullshit, are you really? What do you mean? You’re migrating from Exchange to Office 365? That is just a migration project. You can call it digital transformation all you want.”
I think ZT’s got like that. I do think a lot of vendors, and maybe I think we fell foul of this at Banyan was I want to label ourselves because we want to be in a Magic Quadrant or we want to be… We know, if you look at the definition, we fall under the definition for certain pieces of the puzzle. I think we’ve been very crisp with our audiences over the years, which is, you could look at a zero trust architecture and you could say, “Hey, Banyan will solve this and this of a zero trust architecture.” We might solve the remote access piece of that puzzle. We might solve the device posturing piece of the puzzle, but we don’t solve DLP data tagging or network segmentation. We don’t solve lateral movement within a network if you’re already in the network.
But we might solve lateral movement if we don’t provide network layer access, because we’re providing the application level access. So, I look at it like it’s all in the nuances. Now, what’s really interesting is we’re about to… I don’t know if retagging, how would you describe what we’re about to launch? It’s almost like we’re about to glom onto another fancy buzzword, SSE. So, Tarun, why don’t you explain for everybody what is this tweaking of our messaging that you think we’re doing? Why are we doing it? And why now?

Tarun Desikan:

Yeah. I mean, there’s a lot to unpack in there, but SSE is a concept articulated again by the analysts, this time Gartner, to stand for Security Service Edge. The idea that a lot of security capabilities that were historically found in an office network, typically on a firewall close to your wifi access point, is where these security capabilities used to lie. You no longer keep them in your office. Instead, you deliver them from an edge, which is essentially a cloud point of presence close to the user. That’s what SSE stands for. It’s a set of security capabilities that are delivered in the cloud.
From Banyan’s perspective, from day one, we’ve been a cloud-based company. We’ve always done secure access. The reason for us the good time is Gartner has something called a Magic Quadrant where it starts tracking vendors in a space. The cool thing for a young company like us is that this space did not even exist six or seven years ago when we started the company. Now, I would be lying if I said, “Yeah, Den, I had the foresight. I knew this market called SSE would emerge in seven years, and therefore we started Banyan.” No, that’s just not true.
So, I think people have entered the SSE market from two different angles. There is one class of vendor that has sold firewalls for the longest period of time. They took those firewalls, they delivered them to the cloud, and I’m going to name names like Palo Alto, Zscaler, Cisco. These guys have sold hardware for the longest time. They took their hardware model, they delivered them in the cloud, they’re going to call themselves SSE and show up in Gartner. That’s fine.
There’s another set of companies that have taken a cloud-native approach, which is we have thought from day one, what does it look like if your applications don’t run on premise? What should the user experience be if the user doesn’t always come to the office? We call ourselves a cloud-native approach to SSE. So, we have taken a cloud-native approach, in our case, focusing on the endpoint, focusing on the user, focusing on context, but still delivering the same security capabilities. So, you’re going to see both types of vendors, but we are solving the same set of problems for an organization, which is how to better secure your workforce? How to provide the security capabilities that were traditionally provided in the office for a hybrid world?

Den Jones:

Yeah. I think, from a threat landscape perspective, what is it you think we’re solving for with SSE?

Tarun Desikan:

So, when Banyan got started, the primary threat landscape we were solving was the one that was used to attack, say, the Veterans Affairs or SolarWinds, which is credential compromise. Somebody compromises your user, gets into the network, and then starts spreading in the network. That was the primary threat vector we were protecting against. The way we were protecting against it was by posturing your device, requiring device posture for all accesses. Then, when you do that, it’s very hard for a bad guy to just phish you as a user and get access to your network. Then, of course, you extend that with least privileged principles and give users and devices access just to the applications they need. That was the core of Banyan when we got started.
In this release, what we are focusing on, is extending that core capability. We’re now also blocking malicious websites. We’re also now blocking malware that could be downloaded onto your device. We have expanded our protection layer to also look at internet threats. I think the one thing you asked is, “Hey, why now? Why are we doing it now?” It is just, as a young company, entering a space that is dominated by big players, one of the key things for me as a product guy is we need to be really good at everything we do.
We didn’t want to take on internet threats until we had really nailed the user device context and least privilege access problem. I honestly think right now we have nailed that. We have nailed that, how do you really posture a device? How do you handle the different types of clients? Clientless access, contractor access, developer access, service account access, managed device access, we have nailed all of those. Once you have gone deep and solved one set of problems, I think you earned the right to solve the next. That’s why SSE is ready now for us to go after.

Den Jones:

Yeah, it’s funny, because I kind of look at it like, the new perimeter of your security is really the device. I mean, the endpoint device, the user, block that context together, you’re not all in your network. Then, I don’t care which business you’re in these days, you have a percentage of your workforce, which is not on your network, and they’re accessing apps and services that are not on your network, they’re cloud-based. Depending on your industry, it might be a smaller percent. But the reality was 2017 in Adobe, we were catering to about 20% of the workforce that were remote, and about 60% of the apps and services who are now cloud.
Then, as COVID hit, obviously, that went even more extreme, from a workforce perspective. Now I’m going to pause slightly. Here’s a little bit of a curve-ball. So, AI, we’ve been talking a lot about AI in the world these days. I decided with ChatGPT’s help, I’ll get a list of questions together regarding SSE. So, I wanted to know what ChatGPT thought the top five questions were regarding SSE. Here’s number one for you, Tarun, what is SSE and how does it differ from traditional security models?

Tarun Desikan:

Well, ChatGPT… Can ChatGPT also answer these questions for you?

Den Jones:

I probably could ask. I tell you what, I’ll ask that question and then see what it says right now. I want you to give me the answer from your perspective, then I’ll tell you what ChatGPT says.

Tarun Desikan:

Well, I would say, SSE differs from traditional security models primarily in that it does not assume you are in the office, and it does not assume that your applications are in the control of your IT team. So, SSE allows you, as an organization, to provide a security layer for your workforce that highlights today’s hybrid reality.

Den Jones:

Well, that is pretty good. Now, the first time I said what does SSE stand for? I didn’t add in Secure Service Edge. So, I’ve done it again. The good thing, Tarun, is your answer is way more succinct than the four paragraphs of nonsense I get from ChatGPT. “The security model that focuses on securing the edge of the network where applications and users connect rather than securing individual…” Oh, geez. See, I don’t know, but it seemed like it was really confident in its answer.

Tarun Desikan:

I feel like ChatGPT does that. I ask ChatGPT a lot of questions just for the confident response.

Den Jones:

Yeah, no, by the way, that’s most of the bullshit I say. I don’t know if the answer’s right, but I make it sound right with a good accent and then everyone’s like, “God, he knows his shit.” And I’m like, “No.”

Tarun Desikan:

That’s the point of life, isn’t it? Deliver BS with confidence.

Den Jones:

Yeah, I mean, that’s how my whole careers went to be fair. So, here’s another one. What’s the potential risks and challenges associated with an SSE deployment?

Tarun Desikan:

Yeah, I think one concept that everyone who deploys SSE should be aware of is, you are putting more trust in a third-party security vendor. That’s just the reality. See, in the old world, you bought, say, a Cisco firewall and you put it in your office, it was still in your office, you touched it, you know how to manage it. Now, the problem of course is all the bad guys also knew the credentials to it and they could get in. So, that was a slightly different risk. The old model, the risk was everyone knew the root password to your Cisco VPN. So, that was a problem.
But in the new world, you are now trusting a security vendor to deliver your security services. As an organization, you have to be comfortable with that level of risk. Now, in the last 10 years, we’ve gotten comfortable putting all our proprietary sales data in Salesforce. We put all our proprietary files in Dropbox. We put all our proprietary emails in G Suite, in the cloud. So, folks have got more and more comfortable, but there is a risk associated with saving your resources or trusting another third party. So, that’s one thing.
The other one, I think, the risk, and this to me is a big risk is you just stop caring as much when you hand over the service to somebody else, and you see this where, “Hey, why is this service slow?” “Oh, it’s not my fault, I purchased so-and-so vendor, it’s that vendor’s fault.” No, I think the IT team is still responsible for a poor user experience, even if you purchase a vendor. I don’t think we should let IT teams off the hook. Just because you checked a box and you purchase some third-party vendor doesn’t mean you’re off the hook. So, I personally think IT teams should still stay responsible for the user experience and the quality of service and so on, even after they purchase an SSE product.

Den Jones:

Yeah. Look, yeah, I don’t think it removes your accountability or responsibility as a service provider. If you’re the IT team and you’re responsible for delivering email services or collaboration services, regardless of where you source and how you deliver that, it doesn’t change your responsibility to be the person on the hook for delivering the best experience you can to your workforce. That comes from a guy who’s spent 25 years delivering shit to thousands of people.

Tarun Desikan:

How did you retain that control? At some point, when you touched every server that you owned, you could feel the ownership and responsibility for the experience. But when you’re just going and buying service providers, how do you retain that feeling of, “I control it, I want to deliver the best experience for my users”? Instead of waving your hands and saying, “It’s up to somebody else”?

Den Jones:

Well, I think it is, I’ll use Okta as an example, because a lot of people, especially a lot of our customers, use Okta as well. In Adobe, we were an Okta shop, and before Okta, we were homegrown built our SSO platform with clusters of servers and a couple of people in the team that looked after it. The reality is we didn’t have enough full-time staff to really deliver the best quality of service to manage and maintain and patch servers, patch applications, upgrade applications. I mean, the whole life cycle of the thing. Now, if I even talk about before my Adobe team met Banyan, we were hodgepodging what we thought of as our zero trust remote access solution. A lot of it was duct tape, smoke and mirrors of things that we were running internally. I asked the team, “Go find me a vendor that will be cloud-native, cloud-first, so that we don’t need to do that.”
That’s when the architects discovered Banyan and we went into a partnership together with the Adobe and Banyan team, so that we could get a cloud-first service. Now, if I put my Adobe hat on for a minute, where my predecessor has this responsibility, just because Banyan is delivered in a cloud service, it doesn’t mean that he’s negated away from the responsibility of 40,000 people still using that service, and accessing apps and services on a daily basis. It’s dial-tone service. So, if there’s a problem with the Banyan platform and the accessibility of everybody in Adobe to do their job, it’s still on him. They don’t give a shit, and nor should they give a shit. I kind of put it like that. Now, from an SSE perspective, buzzword bingo and all that nonsense, what is the one feature you are most excited about in our up-and-coming launch? What was that one thing that you think, “Oh, this is brilliant”?

Tarun Desikan:

Yeah, well, I love how we think about Trust Profiles. The feature is called Trust Profiles. The idea is, historically, it has been one size fits all for an organization. Either you’re on the network or you’re not. Either you’re on the VPN or you’re not. What Trust Profiles do in Banyan is allow you to treat different devices differently. So, you can treat a managed device that you are shipping differently from a contractor managed device that is managed by somebody else, from a bring your own device, from a completely unregistered device, where you have to give clientless access to resources.
So, it really highlights the fact that Banyan has thought about this world from a first-principles approach. We’re not a hammer that says, “You must be on my network to access resources.” It recognizes the different types of users, the different types of applications. So, if I were to choose one feature, that would be Trust Profiles. And Trust Profiles are reflected everywhere in Banyan. You use Trust Profiles for access to which resources you have access to. You can use Trust Profiles to say, “Hey, these are the threats I need to protect you against.” So, it’s used broadly. But just the ability to think about devices differently, think about policies differently for those devices. That’s the one feature that I love.

Den Jones:

From a business benefit, how would you describe that business benefit to people?

Tarun Desikan:

Yeah. The clear business benefit is you don’t use the hammer for every approach. Say marketing onboards a contractor and needs to give them access to HubSpot. In many organizations, that poor contractor will have to either get a fully managed device from the vendor, from the company, or they’ll have to go download like a Cisco AnyConnect VPN, and essentially let that Cisco AnyConnect VPN do whatever it wants on the device to give access. So, the tangible benefit for Banyan is we can give you clientless access just to HubSpot, just for that user, securely with all the controls you need. The ability to do that for a targeted population and to really reduce the friction, it saves the company a lot of money, but honestly makes the employees so much happier.

Den Jones:

Yeah.

Tarun Desikan:

People, I know there are some, I had a call earlier today where the guy was like, “We focus on organizations on secure environments, where we don’t care about the user experience.” I’m laughing, I’m like, “Well, that’s the government, that’s the banks. Okay, I understand. You have highly regulated industries that require that.” No, we focus on people who care about user experience. I think it’s really important to provide a great user experience.

Den Jones:

Well, it’s funny, because even a highly-regulated environment, I mean, you still don’t want people complaining and knocking on your door.

Tarun Desikan:

Yeah, I feel like, yeah, exactly, I mean is that why our government sucks? Is it because the security vendors give them such terrible user experiences, they’re like, “I’m going to take it out on you”? No, I feel like user experience should be uniformly good for everybody. You shouldn’t compromise security for user experience.

Den Jones:

Yeah. It’s funny, because you’d normally think of a bit of a trade-off between improving security at the expense of user experience. Whereas what we found is you have in… I say we found, in Adobe, what we found was you can improve security and improve user experience and it’s a win-win. For me, that’s the goal, that’s the goal. Now, hey, we’re about 25 minutes in on this, Tarun, I don’t want to take up all your time. I know, because of your blurred background, that you’re in Tahoe, it’s a sunny day outside, there’s been a big dumping of fresh powder, you’re really just dying to go there and secure a snowboard edge. I mean, is that the edge that you’re looking for, I guess?

Tarun Desikan:

Oh man, listen, if there was an SSE solution that provided a secure snowboard edge, a guaranteed edge, no matter which slope I was coming down, I would [inaudible 00:24:50].

Den Jones:

You’d be all in on that business.

Tarun Desikan:

Be all in on that.

Den Jones:

[inaudible 00:24:53] that business. Now, yeah, you’re going to get to go to the slopes, I’m going to join some meetings and talk to prospects and stuff like that and all that business. Yeah, it is a different life, I guess, the life of a snowboarding founder. Yeah, look, hey, I appreciate your time. This has been awesome. We have this pod, we’ve got many other podcasts, we’ve got blogs. Are we going to have blogs? Are you going to be writing anything about this SSE business or we have other people on the team that do that for you, right?

Tarun Desikan:

Both. But I am writing one on how to evaluate SSE. I think one of the biggest requirements for an industry as you adopt a new technology is not to just buy something because your buddy bought it, or your boss told you to buy it. I think it’s really important for a new technology stack to use the product, try it in different scenarios. Every organization, I mean, one thing we have learned and then you’ve known this is every organization is different. They have different culture, they have different tools, they just have a different way with dealing with problems. It’s incumbent on IT leadership to actually try a few different tools. In today’s cloud world, the switching cost is so low, there is no excuse for you not to say, “I tried A, B, C, and C is the best fit.” That to me is my big hope for the industry is that they get into the habit of trying a tool, using it. There’s so much innovation today, the switching costs are so low. I think try it and if it’s a good product, it should work well for you.

Den Jones:

I think the big thing as well, these terms like digital transformation, zero trust, EDR, XDR, SSE, they’re all buzzword bingo. At the end of the day, we solve concrete problems and the industry, as a practitioner, we are paid to solve concrete problems. So, if accessing your apps and services remotely from any location is a problem that you’re still struggling with, then I’d certainly say, “Hey, this is something to take a look at and peel it back.” Then I was in a call this morning with the CISO at a bank, and we’d met at a trade show and his whole struggle was, “Hey, I want to get started, but I’m struggling on how and where.”
Our conversation was like, “Hey, within your own team, grab 10 or 15 people. Grab one application that you are responsible for that actually should be super secured anyway, and let’s focus on playing around with that. Because if you have your team get to taste it, feel it, touch it, then they’ll know what the experience is like and they’ll know what the security benefits are, because you’re doing it.” That’s what we’ve done at Adobe. That’s what we’ve done at Cisco. That’s how we even do at Banyan, right?

Tarun Desikan:

Yeah.

Den Jones:

So, the reality is get started and then-

Tarun Desikan:

Get started now.

Den Jones:

… get it done.

Tarun Desikan:

Oh, get it done. Sorry, you’re right.

Den Jones:

Get it started and get it done, Tarun.

Tarun Desikan:

Awesome, thank you, Den.

Den Jones:

Hey, thank you very much. I appreciate your time. Always a pleasure. Thank you.

Speaker 1:

Thanks for listening. To learn more about Banyan Security and find future episodes of the podcast, please visit us at banyansecurity.io. Special thanks to UrbanPunks for providing the music for this episode. You can find their track, Summer Silk, and all their music at urbanpunks.com.
