Think about the collection of networks that exist in an enterprise as the underlay. We want them to be highly available and high-performing. Some of them we own and operate ourselves as an enterprise; some we effectively borrow, whether that is remote access running over the public internet or networks provided by hyperscalers. The basic premise is that we want to leverage those underlying networks regardless of the technology involved, and orchestrate an identity-based overlay across them. Learn more in this short interview with Elisity.
Mike Matchett: [00:00:00] Hi, Mike Matchett with Small World Big Data. We are here talking with James Winebrenner, who is a, you know, real expert in security, and he's got quite a long history. I'll let him explain that today, but he's managed to put together a company now called Elisity, which is focusing on identity access. And it's kind of an interesting way. It's going to take us a little while to unpack this, but we're really looking at how do you go from an implicit trust model, where you have networks and fortresses and castles, to this kind of explicit trust model, where you've got more of an amorphous network across the world and you've got to specifically say this user can access this data, can access this network, can access this, and work at that level and have the system automatically understand that. That, in a nutshell, is what we're going to talk about today. Welcome, James.
James Winebrenner: [00:00:52] Thanks, Mike. It's great to be here.
Mike Matchett: [00:00:53] So let's start out. You have an interesting background. You've been at Cisco, you've been in Sudan. Tell us a little bit about what your experience has been.
James Winebrenner: [00:01:02] Yeah, absolutely. So I actually started my career twenty-five years ago at Check Point Software, so I started in the security space and, you know, have seen the evolution, as I've worked in security and infrastructure roles, of security being primarily a perimeter-focused exercise to obviously now understanding that we live in a perimeter-less world. And so the proliferation of security controls across, you know, across traditional networks, across the cloud edge, et cetera, obviously has been very important. As you mentioned, I did a tour of duty with Cisco and then left to build go-to-market for a company called Viptela, which became a leader in the software-defined wide area networking space, and then returned to Cisco when we were acquired in 2017. And I'm excited to be building something again with Elisity.
Mike Matchett: [00:02:03] All right. And so you've obviously noted, and we were talking earlier, that one of the big problems with what's going on today is security, and you can't just solve security in one place, right? It's no longer sufficient to say, let's do security up to the firewall, or let's do security on the WAN, or let's just do security in our VLANs inside. Security has to be more end to end, and where the end is is pretty flexible these days for folks, right? How do you sort of see that evolving?
James Winebrenner: [00:02:31] Yeah, absolutely. I think there are two big points. One, it's very difficult to try and build systems and build policies for a place in the network. You know, obviously the idea of a traditional kind of castle-and-moat approach doesn't make a lot of sense in a world where most organizations' treasure, in terms of their applications and their data, has moved into the cloud or into a number of clouds. And then, with the advent of COVID, the villagers all left the castle too. So the idea of that kind of traditional perimeter-based approach to building systems and building policy doesn't make sense. What we really want to do is look at being in a situation where we just assume that we don't trust the underlying network, no matter what, right? And instead of trying to build policy around those network constructs, what we want to build policy around is what actually makes sense to the business, which is the identity of the enterprise's assets. So, users, applications, data and devices, and how those different assets should interact in a least-privileged manner; build that policy and then make that policy available to be instantiated really across any underlying network, whether that's the premises, remote access or the cloud edge.
Mike Matchett: [00:03:54] All right. So let me see if I can summarize that. So we want to build security policies at the level of the objects that are doing things that need to be secured. So we've got users, they want to access data, they're on certain devices, they want to access a given app. That's the level at which we want to define our policy. Then when we look at our IT architectures, we've got networks, we've got complex layers and layers of different networks, the underlying networks of various different kinds that you mentioned, from VPNs to cloud to edge and so on. And to take a security policy that's written at that sort of business layer and then make it so in the networking layer traditionally involved going to lots of network devices and putting in lots of different ACLs and things like that, right? This is almost, I mean, I don't want to say firmware, but it was very much an exercise in trying to stay current, which is almost futile. And what you are coming along now and saying is, look, look, we can do something better. Maybe you can explain then how you take a business-level security policy and instantiate it, I think instantiated is the word you used, into the networks that the company might have.
James Winebrenner: [00:05:01] Yes. So the basic premise is to think about the collection of networks that exist in the underlay as being just that. Think about them as underlay. We want them to be highly available. We want them to be high-performing. Some of those we own and operate ourselves as an enterprise, some of those we sort of borrow, whether that's remote access running over the public internet, or some of those now are provided by the hyperscale cloud providers. But the basic premise is that I want to leverage those underlying networks really regardless of what that technology is, but then be able to orchestrate an identity-based overlay across any number of those, right? And I could think about, you know, going from an enterprise manufacturing floor on-prem directly into the cloud edge to be able to provide data from a process controller that I want to be able to take action on in the cloud, and be able to only allow that access in the overlay where it's explicitly authorized by the identity-based policy. Similarly, if I bring a remote user in that might be working from home or working from Starbucks, be able to provide that least-privileged access. They're only able to access the applications that are required, and some of those applications may be hosted still on-prem in a private data center, some of them may be hosted in the cloud, but be able to manage a consistent policy for both.
Mike Matchett: [00:06:40] And even if that user moves around, so they're at Starbucks, or, you mentioned, one day in their office and accessing at home the next, you've only got one policy now for that user and that application, and the engine that is Elisity in between is going to keep up with that and say, like, we're going to make that security policy consistently applied to that user and that application, that data, no matter what the networking situation is that day.
James Winebrenner: [00:07:05] Correct. And it's this idea of continuous verification, right? So it's the identity of the user, of the device. And then it's the context of where are they and what are the other contextual elements about them, and then be able to provide that least-privileged access based on those attributes.
Mike Matchett: [00:07:26] OK. And so does this replace, like, Active Directory and Okta and some of those other things? Or, you know, how do you actually implement this?
James Winebrenner: [00:07:35] Great question. So, no, we don't replace existing sources of identity or existing identity providers; we actually work in concert with those. So things like Active Directory or Azure AD, Okta, et cetera. But being able to understand, once I've identified a user, where that user is and what they're allowed to have access to, and then build that identity-based overlay based upon that identity. Similarly, think about cases where it's not a user. And so we need to be able to identify a device and what that device should have access to, whether it's something as simple as an IoT device running on the network, an Apple TV or a Sonos, or something far more complicated, like a process controller running on a manufacturing floor.
Mike Matchett: [00:08:27] All right. So what's emerging in my mind is this idea that, you know, we had some of these capabilities in SD-WAN, we had some micro-segmentation abilities in VLANs where we could set that up. We had some of this, some stability in some of the ways we could actually implement some application Zerto. But it's not consistent across everything. There's no, like, one policy. And what you're saying is you then can come in from the policy and really take over and automate the implementation of that, whether it's across the WAN or the VLANs or the LANs or whatever else. And we don't have to try to manually map that up anymore.
James Winebrenner: [00:09:04] Correct, right. We want to abstract the identity of those assets, the users, the applications, the data and devices, and manage the least-privileged policy at that identity-based level. And then be able to leverage that policy across a lot of those different sort of traditional networking constructs that you mentioned, without having to go back and manually provide all those mappings to a particular plan or segment or network construct.
Mike Matchett: [00:09:31] I think it's going to take a while for some people to wrap their head around exactly what you're saying, because at one level, it seems like it's a complex thing to unwrap. On another level, it seems too simple, too good to be true, that I can actually say, I want this user to access that app, and that's all I have to say, securely, and you have the policy engine in the middle that's going to make it so. So that's really cool. I like it. And I believe you also mentioned, just in passing, that you have some VPN-like service, direct access, that you have something. So Elisity's a cloud service, then?
James Winebrenner: [00:10:03] So, Elisity is provided as a cloud-based subscription. And so any company can onboard, integrate with their existing identity provider and begin building policy right away. One of the places that a number of our customers start is with replacing their traditional legacy VPN technologies, the sort of hardware-based VPN concentrator, and bringing users into the Elisity access service. And then that policy that they're building for least-privileged access for those users: when those users come back on site, that policy follows them, and we can implement that policy across the enterprise network and in the cloud as well.
Mike Matchett: [00:10:47] So really, starting with the remote users, which is a big thing for a lot of people in the last couple of years with the pandemic and going remote. So somebody doesn't have to do a whole lift and shift here if they want to start doing a better job of this micro-segmentation, the least-privileged networking, and get to more of this explicit model of trust, I believe you're talking about. They can just start with the remote users, and whatever investment they make in that policy will continue because of the way you're mapping it. They don't have to then go and update that when that user comes back into the office or, as you said, goes to Starbucks. Here's another plug for a coffee shop; I don't know why we're doing that. This is very cool. So, you know, I think there's a great idea here, James, and how do you see people starting? What would you recommend they start with if they were to do this with those remote users? How would someone look more into Elisity and get started with it?
James Winebrenner: [00:11:38] Yeah, I mean, so as I said, we built the platform to be very simple to get started: to integrate with existing identity providers, to start to understand what assets exist on the network, and then begin to build those policies. And again, the goal here is to not make perfect the enemy of the good. When we talk about moving from an implicit trust model, where, sort of based on my location, I kind of have access to everything, to an explicit trust model, if I have to try and define all of that policy up front, that can be overwhelming for a lot of organizations. So the goal is to get started and to start moving things over time. I can identify more of the applications, more of that least-privileged access, and start authorizing more of that access. And then at the same time, understand things that should be denied. And eventually I get to the point where the things that are sort of in the middle, if you will, that were allowed but unauthorized, that goes to zero. But there's a ton of incremental value in getting started along the way, and we make it very simple for customers to get onboarded, and typically, especially with a cloud-based IDP like Azure AD as an example, we can be up and running in under 30 minutes and begin building that policy for user application access.
Mike Matchett: [00:13:00] And you guys are definitely going to see some interest from lots of different companies with big challenges, I imagine, and, you know, everything from manufacturing to health care to even just sort of medium enterprises that have some challenges with where their remote users are today. If any of those folks are interested in finding out more information, what would you have them do?
James Winebrenner: [00:13:25] So obviously, there's a ton of data available on our website, and you can also request a demo and a proof of concept through the website, and we're available in the marketplace to make it very easy for customers to get started and onboard.
Mike Matchett: [00:13:47] Oh, it's great, bring your credit card and you can get going right away. Do that all the time. Awesome. Well, thank you for explaining this. I know this is a lot to unpack for some people, but take a look at it; it's something that you might want to bring your security and networking people together to evaluate, because it can make both their jobs easier. Thank you, James, for being here.
James Winebrenner: [00:14:08] Great, Mike, I appreciate it, and thank you very much for the discussion.
Mike Matchett: [00:14:12] All right. Take care, everyone.