I talked to a company here called Elisity, with an E, and they are moving from this idea of having an implicit trust model set up for devices on a network to an explicit trust model. What they mean by that, I think, and I think we'll see it in a clip that I'm going to show you here in a minute, is that in an implicit model you're sitting inside an organization and anything inside the firewall you can trust. In an explicit model, it's a little bit more like zero trust for everything: I have to make sure that I authenticate and understand everything every time it connects or wants to talk to something. It's really hard to do, though. Once you get outside the perimeter of the data center or the organization, say someone's at a coffee shop, Dave, how do you implement trust there? Equally, if someone's in the company, how do you make sure that they can only get to a certain part of your network? It's basically like saying, ideally what I want is a VPN between the user and anything he does, explicitly defined every time they connect, no matter where they're at, right? Which is a big task to ask somebody to do, because we think of networks as the way that everything ties together. And now we want to say, really, what I want to do is create channels in that network that are hardwired, or at least flexibly wired, based upon some sort of identification of that user. That's the best analogy I can come up with right now off the top of my head. But let's roll the clip and talk to Elisity about what they're doing in their words.
Dave Littman: [00:22:02] Okay, sounds good. Let's go to the clip and we'll finish up with BlueCat after we speak with Elisity.
Elisity: [00:22:09] Digital transformation is driving businesses today with the shift to cloud and remote workforces. Access is still managed with legacy security solutions. This creates huge challenges for enterprises: fragmented islands of identity and policy that are difficult to manage at scale, the impossibility of providing the right level of access for every user, device and resource, and the inability of systems to adapt as user behavior changes. The result is not only increased cost and complexity for customers, but also increased attacks, and no amount of architecture turns legacy tools into solutions. Enter Elisity Cognitive Trust. Elisity is the industry's first cloud-delivered solution that combines zero trust networking with software-defined perimeter. With Elisity, enterprises have the tools they need for attack prevention and access protection from a centralized portal. Elisity lets you provide the right level of access for every user, app and device. Access is also controlled based on context like location, time of day, risk and trust scores, and the sensitivity of data, enabling secure access across every domain, including cloud, DC, SaaS, campus, branch and remote access. Access is never taken for granted. It is constantly monitored and verified by a built-in AI; automatic policy recommendations ensure security is maintained. Bid farewell to traditional network-based security constructs like IP, MAC, ACL, VLAN, VPN and VRFs; with ICT, access is based on identity. Elisity provides in-depth visibility and analytics across all domains. Administrators can monitor user behavior and risk whether they are accessing resources from remote locations or locally, and implement just-in-time and just-enough access. Elisity is a true transformation in enterprise security, providing cognitive trust and access across your entire digital footprint.
Mike Matchett: [00:24:27] Welcome, James.
James Winebrenner: [00:24:30] Thanks, Mike. It's great to be here.
Mike Matchett: [00:24:31] So let's start out. You have an interesting background. You've been at Cisco, you've been in SD-WAN. Tell us a little bit about what your experience has been.
James Winebrenner: [00:24:40] Yeah, absolutely. So I actually started my career twenty-five years ago at Check Point Software, so I started in the security space and, you know, have seen the evolution, as I've worked in security and infrastructure roles, of security being primarily a perimeter-focused exercise to obviously now understanding that we live in a perimeterless world. And so the proliferation of security controls across, you know, traditional networks, across the cloud edge, et cetera, obviously has been very important. As you mentioned, I did a tour of duty with Cisco and then left to build go-to-market for a company called Viptela, which became a leader in the software-defined wide area networking space, and then returned to Cisco when we were acquired in 2017. And I'm excited to be building something again with Elisity.
Mike Matchett: [00:25:41] All right. And so you've obviously noted, and we were talking earlier, that one of the big problems with what's going on today is security, and you can't just solve security in one place, right? It's no longer sufficient to say, let's do security up to the firewall, or let's do security on the LAN, or let's just do security in our VLANs inside. Security has to be more end to end, and where the end is is pretty flexible these days for folks, right? How do you sort of see that evolving?
James Winebrenner: [00:26:09] Yeah, absolutely. I think there are two big points there. One, it's very difficult to try and build systems and build policies for a place in the network. You know, obviously the idea of a traditional kind of castle-and-moat approach doesn't make a lot of sense in a world where most organizations' treasure, in terms of their applications and their data, has moved into the cloud or into a number of clouds. And then, with the advent of COVID, the villagers all left the castle too. So the idea of that kind of traditional perimeter-based approach to building systems and building policy doesn't make sense. What we really want to do is be in a situation where we just assume that we don't trust the underlying network, no matter what, right? And instead of trying to build policy around those network constructs, we want to build policy around what actually makes sense to the business, which is the identity of the enterprise's assets. So users, applications, data and devices, and how those different assets should interact in a least-privileged manner. Build that policy and then make that policy available to be instantiated really across any underlying network, whether that's on-prem, remote access or the cloud edge.
Mike Matchett: [00:27:32] All right. So let me see if I can summarize that. We want to build security policies at the level of the objects that are doing things that need to be secured. So we have users, they want to access data, they're on certain devices, they want to access a given app. That's the level at which we want to define our policy. Then when we look at our IT architectures, we've got networks, we've got complex layers and layers of different networks, the underlying networks of various different kinds you mentioned, from VPNs to cloud to edge and so on. And to take a security policy that's written at that sort of business layer and then make it so in the networking layer traditionally involved going to lots of network devices and putting in lots of different ACLs and things like that, right? This is almost, I mean, I don't want to say firmware, but it was very much an exercise in trying to stay current, which is almost futile. And what you are coming along now and saying is, look, we can do something better. Maybe you can explain then how you take a business-level security policy and instantiate it, I think is the word you used, into the networks that the company might have.
James Winebrenner: [00:28:39] Yes. So the basic premise is to think about the collection of networks that exist in the underlay as being just that. Think about them as underlay. We want them to be highly available, we want them to be high performing. Some of those we own and operate ourselves as an enterprise, some of those we sort of borrow, whether that's remote access running over the public internet, or some of those now are provided by the hyperscale cloud providers. But the basic premise is that I want to leverage those underlying networks really regardless of what that technology is, but then be able to orchestrate an identity-based overlay across any number of those, right? And I could think about going from an enterprise manufacturing floor on-prem directly into the cloud edge to be able to provide data from a process controller that I want to be able to take action on in the cloud, and be able to only allow that access in the overlay where it's explicitly authorized by the identity-based policy. Similarly, if I bring a remote user in that might be working from home or working from Starbucks, be able to provide that least-privileged access. They are only able to access the applications that are required, and some of those applications may be hosted still on-prem in a private data center, some of them may be hosted in the cloud, but be able to manage a consistent policy for both.
Mike Matchett: [00:30:18] And even if that user moves around, so they're at Starbucks, you mentioned, one day, now in your office, and accessing at home the next. You've only got one policy now for that user and that application, and the engine that is Elisity in between is going to keep up with that and say, we're going to make that security policy consistently applied to that user and that application, that data, no matter what the networking situation is that day.
James Winebrenner: [00:30:43] Correct. And it's this idea of continuous verification, right? So it's the identity of the user, of the device, and then it's the context of where are they and what are the other contextual elements about them, and then be able to provide that least-privileged access based on those attributes.
Mike Matchett: [00:31:04] Ok. And so does this replace like Active Directory and Okta and some of those other things? Or, you know, how do you actually implement this?
James Winebrenner: [00:31:13] Great question. So no, we don't replace existing sources of identity or existing identity providers; we actually work in concert with those. So things like Active Directory or Azure AD, Okta, et cetera. But being able to understand, once I've identified a user, where that user is and what they're allowed to have access to, and then build that identity-based overlay based upon that identity. Similarly, think about cases where it's not a user. And so we need to be able to identify a device and what that device should have access to, whether it's something as simple as an IoT device running on the network, an Apple TV or a Sonos, or something far more complicated, like a process controller running on a manufacturing floor.
Mike Matchett: [00:32:05] Right. So what's emerging in my mind is this idea that, you know, we had some of these capabilities in SD-WAN, we had some micro-segmentation abilities in VLANs where we could set that up. We had some of this ability in some of the ways we could actually implement some applications. But it's not consistent across everything. There's no one policy, and what you're saying is Elisity then can come in from the policy and really take over and automate the implementation of that, whether it's across the WAN or the VLANs or the LANs or whatever else. And we don't have to try to manually map that up anymore.
James Winebrenner: [00:32:42] Correct, right. We want to abstract the identity of those assets, the users, the applications, the data and devices, and manage the least-privileged policy at that identity-based level, and then be able to leverage that policy across a lot of those different sort of traditional networking constructs that you mentioned without having to go back and manually provide all those mappings to a particular VLAN or segment or network construct.
Mike Matchett: [00:33:09] I think it's going to take a while for some people to wrap their head around what you're saying, because at one level it seems like it's a complex thing to unwrap. On another level, it seems too simple, too good to be true, that I can actually say, I want this user to access that app, and that's all I have to say, securely. And you have the policy engine in the middle that's going to make it so. So that's really cool. I like it. And I believe you also mentioned just in passing that you have some VPN-like service, direct access, that you have something. So Elisity's a cloud service, then?
James Winebrenner: [00:33:41] So Elisity is provided as a cloud-based subscription, and so any company can onboard, integrate with their existing identity provider and begin building policy right away. One of the places that a number of our customers start is with replacing their traditional legacy VPN technologies, the sort of hardware-based VPN concentrator, and bringing users into the Elisity access service. And then that policy that they're building for least-privileged access for those users, when those users come back on site, that policy follows them, and we can implement that policy across the enterprise network and in the cloud as well.
Mike Matchett: [00:34:25] So really, starting with the remote users, which is a big thing for a lot of people in the last couple of years with the pandemic and the move to remote. So somebody doesn't have to do a whole lift and shift here if they want to start doing a better job of this micro-segmentation, the least-privileged networking, and get to more of this explicit model of trust, I believe you're talking about. They can just start with their remote users, and whatever investment they make in that policy will continue because of the way you're mapping it. They don't have to then go and update that when that user comes back into the office or, let's say, goes to Starbucks; there's another plug for a coffee shop, I don't know why we're doing that. This is very cool. So, you know, I think there's a great idea here, James. And how do you see people starting? What would you recommend they start with if they were to do this with those remote users? How would someone look more into Elisity and get started with it?
James Winebrenner: [00:35:16] Yeah, I mean, as I said, we built the platform to be very simple to get started, to integrate with existing identity providers, to start to understand what assets exist on the network, and then begin to build those policies. And again, the goal here is to not make perfect the enemy of the good. When we talk about moving from an implicit trust model, where sort of based on my location I kind of have access to everything, to an explicit trust model, if I have to try and define all of that policy up front, that can be overwhelming for a lot of organizations. So the goal is to get started and to start moving things over time. I can identify more of the applications, more of the least-privileged access, and start authorizing more of that access. And then at the same time, understand things that should be denied. And eventually I get to the point where the things that are in the middle, if you will, that were allowed but unauthorized, that goes to zero. But there's a ton of incremental value in getting started along the way. And we make it very simple for customers to get on board, and typically, especially with a cloud-based IdP like Azure, as an example, we can be up and running in under 30 minutes and begin building that policy for users' application access.
Mike Matchett: [00:36:38] And you guys are definitely going to see some interest from lots of different companies with big challenges, I imagine, and you know, everything from manufacturing to health care to even just medium enterprises that have some challenges with where their remote users are today. I think if any of those folks are interested in finding out more information, what would you have them do?
James Winebrenner: [00:37:03] So obviously, there's a ton of data available on our website, and you can also, through the website, request a demo and a proof of concept, and we're available in the marketplace to make it very easy for customers to get started and on board.
Mike Matchett: [00:37:25] Oh, it was great to bring your credit card and you can get going right away. Do that all the time. Awesome. Well, thank you for explaining this. I know this is a lot to unpack for some people, but take a look at it in something that you might want to bring your security and networking people together to evaluate because it can make both their jobs easier. Thank you, James, for being here.
James Winebrenner: [00:37:46] Great, Mike, I appreciate it, and thank you very much for the discussion.
Dave Littman: [00:37:51] All right. So you know, Mike, we've spoken to iX, you spoke to Elisity. Do you see any common thread between the two technologies?
Mike Matchett: [00:38:00] I don't know if it's common, but I think you start to see this idea that they build upon each other into a sort of a new world of computing where I can put my data anywhere, I can move that perimeter of where I'm actually computing wherever I need to, to be more efficient or be more cost effective, or to reach my users and be more performant, whatever my criteria is. And now, with something like Elisity, you can start to see how the security layer is going to support that, because we're going to have this explicit trust model where I take my business policies for security and it implements them in the network and creates really this idea of continuous verification and an adaptive virtual private networking overlay, no matter where you are, no matter who's connecting. And then you have the very explicit control over who gets access to what, no matter where it is. So: iX, start putting your data wherever you want; Elisity, start controlling who has access to the data, no matter where they are. Right. So