Video: What comes after VPN and NAC: Reimagine secure access for a zero trust world | Duration: 2061s | Summary: What comes after VPN and NAC: Reimagine secure access for a zero trust world | Chapters: Introducing Zero Trust Access (55s), Rethinking Perimeter Security (108s), Zero Trust Architecture (261s), Resistance to Change (531s), Evolving Security Architecture (712s), Cloud-Centric Security Evolution (831s), Evolving Access Control (1018s), Universal ZTNA Approach (1229s), Conclusion and Advice (1571s)
Transcript for "What comes after VPN and NAC: Reimagine secure access for a zero trust world":
Welcome everyone to today's webinar. My name is Mike Anderson. I'm the chief digital and information officer here at Netskope. And I'm excited to introduce a very exciting topic that we have some great guests here to talk about. We're talking about what comes after VPN and network access control and how we reimagine access for a zero trust world. You know, the perimeter of our organization has changed. You know, our traditional VPNs and NACs, they're increasingly difficult to manage. And as we think about the new perimeter of our organizations, which is really our users and data and how we apply zero trust principles, there's a lot of different things that we have to consider. And I'm excited that we have two great speakers here today. First, we have Mark Fabbi, who's a former Gartner vice president and distinguished analyst. And we also have Steve Riley, who is also a former Gartner analyst and a field CTO here at Netskope. And so with that, I wanna welcome Steve and Mark to the stage. Hey. Thanks, Mike. And hey, Mark. It's great to see you. How you been? Doing well, Steve. Happy to be here. Yeah. Thanks for joining. You know, I feel like the industry has been discussing this notion of perimeters for a long time and how they've changed. I can remember even back in, like, 2003 when I was at Microsoft, I wrote and spoke about the death of the DMZ and "the perimeter is dead." Are we finally at the point now, do you think, where this is a reality? I think we probably are because, you know, when we think of the world that we're in at this point, users, applications, you know, devices, they can be anywhere. And so I think, you know, we're at this stage where we really have to start rethinking how we look at that mapping from, you know, users to applications and so on. And, you know, when I think about it, one thought that I used when I was advising CIOs and heads of infrastructure was this idea of, you know, follow the application flows. 
And that really teaches us everything we need in terms of how we build infrastructure. You know, we don't build infrastructure for the fun of building infrastructure. We build it to support I did. I think probably we all did at some point. Right? Yeah. It's early. Yeah. Reality is that there's a purpose for it. Yeah. That's true. So if we think about maybe where we're headed now, I think it's kind of interesting how, especially the zero trust principles, you know, they're not new. They've been around for a while. You can go back to some academic papers in 1995 that discussed trust in digital systems. And, you know, I almost think it's impossible to eliminate trust. It's more like we need to figure out how to manage it the right way. What have you actually seen emerge in the market that can help companies begin to adopt these principles and make them a reality in their environments and how they conduct their business? Yeah. I think the key here really is, you know, understanding, you know, the users and applications that we have and so on. So this idea, you're right. You know, at some level, we have to trust something. Right? Yeah. And, so, yeah, I think we have to decide, okay. Now what in our overall environment, what's the model in terms of how we bring that level of trust, you know, into this zero trust kind of atmosphere, environment that we're trying to build here? But at a certain level, there has to be something that we do. And, you know, when I think about the whole idea of, you know, again, these application architectures and so on and the loss of perimeter, in fact, you know, I think maybe we redefine the perimeter and the perimeter's around our users and devices now. Yeah. Yeah. Right? And so we totally flipped the architecture on its ear, where, you know, the perimeter used to be protecting our assets. They were in a data center and they were in our, you know, corporate locations and so on. 
We sort of trusted all that stuff because we controlled it. Well, the only thing that we control now are our people. And those people are sometimes, you know, on prem, sometimes they're off prem, you know, that whole idea of a hybrid user. But if you think about the application flows, hub and spoke has been turned inside out. You know, the hub used to be that data center where we could control things and trusted things because that was our core environment. And the spokes were all the users and so on in terms of how we got into that core. The hub of our new world is actually the user. And the spokes are all that long tail, and growing tail, of applications and resources that we use as users. And so the trust model starts thinking, okay. Now it's a user base going to this great unknown. Right? And so again, this model has been literally turned inside out. Mhmm. Yeah. It was interesting. When I was working on the ZTNA market guide back in my time at Gartner, it became pretty obvious that, wow, one of the big differences between this and, like, classical VPN, and remember folks, VPN's really old, like, 1996 is the first one, and it was intended for remote admins to tinker with routers, is that VPNs connect devices or networks to other networks, whereas ZTNA connects humans, people, to applications and data. And you're right. That does completely change it, and it makes the human the center now, and what can the human interact with and what can the human not interact with. And, you know, I think, and I know we're gonna touch on this a little bit later, but just sort of, like, to tease folks now, this idea that sort of in the early days of ZTNA, when I was writing that market guide, I had only in mind, like, you know, remote people. But actually, it's really been interesting to think about expanding ZTNA to cover all access no matter where somebody is, even when they're on Corpnet. 
We can maybe come back to chat about that universal ZTNA a little bit later because I am a huge believer in that. I've got kind of a funny story to tell around it. But one thing I like about it, and I'll just say now, and I think you probably might agree, is that we have one place now for companies to be able to manage access for all people. Well, let's say all security principals because soon enough, that's gonna be devices and agents. Manage access from those principals to resources no matter where the principals and the resources sit, which is kind of, you mentioned that earlier. Yeah. And I think that's, you know, a critical aspect, you know. And often when I use the term user, I think beyond just the human user. Yeah. Right? Because we do have to think about devices and, you know, IoT devices and OT and, you know, so I really think about user and it's very abstract, you know, sort of, you know, norm, if you will. Yeah. I guess I'm letting some of that Microsoft-centric thinking still live in my head when I use the word security principal because that's what they do. But I say that sometimes at conferences, people look at me like, what do you mean? So maybe human and nonhuman users is a better way to think about that. Exactly. Yeah. So, you know, the technology here, it's been around for a while. I wouldn't say it's super mature yet, but it does feel like all of the vendors in the ZTNA space have kind of arrived at a similar way of, the fundamentals of enabling that access are kind of similar now. So given that it's been a choice and it's becoming an easier and easier choice for so many buyers, it's curious to think about why VPN and even network admission control, network access control, why those still remain so popular. Do you have any thoughts about that? Yeah. Absolutely. So, you know, I think one aspect is it's easier to maintain what you've got, and so Sure. 
It's just that, you know, just incrementing, you know, yeah, you know, just yeah. And it's almost the flywheel effect. Right? You just gotta keep going with what you're doing. I think almost more important though is how many organizations still measure their infrastructure teams, and it's around availability. So change is scary and change impacts how you're measured, how you're rewarded. You know, so many infrastructure organizations, their primary metric when they're judging their teams is availability. And, you know, we also think about, you know, when people call the help desk, what do they say? It's not that, hey. I can't get access to application x, my finance app or whatever. It's like, hey. The network's down. Right? And so just from a, you know, a human perspective, when you're working in IT and especially on the infrastructure side, change, you know, is disruptive. It's difficult and it can impact your pocketbook. Right? And so the idea of, you know, being resistant to change is one that we've unfortunately made part of the IT culture. And so we haven't necessarily rewarded people for innovation and, you know, user experience and simplifying of operations and so on. And this comes up in infrastructure, it comes up in security. Right? You know? Yeah. You know, we look at, you know, security devices and they have tens or hundreds of thousands of rules because no one ever wants to touch it and modify it and modernize it in case that one rule is an important one. Right? You know, so again, you propagate the old forever and ever and ever and it just creates this operational mess. Yeah. In the late nineties, I, well, in the mid nineties, I connected my employer at the time to the Internet, and that was a fun project to work on. And so I basically ran the firewall up until the late nineties. And the rule sets, you said hundreds of thousands of rules, it would just get bigger and bigger and bigger. 
And it's like, I can't remember all this stuff in my brain. So about once a year, I would delete them all and just kinda sit back, wait for the phone to ring, and see which ones are really important. I don't know if you could do something like that these days given how much more critical the Internet is to so many businesses than it was in the nineties. But anyway, it's kinda fun to do that. Probably doesn't pass the board scrutiny at this point. Do you know what I mean? I think they wouldn't do that anymore. That's right. Yeah. But you know what else has changed from the nineties is the traffic patterns. So, yes, VPNs and NAC were all they were familiar with, but they were principally useful when data was static and when people were static. But you alluded earlier to the fact that data is everywhere and people are going everywhere now. So, I mean, it almost seems like VPNs and NACs don't even see a lot of the traffic anymore, which means we've got to have some kind of security architecture that accommodates this new way we all work. Yeah. Absolutely. And, I think back to my Gartner days here and, you know, so long before Joe Skorupa and Neil MacDonald, you know, did their, you know, groundbreaking work on the taxonomy behind SASE and that whole emerging market, Joe and I wrote a foundational note. It was titled "The Future of Application Is Partly", sorry, "The Future of Application Delivery Is Partly Cloudy." I remember reading that note. Yeah. Yeah. And what we were talking about then is exactly the point you bring up in terms of, well, the environment has changed, application flows have changed. And so, again, you think about it, you know, and this note was written over ten years ago now. And so we were starting to move away from the traditional old architecture. But, again, you know, with perimeter defense on the data center, we could intercept most of our flows. 
And whether that was for application efficiencies, whether that was for security, whether it was for network optimization, and so on, we put all that stuff in the data center. Security devices, WAN optimization, application delivery controllers, because that's how we, you know, we could put that in front of the applications and it was sort of the modern front-end processor. Right? But we were anticipating this era where that wasn't going to be the norm. Right? And so traditional approaches, you're absolutely right, they don't see a growing percent of corporate traffic. And so this idea of, you know, more Internet-based traffic, more, you know, the long tail of Internet-based cloud applications and so on, more mobile users that don't necessarily even connect to the corporate network in some ways, you know, using mobile devices and all this. And so we were looking at all of these future trends at the time. And so I think we wrote this note back in 2014, 2015. And so we were anticipating fundamentally how this was gonna change. And then we looked at, well, then how do we provide this whole suite of services to improve application performance, and performance not just in terms of how quick, but in terms of security and efficiency and all this kind of stuff. And we came to this conclusion that those services had to reside in the cloud. So we had to move from this device-centric, data-center-centric model to a highly distributed, but, you know, model where we had a whole suite of services that we could apply. And that would be, you know, really a cloud-centric, services-based model. Mhmm. Yeah. But I can remember some of the early days of those cloud models. You know, I feel like I was pretty fortunate to be at Amazon Web Services for a couple years right at the beginning of cloud, 2009, 2010. 
And I noticed that customers were having to contend now basically with two disparate sets of controls and access. There's the on-premises controls and on-premises access. There's the cloud controls and the cloud-based access. And I think, you know, that might have been some part of the friction of those early cloud days, is that to be, like, in the cloud meant that J. Random Employee would have to tinker with the infrastructure in some fashion to get wherever they wanted to go. And so I think that I'm glad those days are behind us and that now customers have a nice wide array of choices of tools and techniques and vendors they can pick from who can offer this sort of unified way of securing the entire estate, whether it's components in a data center or in the cloud, and its people, no matter where they happen to be. They don't have to think about what or how to get to what they wanna do. They can just concentrate on getting their work done while simultaneously being secure. It's kinda like striking that right balance. Right? We as providers of this great technology can help our customers strike that balance so that people can get work done without introducing unnecessary security friction, you know, like going around just to get that work done. Yeah. I mean, you're absolutely right there. And I think the transition's difficult because, you know, we are going from that very controlled, you know, centralized environment to one where we're not really sure of how decentralized it was going to become. And so I think you're right, in those early days that transition was difficult. But also that brings to mind some of the related research that Joe and I did looking at how this market might evolve. And another, you know, term that I used fairly often in those days was this idea of the ping-ponging effect. Oh, yeah. You know, so there was lots of innovation starting in those days. Right? 
There were some cloud services and there were some of the early vendors, but they typically offered one service. And so now, but, you know, if you think about an application flow, we don't apply one service, we apply many services. You know, two or three levels of security, maybe some optimization and some, you know, some other optimization. Talking amongst themselves and yeah. Absolutely. Right? I mean, they get all these other flows and so on. And so we talked about this idea that ultimately the market would have to converge so that there were providers that would provide a full suite of service layer capabilities, if you wanna use that kind of description. And so hence, you know, ZTNA being, you know, an extension to the SSE and SASE marketplaces because, again, it makes sense for, you know, one provider to have a complete set of universally available services. Right? Because otherwise, you know, traffic will start bouncing around all over the place and now we've caused all sorts of other problems. You know, maybe we can kinda come back to the notion of zero trust for a moment. And I wanna use your definition of user being much broader than a human. One way I like to conceptualize this is that a good zero trust strategy provides the right access by the right people, well, by the right users of all types, to the right resources at the right times for the right reasons. And I feel like this is something that practitioners, I remember back in my day, it's something that I wanted for a really long time. But it's only recently that I have been able to avail myself of something like that. 
When we look at modern tools like SASE and SSE, how they gather signals and context and then combine that with scores so that the access can be tailored to just exactly what is needed at that right moment, as another way of striking that balance between staying secure and getting work done. How are you seeing this extend to the non-human users? I think it's fairly easy now to conceptualize this for people. But when we think about devices and servers and agents, will the same thing work? What do we need to bring the nonhuman users into this sort of new modern access architecture we've been discussing? Sure. So there, I guess there's, you know, there's a few things here. So first, you know, we have to acknowledge that all those nonhuman users are out there. And then really start looking at, okay. You know, using your, I think it was five-point principles there that you rattled off. Okay. What is the right access at the right time to the right resources and so on? And really start doing that mapping just like we've traditionally done on the human side of the world. So I think that's certainly the first part. I think one of the other challenges is those nonhuman users can be very restricted in terms of, you know, the software that's available on those devices. You know? Yeah. You know, in some cases, they can be using very, very old, by their nature insecure, you know, operating systems. I remember talking to a Gartner client not that long ago that was still using, you know, Windows Server, you know, like, almost the initial release. And because it was an embedded system, in a very, very complicated environment, very hugely proprietary environment, and, you know, so we have situations like this where the endpoints don't necessarily have modern OSs and so on. And so that certainly complicates the environment. On the other hand, it does point to why you want controls somewhere in the center. Mhmm. 
Because then, you know, then we're not relying on that end station to have updated software and, you know, the latest, you know, patches and so on. To a certain extent, that matters less in this modern environment than it did maybe in the past. Yeah. And edge is all the rage right now, but sometimes, I still think that we can have this notion of, let's call it, distributed re-centralization, right, where we can have some of the decision making occur centrally because not everything can be an edge that participates. Right? Let's, I wanna talk about universal ZTNA, and I sort of hinted at that at the beginning. And I wanna start with a story. I'm just gonna read here from my notes to make sure I get it all right. In 2009, a member of the Chinese Politburo became unhappy with what he read when he typed his own name into Google. And so not long after that, a Chinese APT known as Elderwood Group compromised Google's Corpnet. They targeted a bunch of other companies too. They were looking at vulnerabilities in Internet Explorer and a version control utility called Perforce. The primary goal was to modify source code repositories at various technology and defense firms. And apparently, these networks were wide open. No one had sought to secure them. And, ultimately, what happened is that this group, Elderwood, compromised systems. They used stolen Rackspace VMs and made connections to C&C servers in Illinois, Texas, and Taiwan. It's a pretty wild attack. Now what happened was that Google built an architecture that smells a lot like ZTNA before it was even a thing. Remember, I wrote that first market guide ten years after this. Yeah. And Google moved everybody to an unprivileged network, even those inside Google offices, like, whether you're on the WiFi or plugged into the Ethernet. You're outside the firewall, if you can think about it like that. Yep. 
And all access, no matter where you were from, even when you were in an office, had to go through what Google called an identity-aware proxy. There are a lot more bits in it now, if you look at those diagrams from 2009 versus today, and they called this BeyondCorp. Subsequently, Google has published some papers about how well that has worked over the years and why for them it has been a great mechanism for reducing risk. And if we think about what's possible with ZTNA now and the announcement that Netskope is making around universal ZTNA, where the cloud component, the publisher, can be placed inside the corpnet so that when people are in the corpnet, local traffic stays local. We don't reverse hairpin them out of the corpnet through the cloud-based broker and right back into the corpnet data center again. I absolutely love this model for the same reasons that Google found that it worked for them. I can remember a couple other places where I've worked. They were contemplating such a model too. And what else is kinda cool is that this eliminates the need for a NAC. I can remember having a conversation in a Netskope EDC a couple years ago with some folks about this. And they kept asking questions. Well, what about top-of-rack switches? And I said, well, there's no network path in people's PCs to get to that anymore. It's like, well, but isn't there an IP address? No. Not one that routes on that network. It's not devices to networks. It's people to data. No path to the top-of-rack switch. Therefore, no reason for NAC. I'm just kind of curious what your impression of universal ZTNA might be. And if you see maybe some angle that I might have missed, or just, what is your appetite for moving companies in this direction also? So I'm actually a big supporter of this as well and for a couple of reasons. And the first one comes back to this idea of operational simplicity, you know. 
So I think about it from an operational perspective. And I had a story in the back of my mind here and it's not as colorful as yours and mine goes back, you know, probably another ten years. But we've seen this show before. Yeah. Right? And this was at the advent of, you know, corporate wireless networks. And I'm sure some of us will remember the days when we managed those separately. If you plugged into the, you know, the wireless network, you know, IT managed that in a totally separate way. And then when you plugged into the, you know, the physical, you know, Ethernet wired network, we managed it differently. I do recall that. Yeah. Right? And so from an operational, and ultimately, that's what led to NAC. Right? Is this idea that no matter how we connected to the physical corporate network, whether it was wired or wireless, we would manage that in one way. And so we reduced, you know, the operational, you know, requirements there. We closed one of the doors in terms of, you know, potential mistakes we could make, you know, in terms of how we manage employees and from a security perspective. You know, when we terminate an employee, well, we've had to make sure that we dealt with all the ramifications on both sides of the fence. Well, that solved all that. Well, here we are, you know, twenty odd years later, and we're talking about these hybrid users, and we're never sure where they are. Are they, you know, working remotely? Are they in the office? And so you start thinking about, why should we have two totally different systems? A VPN when they're not in the office and NAC when they're in the office, because, you know, again, we've now opened, you know, two different doors here. Right? And so the idea of, you know, managing a user regardless of where they are, because, again, you were building infrastructure to get access to critical resources. 
And, you know, so this whole idea of zero trust to me applies equally, so we can have a consistent user environment, user, you know, user experience. We certainly reduce the operational burden because we have one system to deal with. And, you know, in terms of just managing that whole user-to-application, you know, mapping, why would we have two? And so we're strengthening the capabilities we have by moving towards ZTNA. By making it universal, we solve a lot of the operational challenges that we've, you know, imposed on ourselves because, again, we were solving for older problems before. Right? And so, you know, application flows have changed, users have changed, how we think about applications, where they're deployed, has changed. Well, we need a new model, and that model can simplify things from an operational perspective, but also close security doors for us as well. Yeah. Well, if we think about maybe a few bits of advice for the folks listening to our webinar today, I think we mentioned this earlier, but we're essentially moving to something that is identity-based for all the access, and identity both of humans and non-humans. So clearly, one important piece of advice would be to make sure that you have great confidence in your identity store and your identity governance. And if you don't have good confidence in that, then, you know, address that first. Right? Because that's sort of the root of all of the policies you're gonna be creating in this new world, in this new form of modernizing access. So we need to know who every human is, what every device is, and ensure that the records and directories are up to date and that we're doing a good job of deprovisioning. You mentioned that earlier, Mark. Users who are no longer, or entities who are no longer needing to participate. 
We also need to think about right-sizing permissions and privileges to ensure that we don't create risks of too many permissions on too many objects. What else would you like to add to that list of things for folks to start planning for? Yeah. I think on the identity piece, I'll take that a step further here. And, you know, from an IT perspective, we certainly know, and should know, who our human users are. Yeah. But we often don't have a very good idea who the nonhuman ones are because they're often deployed not by IT. They're deployed by different parts of the business, and not necessarily with the IT oversight or permission, or however we're going to describe that. Yeah. And so part of that process of identifying who all those entities are and who and what they are, IT has to reach beyond the boundaries of IT. And so that's a really important one if we're gonna have a complete solution for this generic idea of users. So I would certainly start there. I think the next step is then starting to categorize those users. Right? And so, you know, put them in roles and personas, however you wanna describe that. So we start, you know, getting to a point where, you know, they have accepted targets and appropriate targets in terms of what those application resources are in the environment. So I think that's, you know, maybe extending that next step a little bit. Then clearly, we have to define what all those application resources are, and, you know, again, do some of that same kind of classification. And I think that's where, you know, some of the, you know, advanced, maybe, you know, AI-inspired, you know, application identification type tools really come into play. Because we don't understand the nuances of all those applications that we're using within the corporation. Yeah. 
I think one interesting capability that maybe not everyone immediately comes to appreciate is the fact that because the best way to sort of implement these new ways of managing and controlling access involves getting in line and seeing all of that traffic so that the amount of access can be adjusted depending on the signals. That simple exposure to the traffic can go a long way toward helping companies identify the applications that they own, the people who are using it, and then sort of maybe think about, well, the list of people who are using it, does it match the list of people who we think should be using it? And then that's another way to sort of think about right-sizing those permissions and privileges. There's a lot of value in getting in line. And I think that first value that's really important to recognize is helping to identify what's going on, what should be controlled, and how it should be. And so, yeah. I'm a big fan of that kind of thing too. Yeah. Absolutely. Alright. Well, Mark, it's been a great event chatting with you here, and I look forward to more conversations like this. So thanks for your time. And, back to you, Mike. Thank you, Steve and Mark, for that amazing webinar and for sharing those great insights. Hopefully, you got a chance to click all the different resources that were made available during the webinar. If you didn't, go check them out on our website. Go to the resources section. For those of you that maybe wanna go back and replay certain parts of the webinar or share it with a friend, you're gonna get an email in the next twenty-four hours that provides a link to do just that. So good luck to everyone as you think about how you evolve your VPN and NAC in a zero trust world. Have a great day.