Video: From SSE to SASE: Transforming Connectivity with Netskope One SD-WAN | Duration: 2708s | Summary: From SSE to SASE: Transforming Connectivity with Netskope One SD-WAN | Chapters: Introducing Netskope's Vision (141.28499s), API-Driven Data Protection (413.745s), Netskope's Platform Evolution (613.95496s), Netskope Platform Overview (881.29s), Unified SASE Architecture (971.82495s), SASE Solution Components (1103.89s), Consolidating SASE Solutions (1496.8301s), Conclusion and Resources (1736.885s)
Transcript for "From SSE to SASE: Transforming Connectivity with Netskope One SD-WAN": Welcome, everybody, to From SSE to SASE: Transforming Connectivity with Netskope One SD-WAN. I'm excited to talk to you. I'm Sanjay Beri, the CEO and founder of Netskope. And joining me a little later will be Parag Thakore, our chief product officer for SASE at Netskope. And so let's dive right in. I'm gonna start with a little bit of the history of Netskope and our vision and then bring you forward to today, where we're a leader in SASE. So when you think back twelve plus years ago when we built Netskope, these were some of the big trends and thoughts we had about the future that really influenced what we wanted to build, how we wanted to build it, and how we wanted to bring it to market. The first was really around cloud and AI transforming the Internet. And when I say that, I always think about security, and I think about security only being really as good as your understanding of the Internet. And when you think about that Internet, I thought about people sitting on their computers and laptops, agents now, IoT, OT devices before. And when they did something, went to SaaS, web, public cloud, on prem, the vision was that it would emit trillions of APIs on the wire. The language of the Internet would not be the web, HTTP, HTTPS, right, URLs. It would be APIs, JSON. That's what I meant. Cloud and AI transformed the language of the Internet, making traditional web proxies on prem or cloud not able to understand and govern the new world. The second big trend was really around protecting data. My belief was that data would be the new oil. Ultimately, everything you do and in addition to your users, it would be about data. And I remember talking to one of the largest customers in the Americas, and they would tell me, look, I've never had more people attack or try to get at my data than now.
Nation states, malicious insiders, traditional criminals, they all want my data, and no doubt. Whether it's to monetize, whether it's to train, whatever it is, people are after your data. The third big piece was this notion that security, traditionally, when you think about delivering it, you have to do it and sacrifice performance. We set out to solve that paradox, right, to deliver security for the cloud era, AI era, the advanced security you need, but enhance and accelerate the end user experience. Now that wasn't easy. It took a long time, you know, to build and to build this infrastructure and the network and the software, but you can solve that paradox. And then cyber risk, of course. I don't have to talk to you about that. You can read any stat or you can ask your favorite Gemini or ChatGPT or surf the web, and you'll see what is happening in the world around cyber threats. And so with that backdrop, I wanna walk through a little bit about what is today when you think about the factors that are shaping a hyper distributed enterprise? What does that look like and what do they expect? And so when you think about that hyper distributed enterprise, and I'm not just talking about people, but I'm talking about, for example, IoT, OT devices. I'm talking about AI agents. I'm talking about partners and contractors and beyond. What are their priorities? Well, one of them is, look, seamless end user experience. End users rule the world. They brought in cloud. They're bringing in AI, and you cannot inhibit their performance. And so you can see the bottom step. So many people just stop, right, if their performance is affected. Performance is a definite priority. And cloud apps, we talked about it, redefining networking. You can see the TAM. The modern branch requiring a new infrastructure paradigm, no doubt. That's what we're gonna talk about. How do you thin out the branch, consolidate, leverage the cloud for the rest? Right?
Typical concept similar to what many people wanna do on their endpoint. And then, of course, connecting everything. The reality is today, everything talks to everything. It's any to any communication. Right? Could be an AI agent talking to an LLM. Could be an app talking to an app. Could be a user going back to on prem or SaaS. Whatever it is, you gotta be able to have that any to any connectivity and deliver security and the performance for all of those connections. So I talked a little, and I alluded to this notion that when we thought about building Netskope, we thought about, well, in this new age, the language is APIs. It's JSON. You look at MCP, you look at A2A. Right? You look at every transaction with a SaaS app, social media, modern websites are like dumb SaaS apps. Under the hood, they communicate using APIs, JSON. And so the old world, which was your traditional cloud based proxies, your on prem devices, they spoke the language of HTML. These are next gen firewalls, next gen, you know, traditional web gateways and so on. And the problem with that is that they forced you into a decision of block or allow, block ChatGPT or allow it, block OneDrive or allow it. But that's not what people want. People today, when you sit in a boardroom and the CIO or CEO says, the policy I want, they say things like, well, you can use ChatGPT, but only if it's a corporate version, and you can't query with sensitive data. You can use OneDrive, but, no, you can't share data externally. Okay. You can chat on Slack with sensitive data but to no external third parties. It's not block the app or allow it. And the reality is that granularity can only come if you understand the language of the cloud and AI era, which is really what Netskope pioneered. And we are the first and only high speed globally distributed, what I call API JSON proxy, who understands natively the language of the Internet. So you don't have to say yes or no.
You can say yes, and here's my guardrails, my guardrails to SaaS, to social media, to AI, to on prem apps, and do it in a simple converged way. From a data protection perspective, the thing to remember is your data lives everywhere. If you look at a typical enterprise, and I was just in an EBC with one of the large banks, 80% of their data didn't know where it was. 90% plus unstructured, right, some files and medical records and so on. And so in that environment, how do you find it everywhere? On your endpoint, email, web, cloud, SaaS, data lakes, data warehouses. How do I know and find it, classify it, and then protect it? And that's what we do at Netskope. We have a common... when I think about platform, it's not about a bunch of things on a price list. It's how do I have a unified system. Right? And so we have one data protection service that applies everywhere, whether it's at rest or in motion, consists of the traditional mechanisms you expect like entities and beyond, but also in addition to the regexes and entities has neural networks. I wanna find an image. I wanna understand what's in that image. I wanna identify source code. I don't wanna specify what that means. I don't wanna just use exact data match or OCR. A combination of using neural networks through the AI labs teams that Netskope has had for seven and a half years, infuse the ability to get high efficacy data protection everywhere, and then put policy and governance around how you can use your data and track your data as it moves so you know the lineage. That's really what we mean by data protection. So I went through that quick. It's a little bit the history of Netskope. Cover all traffic everywhere. Doesn't matter if it's an end user, an agent, right, contractor, a partner, a device. No matter where it's going, on prem, external, or so on, protecting its malware and threats, insiders, and beyond, accelerate the traffic.
Well, as we built out that vision with our customers and with our own thinking about the future, we thought about, well, wait a minute. There still is something on prem at the edge of a branch, the edge of a public cloud in a multi cloud environment, in a manufacturing floor, in an oil rig. There's something there. Right? And you wanna make it as thin as possible and as simple as possible. But it has something that has an aggregation of functions, and those things would include things like, perhaps, routing, perhaps backup 5G, perhaps SD-WAN. And that was really why we set out to find technology and a team that had pioneered that notion of that new on prem edge. And that is really where we found Infiot. Right? Some of the early founders of the first SD-WAN who left to build the next generation SD-WAN and on prem gateway, and we were very happy at that point to acquire them a few years ago. It was designed in a modern way, the way that we would have designed it, seamlessly could fit in, integrate with our NewEdge network, the largest private cloud in the world, so you could on ramp to the Internet and get an amazing experience. So when you think about the things that we were trying to address, it really comes down, perhaps I'll summarize it, in four. One is when you think about a better network, you think about things like remote access, SD-WAN, wireless WAN, multi cloud. How do I consolidate and aggregate that into that thin system? Cloud managed, right, but very simply operated. Second was, you think about cloud and AI in that era. How could we have a solution and a platform that thinned out the branch, leveraged that massive cloud that we had that was fast and was ready for AI and SaaS. That would take application QoS, for example, and say, well, that's a risky cloud app. I don't wanna give it a high priority versus I don't wanna give that port or that URL. Right? How do you actually get ready for this cloud and AI era?
Well, it's not as simple as that. You wanna take into this next level of granularity, into your policy such as your QoE. And there's a lot more, of course, into that. The third, consolidation. We already consolidate so many different platforms and systems into one. Right? Your data protection system, your web gateway. Right? You think about your VPN. You think about how you did DLP before, you know, so many different areas. But as well, doing that on the on prem edge, SD-WAN, firewall, IoT security, DM routing, you know, into one simple system, which could be remotely managed, and could on ramp you quickly to the Internet through Netskope's network. And the last I alluded to, which is those app based policies, moving from port and URL based policies to app policies and making sure that can happen both on the security and the network, like the QoE case. Those are some of the big reasons we did what we did, which was extend, which is always our vision, into the broader platform of SASE. And when you look at that, where we are today, I'll fast forward you now many years till the current day, you can see Netskope is a leader in SASE, right, the leader of the furthest right vision and a leader in SSE. The only, really, platform and the only company which is number one or two in every single use case in SSE or SASE with the highest score in both. And so, really, for us, when we think about the future, we think about simplicity, we think about delivering advanced security without performance trade offs and doing that for companies around the world in a way where it's a true platform. One client. Right? One network. Right? One zero trust engine, one gateway, and so on. So with that, I'll walk you through one last thing, and that's really what do we think about as we step back and look at the Netskope platform. This is a table of contents view of how to think about it. I've touched on some of the components, but the bottom is the world's most performant and connected network.
120 plus data centers, 70 plus regions, all services everywhere, built in closed and service providers. So we have full control and full visibility for our customers so we can control the user experience. That's NewEdge and the network software that runs on it. On top of that is built this high speed layer a proxy, zero trust engine with a granularity, and our 160 plus machine learning models. And on top of that are our products, all in the same common platform. Right? One GUI, one network. If you need a client, one client, and beyond. And you can see them in the top, security, networking, analytics. And that really is, when you think about it, our SASE platform. And every year, you see a few new modules and products built on this common system. For you and for our customers, they grow because it's a true platform very easily. Because once you've implemented one, you're pretty much nearly implemented for the next because of that commonality of capability. So with that and that quick overview of platform, I'm gonna pass it to Parag, who's gonna take you home into the deep dive of our SASE with fully integrated SD-WAN.

Thank you, Sanjay. Like Sanjay mentioned, Infiot got acquired by Netskope around three years back and from the get go, the vision was to build this unified SASE architecture. And we made that vision into reality by integrating across five different pillars. These five pillars were one console, which is a single console for SD-WAN and SSE, one zero trust engine. Think of it as the shared brain. It's the control plane, and that's shared across SSE and SD-WAN. One gateway, which is really running multiple applications on your appliance, and it provides an on ramp to NewEdge. One client, which is industry's first and only unified SASE client, and one network. As you know, NewEdge is our world class platform with full compute in over 75 regions across the globe.
Earlier, we used to run only SSE services in NewEdge, but we also run SD-WAN in NewEdge. Now our results speak for themselves. In this year's Gartner Magic Quadrant, Netskope was not only a leader in that Magic Quadrant, but out of the four use cases that Gartner had defined, Netskope had the highest cumulative score. If you look at it, foundational SASE, which is a little bit of networking, a little bit of security, but you don't need to be advanced network or advanced security. In that use case, we were at the number one spot. Zero trust SASE platform, which is a use case where you look for really deep advanced security functionalities and AI capabilities, on securing AI, we landed at the first spot. The third one is coffee shop networking, which is really hybrid users, employees working from home or it could be a small office, WeWork-like environment. Again, Netskope was on the first spot. And in the secure branch network modernization use case, which is really an SD-WAN use case with core deep networking capabilities, Netskope landed on the second spot. So we are really excited on where we landed in this year's Magic Quadrant. Now there are three components to our solution. One is SASE gateway or this could be clients, in case of remote users. We have our management plane and we have our control plane. These SASE gateway appliances are designed to call home to the cloud and download a bunch of policies onto these appliances. And it is at that point that these SASE gateway appliances will secure optimized connectivity using any underlay of your choice. It could be Internet, 5G, MPLS, back to your data center, and it can also build topologies back to NewEdge, which is very unique. There are several vendors who have a cloud only architecture, and they have inflexibility for on premise. There are a lot of vendors who have on prem only. And then finally, they lack, like, cloud optimization and security.
What we believe is in giving customers that flexibility and mixing and combining these intricate topologies to give you maximum flexibility. Now there are five benefits that I wanna talk through, and each of these are related to the five pillars that we spoke about. The first one is our one engine. Now extending that one engine, the zero trust engine, into the SASE fabric is critical. And like I mentioned, it is about really the shared brain, which is sharing this between SSE and with the SD-WAN stack. As an example, let's say Pat logs in into her corporate device and is accessing sureviewip.com. Not only do we look at the application, we look at the context of the application called CCI, which is Cloud Confidence Index. And if your view IP has a score of, let's say, 36, you can take an SSE decision. Hey. I want to coach the user. Go use Office 365. But from an SD-WAN perspective, I want to deprioritize that application. On the other hand, if you are using Office 365, which has a score of 87, which is a really good score, maybe you want to give high priority for those applications. You want to have these forward error corrections, sub second failover. You want to give it to your enterprise grade application. But what you notice here is number one, we have the largest database of applications that you can optimize and secure from a SASE fabric perspective. So the same engine that works in the cloud from SaaS perspective, the same exact DPI over 85,000 applications work on our SASE gateway appliances. In fact, we go to the JSON layer and we can look at what the CCI score of these applications are and take the decisions for those applications accordingly. So I tell customers often that whatever SD-WAN did, you needed. Right? You need the network layer. You need to look at the latency, jitter, packet loss, bandwidth. You need to take the right decision, do the sub second failover. But on top of it, your fabric needs to be context aware.
Look at application, application risk, device, device risk, user, user risk. These are different attributes with which you want to make more granular policy decisions inside your SASE environment. Now the next benefit is around that one gateway appliance. And really, it is about building this extensible platform. Think of it back in the days, you know, customers or consumers used to carry different phones. Right? Like, you would have Nokia for making calls and you had Blackberry for receiving emails, and then you had a GPS. You would carry a Garmin GPS around for navigating your way. And iPhone came in and they revolutionized the whole aspect, wherein you have multiple apps that are working on the iPhone. You like Apple Maps, you can use the default apps from Apple. Or if you like applications like Google Maps, you can go ahead and download it from the App Store, and you could be using Google Maps. Think of SASE gateway appliance, that's hence the name one gateway, is very similar, wherein you can run a variety of third party and partner applications from Netskope partners, or you could be running a set of Netskope applications. For example, SD-WAN is one such application that you can run on our SASE gateway appliance. You can run firewall, IPS from Netskope, the same firewall that runs in the cloud runs on premise on the appliance. Netskope has a product called digital experience management. P-DEM is another application that runs on the appliance. IoT security is an application that runs on the appliance. So these are a variety of these different applications that Netskope publishes, and you can run on that SASE gateway appliance. And in addition to that, you can run third party applications as well. And the idea behind this is customers are really tired of stacking up more and more appliances in their branch offices because that makes the branch pretty heavy.
So how can we consolidate and have more of a software centric architecture so you can provision up, you know, different Netskope apps or third party applications on these SASE gateway appliances. An example of these SASE gateway appliance apps is security. Like I mentioned, we have this concept of hybrid security wherein security can run in the cloud, and then the same security can run on premise on the box. For example, if you need east west protection, maybe you need firewall on the appliance, maybe you want IPS on the appliance. But we want one engine, one stack that is powering both the cloud and the on premise appliance, because, again, you are looking for that consolidation. And the second key aspect is when you look for this connectivity back to the Netskope cloud, you can deploy these appliances. For example, you can take a box, power it up, and maybe you deploy a box in San Jose. And then you take this box and you have another site maybe out of New York. Maybe you have a site in Europe. So what we do is we automate connectivity back to the Netskope NewEdge infrastructure so you don't have to do box by box provisioning. For example, if you have two links, we'll have four redundant paths to Netskope at any given point of time for resilience reasons. So, again, this is key. Like, you wanna have security in the cloud for your North South protection. You can consume SWG, CASB, ZTNA, firewall as a service, and then you can have a variety of on premise applications that are running on the SASE gateway appliance as well. The third benefit is really extending SD-WAN optimization to the NewEdge infrastructure. Like I mentioned, NewEdge is this world class footprint that is there from Netskope. It's full compute in every region, and we are in over 75 regions. And in each of these regions, because we have full compute, we used to initially run our SSE stack there. We still have that. We run our SSE stacks with CASB.
Everything is run out of the NewEdge footprint. But one of the benefits we got is we could really extend this footprint to SD-WAN. So we host our SD-WAN software inside the same NewEdge infrastructure. And why do we do that? Imagine if you have traffic, like going to Zoom or going to Office 365, and if you want those SD-WAN benefits like sub second failover, forward error correction, you name it. All of those benefits apply from point a to point b where you have two SD-WAN software. And, really, the traffic is going to the cloud, so why should I be sending it back to my data center for the traffic to benefit from SD-WAN optimization? So by having a cloud footprint, let's say if you were sending a UCaaS application or UCaaS as a service for Zoom, for Office 365, you can go direct between the site back to the NewEdge infrastructure. Also, you have this global WAN service. You can either use one of our ecosystem partners like AWS, Google Cloud WAN, and we can build this fabric for you. But we also have a NewEdge global WAN for which we can connect, for example, a remote user trying to access resources back into the data center, which may be somewhere remote. You can completely leverage the NewEdge global WAN in those use cases. Now benefit four is really consolidating into a single client, both for security and connectivity. And if I go back in my past life, I had sold these SD-WAN appliances into one customer I clearly remember with 25,000 appliances for employees working from home because they wanted to get the same level of optimization that you get in a branch office for these employees who are working from home. And, really, what ended up happening is they had a DLP from some other vendor. They had SSE. They had VPN. They had an SD-WAN box for optimization. And these employees were using 4 or $500 Dell laptops. And at the end of the day, we were shipping $2,000 appliances for them. That was not scalable.
So at Netskope, what we have is industry's first SASE client, and that SASE client has endpoint DLP. It has SD-WAN. It has DEM. It has SSE. All consolidated into one single form factor. And it can replace your VPN 100%, give you all the zero trust benefits, and it will give you full visibility and optimization that SD-WAN promised you in a branch office, but for a remote worker using a software form factor. And last pillar, goes without saying we need to consolidate management, you need security and SD-WAN into a single console. And there are two parts to it. On the left, what you see is we have a four tier managed service provider managed SASE portal. So in that, Netskope sits up on the top as an operator. We can spin up master managed service providers. These managed service providers can have their own partners or resellers, and underneath them, you can have their own end organizations. So that way, it is very easy for MSPs if you're using one to completely manage your infrastructure. But at the same time, you also get a single UI for both SSE and SD-WAN functionality. So it's all kind of built into one. So it's full suite services, SSE, SD-WAN, full DLP, full ZTNA and full VPN replacement, all comes from a single pane of glass, along with all the monitoring and troubleshooting aspects using our DEM and advanced analytics. Now I did want to cover a few real world use cases. If you look from, you know, five high impact customer use cases that I'm gonna cover today. One is secure SD-WAN, which is really built for mid to large branch and data centers, highly distributed micro branches, which is small offices all in one. People look for more and more consolidation in a micro branch office. IoT OT device intelligence, which is the IoT security solution that we have. Universal ZTNA, which is built to deliver that consistent zero trust access across users and sites.
And lastly, multi cloud networking, which is how do we simplify and optimize not just for a branch office, but also your multi cloud environment. So the first one here is a customer, you know, I visited them on-site, in fact, and they are one of the largest wholesale roofing distributors in the US. They have around, over a 100,000 stores, and they were adding 70 to 100 new stores per year. They were an existing Netskope SSE customer. And, basically, they backhauled all the traffic from the legacy firewalls back to the data center, and that is where there was the exit out to the Internet to the Netskope NewEdge infrastructure back from the DC. Now, they were planning a refresh for their firewall, and, ultimately, it came down to three vendors. Vendor one got eliminated very quickly because of lack of SSE. They wanted SSE and SD-WAN coming in from one vendor. Second vendor was eliminated because they were looking for on premise firewall and on premise SD-WAN coming in on the same appliance. So what that vendor promised is, hey, we'll give you four boxes, one to run IPS and firewall and other security services, another box to run SD-WAN. But, really, that was increasing the cost, and the customer was looking for consolidation, ease of use, and reducing the cost at the same time. So our one click integration between our SASE gateway appliances and NewEdge stood out, we could obviously run SD-WAN and the security on the same appliance and meet the requirements. And plus, they were looking to troubleshoot these devices very quickly, and we support Proactive DEM running on the SASE gateway appliances, so they could troubleshoot and resolve these issues much faster. This second use case is of a global travel retailer with shops in over 5,000 airports and cruise lines. They had a stack of appliances, 4G, 5G from vendor one, IPS, and firewall coming in from a second vendor.
They had a router inside that store, plus they had a Gen one SD-WAN solution, and they were using cloud security from a third party. And really, they were looking for point product consolidation because these were a lot of products in their infrastructure causing complexity. And what we could deliver them is an all in one solution because it's almost like a micro branch, where you don't want a big form factor. You want 4G routing, application QoE, SD-WAN, on ramp to NewEdge for the SSE services, all built into a lightweight small form factor device, and ability to run containers on the same appliance in future for adding more services. So this was more about consolidation, somewhat different from the previous use case where we already had a footprint from Netskope. So it was an existing SSE customer that migrated to SASE, wherein this case for all 5,000 stores, it's a net new logo for Netskope and highly distributed, lightweight in nature, and then most of the security services are running in the cloud. So this use case comes from a customer who is a global retail group, which is a supermarket store. They have over 500 supermarket stores and around 5,000 plus devices, one of the largest in Europe. And they have two goals. One is they wanted to eliminate their MPLS and migrate to Internet. And the second one was around IoT device visibility and control. We ran through a POC and what we noticed is they had a camera in their environment and camera was safe day zero. And thirty days into the POC, we noticed that the camera is doing SSH activity. So we were able to dynamically detect that on our SASE gateway appliances, and we could automatically take actions not just on our infrastructure, like to block the North South communication, but we can also program these high risk devices and send an SD LAN policy back to an Aruba infrastructure saying, hey. I want you to block this on your Wi-Fi.
What we also did notice in their environment was we increased the visibility by over 40%. 40% of their devices and their network were unknown, and 60% of the corporate assets were not even listed. So, again, huge from an IoT, OT visibility perspective, but we also ended up adding controls. So if a high risk device was identified, we could dynamically block those high risk devices. Now this is a use case where if you look at it on the left side, customer had NAC, and NAC obviously lacks consistent zero trust and uniform policies. It was built, if you look at NAC as a technology, it was really built for an on premise solution. It would give you broad network access. And once it gives you that network access, it really doesn't do anything from there. It does not monitor the behavior after granting initial access, and it lacks data protection and control. For example, if there is a device that is infected by malware, it may meet NAC requirements, but it could still pose significant threats to your organization because NAC cannot do anything in those use cases. On top of it, if you think from a remote user perspective, NAC was never really helpful. The access control policies were set on the NAC appliance for on premise. And as soon as the user is remote, you have yet another separate VPN infrastructure, and you need to create policies for that user when the user is remote. So again, NAC was not built for these remote workers and employees working from home. If you look at it, the origination of NAC was also to help with the IoT OT devices. What we noticed in this particular customer is they had created blanket MAC address bypass rules for protecting their IoT OT assets. And that doesn't really protect you because these manual MAC address bypass rules are really ineffective against spoofing attacks. So, essentially, you are asking the network to blindly trust these devices, which defeats the purpose of NAC to begin with.
So what the customer was looking for is that unified access. They want that least privileged access. You don't want to give that broad network level access, but application centric access no matter where the user is. If the user is remote, you get app centric access. As soon as the user goes on premise, you still get exactly the same application centric access for those users. So consistency was critical. And secondly, really adding that IoT device visibility and control, so it goes beyond protecting users also to these IoT OT devices, which are in your environment. And this last use case I wanna touch on is around secure multi cloud networking. Really what ended up happening in this use case is the customer was picking firewall from our vendor and they were spinning it up in their VPC instances. And then for the multi cloud networking, that means AWS talking to Azure talking to GCP, they had yet another vendor in their network for that private network switching. And what we told them is, look, Netskope is already in the cloud. So you can get all the security from the Netskope infrastructure. What you would need is a software that is sitting in your VPC, and then you can get one click to Netskope to help you with, you know, if there is a server and trying to scan the traffic, you can go into the Netskope NewEdge infrastructure and that's where the security runs. And on top of it, the Netskope software itself can help you with a private overlay between these different cloud providers. So that way, you could eliminate two different vendors in this use case and make your deployment super duper simple. These are some of the resources which you can explore more. We have a lot of resources available on netskope.com. The website is completely revamped with strong focus to consume some of these services. So we would highly encourage you to go back to our website and look for more details.
Thank you all for joining this webinar.