In this webinar, Natee Pretikul, Principal Program Manager at Microsoft Identity, Tarun Desikan, COO & Co-founder of Banyan Security and Upendra Mardikar, Chief Security Officer at Snap Finance dive into how to modernize infrastructure access and implement zero trust security for your organization using Microsoft Azure AD and Banyan Security Zero Trust Remote Access.
Melissa:
Hello, everyone, and thank you for joining our session today: Modernize infrastructure access and implement Zero Trust security using Microsoft Azure AD and Banyan Security Zero Trust Remote Access. A few things to go over first: please type your questions in the Q&A box and we’ll either respond during the session or at the end of the presentation. We will be posting a link to our survey. Our surveys provide us with the ability to improve our processes, so we greatly appreciate your feedback. Your speakers today are Natee Pretikul, Principal Program Manager with Microsoft Identity; Tarun Desikan, COO and Co-Founder of Banyan Security; and Upendra Mardikar, Chief Security Officer with Snap Finance. We’ll be kicking off today’s session with Tarun. Over to you, Tarun.
Tarun Desikan:
Thank you so much, Melissa. Good morning, everyone. Welcome to our webinar on Modernizing infrastructure access and implementing Zero Trust security. In our agenda today, we’re going to cover this in four sections. We’re going to start out with Upendra talking about Snap Finance and how they rolled out Zero Trust Network Access. And we’re going to have Natee go into more details on how organizations worldwide are deploying their Zero Trust strategy. Then we are going to go into a little bit of specifics on how you can implement Zero Trust using both Banyan as well as Azure, how other customers have done it. And finally, I look forward to a lively discussion on how people have done things and what lessons we’ve learned. With that, I’ll hand over to Upendra.
Upendra Mardikar:
Good morning. Good afternoon. Good evening, guys. Upendra Mardikar. I am the Chief Security Officer for Snap Finance. For those who don’t know what Snap Finance is, it’s a FinTech company. It’s midsize, about 1500 employees. So, we cater to the UK market and obviously the big US market over here. We are in this space called BNPL, which is buy now, pay later. Lease-to-own, and we also have products for lending. Now, we cater… We are different from the other BNPL companies. Where we differ is we target subprime customers. And our customers, we lovingly call ALICE, which stands for asset limited, income constrained, yet employed. So it’s a very gratifying company where we are not only a FinTech that is disrupting financial services and trying to make life easy. At the same time, we are making life easier for customers like ALICE. So, if you can please take us to the next slide, Tarun.
Upendra Mardikar:
So, about Snap Finance, like I said, it’s very gratifying to help customers. While we were on this journey, in March 2020, as most of us know, COVID hit us. I hope you and your loved ones are safe. And we had started that particular journey, and it went from office-based to remote-based. We already were Office 365 customers, so Microsoft helped us during this particular journey as we were going completely remote. But one of the things that happened to us during that… to all of the people in the world, right? Immediate shelter in place, as shown over in the graph in 2020. We had to do social distancing, so nobody was allowed in. And I will tell you what that impact was to Snap Finance and how we did it. Travel restrictions.
Upendra Mardikar:
Like I said, we are UK, US, and we have multiple offices within the US. Suddenly, because of the shelter in place, we had lots of travel restrictions. We had to do the crisis communication in a secure way. We heard lots of rumors were floating around, if you remember those days. And even now, there are lots of messages where you don’t know which one to believe and which one will come from the company and what the company enterprise policy will be during this crisis. And then change to the enterprise budget, right? So, cost became super important because we did not know what to do. And even now, obviously the stock market is going up. Delta, Delta Plus, all these variants are coming up right now as we speak today. So, there is still uncertainty in the enterprise budget. And just to top that entire thing, in addition to having a pandemic, we also have something called a cyber pandemic, right?
Upendra Mardikar:
So the World Economic Forum, as you guys know, has called out two pandemics that the world is facing right now, right? So one is COVID-19 and another one is the cyber pandemic, with all these very, very high profile attacks that are happening. And… Okay, I think… High profile attacks are happening. So, if you can please take us through the next slide. So now let me tell you. As CSOs, what were the multiple drivers? And hopefully you will resonate with this story. So, we have customer care, which is the customer support call center. Now, those guys, they had to be immediately working from home. They used to come to the office and obviously, for the lending products, there would be some sensitive information. So that is one of the security challenges as to the home networks themselves, right? Because of the COVID shelter in place, we don’t know as CSOs how secure their home network is.
Upendra Mardikar:
There could be IoT devices, they could be using default passwords. So we did not know how secure the home network would be in the first place. The second thing, and this journey started and we are using, like I said, Office 365. Multiple cloud service providers, right? So, the cloud service providers, as we go and have SaaS in the CRM, for example. Like Salesforce and all that. They are in the cloud. Our expense management system is in the cloud. Our HR system is in the cloud. So, I think we are talking about this proliferation. These systems were no longer on prem. We being a medium sized company, if you will, I don’t want to call ourselves a small company. We are using all these services.
Upendra Mardikar:
So, just imagine the proliferation of cloud services. So, that’s another driver that was happening. And the third thing that is very critical, near and dear to our heart, is DX or our employee experience, EX, right? What is the user experience going to be? Are we going to ask for 100 different passwords, 100 different MFAs, or are we just going to make it so seamless for these guys, especially when you are dealing with the computers that have been issued by the company? So, those are the three drivers. And at the bottom obviously, there is always a constant fear of this cyber pandemic that we talked about, right? So, we need to be secure. We need to enable all these different cloud services and we don’t know how the home networks are. So when we started… So next slide please. So, when we started on this journey, we created this seven step ladder, right?
Upendra Mardikar:
And I’ll just briefly go over that and how our Zero Trust Network Access journey was. So, we had to enable work from home. I mean, we had no choice. Now at that particular point, if you think about it, we obviously had VPN. Our employees were working from home. And even at my previous employers, we all were working from home. Occasionally, not all the time. And there were scalability issues. When you have VPNs, people logging in with MFAs and all that. So we had those controls. It’s not that we did not have VPNs. The problem was the performance, like I was talking about. Another problem is the scalability as such. How scalable the solution would be. Very soon it was scrolling and then we were trying to log into multiple data centers. We had to have VPNs at multiple instances.
Upendra Mardikar:
And if you are in the UK, okay, log into this VPN. And if you are here, go onto this location on the West Coast or go on the East Coast. So, we had to play around and we just had to do it, right? Because of shelter in place. Then what we started doing, guys, is security awareness and phishing campaigns and secure work from home. So, we started training people over there. So, go back to those days where you just had to do shelter in place. What do we do? Right? So, we enabled work from home. We started saying that, “Okay. What is the threat?” So, we did a threat modeling exercise. During that threat modeling exercise, one of the weakest links was insecure modems, insecure networks, all right? Home networks. So, we started training them that, “Hey, go over here if you have this sub modem. Log in over here. Change your password. Turn off these kinds of services. Turn on your firewall.”
Upendra Mardikar:
So, that kind of training, awareness, security awareness videos, we started pushing to our employees and contractors as well. The third thing that we started doing was phishing campaigns. So lots of phishing, because the phishing was very high at that time. The phishing numbers overall, industry-wide, they increased about 730%. Let me get that number. But I think there was… Sorry. 30000%. That’s the number. 30000% is what phishing numbers increased by. So, what we started doing was… Even now, we get lots of phishing. Obviously we have good technologies over here. The industry gets lots of phishing campaigns. We kept on educating our customers and there was an important element called the human factor. So that’s the initiative. It started. Sure, you can prevent phishing emails from coming in. Sure, you can prevent employees and contractors from clicking on that link or falling prey to that phishing campaign.
Upendra Mardikar:
And you can stop the request going to the command and control center or whatever. However, that human factor, stopping that human being from clicking on that link, is where we focused our energy, by making sure that there is prevention on both ingress as well as egress. With EDR and all this malware… I’m sure you guys are also looking into it. Then the security posture management. And it’s not just CSPM, it’s your entire security posture management, which was step number four that we did. Now, step number five is an interesting one, which is what the scope of this particular conversation is, which is Zero Trust Network Access, right? So, this became super popular in our company, especially when we had to get rid of VPN. So, no MFA, no… You just open your laptop and boom, you are connected.
Upendra Mardikar:
You know you are secure, so user experience-wise it was super head. Obviously, there were road issues while we were configuring. We had to put certificates and all that. But those were nothing compared to the friction, the ongoing friction, that people were having. So, Zero Trust Network Access is where we spent lots of energy. Now, the good news is that with that particular thing, we did not have to work too much on the home networks, even though people were doing their secure home network configuration. But it was less of a worry for us. We started doing UBA and then we… Step number one, we are still tweaking our AI models. We are learning as we go. And Europe, that’s how we took care of this Zero Trust Network Access. So in general, the experience has been pretty positive. We still have some work to do, a lot of work to do on the board side of the equation. So if you guys have any ideas, we would love to learn and partner. But Tarun, over to you please.
Tarun Desikan:
Maybe one question for you, Upendra.
Upendra Mardikar:
Yes.
Tarun Desikan:
Do you think that COVID actually improved the overall security of your organization? Would you have done all of these without the pandemic coming into play?
Upendra Mardikar:
Yeah. So that is a very good question. What has happened is that COVID has certainly accelerated this. Would we have done Zero Trust Network Access? The answer is yes, because as we go ahead and look at the trends, and the trends that we were talking about, cloud. All right? The 10 trend we was talking about the performance and just the general friction to our… They have lots of salespeople, all right? I mean, they go on the field. Just imagine where they have to go and VPN every time they are trying to make a sale. All right? That is going to be a very kludgy experience. So to answer your question, COVID accelerated all this. Distributed workforce. Lots of companies, they are very open to remote work nowadays. “Yeah, this location can be remote. You don’t have to come to the office.” So, those kinds of things have happened now. COVID has certainly accelerated it. My thinking is that Zero Trust Network Access is the way to go anyway, for any organization.
Tarun Desikan:
Awesome. Thank you.
Upendra Mardikar:
Thank you.
Natee Pretikul:
Right. Great timing. Thanks for sharing your story about how you drove Zero Trust during the pandemic, Upendra. I think from Microsoft’s side, we actually recently released the Zero Trust adoption report to actually understand how CSOs like yourself, across the world, are thinking about Zero Trust adoption in general, and based on the research outcome, we clearly see that in a hybrid workplace, especially, COVID is a top motivator to drive Zero Trust because employees have to work everywhere and it’s hard to understand what’s the right strategy to put in place. Also, there’s a lot of thinking around how can organizations improve the end user experience and productivity. Because imagine, in the past, people might meet in person more often, but during the COVID-19 pandemic time, a lot of users have to interact via Microsoft Teams, Zoom, and different collaboration solutions.
Natee Pretikul:
So, it’s really important to have the right experience with the security in line. And if you go to the next slide here, we also learned, which is quite surprising, that around four out of five of the surveyed companies have or are working toward a hybrid workplace, and Zero Trust is really a big part of that strategy. So here, what we are also seeing is that many customers have been reaching out to different vendors, inclusive of Microsoft, around how they can put the right strategy in place. And I can give you one example of a large retail company around the world that we have talked to. The CSO also had to make a decision within a week to allow all the employees to work from home for the very first time because that had not been the case in the past.
Natee Pretikul:
And I think your journey slide opened around how can you drive and [inaudible 00:17:38] home have the right IAM strategy and then Zero Trust. That’s exactly what had gone through the mind of that CSO. And at the end, our team was able to help think about driving that IAM policy and integrating with Zero Trust Network Access. That had been very, very helpful because there are many private applications that employees have to use, and that’s why I think hopefully your lessons shared here will be helpful for many customers. I think the next slide here will also demonstrate what the top barriers are when it comes down to Zero Trust, because a lot of IT leaders also have to make the case to the top executives around what makes sense to drive through a Zero Trust. And what we really learned from this survey is that the top two things come to mind. One is around resource challenges. And the second one is around leadership buy-in.
Natee Pretikul:
I mean, it might sound simple, but getting everybody across the organization to buy in is really the key, right? And when I talk about resource challenges here, it’s really about how the team can have the right server, the right tools, the right processes and change management in place to drive towards Zero Trust. And the second one, I got one example from another friend in the industry. She told me that she was trying to get the CEO to just turn on MFA or enable the [inaudible 00:19:13] to turn on MFA. But because the CEO doesn’t like the experience, that’s it. The project is doomed. And then people use weak passwords and have a bad security posture. And once the security incident happens, then it becomes a very rough job, right? So to me, for anybody on the call here who experiences this type of example, Microsoft now has a Zero Trust adoption report that you can use to share with your executive team, with your team, to kind of demonstrate how other customers like yourself are going through this experience. And we have good stats, more in the survey. Back to you, Tarun.
Tarun Desikan:
Awesome. I know we have some questions, so let me just maybe look at them for a second and maybe bring it up for you guys to answer. We have a question here. Maybe this is starting with you, Upendra. How is a VPN different from ZTNA?
Upendra Mardikar:
Okay. So, VPN… I mean, Tarun, you can explain, while I can tell you at a higher level and don’t want to get into too much technical detail. So, let me tell you the technical side and the user experience side. So, from the user experience side, for our customers, we issue… or for our own employees, we issue our laptops, right? So that is what we have done. And we have done that. One of the things, team, from the user experience perspective for VPN is that when you open your laptop, let’s say you are at a hotel or you are at your home, which is not in the work environment. When you open your laptop, for the VPN, you have to go into the VPN, you have to connect to that particular VPN and then maybe you have enabled your MFA. And then your computer creates a virtual private network, right?
Upendra Mardikar:
I mean, that is what the VPN technology is. So there is friction, as you can see over here. And you are creating a virtual private network. From the ZTNA perspective, which is Zero Trust Network Access. And I didn’t mean to give you the entire meaning of that acronym. What happens is that there is lots of device identification from the technology perspective, so that when you connect yourself to the network, you know that this particular resource or the equipment that is connecting to your corporate network is actually trusted and secure. Because that’s the ultimate goal. So the goal of VPN and the goal of Zero Trust Network Access is to make sure that the devices that are connecting to your network are the right devices or not. So, Zero Trust, because of the device fingerprinting and because of whatever happens over there, and Tarun can tell you exactly. We put certificates, there are some proprietary algorithms.
Upendra Mardikar:
We have confidence that this particular device is the right device. Now, if you think about VPN, let’s say you are going to a SaaS application. Salesforce or whatnot, right? If you were to really secure that particular communication, you first have to go VPN. Go and log in to the corporate network, all right? And then send a request to the SaaS, all right? So that you say that this particular thing is coming from your company’s employee. Zero Trust Network just eliminates that particular step, so that we can configure it in such a way that any communication to the SaaS platform is coming from your device. So Tarun, you want to add more color to it?
Tarun Desikan:
No. I think that’s a great answer. And I think if I were to summarize, the VPN puts a lot of trust in the network. It basically connects you to networks and puts the trust in the network while a ZTNA solution doesn’t make any assumptions about the network and instead puts the trust on the device. And as Upendra mentioned, we use a device certificate to do that. Other companies might use agents. There are different techniques, but fundamentally the difference is when you’re in the office, it makes sense to put the trust in the network because it’s a physical network. You can trust it typically. But when you’re a remote culture or you have cloud services, trusting the network is hard. So instead you have to trust the device. And the second aspect which Azure AD and Banyan help with is you also want to give access to specific applications. So, you want to publish your applications either in the Azure AD portal or as a Banyan infrastructure service. And by giving the workforce access to specific applications, you don’t have to give them broad access to entire networks.
Tarun Desikan:
And that also reduces the attack surface, as it were, if someone were to breach a network. Awesome. That’s a great segue into this topic, which is… We’re just going to spend five minutes, maybe deep dive a little bit into what Zero Trust Access is. Just kind of build on that question. So, when we are talking about Zero Trust Access in this webinar, specifically, we really focus on infrastructure that’s running in your corporate networks. So these corporate networks, as Upendra mentioned, no longer just run on premise or in your data center. Oftentimes they’re running in the cloud, in AWS, they’re running in Azure, and oftentimes they may even be running as SaaS. So, we’re not dealing with just one user needing to access one application. In most corporate environments, we have hundreds of different types of users accessing oftentimes thousands of different types of applications. And the traditional tools to do this, as we’ve been talking about, are VPNs. So VPNs, you fire up a VPN client, you authenticate with your MFA, it drops you onto a network.
Tarun Desikan:
Then you might have some additional layers. You might have a gateway. You might have a bastion, you might have firewalls. You’ll have some additional tools to then grant access from an employee into this internal application. And these internal applications, they span the spectrum. Sometimes they are simple websites where you upload your vacation data. Sometimes they are ERP portals where your entire organization’s resource planning is done. Sometimes they are development tools. Sometimes they are SSH servers. Windows servers. There’s a lot of internal infrastructure that organizations and enterprises of a certain size run. And this is how it has been done for 20 plus years. So, the idea behind Zero Trust is that you don’t need to use all these traditional appliances. You can instead use a cloud delivered system to manage access into your internal resources. And one deployment model, at Banyan we call it a global edge deployment model.
Tarun Desikan:
And so what that essentially means is, in your corporate network, you just deploy a little connector. And the connector dials out. And then in the Banyan cloud command center, you manage all the policies. Who accesses what and so on, and you publish your services. And from your user’s perspective, they get the experience that Upendra spoke about, which is they just open their laptop and they have click button access into the internal applications they need. That is a Zero Trust approach to access. And the kind of traditional VPNs and gateways and firewalls are no longer needed to grant secure access into your corporate resources. Just as a side note, Banyan also provides a private edge model. So, if you are a sensitive organization, if you have compliance requirements or you’re cloud savvy, Banyan allows you to host the data plane yourself. And that is very useful for certain types of organizations to scale out, for example if you have heavy network requirements, instead of having to go through somebody else’s cloud.
Tarun Desikan:
So, for compliance and throughput, you also have a private edge deployment. Now, regardless of how you deploy the product, you get what we call a Zero Trust Security Model. And just what we are explaining here is that you have a user on the left hand side trying to access an internal application or a resource on the right hand side. Traditionally, they would turn on their VPN, jump through a few hoops and get access. Instead, in this new approach, in a Zero Trust approach, we use the components we just deployed previously, and now every single access is explicitly authenticated and authorized. So, if a user were, say, to try to SSH into a server, that request comes back to a central command center for explicit authentication and authorization. And in our partnership with Azure, we integrate with Active Directory to establish the user credentials, the user trust. We also integrate with Microsoft’s device tooling, Defender, Intune and so on, to establish device trust.
Tarun Desikan:
And once you know that it’s a user and device with an appropriate level of risk, that’s when you get access. And access is always granted using short lived credentials. And anytime something about the device or the user changes, the risk posture changes and that access gets revoked. So that’s what we call a Zero Trust security model. And that’s what differentiates a ZTNA solution from kind of a more traditional network access VPN solution. It is the tight integration with identity and device tooling, and not as much reliance on the network. So, you get the benefits of a fine grained access control. You get the click button user experience that we need to replace VPNs. And finally, you can roll it out at scale across the world very quickly and conveniently. And that’s why organizations typically adopt a Zero Trust to access their infrastructures.
Natee Pretikul:
Awesome. Really good. New capabilities here. Tarun, I think many customers would definitely be interested. Especially what we have seen from the Azure AD side, in the past two years, we have seen significant growth of all the leading Zero Trust Network Access solution providers. And I think one key thing to also highlight, because we heard from customers loud and clear, while you have really strong network security and Zero Trust strategy, it’s also important to think about how you can protect the front door, because in all the major attacks, sometimes when the admin or highly privileged user still uses weak authentication or a weak password, that still allows people to go in and really do some kind of crazy activity inside. That’s why turning on MFA, using things like passwordless technologies from different vendors, inclusive of Microsoft, would be super helpful. And based on our stats, we have looked at all the security issues that have been prevented because of MFA.
Natee Pretikul:
In fact, the data show that MFA helps to prevent 99.9% of [inaudible 00:30:50] attacks. So it’s really important for all of you to think about how you can roll out MFA with Azure AD and Banyan Security, as well as thinking about passwordless, which is a really, really important strategy moving forward. In fact, I recently read some articles from leading analysts and they also recommend that now passwordless is real, is ready. So that’s something that you should kind of adopt as part of your journey all up. And for the next slide here…
Tarun Desikan:
Natee, just a question here. Have you had any concerns with user experience as it comes to MFA? Do people complain that they’re being MFA’d too often or they don’t have their phones, or MFA is problematic? How do you deal with that?
Natee Pretikul:
Good question. I think it’s important to have the right policy when it comes down to MFA, right? For example, if a user has device trust, let’s say they use this device all the time, then we kind of know this is something that they’ll always do to come in, and then we can use the Azure AD risk engine to determine whether we should [inaudible 00:31:56] or not, because if we prompt every time, then it becomes a bad user experience, right? So to me, it comes down to both: setting up the MFA. Second, use the right policy and leverage the risk score engine to enable the right user experience.
Upendra Mardikar:
Yeah. And just to add, Tarun, that is a good question. So when teams are going to go ahead and implement MFA, very few people… I mean, not every company will pay for mobile phones or Microsoft Authenticator and all that. So they have to install an application, which we did, right? I mean, we had an app installed on the mobile phone for all the employees and all that. But very few people, they might push back that, “Hey, it is my phone. Why should I put Microsoft Authenticator on it?” One thing, we ran into that as well, in full transparency, but we were very quickly able to pivot and use software OTP at that particular point. And for the critical ones, we issued hard token OTPs. So, that is how we worked around that particular issue. But that was rare. And the practitioners over here who are on the call, they might run into that kind of issue, to convince certain people that, “Hey, it’s boiled, and why should I install it on my phone?” There are other ways that we were able to work around that issue.
Tarun Desikan:
Well, and what about SMS as a two factor authentication? Is that still approved, or has it kind of become, “We’ve decided SMS is not the right way to do things”?
Upendra Mardikar:
So for us, we are using the authenticator continuously. So the push notification is what we get. So we don’t use SMS-based. But in certain cases, right? I mean, not for the employee access, but for customer access, we’ll potentially have to allow those kinds of things because not all phones are smart phones. So for those kinds of customers, we have to allow it, but we prefer the authenticator and those kinds of applications, if you will.
Natee Pretikul:
And a few things to add to what Upendra mentioned, what we have seen from the Microsoft side is that for customers, especially in the regulated industries like finance, which is a great one, SMS is also deemed as not the strongest MFA of all. I mean, it’s already better than just using ID plus password, right? So I think it’s really about the risk level you would like to protect against. Plus even with the MFA prompt, with the authenticator apps, we also see that some users who might not be tech savvy, when they get a prompt, they tend to go accept it on the phone all the time. And that’s not what we would like to see from the end user perspective. That’s why things like having number matching or having some kind of code matching when you get a prompt for your MFA, that is another strategy to kind of mitigate that type of behavior.
Natee Pretikul:
So it’s really important to think through who the end users are, what type of MFA to turn on, and then what type of strategy to put in place to not really hit the end users with a lot of prompts, right? Which leads me to our bread and butter from the Azure AD side. We have our kind of technology called Azure AD Conditional Access. And this really has been one of the top rated features during the pandemic because, to my point earlier, when people sign in and they have to find the right experience for the end user, our Conditional Access actually can help there, because we have integration with all Microsoft cloud solutions as well as third party solutions to look at different risk profiles from the user, device, and application. And then we have our machine learning to determine if the sign-in is high risk, low risk, or medium risk based on all the signals that we have.
Natee Pretikul:
And then we enable IT admins and C-level executives to put the policy in place for all kinds of actions that they can take. If the risk profile is awesome, if they log in from a trusted device, then they can just join in without requiring MFA. But when the risk score kind of goes out to be medium risk, maybe you want to prompt MFA. And if the risk is high and you know exactly this is going to be a hacker trying to enter your organization, maybe you limit the access, or you can also request a password reset if the password is weak. So there are a number of things now that we enable our customers to put policy in place for during the pandemic. And we think, if you haven’t really seen it before, it’s highly recommended to look at it as part of your Zero Trust strategy all up. So I guess back to you, Tarun.
Tarun Desikan:
Awesome. I’m going to stop sharing so we can actually maybe answer some questions and discuss with the audience. Please use the chat window, the question and answer window, and we’ll get to it as soon as we can. We have a question here. How does Windows Hello work with Azure? It doesn’t work with on-prem active directory. So what does that integration look like? I think this has to be you, Natee?
Natee Pretikul:
Yes. Definitely. So, first of all I have to admit that I’m not the Windows Hello expert, but let me tell you a few things, and I will get back to your question after the call. Today, with Windows Hello for Business, many customers use it to integrate with ADFS and Azure AD to actually enable sign-in. But when it comes down to passwordless, you have to connect with Azure AD only, because it’s not going to come from on-prem AD or ADFS. So that’s the short answer, but yeah, I think on the actual on-prem integration, I have to get back to you there.
Tarun Desikan:
Awesome. Maybe an unrelated but slightly related question is if I have on-premise AD, how do I get started with a Zero Trust journey? Maybe Upendra, I know you guys are an active directory customer. You’ve used active directory for a long time. How did you think about migrating from on-premises active directory, on-premise environment to cloud and cloud security?
Upendra Mardikar:
Yeah. So, it was for us because we started the journey when we were very small over here. In my previous life obviously we had on-prem Active Directory. So, my previous employers had on-prem deployments. But the way we were doing it was pretty seamless for us, to be honest with you. And all our users are completely on Office 365 right now. However, I have to say that this happened before I joined. So the Office 365, that entire journey happened before my time, and I did not hear of any issues over there.
Tarun Desikan:
Got it.
Upendra Mardikar:
But I would be very happy to connect if anybody’s interested, to share whatever the experience has been so that we can have lessons learned, if you will, and share that.
Natee Pretikul:
Can I add one more thing on that? I also have been talking to multiple customers over the past year about this topic, really, because many customers might have AD on-prem, but they have Office 365, which means that they have Azure AD included as part of their Office suite. And they know that to enable the scale SOS leveraging our policy engine and all the cloud-based security, they actually decided to move to Azure AD quite a bit in the past two years. And we also have seen significant growth of the users as well. A few things to keep in mind as you think about moving from AD on-prem to Azure AD: one is that it’s important to look at the migration from a staged angle, in terms of, for the customers or for the end users who already use Office 365 and maybe have the least access to all the legacy applications, or who mainly use Office 365, for example, those would be the easiest to migrate first.
Natee Pretikul:
And the second part is how you can do the inventory of all the resources and legacy apps that connect with AD on-prem. Because that's where you also have to find the right path to move these legacy applications, either to modernize them and connect them with Azure AD, or to connect them with a ZTNA solution like Banyan Security and connect that with Azure AD to protect those applications. And at the end it’s how you can have the right change management to train end users to start using new features from Azure AD and Banyan and different security solutions.
Natee Pretikul:
And at the end, it’s basically fully migrate everybody and turn it off, because the end goal is to leverage the latest security solutions. For example, in Azure AD we just released passwordless technology recently this year, and this kind of thing will come from the cloud-based solution. And really, I think that would be the journey that many of you should think through. I’ll also post a link to our Zero Trust deployment guidance on how you go about migrating to Azure AD. That might be a good resource for all of you. I’ll post it in the next minute. Back to you, Tarun.
Tarun Desikan:
I think you guys both touched on some good points. The one thing we find in enterprise environments is that most organizations have already invested in Office 365. Most people have done the… I would not say the easy migration, but the critical migrations. Leave the on-premise Exchange, move to Outlook Online and so on. And oftentimes what we find left over is the hard stuff. It is remote desktops. It is SSH servers that are also very critical to the business but don’t lend themselves to an easy migration. They’re not, for example, SAML-enabled web applications. And that, I agree, is not easy. It actually takes IT initiative. And that’s where the VPN is usually used. And that’s where modern Zero Trust solutions can also come in. I think inventory, just having an idea, is often a place to start. And Natee and I are working on a discovery project where… Oftentimes IT teams don’t even know what these resources are that are secured with Active Directory. And there are techniques that vendors like us provide to automatically discover these resources. Discover, help you publish them and so on.
Natee Pretikul:
I think one story that… Tarun, you can remind me. I just talked to one of the traditional news companies, and I didn’t know that now 80% of the employees are developers. I thought it was reporters and all those people who publish news online. And the problem there for them is that because almost all the developers create LOB apps internally, the IT admin has no idea. And this is where app discovery and inventory of all the resources and apps become key to the Zero Trust world.
Tarun Desikan:
Yeah. And we were talking about on-premises Active Directory, but if you look at even the more modern companies like the one you mentioned, oftentimes they are cloud first in AWS, but they often have the same problem. They might be using an AWS directory, but it’s not tied to the central corporate Azure AD. And you still have the discovery problem. You still have, “How do I manage secure access into these environments?” People call it shadow IT, but oftentimes that’s not true, because that is the more primary IT now. That’s how most people are used to doing their work.
Natee Pretikul:
Yeah.
Upendra Mardikar:
Tarun, that is the right point. We also moved all of AWS over to single sign-on, right? I mean, with Office 365. Because, as Natee was talking about, we wanted MFA. Single sign-on from the user experience perspective. Because we are a cloud-native organization, all the AWS workloads we immediately moved onto Office 365 SSO. And to your point on inventory, there are organizations that I have worked for where… You are absolutely right. IT cannot know what the applications are, because there are going to be so many different organizations, business units; they deploy their services and they come and they go, right? So it’s very difficult to inventory that. So do what Natee was talking about, in the sense of doing it in stages. Start with what you know. Start migrating. And on-prem AD you have to migrate into Office 365, in my personal opinion. We went through that journey. It was pretty seamless for us, luckily.
Tarun Desikan:
Yeah. Actually, that is a question that just came in on the Q&A, saying, do you have to migrate to Azure AD before you implement Zero Trust Network Access?
Natee Pretikul:
I-
Tarun Desikan:
[crosstalk 00:45:53] a very opinionated view on the subject.
Natee Pretikul:
Yeah. I think there are a few things to keep in mind, right? On-prem AD, in a way, is not a technology that Microsoft invests in anymore, because we believe that cloud speed is a lot more important. When we launch new features, new things, you get them almost right away. Plus, when you think about when Microsoft starts to see risk trends and all the security, we apply those updates almost in real time. So to answer the question, I do recommend using Azure AD as part of your Zero Trust strategy. It’s hard to say you have to use this versus that to go to Zero Trust. But in reality, the more you can be protective of your resources, the more you can leverage the advanced cloud security functionality here, the more helpful it’ll be. Actually, when we talk to most of our customers today, they talk about leveraging our Azure Conditional Access together with a ZTNA solution to actually do a Zero Trust journey and migration toward the new, more secure way of doing things, right?
Tarun Desikan:
Right. I couldn’t agree more. I think there are solutions that allow you to do what they call Zero Trust without migrating to the cloud, right? They allow you to use your on-premise Active Directory. But if you think about it, the only way that works is if they connect you to the network first, which in many ways is the opposite of Zero Trust. I’m going to connect you to the network and trust the network. And in fact, that’s how the SolarWinds hack actually happened: they found a compromised identity provider, they got onto the network, they were able to get identity credentials, and then they were able to proliferate. And so while you could do it, I think it’s not the best practice. It’s probably not the [inaudible 00:47:51].
Upendra Mardikar:
Yeah. So, I think the question, Tarun, if… You both are right. I think the spirit of the question is, if somebody wants to do ZTNA and start an initiative within the organization, all right? Now, they obviously have to go ask for the budget and leadership support that Natee was talking about. So, when you are a practitioner and when you are asked, “Hey, before doing that, migrate this entire [inaudible 00:48:24] of AD that you have built up for years. Migrate it to Office 365 first before you even talk about Zero Trust.” I think that’s the spirit of the question, right? Is there an easy way? And I think that is what the spirit of the question is. Is there an easy way where they can get some quick wins within the organization? That, “Hey, we have enabled Zero Trust quickly.” All right? While trying to see if we can move the entire Active Directory. I think that’s the spirit: how can he create the budget, what falls above the line and below the line, and how can he push within the organization?
Tarun Desikan:
Yeah. We actually see this a lot, because we come from the ZTNA side while Natee comes from the Azure AD side. We see this a lot where it’s not just the budget. Sometimes it’s the department. The department that wants to do ZTNA is the network team and the DevOps team. And oftentimes it’s a very different department than the identity department that manages Active Directory and Azure AD. And so they will have an internal initiative. And so, at least in Banyan’s offering, in both our free offering and our business offering, we have a lightweight identity provider just baked in.
Tarun Desikan:
We would never call this a corporate identity provider. It is very lightweight. Username, password, but it doesn’t have all the sophistication of a real enterprise identity provider like Azure AD. So that allows these network teams to get started quickly. Do small groups. 10 people, 50 people, 100 people. So, we allow them to get started quickly, but I’ll tell you, if you want to do a corporate-wide rollout, it’s better to start with that Active Directory beast. That’s where you want to start. Because you have to get identity correct if you’re really going to get Zero Trust.
Natee Pretikul:
That’s right. That’s right. That’s really important. And one thing that I also learned last year: I talked to one of the customers and asked, “Oh, are you using Azure AD or not?” And they said, “No. I have on-prem AD and that’s the only thing I have.” When I asked, “Do you have a phase three [inaudible 00:50:32] now?” they said, “Yes.” I mean, sometimes people are not aware that they have Azure AD in their environment. I think it’s a matter of sometimes educating the broader team, and then even inventorying what you have and trying to leverage what you have to be secure and achieve a Zero Trust strategy.
Tarun Desikan:
Maybe one question. This might be for you, Upendra: did you have any unforeseen speed bumps or benefits while rolling out Zero Trust?
Upendra Mardikar:
Yeah. So unforeseen, one of the things that people… I mean, it has been… I wouldn’t say we had a completely smooth ride, right? I mean, to be honest, there were bumps as we went on this journey. Sometimes, the certificate just would expire. Certain certificates. And then [inaudible 00:51:24] people say, “Hey, I cannot log in.” And then even when they go onto this Banyan site, it still won… So those kinds of issues, and then we’ll have to send IT to do the remote desktop and then fix those issues. So those were some of the issues. One of the things, I think another problem, is BYOD, right? For me. So, BYOD is where…
Tarun Desikan:
Bring your own devices. For folks [crosstalk 00:51:54].
Upendra Mardikar:
Yeah. Bring your own devices.
Tarun Desikan:
People bringing personal devices to do work essentially. Corporate work.
Upendra Mardikar:
You’re absolutely right. Thank you for that clarification. What happens, team, is that as we are allowing remote work, right? I mean, lots of people want to work on their mobile phones, and then what we do is we also love bring your own devices, right? So BYOD is using mobile phones for work-related activities. We wanted to make sure that those are secure as well. Within the organization, how much information should we put on personal phones? Are there any privacy implications? So there are those kinds of trade-offs that we have to make without… Nobody’s interested in you, what you do on WhatsApp or what you do on Telegram and all that.
Upendra Mardikar:
That is not what CSOs are all about. But people are worried, all right? I mean, they have their banking applications, they have their IoT applications on their mobile phone, private messages going back and forth. They’re worried about privacy. So educating them is one of the things. So, from the technical perspective, putting something on the BYOD, that is one of the resistances that we get. And from the privacy perspective, people are really worried about, “Hey, whether the employer is going to compromise our privacy,” or whatnot, all right? So, those are some of the issues that we are running into.
Tarun Desikan:
What about privacy on the desktop devices? Is there an expectation… If I watch a Netflix movie on my laptop, a corporate-issued laptop, should I not have an expectation of privacy? Should I expect the enterprise to monitor my traffic there?
Upendra Mardikar:
Yeah. So what happens is that we tell them, if it is a company-issued laptop, we tell them, “Hey, you should not assume privacy over there.” However, if they want to log into their banking site and all that, we obviously tell them that we are not interested in passwords or whatnot, right? I mean, we are interested in making sure that there is no malware on the computer. That is our orientation. So we do those kinds [inaudible 00:54:15], allow for those kinds of things where, for those kinds of transactions, people can do the entertainment, whatever. So, it depends on the company policies. Some don’t allow it, some allow it. So I have seen both sides of the equation. But Tarun, I think communicating that is very important to the employees and contractors: that this computer has been issued by the company and should be used for company purposes only. And then the second thing is we monitor the traffic that is required for security, and people accept that trade-off, actually.
Tarun Desikan:
So then coming back to the BYOD scenario, if you wanted your employees to use their phones for business, would you have to monitor all the traffic on mobile as well?
Upendra Mardikar:
So, that is where we want to communicate that we will not be doing that. And how do you do it while you are installing something for not-so-tech-savvy people, right?
Tarun Desikan:
Yes.
Upendra Mardikar:
So that is a very different ballgame than issuing a computer. So, it’s a journey. Security is a journey. Security is a team sport. I keep on saying that. But one of the issues that we as security practitioners will face and will continue to face is BYOD, and how you secure BYOD coupled with Zero Trust Network Access.
Tarun Desikan:
Yeah. I think one thing to notice on mobile, maybe the audience doesn’t know this, but most ZTNA products take something called a VPN profile. And so, especially on iOS, Apple and Android devices, you get a big warning saying there is an app monitoring your traffic, and that frightens a lot of employees.
Upendra Mardikar:
Exactly.
Tarun Desikan:
[crosstalk 00:56:04] especially if they’re not very technical employees, it frightens them and they will not use it. And so both Azure AD’s Authenticator and Banyan’s app, we both have apps, and they don’t do this. So we are able to establish BYOD device trust without monitoring all the traffic. We have a bunch of questions; I don’t know if we’ll have time to answer them. If you are using ZTNA and only business traffic flows to the company, the connection to my bank doesn’t go through my company, though? It’s a question. And I think the answer is, it depends on the flavor of ZTNA that you use. There are some vendors that essentially will take all your traffic. And as Upendra says, you can have corporate policies that don’t monitor my bank traffic. You can have that.
Tarun Desikan:
And there are some other vendors that will only take your business traffic flows. So, Banyan is in the second camp. We only take your business traffic flows. But there are others… they call them always-on VPNs. All your traffic will go through them. Maybe, Natee, you can take the one before. What is your take on the idea that what all companies are looking for at the end of their journey is information protection? Identity is just a means to that goal. I think what they’re asking is, companies are fundamentally looking to protect their data. How do you ensure that?
Natee Pretikul:
Yeah. I think there are multiple things here. From the Microsoft point of view, first is you need to classify your information, right? Is it a high-risk resource or is it low risk? And we have our solution called Microsoft Information Protection that will help you do just that. And once you start to have a risk profile of those file resources, then how do you enable each, or the right, user to access it? Because, for example, you don’t want to leak all the HR employees' sensitive information to everybody in the organization, right?
Natee Pretikul:
So you want to restrict it to just the HR environment. Plus, if there is certain super highly sensitive information, even deeper, this is where you can leverage privileged access solutions like PIM and PAM, you have probably heard of them before, to protect those types of access, plus how you sometimes even record a session, right? On who accesses it. And all those things depend on the regulation that each company has to deal with. But to me, I mean, again, it requires multiple strategies and solutions to protect those resources.
Tarun Desikan:
Awesome.
Upendra Mardikar:
Just to add, right? I mean, information protection is a very loaded term, right? And anonymous is absolutely right that it’s a means to an end, all right? So there is confidentiality, integrity, availability. We need to protect our assets. And it’s an overall strategy as security practitioners, right? Encryption is one of the things, access control, [inaudible 00:59:15]. So there are multiple… it’s defense in depth and there are multiple security levers. So I completely agree with that sentiment. And I agree with Natee as well. So, access control and identity management is one of those levers.
Tarun Desikan:
Awesome. I think we’re almost upon time. Well, thank you, Upendra. Thank you, Natee. Thank you, everyone, for attending the webinar. We really enjoyed the discussion. I believe the team will put it up on YouTube for folks who want to review it later on. If you want to test drive the products, you can just come to our website. Banyansecurity.io/test-drive/. You can actually try ZTNA for free and see if it works for your organization. And after this webinar you’ll also get a survey. So if you could fill it out, we’d love your feedback. With that, can I hand back to you, Melissa?
Melissa:
Absolutely. Thank you so much, Tarun. Thank you, Natee and Upendra. This was fantastic. And just as Tarun said, we’ll be sending out some assets after our session is over. Thank you, everyone.
Natee Pretikul:
Thank you.
Upendra Mardikar:
Have a good one. Bye-bye.