The Next Generation of Secure Access with Zero Trust

Good morning everybody. Nice to meet you all. Let's get plugged in and I shall start. So yeah, thank you very much for giving me this opportunity to present you this morning. So I've been at Netscape for nine years, so I've been very much involved in understanding how organizations, you know, are migrating to a zero trust model. For those that don't know about Netscape, we have literally been in existence for 11 years now. We're perhaps a, a lower profile company, but we have some very, very large customers. And what I wanted to take you through today is, you know, what we are hearing from our customers and how we are actually addressing that. So, so let's start with, you know, some of the conversations that we've been having. You know, we know that everybody is moving to a hybrid working model. You know, there's nothing new here.
Everybody's very used to that terminology. I think, you know, some geographies have biased more towards people working from home than others, but equally what we're trying to do here is to ensure that any user within an organization has the best approach for access in the applications that they need. So we typically see, you know, we from our customers that they want to reduce, you know, the complexity, reduce the amount of hardware, ensure that the users get a better experience, they need to be able to evolve their solution, evolve their security proposition as well, and their posture. Yeah, every project that I get engaged with, the key sort of term here is that, you know, we don't want to weaken our security posture. We want to make sure that we enhance it because of the way in which we do work now remotely and accessing services within data centers as well as public cloud as well as across the internet.
But we are mostly focused here on obviously the private applications. We need to ensure that we have the best user experience and the best possible way of actually implementing that. Now, when we talk about this, what we're really targeting is remote access and replacing the legacy VPN. I think there's lots of acronyms used within our industry that sometimes just create some level of perhaps confusion, but drawing this back to the way in which we really see what's happening here. You know, we've all deployed, you know, VPN concentrators in the past, you know, setting up an IP SEC tunnel in order to connect to that concentrator to gain access into what was our core domain, our offices, our data centers. And that still exists today for many organizations, but there has been this evolution of the application. So typically that backhauling only enables us to connect to a fewer number of services, and then we have to break out at that backhaul point back out to the internet to access those servers.
So this isn't an ideal topology, it's not the ideal way of implementing security today as we move to a cloud first model and what we see is that this creates, you know, poorer performance. The user experience is not gonna be as good. We find that the security model here doesn't really focus on zero trust. You know, it is more about access and simple access, you know, access in the subnet. I think everybody, again, has sort of had the experience of this, you know, you set up your VPN to means that allows you to rather to, to exist on your local subnet the same way that, you know, this provided you with the ability to see the same type of connectivity as when you were in the office. But the model has changed. We're seeing that people need more visibility. We need to understand exactly what is happening with the user and how they're accessing these applications.
We need to ensure that this is swift. You know, I, I often sort of have to pacify my daughter. She works for a large global organization. She works from home mostly. And all I hear is this VP N'S not working dad, it's not connecting again, it's slow dad. Yeah. The internet is going slow. Again, it's not the internet slow, it's the fact that you are backhauling all the way into your network and yet you're using SAP on the cloud. So we, we know that, yeah, the user experience is typically a little bit poorer with this method and it also introduces still security risks. Yeah, we have to punch holes through our firewalls. Yeah, a way to get into that service. Then once we are on the network, we've got a pretty much a free reign to gravitate left and right across our network to understand which applications and services are there.
And of course, it's an additional component that we have to buy. We have to upgrade. Yeah, we have a responsibility for owning and having people trained upon that. But I think, you know, it's a clear message that we've got about zero trust. I think every vendor seems to have a slightly different story, but from my perspective, this is all about pinpointing precisely how are you going to provide remote access as securely as possible in the most efficient manner. So this means identifying the use of the device, the location, the target application, and only allowing users to reach those specifically targeted applications. So really sort of homing down on the true principles of zero trust. And if we do that, you know, we can identify and we can be context aware so we know who the user is and what application they're accessing. We drive the policy so that, you know, I can have a different policy for my colleagues.
They can have a different policy within the organization as well. So you're really driving that granular control of security to those users. And typically, you know, this is very much driven towards, you know, those private resources. You know, an application that doesn't appear on the internet, something that is not there publicly available that you have to gain access into a privately hosted environment. We've seen a huge adoption in public cloud in AWS in Amazon, sorry, in GCP and in Azure. And that's really where we see, you know, a lot of adoption here. We do still see, say, private data centers as well. We have one global organization that adopted our Zero trust approach about three years ago. They are a PR company. There's 80,000 users. They have about 5,000 different private applications right across the globe. And they use us to ensure that they have precise remote connectivity to those users.
So how do we do this? So it's quite straightforward. You know, we've got two target points here. We've got the user on their device and we've got the application that they're trying to access. We deploy a component called the publisher, which is the ZTNA gateway that knows about the private applications. And the user will connect to our global cloud infrastructure to gain access to that publisher. And effectively what we do is we create this connection. We use a term Stitcher, I think it's quite aptt. Yeah. We literally stitch the connection between the user and the application. And what this will entail is, you know, the application registers with the publisher. So we know precisely the application, we know the ports it's running on. Yeah, we know exactly what it is. We look at the protocol of that app. Once it's connected into the cloud, then it's an available option.
But we have to set the, the policy to allow the connectivity, user makes the connection. Obviously we have to validate that user. It's not just their user id. We validate. So there's several source criteria, the posture of the device, the location of the user, the type of device, you know, where they're connecting from. And then what we are able to do is validate that user. So we can integrate into the source of truth, the ITP, the IAM, you know, those critical components that brings their TNA together. And then what we'll have is a session establish between that user and that service. And the great thing about this is that the publisher makes a call home request to the cloud. We don't open up any ports on the firewall to allow, you know, a port scan to discover a way in. It's an outbound request only from the publisher.
It means that the applications that we are protecting are non discoverable because there's no way into this. And what it means also is that we, we shield this from unexpected or attempted exploitation. So it's a far, far sort of more stricter model and a simpler model to deploy, you know, from the purposes of deployment, the publishers, they're literally downloaded. It's a software image, a virtual image. Once it's deployed, it's as simple as giving it a, a, an address on the network and then it can call back to the cloud and you manage everything from the cloud. So what does this look like really when we sort of compare it to what we've seen? So VPNs we're all about, you know, a connection through an authentication, you know, open access to all or nothing. It was all about, you know, port visibility, identifying attacks, you know, and effectively, you know, placing the device on the IP network.
But when we look at ZTNA, you know, the zero trust approach, this is more about ensuring that we are not going to allow somebody in until we fully validated them. And then we want a very granular policy to say who is allowed to which application, and then we can control this insider activity. There's no, you know, crawling across the local IP subnet to see what other applications and services are there. You are mapped through to that specific application. Now, the only thing that we're looking at here is that, you know, this together would provide the ideal solution, you know, both ability to find, you know exactly what you want on the network and have connectivity to it per application over an encrypted connection. So what we wanna do is evolve this. So first step of course is we've got ZTNA, we can provide that. Yeah, we can provide this direct to app connectivity that I've described against this, though there are limitations because it is so precise and it does ensure only inbound connectivity to that specific application.
Where this struggles as a framework is that it doesn't allow you to achieve those server to client services. You know, remote support to a remote user, you know, si server to client access for VoIP services. So there are limitations when it comes to a complete VPN replacement. You know, it's great at reply at producing, you know, a remote access service, but a complete VPN replacement, there's gonna be some limitations here. So we need to address that as well. So we saw that weakness and what we did is we said, we need to be able to address this final piece of the jigsaw. And so the way we did this is we made an acquisition over a year ago. It's very rare for us to make an acquisition. Say I've been with the company since it was pretty much founded and everything has been in-house developed.
We've had no legacy platforms to try to adapt into the cloud like many other vendors. What we did is we, we developed everything in the cloud, but there are certain capabilities that are best given to the experts who dev, who developed them. And so we bought a company called NFI o, they're an SD WAN company. It gave us, you know, the final picture of a SASS E model. You have secure access services Edge, where we combine networking and security. This is our networking piece. And it had a fantastic SD WAN client, so it's application aware, it can do prioritization of those applications and it can provide bi-directional traffic. So what we simply did is we said, we'll take that and we'll combine it into our endpoint. And what that means is that we will overcome these limitations of the outbound connectivity between servers internal to users external.
And so effectively we introduced this into our platform to introduce one complete VPN replacement. So this is why we call it ZTNA next. It's all about, you know, bringing together all of the right components from the user experience. It's seamless, you know, it's one endpoint agent, it's a very lightweight endpoint agent. It doesn't do any processing on that endpoint. It simply does the traffic steering. We pick up the, the, the services. If it is specifically a connection outbound from the client into an application, we use our ZTNA components. If it is services such as server to client, then it will use that SSD WAN service, say from the per perspective of, you know, operationalization of this. It is a simple model because we just provide, say one endpoint, provide the connectivity, we define the policies for the traffic steering, and we have seamless connectivity. Everything connects in via the Netskope SSE platform.
This is our global infrastructure. We have over 71 geographic regions globally within those geographic regions. We have the data planes, the processing point that provides this seamless connectivity between the users and those services. So the use cases we typically see it is VPN replacement. We, we like to talk about perhaps more complex use cases, but we see more and more organizations wanting to adopt a zero trust model. And that is really driven by how do we get rid of what we've got, make it better, give us more flexibility. You know, take away the hardware that we've had to install on-prem, you know, move that into a cloud, manage it from the cloud, take away the need to scale, to update, to manage, you know, let's give that to the vendor. Let's give that to Netskope. So all we need to do is enable the service to it.
It does enable the hybrid working very, very seamlessly. If we had this at the start of the pandemic, I think we'd have sold bucket loads of it. Didn't quite have it all at that time, but you know, since then we've now got it all in place. So it's a, it's a great capability from us. It allows an organization to a, to do a true shift to cloud. You know, there's, there's no hardware. You know, this is a virtual appliance just to enable that connectivity. It's very simple to deploy. It also means that we can address, you know, lots of different sort of perhaps more complex use cases. You know, we see a lot of organizations go through mergers and acquisitions and consolidation as part of the shift to cloud. You know, most people have the same RFC internal IP addresses. Yeah. They're always duplicated across all sites.
With this, we're agnostic to that structure. We can provide very seamless integration there. New device, pre-configuration, pre login, you know, the device doesn't have to register to actually be using this upon logging the get enrolled into this for the authentication and the identification. And therefore we can roll this out effectively campus-wide in order to provide this seamless remote access service. So, so that was what I wanted to take everybody through. Hopefully I've made it clear. If there is any doubt in anybody's mind, I'll happily take any questions from you, try to address any questions. If I can't, I can get an answer for you. But yeah, open up the floor. Does anybody have any questions at all?