The world is unpredictable. For businesses to stay technologically resilient, they need the right strategies.
On this episode of Tech Deep Dive, host Max Clark is joined by Alexey Goncharov, an IT leader at Cepheid. They explore how strategic IT changes can drive global resilience for organizations navigating uncertainty. Alexey brings real-world insights from Cepheid, a global molecular diagnostics company. The conversation highlights the role of IT in building scalable, secure, and flexible systems that can adapt to challenges.
Tune in to hear practical insights on the steps organizations can take to fortify their IT ecosystems.
Max:00:07
Beginning to all these ones is make everybody do jumping jacks. We can get up and do some jumping jacks or some push-ups, you know, 10 burpees before we press the record button. It just gets started.
Alexey:00:18
And you start usually quite early for the West Coast.
Max:00:22
Okay. That one gets interesting because I have guests everywhere from Asia to Eastern Europe. Then you find you're like, okay. Well, now we have to find a time. And then by the time you get into afternoon, midmorning, afternoon, evening, the day runs away from you very quickly.
Max:00:41
And it became like, okay. People are fresher in the morning hours. The day hasn't you know, you haven't been in your email. There's no major crisis yet. There's no no nothing's on fire somewhere.
Max:00:53
So we end up scheduling on the earlier side. Just
Alexey:00:55
Yeah. Makes perfect sense. And it's usually a habit for me to wake up at 6 AM, as I had early morning meetings with my colleagues and partners from India due to the time zone difference. Our early morning stand-up calls were at 7:30, and some early morning calls at 6:30.
Max:01:17
Yeah. Absolutely. Yeah. Gone are the good old days of, like, showing up in the office and saying, hey. We're gonna have a meeting at 9:30.
Max:01:26
It's time. The time zone negotiation is, our neighbors just moved back to Sydney. And so trying to, like, remember what time I can call him is always fun because, you know, it's a day forward, but, you know, my brain just doesn't wanna do it. I have to look at my phone and be like, okay. What time is it?
Max:01:50
You know? And I'll text them and be like, hey. Give me a call when you're awake.
Alexey:01:53
Or when you call them and say, happy Friday. No. No. No. It's already Saturday morning.
Max:01:58
I was thinking about this, of where I wanted to, how I wanted to start and, you know, what to really talk about. And, see, there's that, I'm gonna say a lot probably in this just because I guess that's gonna be the word of the day for me. Gonna have to make, like, a little counter or something. How many times does Max say it? I'd like to start really going back, let's say, like, presolution and talk about what was going on in the business, infrastructure, teams, people, and what was, you know, really what was happening and what was driving change? Or what was maybe not driving change, but what's happening with the business that created an issue that then resulted in change?
Alexey:02:52
Yep. Absolutely. I joined Cepheid in 2021, and it was an interesting, very amazing experience as it was some sort of the end of the pandemic or middle of the pandemic. We were still working from home. And Cepheid, as many other companies in the world, switched to remote mode instantly, as all other companies in the US and all over the world did.
Alexey:03:35
And that led to significant discrepancies in many areas as no one was ready for COVID. But Cepheid was growing, doubling and tripling their business year over year at that time. And as far as you maybe know, Cepheid was directly involved in fighting COVID because it's a medical organization. It's a medical device company. They produce the cartridges for the diagnostics, the PCR tests, and all that stuff.
Max:04:11
I was looking this up. I wonder how much of my diagnostics have actually gone through. I mean, the industrial design of the machines, by the way, is awesome. I mean, they look fantastic. But, I mean, it's really the perfect storm.
Max:04:28
Right? Because now you're talking about global business, because this isn't just a US centric company or operations. The introduction of COVID. So now you have remote workforce and people going home and working from home, and your, medical device manufacturing, producing cartridges and testing for diagnostics for respiratory. Right?
Max:04:52
So respiratory is one of the areas. So COVID fits into that bill. So now you've got manufacturing pipelines, iteration, producing product. Everybody has to work from home, global footprint. That's a lot.
Max:05:06
That's a lot of strain on an organization.
Alexey:05:09
Yep. And the team was doing a fantastic job to keep the company running. And, from the network side, from day 1 when I joined, during my first interaction with my new manager, it was just, how many people are there? And he mentioned to me the number of people who were involved. I said, it's unbelievable.
Alexey:05:36
How did you do that? Because the company was still growing. They hired the emergency people for manufacturing operations, expanding the production. And Cepheid was operating not only in the US, but also in other countries all over the world. So with the offices and manufacturing, for example, in Sweden.
Max:06:01
So how many employees, well, give me an idea of size. Right? So how many office locations, employees, manufacturing? Like, you can break it down whatever makes sense, you know, whatever makes sense for you. But so, like, from a company, from the organization, like rough numbers, and then also from team.
Max:06:22
You know, how big is the actual IT and the network team that was managing this?
Alexey:06:28
So, Cepheid itself was close to 40 offices all over the world, including sales offices, the customer care offices, manufacturing offices, labs. And, roughly speaking, it was close to 10,000 people all over the world, the employees and contractor accounts. And one of the challenges at that time was many things were built under pressure, to create it as soon as possible based on the existing standards. And at that time, there was one big initiative started by the parent company, Danaher, for enterprise network segmentation. It was huge.
Alexey:07:23
There were other initiatives going on in parallel, because the company paid very close attention and is still paying close attention to security, the cybersecurity, at the time when we heard in the news about ransomware attacks, DDoS attacks, and most of the companies which were attacked were big established companies in the health care area. So it was critical to pay attention to that area and start doing things. When we realized and this initiative was started, one of the problematic areas at that time was, first and foremost, many systems, many tools in our environment were either outdated, required refresh, renewal, or patching. The complexity of the environment. We had one solution for site-to-site network configuration, another solution from another vendor protecting each and every facility from Internet attacks.
Alexey:08:37
The routing between operating companies and the parent company, which was going through SD WAN. It's another one. Each facility has local internal infrastructure, and it was primarily Cisco. Local area network, wireless networks, the connectivity between different segments. It was a little bit outdated, I would say. And the complexity of the environment led to a large number of tickets.
Alexey:09:15
So we were just acting as firefighters.
Max:09:19
I think that's easy for people to not really understand or to glaze over. 40 offices with 10,000 people. Right? So easy to say probably 15,000, 20,000 endpoints. You take a computer and a mobile device or a tablet or, you know, plus printers, plus access control.
Max:09:37
I mean, there's a lot of, now you have a lot of devices attached to your network. And from a top level, you say 40 offices with redundancy just on a network and firewall and SD WAN infrastructure. Now you've got lots of devices just at the very top of the stack just connecting to network interfaces. And for people that haven't been involved in any sort of change management or process or risk management process for change management, you say, okay. You have 40 offices with 80 firewalls, I'll just make this simplistic.
Max:10:13
Right? Forty offices with 80 firewalls. Now you wanna apply a firmware update, or you wanna make a routing change, or you wanna bring a new VPN configuration into it, and you have to roll that across 80 to 100 devices. That itself becomes a planning exercise. It takes a long time to implement and to roll out.
Alexey:10:30
And on top of that, we need to add another 100 devices for SD WAN.
Max:10:37
And then you turn around and you say, okay. Great. And then not to mention your internal switching infrastructure, internal routing infrastructure, access points, and everything else that connects. Okay.
Alexey:10:48
So this is where we all started. So we started to analyze, what is the biggest challenge we need to address first?
Max:10:57
Mhmm. Now did that come from, I mean, you said and you mentioned that part of this came from enterprise segmentation from the parent company. And so there was awareness and really a push into cybersecurity and presence from the parent company that pushed into your company and then into your teams. How much of this was a result of that, I don't wanna say pressure, but that mandate, let's say, of what are we doing here and how are we actually approaching this? Or how much of that was just organizational nimbleness or change?
Max:11:35
It takes a lot to change infrastructure and to make a big movement in a company. Right? You need to have a lot of, you know, you've got equipment on different life cycles, different support contracts, different, you know, depreciation. I mean, there's a lot of moving pieces to this. So what was the, I don't wanna say, like, the tipping point, but how much of this was just an overarching actual enterprise risk and resilience and cybersecurity posture? And how much of it became how do we just manage this and scale this and keep the organization moving forward and actually achieve other business goals?
Alexey:12:20
That's right. Absolutely. So the ENS, Enterprise Network Segmentation, program was not the main factor, 100%. It was the opportunity for us to highlight what challenges we have in our environment before we come to the enterprise network segmentation, because enterprise network segmentation is big, and it's usually micro segmentation. But before you start to paint walls, build windows, put nice jalousies on your window.
Alexey:13:02
You need to make sure that you have the foundation built for your house. You need to make sure that you have a roof on top. You need to make sure that the walls are properly built and you can put windows in it. So we started from the foundation. What is our biggest challenge?
Alexey:13:22
So we assessed before we start macro segmentation or micro segmentation. Yeah. How can we get full visibility of what's going on in our internal environment? Because without visibility, you cannot start building segmentation. That was number 1.
Alexey:13:45
How can we control it? What is the biggest risk? Let's assume, with a zero trust approach, what is the biggest risk to get ransomware? With the flat network, it will spread across the entire organization in minutes. So that was the biggest one. How can we control traffic which flows through our internal network from site A to site B or from site D to our cloud data center?
Max:14:18
As you're working through this, what was the interaction like between the technical teams and the other business units? And I always find this to be interesting to talk about because, you know, typically, if an IT team goes to the finance team and says, we wanna do x, y, and z. Right? Now you have to figure out how to find a common language to talk to each other in. Why should we do this?
Max:14:51
Why are we spending the money on this? What are we replacing? What's the return on investment? What's the total cost? How do we measure this against something else we're doing?
Max:14:58
How do we allocate this? You know, how do we decide to spend money here versus spending money here? Right? And so now you have, most organizations, maybe IT is rolling up in part of the finance function. You know, it's still typical for a lot of IT departments to report up into the CFO.
Max:15:15
And it's a support function for the enterprise, plus not a stand-alone business unit, you know, versus now you have a marketing team, you have an R&D team, you have an operations team, and, you know, resources are finite. Right? Like, a company can only spend so much money based on its revenue on different things. Now risk in ransomware and being in medical devices, intellectual property, probably a lot more in manufacturing and COVID, a lot more awareness probably as an organization into what you're trying to protect and why it's important to protect those things. But you still have to go through, we want to do something, and this is why we should do this thing, and then getting buy-in from non-IT executives.
Max:16:07
What was that process like, and how involved were they? How did you get, you know, was there a buy-in process? Was this going and talking and dealing with manufacturing and R&D and what their operations were like and, you know, limitations that they were having? Did this project widen in terms of actual, you know, goals and stakeholders and what stakeholders were getting out of the project as well?
Alexey:16:33
Absolutely. It's a great question. Actually, this particular project, the SASE, was part of the 3 year strategy. So the first 2 months, we worked on the 3 year strategy. What we're going to do, why we're doing this, in what sequence, how many things we can do in parallel, what problems we're trying to tackle, address, who our customers are.
Alexey:17:04
So we worked very closely with R&D folks because the R&D, they were the ones who were on the frontline bringing innovations, bringing new products, new business, new business demands created by marketing and sales organizations. We still need to deliver the new product, but R&D was on the front line of delivering those products. Working with scientists, with lab people, addressing their challenges. So first, to understand what those big challenges are. As an example, it's nothing to do with the SASE platform.
Alexey:17:47
One of the challenges was how to get the data, the testing data, from the computer systems to laptops used by scientists for data analysis. They usually connect their laptops to Wi-Fi if they are in the office. If they are not in the office, they do it remotely through VPN. And at that time, we had only 3 VPN gateways, 1 in Asia Pacific, 1 in Europe, and 1 in North America. Can you imagine the traveler accessing the data?
Alexey:18:24
So that is just part of this problem. So the wireless network, the infrastructure, historically was built around Microsoft technologies. And one of the servers was about 14 years old, out of support. And it looked like a network issue while in reality, it was a server infrastructure issue. And there were no subject matter experts to fix it.
Alexey:18:56
So the problem was much more complex. But which one do we need to prioritize first? First, we need to build a strategy. How many different projects do we combine into one program? What is the biggest risk we need to address?
Alexey:19:12
What is the biggest challenge for the expanding manufacturing in China, manufacturing in India, manufacturing in Sweden, manufacturing in the US? R&D, they have their own challenges. Repair centers. If we cannot support customers who have our product, the customers will stop buying our product. And the repair centers, they were connecting to one database, which was hosted at AWS.
Alexey:19:41
We cannot ignore them. So we started thinking. And as I mentioned in the beginning, during the COVID, how many users do we have working remotely worldwide? Do we have enough capacity on our VPN gateways? Who can provide this data?
Alexey:20:00
Can we monitor it? Simple question for information security, requesting. We want to get the ability to analyze not only the IP address of the device connected at a particular time through the firewall or through the VPN gateway, but how we can protect the intellectual property data. And the simple question was, oh, we have the IP address, we have the device, but we want to see the name to trace the suspicious activity. Maybe this account was hacked, maybe a compromised password, and someone else is using that.
Alexey:20:45
How can we do that? And at that time, most of our internal systems, historically built, were connected to Active Directory. And Active Directory, it's LDAP connectivity. Can you imagine 100 firewalls trying to send queries just to capture the traffic? It's impossible.
Alexey:21:10
So all those challenges were connected together. So we started to build, okay. What can we address first? What is the biggest risk? What is the biggest benefit for the business we can deliver faster?
Alexey:21:26
And this is the area where we started. Okay. We cannot operate the same way where we introduce new changes, and the team who runs the show, who runs the network, is not capable of supporting it because they are not involved in the design, architecture, and development process. And that gave us an opportunity to introduce a DevOps approach. Those who design and build run it, because they are interested to automate the process, do routine tasks faster rather than doing ticket responses.
Max:22:14
I'm gonna regurgitate a few things here that you just said. So the, you know, key touch points. Right? So, of course, aging technology and support and access to support aging technology or technology being out of service. Right?
Max:22:29
So you mentioned Microsoft server based. I'm assuming that's like a network access controller for your Wi-Fi. Remote access, so region based VPN concentrators. Integration between an IDP and your remote access, not only for access to resources, but then for logging and reporting. So that way you can, you know, I mean, go figure.
Max:23:03
Right? At some point, you have to run an audit and figure out what people have accessed and why and when. And then the last one on that list was giving access to your network team to move faster and have ownership over the actual environment in the process. So now we have a good overview of a requirement list. Here, you start talking probably into mapping this to technology.
Max:23:31
What technologies, what approach, what infrastructure, how do you solve these problems?
Alexey:23:36
Before that, we started with what is the biggest benefit for the business we can deliver faster? Because we cannot do everything at once. But what is the biggest challenge and what is the highest risk? And then along with the business, we agreed what will be the first step, what they want us to address first, and what they are going to sponsor. So two things.
Alexey:24:13
Network reliability was number 1. It just should work because the network connects application systems, manufacturing, controlled access to the buildings, everything goes through the network. It's number 1. Number 2, they address the biggest risks. So we cannot address it across the entire organization immediately.
Alexey:24:40
So one day or another day, someone can bring their own device and plug it into the network and get the ransomware. But at least, we want to make sure that that incident will be isolated to that particular network segment or that particular office at maximum. So it does not spread across the entire organization. And the next one, it was remote access. Improve the productivity, efficiency, and the performance, because the performance degradation was not the right answer of just, oh, yes.
Alexey:25:25
You will get this, but it will be secured, but maybe performance will be impacted by 10, 15%. So those three things. This is where we started.
Max:25:38
So you go from really, like, resiliency. So enterprise resiliency, reliability and risk management, and then performance and the ability for people to work.
Alexey:25:49
Absolutely. That was not negotiable. And the next one was, okay, before we start building the second floor of the building, we need to make sure that the foundation is built and the first floor is done. We can at least be inside the first floor of the building. And this is where we decided that we need to reevaluate what and how we're going to do.
Alexey:26:20
At that time, we had long term contracts signed with the primary vendors. So what can we do right now, and what will the end state look like 3 years from now? How do we envision IT infrastructure? How are we going to run it in the future?
Max:26:41
That in and of itself is a challenging process to go through because figuring out what you have, what your contracts are, what your interactions are, can you add things? Can you overlay? Can you underlay? Are you talking about replacing? There's a lot of moving pieces in that decision process.
Max:27:01
It's easier to augment with an existing vendor than to replace that vendor a lot of times. Right? And, also, most of the vendors in the market are trying to figure out how to be a single source vendor for their customers and to bring additional technology and capabilities onto it. Now that becomes an interesting friction point, you know, where the innovator's dilemma kicks in. You know, you've got an existing business line.
Max:27:29
Maybe you have an existing strategy with your hardware that you don't wanna displace with a different technology. So, you know, balancing that and, you know, some vendors try to acquire and bring technology in and slap it into the picture and be able to say, yeah. We check these boxes now. But that becomes a complicated process to go through and understand and make decisions around as well. Right?
Alexey:27:55
In my previous experience, in other organizations, it was a traditional IT where if you have a particular challenge or problem you need to address, you just bring a tool and technology or a new vendor. If you have another one, you bring another tool, another technology. If you have security, you bring the firewall solution. Who is the best in the market? Best of breed, Palo Alto, layer 7 firewall.
Alexey:28:29
Oh, great. It's safe to implement it because it's the best in the market. Then you need traffic compression because of the huge traffic across your MPLS network. Who's the best? Oh, Riverbed.
Alexey:28:41
Okay. Let's do the Riverbed for the traffic compression. You need to connect 2 sites over the Internet, and the one who is the best is Viptela or Cisco. Okay. That comes at a cost.
Alexey:28:55
It's not free. Yes. It's the best technology. Maybe today. What about tomorrow?
Alexey:29:03
Do you have the right people with the right skills to run it? How much will it cost to integrate 2 systems to talk to each other to work seamlessly, or do you need to invest additional resources to maintain it? So all those questions were never addressed. And instead of doing best of breed, how can we minimize? I can give you one example.
Alexey:29:37
We had a network operation center where people had limited skills in one technology, but knew very well, for example, the SD WAN. And then SD WAN needed to pass traffic through Cisco and through the Palo Alto firewall. You need to get another group of people who are familiar with the firewall rules and how to do that properly, or site-to-site VPN connectivity. For that, you need to have another group of people who are familiar with Cisco, etcetera, etcetera. So each new technology you bring to your portfolio adds complexity, and that comes at a cost because you need to have the right people to connect it all together.
Max:30:29
I liked your earlier analogy. You're talking about, you know, in the phrase of, like, building a house. Right? You know, you have to figure out your walls and your doors and your windows and paint it, and then, you know, start working on your 2nd floor. But as you're doing that, you have to design your ground floor with the idea that you're putting a 2nd floor on it.
Max:30:47
Right? You know? If you don't have the right foundation underneath the 1st floor, you can't slap a second floor on really easily. So within this, you know, you've got a key set of deliverables now that you've identified for the business. Right?
Max:31:01
You wanna address resiliency and you wanna improve performance and, you know, remote access and end user experience. I'll just use that phrase. Right? Like, your actual internal customer's ability to do work and for the business to function. Walk me through the process of, you know, really going through the evaluation and determination of solving for those initial business requirements and looking into the future, you know, a year, 2 years, 3 years. You're talking about a 3 year project earlier, of understanding what that end state was gonna look like and how to actually phase that deployment down.
Max:31:47
At what point did you really, you know, have a clear vision of where this was going and starting to make recommendations for that foundational work that was leading towards, you know, a longer strategic plan?
Alexey:32:02
So, the vision for a company similar to Cepheid's size was maybe 2, 3 years before I joined Cepheid, when I first started looking at SASE. What is SASE all about? Initially, my first impression was, oh, there is nothing new over there. It's next generation firewall. Okay.
Alexey:32:37
We have a very good firewall, Palo Alto. So it's an SD WAN appliance. Not very impressive. There are plenty of other SD WAN vendors available on the market.
Max:32:50
The idea
Alexey:32:52
of unlimited scalability. The biggest challenge is when you design your network infrastructure or any other infrastructure, you always put in the required capacity for future growth, but it's difficult to predict exponential growth. Let's say today we started the site just with 20 people. How big is the site? It's maybe 2 network switches, a few wireless access points.
Alexey:33:33
But what if tomorrow you get 2,000?
Max:33:35
Or what if tomorrow you find out that 6,000 people are gonna start working from home?
Alexey:33:40
Exactly. So from the LAN perspective, you always have enough resources to add capacity. You just stack different switches, you add additional wireless access points, you call your ISP, please increase my bandwidth. You cannot do that with the firewalls or SD WAN appliances because you usually need to replace them. If tomorrow that will become your primary data point for connectivity, you cannot simply add enough capacity or licenses on the firewall device because you usually need to replace the device with a more powerful one.
Alexey:34:29
If you need to bring additional capabilities, it usually requires upgrading the device, upgrading the software, and in 90% of cases, replacing the device with a more powerful model. And when you get it replaced, what are you gonna do with the old one?
Max:34:49
Well, in my case, I have a whole bunch sitting on my bookshelf behind me.
Alexey:34:54
Oh, the same here. Yeah. But for a company with close to 100 firewalls, it's a waste of money, waste of resources. Wait one second. With a SASE model where it's cloud native, you have unlimited scalability.
Alexey:35:28
If you want to add another capability tomorrow, let's say, or if 5,000 people will start connecting through a particular PoP, it's not a problem. They can scale it instantly. So the idea came, if it's such a dynamic environment, and Cepheid is not an IT infrastructure company. It's not our core business. Our core business is to manufacture medical devices and the PCR tests and other types of diagnostics.
Alexey:36:11
This is where our intellectual property is. This is where our primary market is. This is where we are focused on. We're not focused on, we're not building infrastructure.
Alexey:36:23
All these components support the business.
Max:36:26
It's not just a shift to SASE in your case. Right? Because SASE is just a smash of a bunch of other acronyms into a thing. Right? You know, and if you've spent time trying to understand what SASE is, it's like, basically, take every network and security acronym you can think of and just smash them together and call the whole thing SASE.
Max:36:50
There's a lot of vendors that have SASE solutions on the market, but still push and enforce this older idea around on premise compute and resources. It still has a firewall on premise. It still has an SD WAN appliance on-site. It is still implementing portions of that SASE infrastructure that still run on-site. And so now you're SASE, but you still have the same previous issue that you're talking about getting away from, which is, is our firewall big enough that our traffic has to flow through in order to implement these features that we actually wanna receive because those things are important to us. So it's a little bit more than that because what you're talking about is not just this idea around SASE and having more capacity into it.
Max:37:42
It's changing how you're leveraging infrastructure and what infrastructure you're deploying and where that infrastructure is sitting in order to take advantage of that and to really move where the resources are that you're consuming and how you consume those resources.
Alexey:37:59
Not only that, I would say. Primarily, Cepheid was a cloud first company. So most of our systems were transitioned to cloud. We are not a data center company anymore. And the idea was cloud systems can scale exponentially at any point of time.
Alexey:38:25
So if you need more resources, done. One of the challenges, if you still keep your firewalls or SD WANs or any other systems on prem and you maintain it there by yourself, you still need to have people. You still need to have systems to manage these tools. Right? Like, automatic patching of firewalls or putting these, I don't know, new signatures.
Alexey:38:59
You need to make sure that all the SD WAN or firewall appliances are up to date. With SASE, specifically, it was one of the items we checked against when we evaluated different vendors. Because, yes, Cato was in my mind, but Netskope was another very, very solid product from the security point of view. We evaluated Zscaler because all vendors also started talking about SASE when Gartner announced this new abbreviation.
Max:39:42
Thank you, Gartner.
Alexey:39:43
Yeah. And Fortinet and Palo Alto and even Cisco Umbrella. All these vendors.
Max:39:52
That's 6 vendors just off the top of your head. I mean, how many vendors did you look at when you started this evaluation process? I mean, do you know
Alexey:40:00
So for the entire evaluation process, actually, we had 7 vendors, but we haven't had an opportunity, because we're not big enough, to evaluate each and every vendor and do the POC. So we evaluated those, and we had very specific criteria. We first identified what we want to have at the end of this journey, how the infrastructure should look, what challenges we will be able to address, which items will be left behind and maybe we'll address later. So, primarily, we focused on significant simplification: get full visibility on site to site, site to our parent company, to SaaS, to Internet traffic, including remote users connecting to Internet resources, and firewall as a service.
Alexey:41:05
That was number 1. Ability to distinguish corporate cloud services versus personal cloud services. Some people just may connect to Microsoft 365, but it's not our Microsoft 365. It's their own personal one.
Alexey:41:25
How can we protect the intellectual property data? Because Cepheid was innovating, and still is innovating. How can we protect that and prevent data loss? So, does the vendor have the required capabilities to achieve that? Also, a consistent and secure user experience using the zero trust network access approach.
Alexey:41:58
How can we reach it, and what does it mean? Because it has become a buzzword. Oh, we do ZTNA. What does it mean? And, honestly, even when you talk to different people, even with engineers, it's a well-known acronym, but each group presents it from their perspective.
Alexey:42:24
If you come to the identity engineer, oh, it's everything authenticated. If you come to user endpoint management, from their perspective, oh, it needs to have BitLocker or disk encryption and SSO enabled. When you come to network, it's a different story. How can we combine it all together, and what is the definition of ZTNA? When we complete everything, what will ZTNA look like in our environment?
Alexey:43:05
And, of course, high availability is not negotiable. So we wanna make sure that we don't need a network engineer to go back, connect to a remote console, and rebuild the site-to-site VPN because this route is not available anymore. We don't want a network engineer to go back and upgrade the firmware because there was a new vulnerability found, and he needs to make sure that he goes to each and every firewall and updates the firmware or updates the SD-WAN appliance. And last but not least, we wanted to be prepared to answer the two most important questions. Why now, and how much will it cost?
Alexey:44:02
So predictable cost for global network and security as a service was highly important. And these were our criteria for the assessment.
Max:44:20
How many people did you end up going into a POC with?
Alexey:44:23
Approximately, so we had, with the POC, let me even check. So our POC included, we connected the team in India. We connected not the full group, but a small group in India. We also had one of our primary sites establish a secondary connection in AWS Oregon, where our cloud data center is hosted. We had a secondary site in India, a repair center in Malaysia, our manufacturing facility in China, and one of our R and D offices in Sunnyvale.
Alexey:45:07
It was pretty big. The idea was to make sure that when we start rolling it out, we will not get the roadblocker that, oh, it doesn't work in this business critical area. And, usually, one of the biggest risks was China. Oh, if it works everywhere all over the world, but China... Sorry. Sunnyvale, it's a business critical site because it's our huge presence in the US, the biggest one.
Alexey:45:45
Malaysia and India, those 2: Malaysia, it's the Asia Pacific region, and the repair center is quite important. And India was growing as our long-term strategic area for growth. So we needed to make sure that it will work over there, and they have very specific regulations.
Max:46:09
Netskope and Zscaler, for example, fantastic platforms, do very interesting things, but they don't provide the access component of it. How quickly was that a primary evaluation criterion, having a single-vendor solution end to end, so access including the SSE? Or was that something that you were considering separating and splitting, having a different access component and effectively, at that point, buying an SSE interfacing with whatever the SD-WAN would have been?
Alexey:46:41
So you're absolutely right. At that time, at the time of the evaluation, Netskope, for example, provided SSE only, not the full stack of SASE. Now they do. They have full-stack SASE from a single vendor. At the same time, with Zscaler or Palo Alto, Palo Alto even had 2 SD-WAN solutions, but they were not fully integrated.
Alexey:47:13
So if you need the SD-WAN configuration, you need to go to a different console. And, as I mentioned, you remember that simplification, because the best-of-breed solutions create complexity in our internal environment. A mixed environment usually leads to increased management overhead, and management overhead leads to cost increase.
Max:47:44
So is it also right to say that, as part of this, you determined pretty early on as well that preserving existing infrastructure wasn't a key consideration, trying to maintain your firewalls or your SD-WAN that you had in place or your routers or, you know, all these different components that were there? That keeping them wasn't going to drive a purchase decision, but actually achieving the goals of the business and serving, you know, resiliency, risk, performance, costs, simplicity would actually drive that process more than, oh, we've got this box we've already invested in. Let's keep it because we wanna run it for another 3 years.
Alexey:48:23
My approach, actually, when people start talking about tools, in most of the cases, it's not a solution. You can bring plenty of great tools. Yes, they are great tools, but if they cannot communicate with each other, no way. You always need to start with people and process first, not with the technology.
Alexey:48:56
It was great to hear from the leadership team at Cepheid that they supported this approach. Let's talk about the people and processes first. Even if we have great tools, the best of the best in the world, but we don't have the right people to manage them, there is no way we can be successful. So number one was: if we have, let's say, Palo Alto engineers, high-quality experts, and the company which supports this environment has the right skilled people onboarded, yes.
Alexey:49:40
We can support it, and we can continue to grow and continue working with that. Plenty of companies work with Palo Alto in the world, and they are successful companies. So that was not a decision about going to Cato, going to Netskope, or just replacing for the sake of replacement. It was not about the tool. How can we make it simple and more efficient?
Alexey:50:12
So get the right people and build the process. Who is going to do what? If we need to continue hiring people to maintain the environment, it's probably not the right approach. So once we identified that the maintenance of the socket, it's called the Cato socket device, is the responsibility of the provider, of the vendor, I don't need to keep high-quality resources just to update the firmware and security patching of those devices, to do it securely and efficiently.
Alexey:50:54
It's the responsibility of the vendor, and they will take care of it. So my engineers could be focused on something more exciting, or focused on delivering value to business users, working with manufacturing, R and D, operations, customer care, how to bring value to those users.
Max:51:18
It's amazing how often that gets, like, just completely glossed over for companies and for teams, where the value isn't keeping the device running. That's, like, the baseline table stakes. Right? The real value comes from creating leverage for the business to move forward and excel. Right?
Max:51:38
Like, keeping the lights turned on, you know, that's not the value creation. So you build out a real, I mean, a big POC. Global presence, all the core infrastructure. Walk me through the POC, like, you know, surprises that came out, things you weren't expecting. I mean, at what point in the process did the team start having this, like, this is really interesting.
Max:52:15
You know, there's something here. Let's focus on this. Let's spend more time here. Like, what was that process like for you, and what surprised you along the way?
Alexey:52:28
So I would say when you go to POC mode, 90% of the decision has already been made, because the POC requires internal resources to start working on it, engagement with the vendor, resources from other teams to conduct the POC, especially when the POC is so global. So we need to ask our colleagues in other offices, in other sites, to bring devices, connect to the Internet, reconfigure a routing table, make sure that it works in parallel. So before you go to POC mode, you need to make sure that you are making the right decision. So the POC is to identify certain things which may help you to say no rather than to say yes. Because if you went to POC mode, you're already saying yes.
Alexey:53:40
Before that, you need to get buy-in from your leadership team. And we've got an amazing leadership team at Cepheid, including my boss, my ex-boss, our CISO, and, of course, our CIO. I remember the time when we just went to the conference room with the CIO, no PowerPoint, no projector, a whiteboard, people around the table, and we were drawing what we are going to do, why we are doing it, why we do it now, how that will address certain challenges. Just the whiteboard and the CIO in front of you.
Max:54:26
What a fun engineering meeting.
Alexey:54:29
That was our experience. We also went through different interactions with our parent company because they were specifically focused on a stable environment for all operating companies. And I completely agree that standardization makes perfect sense, especially if you get something rolled out successfully and it worked for 1 operating company, it may work for another one. And then you just copy and paste and repeat the same. So it's very good.
Alexey:55:01
It creates a resilient and stable environment across the entire organization. At the same time, it does not allow you to move forward. The technologies you implemented today will become legacy tomorrow. With Cepheid, with our specific use case, it was an opportunity for us to envision how the future may look from the infrastructure perspective, how we can improve user experience. And that was the primary focus, because improving user experience, improving productivity, increasing security, that was what we were focused on.
Alexey:55:42
And during the POC, I can't say that we were close to saying no. No. But the POC helped to identify some areas for improvement. For example, the device certificate validation was limited to trusted certificate authorities only, and CRL or OCSP was not available. So if you revoke the certificate, it is still accepted, which was some sort of, we cannot go with that, because we wanna make sure that with a zero trust approach, zero trust network access, we are able to revoke a certificate and limit access to our resources.
Alexey:56:37
And it was a pleasure working with the Cato R and D team. They took it immediately to their R and D folks and included it in a road map to address it. Also, for example, the BGP workflow, the dynamic routing, was limited to 6. Then they increased the DNS forwarders to 8, and access to data flow was limited, but they included it in their road map, and they provided a commitment to deliver these capabilities. That was great, honestly.
Alexey:57:20
And, again, from the business perspective, the support from the CISO, support from the CIO, and support from the leadership of the IT infrastructure and operations team was amazing. Because once we convinced them, this is the future, and this is how the future may look, these are all the capabilities which will be available to us, and this is how we are going to address the risks of lateral movement, segmentation, limiting any ransomware or any other malware spreading across the entire network, they were the ones attending meetings with our parent company and doing all the right security wording around our infrastructure design, putting all the proper conversations in place with their peers at Danaher, and Danaher finally gave us a yes. Okay. Did I answer your... what was the initial question?
Alexey:58:30
We went into the story.
Max:58:32
No. I love hearing these things from a nontechnical perspective. Right? Because we could talk about, I mean, we haven't gotten into, like, the widget talk here, which I'm actually happy that we haven't really gotten into, because it's good to hear about these things and to have this conversation focused on the business and what the business actually needs. Because if you lose sight of that, everything fails.
Max:58:58
You know, like, the best, most well-meaning people I've encountered in IT that can't communicate and have a conversation with the business can never get anything accomplished for the business, because they can't speak to the business and what the business actually needs. So it's really nice having and being focused on that and really talking about that.
Alexey:59:17
I can give you even more examples. It was my first few months at Cepheid, and I had my first few meetings with my peers, with my internal customers. And I took notes during my conversations with business stakeholders, and one of the notes was: we always have a challenge. When we connect to a Microsoft Teams meeting and I need to present some documents, which are stored in our Atlassian stack, which is on prem, I need to connect to VPN.
Alexey:59:55
And when I connect to VPN, that impacts the quality of the audio and video services, so I need to switch back. And, also, some R and D folks reported that they quite often work from home. But if they run certain tests, it takes time, and they run the test. They go to take coffee or take care of kids at home. They come back.
Alexey:01:00:20
They see, oh, timeout. You are disconnected from VPN. You need to connect back again to VPN. You need MFA. And they said, oh, every 15 minutes, I need to re-enter my username, complex password, my MFA, 8, 10 times a day.
Alexey:01:00:39
It's so inefficient. How can we improve it? And with the SASE solution, it was one of the things. You need to be focused on what you are doing. We will take care of the rest.
Alexey:01:00:56
Focus on how you do your tests, and we will securely connect you. Focus on what you want to present during a meeting, not on how you are connected to this meeting. We'll take care of the most efficient way for you to present certain things in your Teams, because all the resources will be available to you at your fingertips.
Max:01:01:22
You sit down with, in your case, a scientist doing research, and they're talking about a problem that they're having when they're running an experiment, that they can't complete the experiment because the system times out and kicks them out, and then they have to start over again. Right? So you have a
Alexey:01:01:41
Not really. They run it on the remote machine, but they periodically need to check whether the testing is completed. Some tests take 14 hours. Some tests take 2 hours. They don't know how long it will take.
Alexey:01:02:01
So how many times do they need to connect to VPN just to check the status? It's one thing. Of course, we can build the automation, the automatic notification. But if it's not reliable, then they still need to connect to VPN, to connect to a remote machine, to see the results, whether they can grab the data and transfer it.
Max:01:02:25
So in that scenario, right, that's an example of a really bad user experience. Like, that person, that team, they're having a really horrible user experience. Taking that information and then going and saying, okay, we wanna solve this user experience by spending money. Right?
Max:01:02:43
Like, ultimately, we wanna change something. We wanna do something differently. That always presents, and I've noticed that this is where, what do we say, the layer 8 issues start coming up, which is how do you take an expression of a user experience, not necessarily raw data or, oh, we know latency is at this number, or we're having timeouts, you know, TCP resets, or we're trying to shove this much bandwidth across the network, and we can't because we don't have the capacity. Like, those things are really easy to quantify and put onto a spreadsheet and say, okay.
Max:01:03:20
You know, here's our chart. But when you get into, like, user experience and what the user is, you know, having, oh, I have to re-log in. I have to put my MFA in 15 times. I have to, you know, reconnect. I have to do this.
Max:01:03:33
I have to sign into VPN and download the thing and then sign out of VPN in order for Teams to work properly. Right? Like, these become real big problems because the users don't like their experiences. It's terrible, which then leads to other issues of morale and, you know, hiring and retention and productivity. But how do you translate that?
Max:01:03:55
How do you go and say, okay, we've got these experiences, and we know we have a problem here, and then regurgitate that back to the business in a way that says, we know we have these problems that we want to solve, which are affecting our business in these ways, and this is what we can get by solving these problems. Let's go spend some money effectively. Right?
Max:01:04:17
Like, let's devote our resources. Let's take time. Let's put this on our plan. Let's allocate budget. Let's commit, you know, a lot of other, you know, we have to go through testing.
Max:01:04:27
There's a lot of process that goes into this, so it's a big commitment. How do you go from the beginning of that, that note that you take talking to somebody, all the way through that process to buy-in across the organization to say, yeah, let's go solve this problem.
Alexey:01:04:45
So, I probably was lucky. Usually, not usually, but quite often, what happens, you may have ideas in your mind how to address this problem, but you first need to get buy-in from your own team. And, honestly, my own team were just the champions. They were the ones who were so excited, and they were so energized, you know, I saw the fire in their eyes. Like, they wanted to get their hands on these new tools, new capabilities, to make it happen. That was amazing.
Alexey:01:05:40
So, honestly, I expected that, oh, I need to sell it to my team first. But in some cases, my team were the ones I had to slow down a little bit, because let's do this, let's do that, let's implement it. So hold on. Let's build the foundation first. Let's make it.
Alexey:01:06:04
So with the team, it was amazing. The team was so energized, so excited to move forward with new modern technologies. Even the engineers with 20 years of experience. One of the engineers in my team, a brilliant person, brilliant guy, and a great engineer, he was the go-to person. It's David Brown, from the East Coast.
Alexey:01:06:32
And I had a 1 on 1 with him and shared with him this vision of how we can make it happen, how we can bring the SASE technology. And 2 weeks later, at our next one on one, he just said, Alexey, let's do that. I want it. And, honestly, a big part of my team were not full-time employees. They were contractors.
Alexey:01:07:01
And Shekhar is my senior IT manager in my team. He shared with me a story. When he had a 1 on 1 with one of his team members, a contractor, that contractor shared the story where he got an offer from another company, to join another team and provide support to another organization, not to Cepheid. Even though the compensation was higher there, he decided to stay with us because at Cepheid, we are doing modern tools, innovative technologies. And he decided to stay with the company where he can learn all these great things, and he can leverage in the future the experience he gets here.
Alexey:01:07:59
That was amazing. And because we were focused on bringing not just tools and technologies, but bringing innovations and driving efficiency through innovations, driving user experience improvement through innovations. So, as I said, bring the team to the same page. That was number one. That applied not only to network.
Alexey:01:08:34
I can give you one example. In order to get the consistent experience, we need to make sure that all the user endpoints are configured properly, patched to the same level. Otherwise, if you have 5,000 laptops and each laptop is a different patch version, it's impossible to troubleshoot, because each time it will be a different experience, a different error, different, it's impossible. And during COVID, you know, when people started working remotely in one day, no office anymore, no network anymore, no consistent patching anymore. So bringing the SDP client with Cato was just like, oops.
Alexey:01:09:30
Your client is always on. It is always connected, and it will get all the patches at the time when you push them. So we not only addressed one problem, improving the network, we also helped to improve other areas by adopting modern technologies and implementing SASE. The next level was to convince the leadership team. So, for example, information security, they came with their problems, their program, their road map, addressing the security risks, intellectual property theft.
Alexey:01:10:16
So we presented our solution to them and, in partnership with Infosec, we started working towards the CIO and CEO and Danaher, the parent company, on how we can bring all these pieces together, because that was not about the network, firewall, SD-WANs only. Many different pieces, different components as part of the bigger program all came together. And SASE was just one of the components.
Max:01:10:50
I'm gonna maybe preempt or lead you a little bit in this question because I'm curious about something. Your 3 priorities: reliability, risk, remote access. Cato has, for the most part, a relatively simple deployment. You know? You have a socket.
Max:01:11:12
You have a hardware device. You have the SDP client that gets installed on the endpoints. You have a virtual version of the socket that goes into a cloud environment. Right? So you have a physical or virtual socket, and you have an agent that gets installed.
Max:01:11:25
Now there's more to it. Right? You've got configuration, and, are you doing private connections and gateways? And there's more things to be configured here. But for the most part, the actual deployment of Cato is the deployment of the physical sockets, the virtual socket if you need it, and the SDP on the device.
Max:01:11:47
And then you have features that you enable. Right? You know, do you want this feature, this feature, this? But those features then don't require different things to be deployed on the devices or the network. Right?
Max:01:11:58
When you do it the first time, it's pretty amazing. The way you smile is exactly the reaction. So going back to, like, okay, we wanna roll out this foundation and then implement these features, then layer them on. What was the approach for deployment? I mean, you go through POC.
Max:01:12:18
You identify issues. You know? Can you address these things? Sounds like the answer was absolutely, we'll take care of this for you. And you move from that to, like, okay.
Max:01:12:33
Now let's start talking about deployment planning. Right? I mean, you still have to go through, I mean, there's other pieces. Right? Contract negotiation, legal, procurement, you know, there's some organizational stuff here, but let's just skip that fun stuff and just talk about deployment.
Max:01:12:45
When you go into deployment planning, how did you decide to stage the deployment and then turn these different things on? Like, what became the, let's get this part out first, and then, or, you know, in some cases, I see people just say, hey, let's just do everything at the same time. You know, we can talk about those philosophies later.
Alexey:01:13:16
Yeah. We didn't have the luxury to just turn the lights off for the existing systems, then switch to the new tool, then play with the configuration. No. We needed to keep our business running. That was a must-have.
Alexey:01:13:39
So, most importantly, we aligned our schedule with the maintenance contracts for the existing tools and technologies we had in place. That was number 1. We wanna make sure that under any circumstances, business cannot be interrupted. That was number 1. Number 2, with the VPN, it's most visible for customers.
Alexey:01:14:10
But there was a desire: let's do it immediately, because it's some sort of low-hanging fruit. Take it, and we can report the success. But there was a risk of creating a very bad user experience before you get all your sites properly connected to the environment and all the routing between those sites properly configured, to make sure that the global service desk, network team, identity team are not then overwhelmed with the number of tickets from angry customers.
Alexey:01:14:53
We cannot do this. We cannot do that. This system is broken. So we started laying out what is the must-have to keep the business running. That was the first one.
Alexey:01:15:05
And how to align it to the end of the maintenance contracts with existing tools and technologies. And we had 2 tools, the SD-WAN and the firewall. And, also, before we introduce any new capabilities like TLS inspection or CASB, we need to make sure that we implement the existing capabilities.
Max:01:15:24
So what I'm hearing you say is start with physical deployment of sockets to replace SD-WAN and firewall.
Alexey:01:15:30
Based on the maintenance contracts with existing vendors. So prioritizing, for example, our site in Kenya was the last one. It was not even in the initial schedule, because it was out of the initial scope. But the most important ones were the business critical sites where we had a maintenance contract ending in the next four to 6 months. So we aligned our rollout schedule of Cato with this.
Alexey:01:16:04
That was number one.
Max:01:16:05
How long, I mean, so sites, data center, cloud. Right? Not data center. Cloud environment. You get to the point where you've got enough of the sites, where all your critical applications are now behind, or, you know, you have Cato infrastructure in place for those things.
Max:01:16:24
And does that become the trigger for rolling out the SDP now to users to start displacing the VPN?
Alexey:01:16:29
So we started the POC for SDP VPN with a small group in the IT organization long before we started rolling out SDP for our business users. We focused on completing all sites and cloud migration to Cato before the end of our last maintenance contract with the existing vendor. And our deadline was 12 months.
Max:01:17:00
From the start of first deployment?
Alexey:01:17:03
No. From signing the contract. We signed the contract in 2023, end of April. And in 12 months, we completed all the sites.
Max:01:17:20
It's a lot of work.
Alexey:01:17:22
It's a lot of work. With Cato, as you mentioned, it was much easier. It's not like implementing standalone firewalls, copying firewall rules, or reconfiguring SD-WAN appliances.
Max:01:17:38
It's a little boring in some cases. Right? I mean, there's a lot of physical work and coordination, and that, like, take the one thing out, put the other thing in, make sure it still talks to the old, you know, that requires a lot of coordination, and there's the orchestration and the dance that you have to do with it. But then, you know, I think back to doing network engineering, you know, 20 years ago, where it was like remote site frame relay configuration, and you had to reboot something. And then you're just sitting there and you're, like, waiting.
Max:01:18:09
You're like, is it gonna come back on? Does it turn back on? Does it not turn back on? Did I make a mistake?
Alexey:01:18:14
Connecting to serial port console.
Max:01:18:17
So then it comes back online. You could ping it, and you're like, oh, yes. I did this one right. You know? You have that moment.
Alexey:01:18:23
Yeah. I got it. And that was a fantastic job done by the network team. They were doing an amazing job. And the team was excited.
Alexey:01:18:34
So we were doing 2-week sprint planning. So for each and every sprint, we scheduled what sites we include in this sprint, what sites we include in the preparation for the migration in the next sprint, etcetera. So 52 weeks, 26 sprints a year. And over those 26 sprints, we migrated the entire company to the new Cato Cloud environment.
Max:01:19:08
As the sockets are coming online and you're now getting traffic routing through them, you're starting to see more data coming out of your locations. That's also gotta be a huge win for the organization as well. I mean, infosec plus network team plus, I mean, because there's a lot of data collected, even without having the SDP on the device, that you start having visibility and insight into.
Alexey:01:19:30
I can probably share from a little bit different perspective. Yeah. The data collection is very important. We also had the exercise of integrating the Cato environment and the data collected by Cato into our Splunk, the centralized logging platform. The most exciting piece was how it happened within the organization.
Alexey:01:19:55
When you have compliance, you have audit, and the security team or compliance team needs to get some reports or provide some evidence. What usually happens, they send a request to the service desk, and the service desk sends it to network engineers. Network engineers get it from their internal tools. They extract the data. They take screenshots.
Alexey:01:20:18
They extract the logs, pull them into Excel files, send it back, and then in case of any questions, folks come back, Infosec or compliance or auditors, they come back. In our case, with Cato, it was different. Infosec and network DevOps work through the same console. They had different levels of access, but they had the same level of visibility. So the network team is unable to report, oh, we have 99.99 percent uptime.
Alexey:01:20:59
Anyone can go there and see. No. It is not. It's 99.98, because you get the same data. If you have 20,000 applications registered in your application catalog, which are passing through our internal network, you cannot say we have only 1,000, because infosec can see the same data.
Alexey:01:21:23
So that was the beauty of the solution, that we created a collaboration between the teams. And the infosec team started talking to network engineers, asking questions: how do I see this, how can I translate to that, or my business objective is to restrict this particular thing, how can we do that? So that collaboration actually created tighter relationships between the 2 teams. And also, we had an opportunity to work with other folks, even within the IT organization, when, you know, if you attended Cisco Live in the past, in the last few sessions there were the t-shirts, very famous.
Alexey:01:22:21
Okay. Go ahead. Let's start blaming the network.
Max:01:22:23
I had a sign in my office for years. Don't blame me. It's a network problem.
Alexey:01:22:27
Yeah. Yeah. Yes. Yeah. And Cato provided us great, you remember how we started the conversation?
Alexey:01:22:38
Limited visibility. With Cato, we've got full visibility. Everything, what is going on. So if we had any traffic congestion, latency increase, Cato provided everything. We were able to see, oh, one Internet socket went down, oh, an Internet service provider went down.
Alexey:01:23:02
Yeah. But the service was not interrupted. The traffic was flowing through the network. Or we had a few cases where one port became unavailable, and we saw that the socket was automatically connected to a different port. Yes.
Alexey:01:23:16
There was a 10% latency increase, but it does not directly impact the performance of the application. The performance of the application was impacted by 200%. So that created the environment where the application team can work collaboratively with the network team, with the EUC team, with the IAM teams to see, okay, what is going on? Because it was easy to point a finger, it's a network issue, where the conversation usually stopped. Oh, network needs to convince us.
Alexey:01:23:48
It is not. With the full visibility, it helped to troubleshoot even the applications, troubleshoot the security, troubleshoot the connectivity in different sites, and even convince the business stakeholders. I can give you one example. In Sunnyvale, one of the offices, we had roughly speaking 20, 30 people coming to the office during COVID. And there was always some sort of perception that the network is not good enough or there are some performance issues.
Alexey:01:24:28
And it was usually just with a question. Yeah. We don't have enough bandwidth. We need to increase the bandwidth. Come on, guys.
Alexey:01:24:38
There are only 20 people on average in the office. Yes. But we have more than 1,000 devices because it's R&D. Can you imagine when they run tests on hundreds of devices simultaneously, it generates a huge amount of traffic? And Cato provided that visibility to show, yes, during the day, at nighttime, approximately most of the devices are turned off.
Alexey:01:25:11
But when those 20, 30 people come into the office, they turn on all those devices, and we have more than 1,000 devices. And we saw that through the CMA console, the number of hosts. That was amazing because that helped us to create a case for a bandwidth increase for that particular office, for the performance improvement and to get the quality of the service better for our internal customers.
Max:01:25:41
This is a conversation I have a lot. It's not surprising to me, but I wanna get your feedback on this. Companies, as they're pushing into and looking at SASE and making the jump to say, we wanna put an SDP on our devices. And they understand and they want to implement, you know, the SSE functionality. Right?
Max:01:26:03
You know, they want a secure web gateway. Maybe they want RDP or sorry, RBI. Maybe they want, you know, CASB, but they're gonna want DLP. And it becomes very device-centric. Right?
Max:01:26:12
There's the rest, like the ZTNA solution around policies and entitlements, that we haven't even glazed over. But that becomes just, like, a device-centric approach. We're gonna have this running on all the devices. We're already gonna roll this out. We wanna have a, you know, why should we put in this case, we'll use Cato terminology.
Max:01:26:31
Why should we have the Cato socket? We don't need the socket because we've already got it running on the device, and we're just gonna turn the office into a Starbucks. You know? It's just gonna be a place where people can come and sit down and have a fast Internet connection, and it just doesn't matter. Like, what's the value in us having the socket here?
Max:01:26:48
Because we've already got the SDP on all the devices. And in your case, you know, you're very inverted to this because it was, let's deploy the sockets first and roll the sockets out and then deploy the SDP. And the value that you got out of the socket was monumental. I mean, you talked briefly about the application catalog. And we even talked about application catalogs and, you know, shadow IT and actually seeing what applications are really being used inside of an organization.
Max:01:27:19
It's pretty incredible just how many applications the average user touches in a given day. But what would you say to somebody that's looking at that now and thinking about, do we just deploy the SDP client? Just make a device-centric strategy? Do we need the socket? Do we need the access component at all here?
Max:01:27:39
Is it worth it? Is it not worth it? Like, what would you say to them?
Alexey:01:27:46
So if we look at that holistically, what are we trying to protect? We're not trying to protect a device. We're trying to protect data resources, which sit either on the device or in our internal network. If I have an office, just open space, nothing special, a few conference room devices connected, I don't know, to Zoom, Google Meet, or Microsoft Teams, cloud. Do I really need a Cato socket for that device?
Alexey:01:28:41
The answer is no. But if I have a manufacturing facility with temperature sensors, with manufacturing devices, how do I protect that environment? I cannot install an SDP client on a manufacturing device, on an IoT device, an OT network. What about the customer care center, repair center? So we built a framework for how to identify what we're trying to protect and whether we need or don't need to have a socket for each particular site, or devices with SDP clients.
Alexey:01:29:39
So this is how we distinguish it. So if we have data or resources which need to be protected in that particular site, we need to have a socket. Otherwise, we treat it as just, you mentioned Starbucks. Yeah. It's open Wi-Fi.
Alexey:01:29:58
Give me Internet access, and I can work from anywhere. I can give you one example. We were working very closely, and actually it was a privilege to work with many stakeholders across the organization, learning from them, and we appreciated that they were very, very vocal about the issues and the problems they had, not only specific to Cato. It was even about the Wi-Fi coverage in manufacturing. And one day, I met one of the leaders in the office, whom we had the pleasure of working with, and she was very vocal about the network issues experienced by her team.
Alexey:01:30:49
And she said, oh, you are here. You're visiting the office. As usual, you're speaking with people. I'm really glad to see you here. Okay.
Alexey:01:31:00
How are things going? Alexey, no network issues since last year. I haven't heard about anything. I said, okay. Very good.
Alexey:01:31:08
Thank you very much. And then I asked her, what do you think about Cato? And she didn't expect that it was done by our team. She said, is it the network team who was doing that? I said, yeah.
Alexey:01:31:26
It was part of our 3-year strategy, and we're at the end of year 3, so we implemented this SDP client. And she just literally said, what? I love it. It just works everywhere, whether I am in an airport, I am at home, I am in another office, I'm visiting another facility. I love it. So that was the most important thing, just to hear the feedback from the users.
Alexey:01:32:01
And honestly, I can share with you, internally we had a review and we sent a survey. 85% of users responded either positive or extremely positive. 85%. The feedback. Some people haven't even realized that there is a performance improvement because their traffic is not going back either to the US or to another gateway.
Alexey:01:32:37
They are connected to the nearest endpoint all the time wherever they travel, inside the US or outside of the North American time zone. So it was just, like, mind blowing. And that was the most important feedback for us. Whatever we increase the latency here, there, we increase the bandwidth, it's irrelevant if people still have issues. When internal customers are telling us we love it, that was the highest, highest score for me for the work done by the team.
Max:01:33:13
What a great response. And it's so unusual to get that when you start talking about, like, network infrastructure. I would say in a lot of cases, probably the best scenario for most people when it comes to network is just people don't even realize it exists. Right? Like, the average person inside of a company is just unaware that the infrastructure is there, because if you're thinking about it, it's usually because there's a problem, not because it's great.
Max:01:33:41
So it almost becomes like invisibility is the actual goal: you don't think about it because it just works all the time. But to have the flip of it, of, like, this is fantastic, and it works for me, and it's great. And I can be in the airport, and it works. I mean, what a fantastic result.
Alexey:01:33:56
And on top of that, it not only connects you transparently. We need to keep in mind, it secures your connectivity. You can safely connect to open public Wi-Fi, and it will automatically secure the traffic because it will reroute the traffic through the Cato PoP and analyze all the threats immediately.
Max:01:34:23
Did you have any problems replacing the existing VPN solution with the SDP when you were rolling it out?
Alexey:01:34:29
Oh, yes. We had a few use cases. I can give you a few examples. For example, we had a few cases in China when people built their own testing environment, their configuration, by connecting through Google services. And to overcome the Google services unavailability in China, they just managed it through the VPN back to the US. With Cato, it connects to the Shanghai or Beijing PoP.
Alexey:01:35:01
Therefore, Google services are still not available because they are blocked on the territory of China. So there was a need to overcome that. Another example is when you had internal teams which may require access to certain sites blocked by our policy rules. And we need to allow them because part of their job is to evaluate, investigate, or get access to those sites and those resources to conduct their part of the work. So that was an easy fix, addressed by creating special rules. Or, like, the OpenAI platform.
Alexey:01:35:47
We wanted to make sure that the intellectual property is not leaked, as it happened in the case with Samsung. You saw that in the news. So we blocked that on the data, and that helped to achieve, even if you are at home, you still cannot go and open OpenAI and start leaking, accidentally leaking, any data by leveraging OpenAI. So the team implemented access to OpenAI through the Microsoft agreement to a secure and private version of the OpenAI platform. But with Cato, it allows you to protect whether people are at home or in the office or when they are on the road somewhere, connected in the airport.
Alexey:01:36:38
That was the beauty of the solution from Cato in comparison with our legacy platform we used with just VPN. Most people connecting to Office tools don't require VPN. You can connect to a Microsoft SharePoint site, Microsoft Outlook, Teams without VPN.
Max:01:36:57
It's a very big technology transformation to go through this in terms of capabilities and other interactions inside of the organization. Right? So you talk about, like, infosec now having access to the same information, different access levels, different permissions, what they can do, but getting the raw data at the same time and having access and visibility to that. The other side where we see huge wins is identity and HR. And the HRIS platform is now being able to do provisioning and provision users and permissions and access without necessarily involving IT.
Max:01:37:36
Have you gotten into that? Are you seeing that push?
Alexey:01:37:42
Yes. From a little bit different angle. Those are, from my perspective, a little bit different pieces, components. The HR system is the primary source of truth for all HR-related data. Identity is connected to HR. Network access is connected to identity and to endpoints.
Alexey:01:38:08
So it's not just one step, it's a 3-step process. In our specific case, you're absolutely right. So from the network perspective, you can guess how many accounts were provisioned to the Cato cloud platform by the network team? 0. It's all automated through SCIM automation: HR provisioning to identity, to the IdP.
Alexey:01:38:49
The IdP is leveraging SCIM-based provisioning to Cato and integration with the custom attributes, and many custom attributes on the endpoint management platform, which automatically issues the certificates to the devices. And the certificate issued for the device allows the device to be connected, and then user authentication with MFA allows access to the Cato network platform.
Max:01:39:15
I feel like we could probably just talk for another 2 hours just about this, but if you haven't had exposure to this, the amount of process and, like, tickets going back and forth for onboarding and separation of people coming in and out of an organization, and what that has to actually mean to be able to make the statement you just did, which is that the network team isn't actually configuring users on these platforms, and it's all flowing down from the HR source of truth, is incredible. Right? Like, you know, your HR team 5 years ago, I'm sure, loved dealing with the IT processes in order to bring people into an organization. And there's, you know, I mean, there's a certain amount of churn. A 10,000 person company has a certain amount of people leaving and coming every month.
Max:01:40:05
It's just a natural, you know, state of how things work. And to take that and go into a completely automated platform that then HR controls and has ultimate, you know, I don't wanna say, like, authority over identity, but effectively. Right? I guess that's the right terminology to use, where that is seamlessly integrated. I mean, that's another pretty big win for the organization.
Max:01:40:33
Right?
Alexey:01:40:34
There are certain things between, there are certain components between the HR system and our identity system at Cepheid, because there are certain other subsystems and tools managed by our parent company, which is not part of this conversation. But from the identity perspective, identity management, once the account is identified and there is a device assigned to the user, those two pieces automatically come together and are automatically provisioned with account creation, with their role profile creation. All this stuff is done. So the network team created 0 accounts for end users on the Cato platform manually. 0.
Alexey:01:41:22
So we have not touched that. And that was one of the goals at the beginning of our conversation. Decrease the complexity, which leads to decreased management overhead through agile and automation, infrastructure as code, configuration as code, policy as code. The next step is how to get that through Bitbucket, Git, or infrastructure as code, just pushing it through the graph API to Cato and getting the data response to the workflow, which is integrated with the ticketing system and the company IT change management process. But that will be the next step in this journey.
Max:01:42:18
And in the meantime, deliver reliability, risk mitigation, and performance improvements, and a better end user experience where people actually tell you that they like the platform you deployed because it works well for them, and they can do their jobs, and they don't have to think about it. I mean, it's a great story.
Alexey:01:42:46
I don't believe I can, that will be the secret. So, well, a few times we even tried to test it. You know, when you are boarding an airplane and you try to connect to the Internet, you can buy it for $10 on Delta or Southwest Airlines. Or sometimes if you are a T-Mobile customer, you can get free of charge Internet access on board. And usually the first disclaimer you get is that audio, video, YouTube, audio video conferencing are not supported, VPNs are restricted or not supported and will not work.
Alexey:01:43:28
And we tried Cato, and it worked. Not everywhere, not always, but a few cases when I was just connected, I took a screenshot in the middle of my flight. I'm connected to Cato. My status is green. And one of my colleagues, he even attended a meeting.
Alexey:01:43:50
Yes. No video, limited audio, but he was able to chat when he was flying over the Atlantic Ocean from the US to Sweden. You know, this is one of
Max:01:44:00
those things that's like, it's cool, but I don't know if it's good. You know? Like, it used to be you got on an airplane and you couldn't do anything. You were just kinda stuck there for a few hours, and you just had to read a book. You could work on your laptop, but you couldn't actually connect anything.
Max:01:44:14
And now with so many of these airliners converting over to Starlink, I mean, I don't know if you've been on any Starlink flights yet, but it's a completely different world because, you say, like, limited video. I mean, I was on a plane, and there was a guy on a video meeting. Like, he was sitting there with his headphones on, having a conversation with full video on his thing. And he's very obviously on an airplane. You know?
Max:01:44:38
And it's just like, you know, I have that moment. Like, it's cool. And as a person in tech, like, I appreciate how cool this is. But do we really want this? I don't know.
Max:01:44:49
You know, is it a good thing or not?
Alexey:01:44:51
But if you go back to 2006, before the smartphone was introduced, did we want to have the ability to communicate with our friends and family members over Teams, Zoom, or live FaceTime video?
Max:01:45:12
That's true. It's a really good point.
Alexey:01:45:15
It's not new. It's a combination of different tools and technologies in the way it revolutionized the way we work and the way we look at the technologies. The same with the iPhone. There was a browser at that time. There was Messenger at that time.
Alexey:01:45:36
There was a BlackBerry connecting us to email. The iPhone just brought it all together and changed the way we think about new technologies. And I believe SASE is one of those things which is revolutionizing the way we communicate, collaborate, build infrastructure, and deliver real business value to companies.
Max:01:46:01
Alexey, I really appreciate it. Thank you for sharing your story with me. You know, I really enjoyed it. It's great to talk through this and to hear it from, you know, start to finish, from somebody who's done this recently and at the scale that you guys pulled off.
Max:01:46:17
And it's really impressive to hear end user results and how positive this change can be for a company.
Alexey:01:46:28
Yeah. Thank you for inviting me. It was my pleasure to share this experience. And most importantly, for end users, some users haven't even noticed, like, with the Cato SDP. We reduced the number of agents installed on each and every laptop for end users, which definitely decreased the complexity and increased the performance for end users.
Max:01:46:55
I love it. Well, thank you again. Thank you.