
Day Two Cloud 094: Essential Concepts Of Zero Trust

Today’s Day Two Cloud episode aims to pick apart the marketing fluff around Zero Trust (there’s a lot of it) to uncover a workable definition, discuss the rationale for this approach, and develop a framework for how to think about zero trust.

The essential idea of zero trust is to treat an entity (a device, a user, an application) as a potential risk and then take steps to reduce that risk. These steps could include limiting access, enforcing segmentation, intercepting and scanning traffic for threats, and applying and enforcing policies based on context such as user role, device type, and location.

As you might guess, there are lots of ways to mix, match, and implement these controls.

We discuss:

  • The concept of Zero Trust and Zero Trust Network Access (ZTNA)
  • How it relates to, and differs from, other security approaches
  • A zero trust framework including identity management, policy, and enforcement
  • Different vendor approaches to zero trust
  • More

Sponsor: CBT Nuggets

CBT Nuggets is IT training for IT professionals and anyone looking to build IT skills. If you want to make fully operational your networking, security, cloud, automation, or DevOps battle station, visit cbtnuggets.com/cloud.

Tech Bytes: Gluware

Stay tuned for a sponsored Tech Bytes conversation with Gluware. Gluware is a network automation platform to automate and orchestrate multi-vendor network devices on premises and in the cloud. We explore the latest features and capabilities in the Gluware platform, including an API-based controller to work with SD-WAN, and integration with Terraform to support infrastructure automation in the public cloud. Our guests are Michael Haugh, VP, Product Marketing; and Olivier Huynh Van, CSO, Co-Founder.

Show Transcript:

[00:00:00.940] – Ethan
[AD] Sponsor CBT Nuggets is IT training for IT professionals and anyone looking to build IT skills. If you want to make fully operational your networking, cloud, security, automation, or DevOps battle station, visit CBT nuggets, dotcom slash cloud. That’s CBT nuggets, dotcom slash cloud. [/AD]

[00:00:24.840] – Ned
Welcome to Day Two Cloud and, you know, on Day Two Cloud, one of the things that we try to focus on is cutting through the marketing fluff and getting down to the core of what something is, because marketing likes to abuse terms and we like terms to, I don’t know, mean something. So today’s conversation is going to be me and Ethan trying to pick apart what zero trust networking is. You’ve probably heard the term zero trust. It’s been splashy on all kinds of websites and marketing fluff, but it needs to mean something.

[00:00:53.190] So we’re going to try to figure out what that thing is. And then after that, stay tuned for a sponsored Tech Bytes conversation with Gluware about automating your cloud networking. So, Ethan, zero trust. I’m going to start with the big question. Are you ready?

[00:01:08.110] – Ethan
I’m ready.

[00:01:09.120] – Ned
All right. What is it?

[00:01:13.300] – Ethan
That is the biggest question of all, Ned. What is zero trust? So zero trust, ZTNA, Zero Trust Network Access. Well, OK, it’s been a term that’s come up a lot recently. And to me it’s an evolution of micro segmentation. Do you remember what micro segmentation is? Have you run into that?

[00:01:31.260] – Ned
Yeah, definitely ran into that when I was still working with VMware a bit, because that was a big thing with NSX, the ability to segment your network down to smaller micro segments, if you will. And that was done through a distributed firewall mechanism. And then you have the same functionality in the cloud. You know, if you’re in a VPC, you have security groups; if you’re in a VNet, you’ve got NSGs. So there are just these ways of cordoning off portions of the network and deciding who can talk to whom on a more granular basis than just a big honkin’ firewall that everything has to fly through.

[00:02:02.910] – Ethan
And that whole concept came from the idea that we no longer have an edge where we’re going to have guardian firewalls, and if you make it through the firewall rules, then we trust you now and it’s okay and everybody can just run around inside the data center and do whatever they want. No, no, no, that’s no good any more. Micro segmentation. So these hosts in the data center, this east-west traffic, as hosts are chatting with one another.

[00:02:26.130] We’re going to have, as you gave the NSX example, on a host-by-host basis or maybe a hypervisor-switch-by-hypervisor-switch basis, some sort of filter that’s going to limit who can talk to whom within the data center, about what. Zero trust network access, I think, is even more than that.

[00:02:46.410] It’s really an evolution of this idea of micro segmentation. So if we say we don’t trust hosts, right, like micro segmentation, we don’t. I don’t care who you are. I don’t care if you’re in the data center in the rack right next to me. I don’t trust you. If we take that and then we go even further, I don’t trust the various network-level conversations that are on a host. So now I’m at a host level now.

[00:03:11.310] I’ve got even more granular, down to the network level. We’re still kind of in micro segmentation here. Well, micro segmentation is letting different conversations happen on different ports, like, oh, we’re going to talk SQL. Oh, we’re going to talk web, whatever we’re going to talk about. What if we ratcheted that down and said, I don’t even trust that if you’re on a trusted port, that you’re saying things that I’m going to completely trust all the time?

[00:03:36.120] So even when we’re on a port that we agree is something that we should be talking on, I don’t agree. I don’t necessarily trust that everything you’re saying to me on that port is trustworthy. So you’re getting, I mean, as granular as you can imagine at this point.

[00:03:55.320] – Ned
Right? Right. So it would be the equivalent of having a web application firewall between each application or host in my network that does that maybe layer seven inspection of things. Not only am I going to check that it’s OK for you to talk to me on port 443, but I’m also going to look at what you’re actually sending, the commands, the HTTP requests you’re sending. Are you allowed to send a request on this path? Are you allowed to ask for that information? I got to imagine that’s got to be part of it at least.

[00:04:24.960] – Ethan
Yeah, that is part of it, as I’ve been reviewing different zero trust solutions. Now, the joke here, Ned, is that not every vendor that’s got some solution they’ve branded as zero trust or ZTNA does the same thing or works in the same way or has the same scope. Some are focused in the data center. Some of these ZTNA solutions, of course, include anything that’s on the network. That could include remote workers at home. You know, that could include your workloads that are up in the cloud. That includes what you still got on prem. All of these things needing to talk to one another.

[00:04:57.450] A zero trust posture means none of those things that are included in your sphere of the network, all of these places that are under your control, are trusted at all. So we’re trying to get to a point where those communications can be trusted. And so how do we do that seems to be what the solutions are about.

[00:05:16.200] – Ned
OK, that’s my core question. Like, if we start with zero trust, then there has to be a way to establish trust or no communication happens at all. So I assume there’s a couple of different approaches for establishing that trust to begin with.

[00:05:29.540] – Ethan
A couple? I wish it were only a couple. Yeah, but there are several different approaches that are going on here.

[00:05:37.470] And I think if we break it down into a series of problems that need to be solved for these solutions, it gets easier for us to then understand why the different approaches are the way they are and why we’ve got these little subsegments and chunks of technology that fit under the umbrella of zero trust network access. So the first problem that I think we’re trying to solve, Ned, is the one you just alluded to, the identity management problem. Who are you and how do I know you are who you say you are?

[00:06:06.030] That’s one big problem there. The next one would be policy management. All right. Now that I know and believe that you are who you say you are, well, what policy is going to govern your access? I’ve identified you. What are the boundaries? What are the rules for you as you access the network? And this gets really granular and pretty hard to manage. Um, who is going to create this policy? Because, let’s back out a second, Ned. I mean, if you’ve never done any firewall management and had to build rule sets, that can get fussy, right?

[00:06:41.250] You’ve got a firewall that’s kind of the choke point in the network. Can you put these rules on it so so-and-so hosts can talk to so-and-so host on this port? You know, those five-tuple rules, as we say. Fussy, tedious in a big environment; it can very quickly get to thousands of rules or even tens of thousands or more, where it becomes, you know, a monster for a human to manage.

[00:07:01.830] Well, that’s where you’ve got just a firewall that’s kind of in the middle of the network somewhere, governing flows. What now? We’ve gone from that model to an any-to-any model where we need to have almost an infinite number of rules. And so the policy management problem is a huge one. How do you actually create the policy that governs this zero trust network access?

[00:07:26.010] Does a person, a human, create it? Uh, no. That’s kind of impractical, right? I mean, how could a human actually come up with this? So another approach then would be a set of rules that are observationally created.

[00:07:41.700] Some piece of software is looking at what’s going on on the wire, or looking at what’s going to and from the host, and then using maybe machine learning, and then applying an artificial intelligence algorithm to that machine-learned data set to determine that this seems like good behavior. Here is a policy that I think will work based on what I’ve been observing, and then maybe a human reviews it at that point and blesses it. And then you enforce that policy at that point.

[00:08:11.790] So that, again, that’s the policy management problem. How do we create the policy and then put it into production? Tricky when you’ve got this granular ruleset. So the next problem, Ned: we’ve got identity management. Who are you? Policy management. What can you do? And now we’ve got enforcement. How do I actually enforce? I’ve got the policy I built. Where do I stick the policy so that if someone violates the policy, I can tell them to shut up, basically go away?

[00:08:38.650] You’re bad. How do you do that? And usually the way you’re going to do this is by dropping packets somewhere on the network. But where do you do this? How do you do it? You could do it at the kernel level, say, you know, the Linux kernel. If you’re working with Linux hosts, you could run a local firewall, something on your host, like you got the Windows firewall, right? Or you’ve got iptables on a Linux box. Let’s say, you gave the NSX example earlier, so we could have a firewall that runs, I believe the way the NSX model is, on the hypervisor switch.

[00:09:08.780] You’ve got the vSwitch sitting there and you can drop packets there as packets flow in from the virtual host and hit the virtual switch. You could have a middlebox of some kind, which is a little old school, right? Like, oh, like a firewall or a proxy server or something like that that’s governing flows, and then you can throw things away. So that’s another problem here. And we’re going to get to the specific models, Ned. But I’ve got to set it up this way, because these are the things that percolated as I talked to these different companies about their ZTNA approaches.

[00:09:39.500] All right. So one more major problem that I see in this whole ZTNA thing, Ned: the policy distribution problem. So I’ve got a policy. I know where I want to enforce the policy. Now, how do I get the policy from some central controller or something out to these endpoints where the enforcement action is actually going to happen?

[00:10:03.380] Well, is there like a local management plane? Is that what I’m going to do? How would that work if the place I need to do enforcement is some VPN host out on the Internet somewhere?

[00:10:15.950] – Ned
You know, that reminds me a lot of when I used to deploy Config Manager for Win, well, mostly Windows environments, but Config Manager, SCCM, used to be SMS. There was always the problem of endpoints that were going to be connected to the Internet but not connected to your internal networks. How did they get the updated policies from the SCCM server? And there was a way to do it. You had to make an Internet-accessible point, and that required a lot of plumbing and certificates.

[00:10:48.170] And it was not fun. Yeah, but you could do it. The better solution was just get them on the VPN every once in a while to get a new cycle of the SCCM server. And that was usually how you handled it.

[00:11:02.270] – Ethan
Or you take an out-of-date client and dump it into some VLAN where the only thing it has access to is an update server. Or, I believe I ran into this a month or so ago, Cisco’s got some kind of a, if you can stand up a VPN tunnel but you’re not authorized, it gives you like a back channel. Like, I couldn’t figure out exactly how it worked, whether it was just an access list or a secondary tunnel or what.

[00:11:25.130] But it was like this management backdoor so that that remote client, via that VPN connection, could get the updates that it needed. It was a subtly different sort of a thing, this management idea. But yeah, this is a challenge. How do you do this distribution? Where’s the box? Where’s the controller sitting? On your network, or, very commonly now, it’s up in the cloud. The controller that is distributing policy out to all of your endpoints is hosted up in the cloud. Is that OK?

[00:11:57.210] Are you OK with that? What’s your data governance policy? Well, there’s not really any data. It’s just a control plane, not a data plane. So is it fine that it’s up in the cloud? What about multitenancy? What if you’ve got a bunch of different tenants that you were building policy for? Does the management plane support multitenancy? And what does that look like? So.

[00:12:19.470] All right, Ned. So we just talked about a bunch of problems that I see in the ZTNA space. So now, yeah, now I think we can talk about some companies and their zero trust approaches, at least at a high level.

[00:12:31.880] – Ned
OK, OK.

[00:12:33.150] – Ethan
This is kind of like analysis, right? You know, we’re not going to deep dive into all the details of every company, but let’s go at a high level and just see how some of these companies solve this. One company, Ned: Tempered Networks. Have you heard of Tempered?

[00:12:50.640] – Ned
No.

[00:12:50.640] – Ethan
Yeah, they’re a bit of a niche company. They were, you know, full disclosure, they’ve been a Packet Pushers sponsor. We’ve done some work with them to talk about their solution. They build a fabric of tunnels based on a protocol called HIP, Host Identity Protocol. Have you heard of HIP, Ned?

[00:13:08.220] – Ned
No. But I’ve been told that I’m hip, cool and with it.

[00:13:12.960] – Ethan
Yes.

[00:13:13.630] – Ned
Does that count?

[00:13:14.400] – Ethan
C’mon, man. Was that a dad joke out of you? I think it was, yeah.

[00:13:18.780] – Ned
It’s all I got, man.

[00:13:20.930] – Ethan
So, Host Identity Protocol has been around for a while, and HIP accomplishes that goal of identity for us. I know you are who you say you are. A tunnel gets stood up based on HIP. I don’t know all the HIP protocol details at this point, but it’s sort of like IPsec, where when you stand up an IPsec tunnel between two endpoints, there’s a certificate or pre-shared key, some way that the two ends authenticate to one another to prove they are who they say they are.

[00:13:52.590] Then they establish an encrypted channel, security associations that they are going to use to chat to one another in an encrypted way. It’s a similar kind of a model to that, but it happens on a host-to-host basis. So every host that is participating in the HIP fabric can talk to any other host in the HIP fabric. And if you are looking at what’s going by on the wire, it’s a HIP packet or, you know, whatever encryption methodology they’re using; it might look like an IPsec packet or something like that.

[00:14:23.880] The trick then with HIP, and what Tempered’s really bringing to the table, is that policy management piece. If you are trying to build a HIP fabric, any mesh sort of environment is just nasty, because you’ve got to do all this configuration to stand up all the endpoints so that they can talk to one another. Right. You’ve got that N times N plus one problem, where the more endpoints you have that might need to talk to each other, the more you’ve got to build.

[00:14:52.020] And it’s unmanageable if you do it by hand. So Tempered, leveraging HIP, has software that does all of that for you, and the zero trust part comes in in that they’re managing those identities of all these endpoints for you so that you know who and what is trusted out there.

[00:15:12.110] [AD] We paused the episode for a bit of training talk, training with CBT Nuggets. If you’re a Day Two Cloud listener, and you are, you’re listening to the podcast right now, then you’re probably the sort of person who likes to keep up your skills, as am I.

[00:15:25.490] Now, here’s the thing about cloud, as I’ve dug into it over the last few years: it is the same as on prem, but it’s different. The networking is the same, but different due to all these operational constraints you don’t expect. And just when you have your favorite way to set up your cloud environment, the cloud provider changes things or offers a new service that makes you rethink what you’ve already built.

[00:15:42.740] So how do you keep up? Training. This is an ad for a training company. What did you think I was going to say? Obviously, training, and not just because sponsor CBT Nuggets wants your business, but also because training is how I’ve kept up with emerging technology over the decades. I believe in the power of smart instructors telling me all about the new tech, so that I can walk into a conference room as a consultant or project lead and confidently position a technology to business stakeholders and financial decision makers.

[00:16:10.490] You want to be smarter about cloud? CBT Nuggets has a lot of offerings for you, from absolute beginner material to courses covering AWS, Azure and Google Cloud skills. Let’s say you want to go narrow on a specific topic. OK, for example, there is a two-hour course on Azure security. Maybe you want to go big. All righty then. There is a forty-two-hour AWS Certified SysOps Administrator course, and there are a lot more cloud training offerings in the CBT Nuggets catalog.

[00:16:38.060] I just gave you a couple of examples to whet your appetite. In fact, CBT Nuggets is adding forty hours of new content every week, and they help you master your studies with available virtual labs and accountability coaching. And I’m going to shut up now and get to the part that you actually care about, which is the special offer of free stuff that you get from CBT Nuggets because you listened to this entire spot, you awesome human. First, visit CBT nuggets, dotcom slash cloud.

[00:17:04.250] There you will find that CBT Nuggets is running a free learner offer. They’ve made portions of their most popular courses free. Just sign up with your Google account and start training. This free learner program is a great way to give CBT Nuggets a try. Now, as a bonus, everyone who signs up as a free learner will be automatically entered into a drawing to win a six-month premium subscription to CBT Nuggets. So this is a no-brainer to me. Just go do it. CBT nuggets, dotcom slash cloud. That’s CBT nuggets, dotcom slash cloud. And now back to the podcast that I so rudely interrupted. [/AD]

[00:17:40.910] – Ned
Is that an agent-based solution where you have to have the agent running on each host and that’s how the trust is established? Or is it more like you have to have that pre-shared key or certificate infrastructure already ready to go?

[00:17:53.360] – Ethan
Oh, now you’re asking me hard things. There’s a gateway piece, if I remember right. Dude, this is embarrassing. I just recorded with them like a week ago and I’m trying to remember the full architecture that’s leaking out of my middle aged brain.

[00:18:07.950] So the issue here with the agent is that not all endpoints support an agent of any kind. So I believe there’s a middleman that can do this for you in the Tempered environment. In fact, one of Tempered’s verticals that they support really well is industrial IoT. So you can have a SCADA box up on a wall that doesn’t know much about much, but it’s a target. It’s a high-value target because it’s sitting at a wastewater treatment plant or electrical production, something like that.

[00:18:36.890] To protect that from the Internet, Tempered becomes the layer in between, so that all that’s happening between these endpoints is the HIP fabric. All the communications have to traverse that HIP fabric in order for that communication to happen. A lot of those boxes, there is no agent that you’re going to be loading on them. So I just don’t remember if this is like a proxy sitting out there. It’s not a proxy, I don’t think. Anyway.

[00:19:03.600] – Ned
I imagine for stuff like SCADA boxes, going inline to sit between the SCADA and the rest of the network is the only way that you can handle it, because those boxes were never designed for security. And that has become very evident given some recent news about water treatment plants.

[00:19:21.550] – Ethan
So let’s move on to another company I had a chat with, Araali Networks, Araali spelled A-R-A-A-L-I, Araali Networks. Their zero trust play is accomplished on, this is a Linux, for Linux-only environments, that’s where they look. They do hook into Kubernetes pretty easily, but their whole play is to use eBPF, extended Berkeley Packet Filter. They’re effectively hooking into the Linux kernel with code. That’s what eBPF gives you, the ability to plug into the Linux kernel with code, and then

[00:19:59.960] watching the processes. We’re not talking about packets, we’re talking about processes, and they gave an example that really stuck with me, where they showed, yeah, we could see that a process that was coming in to this Linux box that we were defending was running curl. And it wasn’t just that they ran curl, it was that we could see the entirety of the command, and they can get that granular, down to a command and what the parameters are of the command, whether or not it should be allowed to run. Because they’ve got that deep, deep visibility, because they’re hooked right into the Linux kernel.

[00:20:35.300] – Ned
Right, that’s very low level. So I got to imagine they’re slapping some policy engines or some abstraction on top of that, because they can’t expect consumers to be writing eBPF code to deal with it.

[00:20:47.900] – Ethan
Exactly. You don’t have to write any eBPF code at all. They provide that for you. There’s a lovely UI that sits on top and shows you in a very straightforward box diagram style where there’s a box on one side, a box on the other, and an arrow in between. Each box has got a bunch of metadata about the communication, the host, the IP addresses, the processes, what was being said. And then the arrow indicates directionality coming from one side to the other.

[00:21:15.920] So you can very quickly visualize what the communication is, and they build a policy based on observation. We were talking about observational policy formation before. They’re doing it at the Linux kernel level, observing everything that’s going through the kernel, coming up with a fairly detailed policy, and then you as the human go through and approve or deny all the things that are in there. Pretty, you know, it’s a lot to get through on the front end, but then, you know, it’s much easier to maintain as you go forward.

[00:21:47.640] When a policy violation occurs, the Araali system, using eBPF again, will then get into the flow and drop packets at that point, if it sees something bad happening, something that violates policy. Other than that, they’re actually off to the side, out of flow. So it’s not like all the data is getting shunted off to some other process, where we’ve got to copy from kernel to userspace, do some processing, think about it for a while, and then send it back to the kernel. There’s none of that happening. That’s part of the eBPF magic: there’s really minimal CPU load or performance hit that happens here.

[00:22:25.440] – Ned
And interestingly, that solution could definitely be deployed on cloud-based instances, because it’s just looking into the Linux kernel in whatever virtual machine you’re using. And it’s not trying to talk some esoteric protocol between hosts. It’s just looking at the processes that are happening on the host that you’re working off of. So you could deploy this kind of anywhere.

[00:22:45.390] – Ethan
You could. And it solves the enforcement in a pretty interesting way. But again, it is really for Linux shops.

[00:22:55.350] – Ned
Right.

[00:22:56.280] – Ethan
Now for Kubernetes, they were like, yeah, we’re a CNI provider. You can just add us as an additional CNI provider. Here’s the YAML file. Go into kubectl and add it and you’re done. They claim it’s as easy as that to stand it up and make it begin working in your Kubernetes environment.

[00:23:16.210] – Ned
That sounds about right. Yeah, yeah.

[00:23:18.480] – Ethan
Yeah. So that was, again, an interesting way to go. And the granularity was crazy. In the demo they walked through that curl example that I was talking about; they were actually highlighting how they tracked down some Russian-originated hack attempt where the kernel command was actually trying to retrieve something from some remote server and it was failing. But anyway, they could see all of that stuff happening. That was nuts.

[00:23:46.900] Here’s another company, Ned. We talked about Tempered, Araali. Here’s Prosimo, Prosimo Networks. Just came out of stealth. What has Prosimo built? Well, there are a few things Prosimo’s built, but one component of it is tied to ZTNA. I don’t want to limit Prosimo as if this is all they do, because they actually do more. But the one component that I want to talk about here, ZTNA related, is they have built an HTTP proxy fabric. So we know what a proxy is and we know what HTTP is.

[00:24:14.190] And what they’re doing then is saying, hey, if you’ve got HTTP going through the network, you’re going to terminate that on our proxy. We’re going to do the WAF thing, kind of deeply inspect everything that’s going on in there. And then we can re-encrypt it and send it on its way if everything’s OK. In a Prosimo network, because there’s more to the story here than just this, they can give you kind of some SD-WAN functionality.

[00:24:39.870] It’s a broader solution with a zero trust aspect. For one, we’re assuming we’re talking HTTP, which seems to be the vast majority of applications today. You’re dealing with a lot of that stuff. Their proxy is in the middle, then you need to be able to see what’s inside of an encrypted session. Right? You’ve got to crack it open somehow. If it’s just encrypted, flying by between client and server, there’s not much you can do with it from a security perspective. You can make some inferences based on packet flows and a few other things, but you don’t really know too much, which is the point of encryption, right?

[00:25:16.050] So their whole thing is that the proxy model lets them actually see what’s inside, deeply inspect all of the HTTP session information, and then make their decisions going forward from there. And you get your zero trust that way.

[00:25:35.770] – Ned
OK, so they’re cracking open the transaction and seeing the data inside, which could, I mean, that could raise some red flags when it comes to data protection and privacy. So you got to make sure you really trust the inspection engine. And like, I don’t know if it’s storing that data long term anywhere, but that’s like the first question I would ask: what are you doing with that decrypted session once you’ve decrypted it? Is it going anywhere, or is it just being re-encrypted and sent along its merry way?

[00:26:03.990] – Ethan
The model that they showed was of some box that you as the end consumer own. And it’s a small box. It’s not some monster with a bunch of hard drives on it. The intention isn’t storage. The intention is real-time inspection and decision making on that transaction as it goes forward, not making a copy of it stored forever and so on. Of course, there’s always going to be logging and so on. And so, yes, obviously there are going to be some use case considerations, whether or not a solution like this is viable for, again, going to data governance kind of challenges.

[00:26:37.620] But that’s how they’re pulling it off. It’s funny you bring that up, Ned, because we would have this problem, the privacy problem, with anything. You’ve got it with Araali as well, really. They’re sitting way up above the network stack, they’re sitting way up above any encryption on the wire happening, you know. Araali could have the same complaint against them. You know, in theory, Tempered could as well. You know, they’re seeing data before it’s encrypted with HIP.

[00:27:05.520] They’re in the packet flow there. So that’s yet another question that comes up, based on what are the rules surrounding the data flowing around your network. So.

[00:27:18.510] – Ned
Mm hmm.

[00:27:19.050] – Ethan
So one more I’ll bring up here, now that I’m actually trying to get scheduled for a briefing, is Zscaler’s Workload Segmentation product. They bought a company called Edgewise, and I didn’t even know this existed. But there was an article, or, actually, a short, very short podcast I recorded about Araali, and someone asked me in the comments, hey, how does this compare to Zscaler’s acquisition of Edgewise? Dug in, and the Edgewise technologies have become a part of Zscaler Workload Segmentation.

[00:27:51.150] That whole pitch is about cryptographic fingerprinting. Oh, and again, I haven’t been briefed by Zscaler on this one yet. I’m trying to get that scheduled. I think that’s going to happen. But what I gathered from looking at their website and white papers and such is they’re taking a bunch of information about a host and processes, running some cryptography against it, coming up with a fingerprint based on that cryptography. And then they have a known-good or a known-bad knowledge of that data flow based on the fingerprint that was computed.

[00:28:28.320] So, you know, the one big question that I have is, how do I know what’s good or bad when I compute that fingerprint? What’s my authoritative source that’s telling me that? I’m not clear on how all of that works yet, but they are very strongly putting out the idea that it’s the cryptographic fingerprinting. We’re taking all these things, things like the hardware host and CPU ID, plus the process, plus user information, plus a bunch of other metadata, to compute the fingerprint.

[00:28:59.610] And then if your communications is outside of a known good fingerprint, you’re determined to be a bad actor. That’s how they’re protecting you and giving you that zero trust, which I thought was mathematically heavy, maybe CPU intensive, maybe depending on how they’re actually doing it, if it’s all real time packet by packet or if it’s just a one time thing or I don’t know how they do it exactly, Ned. Like I said, I’m missing that briefing, but.

[00:29:25.630] – Ned
Yeah, OK.

[00:29:27.340] – Ethan
But cryptography, I mean, it’s math, Ned. It fills me with confidence and nerdy excitement.

[00:29:33.640] – Ned
There’s two types of cryptographic keys, right? There’s the symmetric and the asymmetric keys. Symmetric means that you use the same key to do the encryption and the decryption. And generally speaking, it’s less CPU intensive.

[00:29:46.330] – Ethan
Yes.

[00:29:47.140] – Ned
Whereas asymmetric keys, you got your private and your public and you’ve got to use one to decrypt the other and vice versa. So that is more computationally heavy. I bet what they’re doing is they’re generating asymmetric keys based off of unique traits of the host and then using data symmetric keys for the packet by packet encryption. So it lowers the CPU threshold for that.

[00:30:12.160] – Ethan
And, you know, there’s an assumption there that there’s even cryptography or even additional cryptography that’s happening once the fingerprint’s been computed, that there’s more than just the fingerprint computation or something else.

[00:30:25.090] – Ned
That’s true. It could be simply signing it.

[00:30:27.730] – Ethan
It could be simply signing it. But it could be, like you said, that they’re imputing trust by doing kind of what Tempered is with host identity and a host identity protocol where there’s end to end encryption added on to whatever is happening, which is tricky if they’re doing that, because if you end up encrypting an already encrypted data stream, that can be problematic and slow and add overhead.

[00:30:56.140] So this is Zscaler, I’m sure, however they’re doing it, they’ve thought through all this stuff and they’re doing it right for some definition of right. They’ve thought through the trade offs and are coming up with the best answer. That’s the best fit for performance alongside of security. But again, yet another approach for this that’s kind of different from the other ones. And this is just me scratching the surface on ZTNA, man.

[00:31:18.100] We recorded with Palo Alto Networks a bit ago. They have a ZTNA, a solution that is part of a larger security solution. SASE, Secure Access Service Edge, is just one piece of that. How do you get into the entirety of this Palo Alto Networks fabric that connects you to the cloud and on-prem and to your remote workers? Well, to gain admission to the SASE fabric, part of what we’re doing is ZTNA. It’s a secure access fabric after all, by golly. So it’s a big topic, man.

[00:31:51.940] It is a big topic. And I feel like us talking through this in 30 minutes here is just. It’s just the surface. Yeah, I got so much more reading and writing I want to do on this topic because it’s really fascinating.

[00:32:06.440] – Ned
I do like the framework that you’ve put together of the various problems that ZTNA needs to solve to be an effective solution. Again, that was identity management, policy management and enforcement and policy distribution.

[00:32:19.790] Those were the four key points. So I really like that framework. And it’s a good way. If somebody else is thinking about evaluating one of these products for their deployment, that’s probably a good framework to go in with.

[00:32:31.390] – Ethan
Yeah. And again, maybe this framework needs to be expanded a bit. It’s just me trying to find the commonalities across the different solutions. And those are the four that I spotted so far. But yeah, I think there’s going to be more of us talking about this issue, Ned, because it affects cloud. It affects cloud deeply and in a complicated way here, as we are in the covid world. Well, Ned, I think we’re done talking about zero trust right now.

[00:32:58.760] So next up, Gluware, you know, Ned, you don’t know Gluware particularly well, right?

[00:33:04.100] – Ned
I don’t. I heard the word Terraform, so it piqued my interest.

[00:33:06.860] – Ethan
Yes. Terraform may be part of the Gluware conversation we’re about to have, but we’re going to do a 15 minute Tech Byte with Gluware. Gluware is a network automation platform. They’ve been around for a long time. I’ve been talking with them about their solution since before they were Gluware, when they were actually called Glue Networks, doing something else a bit ago. They’ve built one of the, I think it’s fair to say, one of the premier network automation solutions, they’re vendor agnostic, and now they’re in the space of doing cloud network automation as well.

[00:33:37.190] So imagine, Ned, that you’ve got the challenge of a network that you want to automate, but now that network extends into the cloud, AWS and Azure and so on. How would you automate those connections as well? It’s not just some switch, router, firewall sitting on your network now. It’s the VPC components and the various firewalls and stuff. Well, Gluware has, well, this is what we’re about to find out, isn’t it? They’ve got some answers for us on how to automate that.

[00:34:04.370] So enjoy this Tech Byte with Gluware.

[00:34:07.880] – Ethan
Welcome to the Tech Bytes portion of our Day Two Cloud episode today, and we are chatting with Gluware. So let’s just jump right in with you, Michael.

[00:34:18.440] For those in the Day Two Cloud audience, maybe we don’t know who you are. Give us the tight elevator pitch of who Gluware is.

[00:34:25.130] – Michael
Sure, great to be on the channel. First time on this channel, but long time Packet Pushers veterans here. Gluware is an intent based network automation platform. So we bring a powerful layer of intelligence to automate and orchestrate multi vendor, multi domain and now multi-cloud, which we’ll get into. So for some of the largest enterprises out there in pharma and finance, and we are a code free and very scalable platform.

[00:34:50.030] – Ethan
OK, a lot of buzzwords that we’re going to dig into there. And as you said, Gluware has been a Packet Pushers sponsor for a long time. In fact, I was digging back through the archives. I find you as early as 2016 that you’ve been sponsoring shows and doing work with us. And if you’re listening and you want to know more about Gluware again, go dig through our archives, find those shows. You can do a search of Packet Pushers dot net for Gluware, G L U W A R E, and then go to our YouTube channel. We have an event we did with Gluware back in twenty nineteen, the Gluware event series, there’s a playlist there you can watch, a bunch of info there.

[00:35:22.760] Well, Michael, now that everyone knows all about Gluware, give us what’s new.

[00:35:26.810] – Michael
Yeah. I think why people would care on this channel is the net new of Gluware. Just recently we announced our support for automating through API, and the focus of that has been we’ve onboarded Cisco’s SDWAN. So that’s automating the vManage and SDWAN technology. We’ve also automated Cisco’s Meraki. So in both those cases we automate through the controller and enable that, and we add an abstraction and intelligence to really simplify the user experience. And we’ll talk a little bit about how SDWAN ties into cloud.

[00:35:56.660] I think a lot of folks are seeing SDWAN as a site to cloud type of technology. The second piece we announced in December with our Gluware 4.0 release, and that’s the fact that we onboarded the Terraform engine as an underlying vendor adapter component. And along with that Terraform technology we’ve onboarded three of the providers for the public cloud: AWS, Google Cloud and Azure. And this gives us the ability to automate the public clouds, which obviously is a hot topic these days.

[00:36:26.310] – Ned
Well, you know, my ears just perked up because you said Terraform, right, Michael? So I’m going to ask you about that in a moment. But before I talk about that, I want to do a quick level set in comparison, because I know there’s some other solutions out there that do like cloud networking as a service or they do like a big overlay network across all your clouds. Is that kind of what Gluware is doing, or are you doing something else that’s different from those types of services?

[00:36:51.290] – Michael
Yeah, Ned. I think that’s a really important distinction because, as you mentioned, the cloud network as a service and the overlay networking, these technologies, there are some similarities in the fact that they are automating a component and they’re automating a piece of the network. But in both the cases of that cloud network as a service or an overlay, those technologies are usually inserting a virtual router or a gateway and providing some sort of transit capabilities as well and really kind of abstracting away and just integrating a little bit.

[00:37:25.490] Well, from a networking standpoint, with the native cloud components. That’s different from what we’re doing. What Gluware is doing is, through Terraform, we’re automating the native cloud components, so you can think about what AWS delivers natively. So Transit Gateway and other components. So we’re automating the spin up or the instantiation of the environment in the cloud and the networking associated with it. We’re not inserting any proprietary or virtual routing and we’re not providing the transit, we’re automating the native cloud constructs. And for the customers we’re working with, that’s what they want.

[00:38:00.350] – Ned
OK, that makes a lot of sense. You’re not abstracting all that stuff away, but you’re providing common tooling across clouds to consume those native services. And it sounds like Terraform’s the tool to do that. So can you tell me a little more about how Gluware is leveraging Terraform and complementing what Terraform can do?

[00:38:20.000] – Michael
Yeah, I’ll just add one piece to that and then I’d like to invite Olivier, our chief science officer and co-founder, into the conversation, in that you’re exactly right. We’re instantiating, leveraging Terraform for what we’ll call the heavy lifting of what it’s able to do with abstracting on top of the API calls of the native clouds. And Terraform is very good at that infrastructure as code. And so we leverage that. We build on top of that. We’re able to make native cloud API calls as well.

[00:38:46.730] And we’re actually even able to automate third party VNFs that are inserted into your VPC. So like a Cisco CSR 1000v or F5 or Palo Alto. But I’d like to invite Olivier into the conversation and he can talk a bit about why we chose Terraform, how we complement Terraform and how it provides advantages to our end users. Olivier?

[00:39:09.840] – Olivier
Thank you, Mike. This is undeniable, the value that Terraform brings, especially for managing cloud infrastructure. But when you’re choosing the Terraform CLI, the open source version, the free version of Terraform, literally, they give you the bare metal command line utility and that’s it.

[00:39:29.880] So the tools that you need to use that, it’s literally Notepad++, TextEdit or vi. I mean, this is, and you’re on your own. So what Gluware brings to you is the infrastructure around Terraform. Using Terraform means having to deal with hundreds of files and directories and TF files, state files, even more files and directories if you’re using modules. So our customers that are using Gluware config modeling can use Gluware to abstract their network configs. They already do this for all the vendors that we support and they could do now the same with Terraform configuration files.

[00:40:12.030] And you can make those different blocks of Terraform files that could be more reusable. Let’s say you want to share the same block across different files, or you want to make these blocks dynamic. Let’s say you want to make REST calls in order to go fetch some IP addresses in an item system. You want Gluware to go fetch these IPs, or you want to make REST calls to Gluware so that it gets automatically into these TF files.

[00:40:45.780] So this is what we do. You know, the approach that we try to offer is like an architect can create a library of reference designs, of Terraform reference designs. A design could be, for instance, a model for a standard part in AWS made of VPCs, TGW, VPN Gateways, Internet Gateway, etc., etc., and then the model could be handed to operations, you know, as opposed to just giving them a big zip file with a, oh, use that to deploy the pods. Right.

[00:41:24.150] So learning Gluware, you know, that modeling, that templating is the same for all vendors that we support. So now you can apply that to Terraform. And one thing I’d like to add is that we’re talking clouds here because Terraform has providers for cloud providers. Well, Terraform has also providers like VMware vSphere or NSX-T. Right. So we can extend the exposure to those additional providers within Gluware config modeling, like it doesn’t have to be just for cloud.

[00:42:01.440] – Ned
Right. And I know they also have some providers for stuff like F5, some of the Cisco gear. So are those also supported, or are you in the process of adding more provider support as it goes forward?

[00:42:13.050] – Olivier
So when it comes to specifically the example you’re talking about Cisco and F5 natively we can do more than what the Terraform providers can do.

OK, so it really depends sometimes. For instance, we have our engineering team using the Docker provider for Terraform because, I mean, you can really do whatever you want to do with the Terraform provider. The vSphere and the NSX-T providers are very, very complete as well. So it really depends. I mean, we spend some time looking at the value of adopting a particular provider, and if it’s rich and, most importantly, maintained as well.

[00:42:56.490] But because there’s also a lot of community providers and some are just attempts, not necessarily something you would want to use in production, then, yes, we spend the time in looking at those providers and see if they are worth integrating.

[00:43:12.630] – Ethan
So, Olivier, with this capability, what do your customers, I know you have a lot of large enterprise customers in the fold, what are they asking you for when it comes to the cloud network configurations?

[00:43:26.250] – Olivier
I mean, we have requests coming from all verticals. But one example would be, like you were saying, I like this example, for a large enterprise customer. They literally like to deploy their applications in standardized pods with specific requirements, and each application has their set of requirements. And they’d like to deploy those pods either on AWS or on Azure, depending on the application. And they want to ensure that when they’re deploying, they’re using the correct routing policy, the correct security rules, you know, stick with compliance with their BGP redistribution, et cetera, et cetera. So that’s the first thing. It’s about, you know, checking all the check boxes.

[00:44:14.280] – Ethan
Is that configuration that you’re describing, is it, like, AWS, Azure, GCP, they don’t have all the same networking capabilities. So is it you come up with a model that looks as same, same as it can across the multi-cloud, or is it kind of unique per provider?

[00:44:29.490] – Olivier
That’s the ultimate dream for customers. We’ve heard that multiple times, that usually they start with AWS, they create this very complex design and then when they move to another provider, they offer different sets of capabilities and so they have to redesign. So some are lowering the specs of the pods so that they are alike across cloud providers, or some just have different pods. They have one standard design for this particular cloud provider and another type of design for these other providers. And they just put their application depending on what the pod can do.

[00:45:10.980] – Ned
Now, in addition to multi-cloud, there’s also the issue of connecting your existing sites to the cloud. I know that’s also a challenge. How are enterprises looking to solve that particular challenge and how are you assisting with that?

[00:45:25.980] – Michael
Yeah, Ned, I’ll jump in here, Mike here. This has been an evolution, and I’d say back in like the twenty sixteen timeline, when they were really just dabbling with the cloud, they were content to go with like maybe a VPN into the cloud, and then as more, let’s say, applications moved to the cloud. And we had certain examples of customers, you know, getting hit by ransomware and other things, really accelerating the move to the cloud, where they were going to Direct Connect.

[00:45:54.180] And they’re pretty content kind of backhauling everything to one or two data centers and then using that Direct Connect up to the cloud, and in that role Gluware’s automating the network, the traditional on-prem network, getting QoS right and backhauling that traffic, getting it to the cloud. What we’re seeing right now is a pretty significant move, I think driven by the pandemic and other things. People have really accelerated what they’ve deployed to the clouds and moving workloads to the cloud.

[00:46:19.890] And now it’s more about optimizing site to cloud. We’re hearing this kind of buzz of site to cloud and leveraging more intelligent mechanisms to move traffic directly. So using SDWAN is one that comes up a lot, as well as, in the AWS environment, leveraging the Transit Gateway and introducing networking where they’re connecting SDWAN directly to the Transit Gateway. So I’d say, in short, what we’re seeing is the benefit of Gluware is they can automate their on-prem network, including now that Cisco SDWAN, and automate the networking in the cloud and kind of unify that policy.

[00:46:58.200] But I think the key to it here is what we’re hearing is it’s a migration and it’s slow and it’s eventual. And we’re helping customers move from legacy Cisco DMVPN networks, and we’re trying to move them towards more advanced, more modern SDWAN technologies as well.

[00:47:15.190] – Ethan
Well, Mike, one of the things you didn’t say was multi-cloud or cloud to cloud connectivity. It seems focused more on on-prem and site based connectivity into the cloud?

[00:47:25.140] – Michael
Ethan, right now what we’re seeing when we really look at the customer use cases: applications reside in a single cloud and they need VPC to VPC type networking. But rarely, we haven’t once yet seen, like, where the front end is in one cloud and the back end is in another. So we’re hearing the requirement for multi-cloud and they want, like Olivier was saying, they want to do a similar design.

[00:47:46.710] To host applications in different clouds. But we’re so far not really seeing the cloud to cloud requirement. And I think we were talking about a little bit in the intro around where those overlay networking technologies come in and really stitch together cloud to cloud, that may become more of a requirement. But for now, we’re seeing really automating the network from on-prem and SDWAN, or like the branch sites, to cloud is the most important component we’re working on.

[00:48:13.500] – Ned
Yeah, that makes sense. And I feel like there’s so much more to dig into here. So can you give the folks who are listening a few links or some places to go so they can get more information and so I can get more information?

[00:48:26.040] – Michael
Yeah, absolutely. Obviously Gluware dot com. And we even have a dedicated portal for our Packet Pushers episodes. You can go to Gluware dot com slash packet dash pushers. From our Gluware site, you can request a demo, you can request a test drive. And we even have a dedicated portal to our multi-cloud site. So from there you can even request free Gluware, we’ll spin it up in AWS and you can begin to automate your on-prem network right away for free.

[00:48:53.190] – Ned
Thank you to Gluware for this sponsored Tech Byte. If you want to follow them on Twitter, it’s at Gluware Inc, and you can also find them on LinkedIn and Facebook.

[00:49:03.390] Thank you to our guests from Gluware for appearing on this sponsored Tech Byte on Day Two Cloud, and hey, virtual high fives to you for tuning in. If you’ve got suggestions for future shows, you know what? We want to hear them. You can hit us up on Twitter at Day Two Cloud Show.

[00:49:19.270] And hey, if you haven’t heard enough of my mellifluous voice, you can catch me every day on my daily check-in podcast. We’ll include a link in the show notes, but you can also find it on Anchor. Just search for the Daily Check-In with Ned 13 13. You’ll find it there. That’ll do it for us today. Until next time. Just remember, cloud is what happens while IT is making other plans.

Episode 94