Symantec by Broadcom Software is relentless in its efforts to improve network and cloud security. Recently, I had the opportunity to sit down with the product management team that leads our network and cloud security solutions. Nate Fitzgerald is Director of Product Management, SASE Core Services, and Alex Campbell is Director of Product Management, Cloud Management. What follows is an edited version of our “fireside chat”.
AH: At Broadcom Software, we’ve moved our cloud SWG solution over to Google Cloud. Can you refresh our memory on that effort and the results?
NF: Over the last couple of years, we’ve consolidated all our cloud platforms onto Google Cloud. Not only has that made us more agile, it's contributed to the stability of the platform. It allows us to adapt to market conditions faster. And considering the struggles of many other companies, it's completely insulated us from supply chain issues. We’ve never been denied a “core” in Google Cloud.
AC: It’s a great partnership. Speaking of its value to Google as well as ourselves, I think it’s worth pointing out that we are the Google Cloud Customer of the Year Award recipient for 2021. Earlier this year, in April 2022, we were also honored to receive the very first Google Cloud DevOps Award.
AH: What are some of the other real-world customer benefits of the Google Cloud transformation?
NF: Oftentimes, a new feature or product offering will require additional infrastructure or capacity before it can be released to customers. In the legacy model, I like to call it “DIY Cloud,” this means the team has to execute on physical hardware procurement for dozens of data centers, which can take months, or even over a year under current global conditions. The speed of that process is severely constrained by the supply chain, shipping, logistics, lockdowns, political instability, and even customs delays. That list includes a lot of factors that cannot be controlled by the vendor.
You are at the mercy of a global system that is failing at an epic scale. So under the DIY Cloud model, customers will have to wait before they can realize new value in all regions. In Google Cloud, that same process takes a fraction of the time. There is nothing for us to ship, no parts for us to wait on, no congested ports, no racks to assemble in a factory, and no logistics.
Commissioning infrastructure is a one-click activity that we control. A great example of this in action is a new feature coming out soon that allows our WSS Agent install base to access their private applications using our ZTNA technology. Once the technology is ready to go GA, it will be rolled out to the entire world in a few weeks. In truth, we could go much faster, but we use a slow-roll deployment process to ensure quality. And I think that’s where you want to be: You don’t want procurement to be the long pole because it’s almost completely uncontrollable. Google Cloud allows us to control our infrastructure destiny. Imagine working for a SASE vendor using the DIY Cloud model. It’s a complete guess as to where, and how much, infrastructure they will need 6 months to a year from now, because that’s how long it might take to get it. That’s like predicting what the weather will be like in Denver, Colorado May 1, 2023. No one has any idea. There could be a foot of snow or it might be sunny and 80 degrees. But those are the sorts of predictions that you have to accurately make if you are operating a DIY Cloud. It’s a fool’s errand.
AC: Another is that if Google Cloud expands its footprint to regions and countries around the globe, our footprint is also expanded. Google spends billions on their infrastructure so we don’t have to. It’s great to see new regions pop up on the map. We can adopt them very quickly, it’s a simple business decision - again - something we control. It relieves us and it relieves our customers of the responsibility to have to worry about those things.
Symantec by Broadcom Software is relentless in its efforts to improve network and cloud security.
AH: What about the results of this in terms of customers moving to the cloud?
NF: Anytime we discuss speed and agility factors, you're touching on delivering the road map faster and on-boarding customers quicker, because we’re not talking about customers with 500 seats. We’re talking about onboarding customers who, in many cases, have hundreds of thousands of users. Workloads like that don’t fit into the overflow envelope that everyone maintains to some extent. You’ve got to have a faster way to spin up very large workloads very quickly. No one wants to hear that their on-demand cloud, for whatever reason, doesn’t actually have an underlying ability to scale elastically.
AH: Can you share your top two or three most significant additions to our cloud SWG solution?
NF: An important trend for us to address is endpoint agent consolidation. It’s normal for enterprises to have over a dozen endpoint agents. The overhead to maintain each is significant. It seems that one source of agent spraw is the practice of best-of-breed vendor selection where you could easily have separate cloud SWG, CASB, and endpoint protection agents, possibly more. Increasingly, we hear customers talk about pivoting to a “best-of-suite” procurement strategy, which is to say, they’re starting to prefer one vendor that is “good enough” vs. multiple vendors that are “perfect” across a product spectrum. With Symantec, customers can keep the product depth that they’ve come to love, while still getting the benefits of vendor consolidation. So a key value that we bring with our platform is the ability to use one agent to solve for multiple -- and growing -- use cases. Currently, those use cases are obviously setting up endpoint protection, and you add the traffic steering for cloud SWG, and within that, CASB, CASB Gatelets, and cloud DLP, so there’s four workloads there right now, and we’re about to add a fifth and sixth, which is the zero trust network access (ZTNA) agent capability and digital experience monitoring (DEM), thanks to our acquisition of AppNeta. That’s a lot of value coming from a single installer. Every customer I’ve interviewed in the past two years is interested in reducing the number of agents on their devices without sacrificing critical security controls. Symantec Cloud is a great way to do that.
NF: Localization zones. Localization zones provide an end-user browsing experience in countries where, frankly, no SASE vendor has a POP and probably won’t for years. This means that websites will come back in the native language instead of in the language of the country where the nearest data center is located. That’s a very important technology for our global organizations because it reduces potential resistance to adopting the technology. We believe the technology should be invisible to the end user up until the point it protects them from harm. Apart from that, In recent months, we’ve added new compute-POPs in Delhi, India, Toronto, Canada, and Melbourne, Australia, and we’ll continue adding more as Google expands.
AC: The ability to tie the SSL encryption in our cloud to their own root certificates. To make that a cloud-native solution which ties it into Google or into AWS is the purpose of our key management service (KMS). It allows users to use the encryption keys already installed on their laptops or workstations. This saves the organization from having to create and deploy another encryption certificate in their environment. Not only is it a security feature, but it also gives them full control as they move to the cloud by giving them certificates their browsers trust.
With Symantec, customers can keep the product depth that they’ve come to love, while still getting the benefits of vendor consolidation.
AH: What are some of the other developments that network security customers should expect to see in the coming months?
NF: Almost all our enterprise customers access a varying number of business partner websites that restrict access to IPs controlled by the customer. For some customers it’s a few dozen sites but some have hundreds of websites that authenticate this way. I’m not saying this is a good way to perform 2FA, but until these 3rd parties evolve to better methods (something we don’t control), our customers need a cloud solution that can handle this type of traffic. Today, these workloads cannot be handled by our multi-tenant platform because we use a single pool of IPs shared across tenants. This architecture provides the fastest, most efficient scalability for our customers, so we wanted to find a way to keep that model in place, because it works really well, while still offering dedicated IPs. We’re happy to say we’ve solved that problem and we will start testing it next month in production. Once we’re done, customers will be able to move those IP-dependent workloads to our cloud knowing that the IPs they egress from are unique to their organization. The solution is entirely cloud native, there is no backhaul and nothing for the customer to maintain in a cloud VPC or in their own data centers.
NF: For years we’ve had the leading agent-less ZTNA capability which is great for both managed and unmanaged devices. To complete the offering, we’re adding an agent-based ZTNA capability so we can support a broader variety of private applications and non-standard protocols. Agent-based ZTNA will also, as a general rule, be quicker to implement, especially if you have already deployed our agent. WSS Agent 8.1.1 seeds this technology on the agent side in preparation for the service side update. Currently, it’s in public preview, meaning we have several real enterprises using the technology on a limited basis right now.
AC: That same capability is also coming to the Symantec Endpoint Security agent. At that point, there will be no difference between the WSS Agent’s capabilities and what’s in the Symantec Endpoint Security or endpoint protection agent. So, I think that’s great for customers as well.
NF: Something I would add is our digital experience monitoring (DEM) capability which will quickly differentiate itself in the market. Our customers are looking for a way to get more knowledge and control over the user experience, especially with the continued proliferation of remote work. Customers want a solution that scales well and that’s what we want to deliver. Again, we deal with customers with tens of thousands or hundreds of thousands of users, so monitoring a few hundred endpoints is not good enough. The recent acquisition of AppNeta will play an important role in this capability.
AC: The remote user is complex because they are typically working from their own home networks. It’s a different ballgame. This new feature gives their organizations a lot more visibility and better troubleshooting tools to support their remote user populations. It starts with just being able to validate a user’s performance complaint, and then goes further to understanding the root cause. Obviously, the endgame here is knowing there’s a problem and having a solution in progress even before the user opens a support ticket.
At that point, there will be no difference between the WSS Agent’s capabilities and what’s in the Symantec Endpoint Security or endpoint protection agent.
AH: So, to wrap-up, what do you see as the long-term vision for Symantec network security?
AC: Continuing our delivery of a best-in-class Security Services Edge (SSE) portfolio. Moving to Google Cloud builds upon that. We’ve moved our cloud DLP platform to Google Cloud so customers can have a pure cloud solution. Customers can now have a secure DLP and Symantec Web Gateway with the ease and scalability provided by a true hyperscale platform.
We continue to expand our solutions around integrated CASB, which already include the ability to reference 45,000 CASB app definitions in your secure web gateway policy.
NF: Continuing to make it easier for customers to migrate to the cloud. That often means bringing hybrid technologies to bear. Most large enterprises are not going to do forklift migrations, in fact, almost none of them will. Continuing to support their security needs through on-premises solutions that are unified with their cloud security, is still key.
AC: Things that encourage customers to reduce vendors where it makes sense, not only from a cost perspective, but to improve economies of scale and simplify operational complexity.
NF: And certainly, keeping the agent count as low as possible. That is going to be huge going forward.
AH: Finally, speaking personally, when it comes to network and cloud security, what are you both most passionate about?
NF: I think I’m most passionate about the stability of the platform. When you outsource internet access, you’re putting a lot of trust in your vendor. We have made huge investments in stability and they have paid off. If uptime is a concern for you, I think you will be challenged to find a more passionate team when it comes to uptime.
AC: On my side I’m driving for a seamless cloud transition. As some of our Proxy, DLP, and Endpoint customers have been using our tools for 20 years they have invested in workflows and processes built around key capabilities of the products. Those customers want to adopt Cloud and we are going to provide them all the goodness of Symantec without a need to completely redesign their policy and processes.
AH: Thank you both for taking the time to talk with us today.
Kicking your VPN to the curb with ZTNA is easier than you think!
Cloud SWG and CASB are securing user's web activity and use of cloud apps. They are both critical components of an effective SASE framework. Zero Trust Network Access (ZTNA) adds the final piece of innovative technology needed to get rid of the traditional VPN.
So You Want to Get Rid of Your VPN....
Zero Trust Network Access (ZTNA) can help, but there’s even more to consider! Software Defined Perimeter (SDP) or Zero Trust Network Access (ZTNA) is all the rage...And rightfully so. ZTNA can be a very powerful tool as organizations move to the cloud -but many are still stuck using VPN. Why is that?
We encourage you to share your thoughts on your favorite social platform.