A

You're listening to the Cyberwire Network powered by N2K.

B

Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior director of thought leadership for unit 42.

A

So we believe the real opportunity is in making security invisible yet powerful. So it has a very deep meaning. The security is invisible yet powerful so that people can work freely. This consists of user satisfaction, user experience. So this is, this is something what I will tell and this is what we practice.

B

Today. I'm with Harish Singh, Vice president and global head of infrastructure and application management at wipro. Harish brings decades of leadership experience across financial services, tech consulting and infrastructure strategy, most recently helping wipro clients modernize and secure their environments for a hybrid first app centric world. Now today we're going to talk about security complexities that emerge AS organizations adopt SaaS at scale re architect infrastructure and, and try to support dynamic workforces, all while balancing user experience, automation and emerging risks like gen data leakage. Harish Singh, welcome to threatvector. I'm really excited to have you here today.

A

Thank you, David. I'm also very excited to be part of this.

B

Talk to me a little bit about your journey through banking tech services and infrastructure leadership and how that's changed your approach to cyber security.

A

So that's a, that's a very good question. And to be very frank, David, I've been in banking for last 20 years, that's two decades and I have, I have seen a bank from greenfield to becoming a brownfield bank. So that was a, that was a journey, what I have done with the banking. So I know how unique that experience was, how I managed all the risk, the compliances, the regulations and the resilience for the organization being always part of the infrastructure side of the domain. Having led large scale digital transformation along regulatory environments of banking, I have firsthand experience how secure compliant foundation enabled both growth and innovation. Today in my experience, my approach to cybersecurity is balancing protection, agility, user experience and regulatory adherence at an enterprise scale.

B

Oh, I really like that, that idea of finding that balance between what you need to deliver for the business, what you need to do to protect the business and your customers, but also thinking about, you know, what's the engineering challenge and what's the end user experience. And if you don't get those mixed in just the right way, any one of them could be the thing that stops you from success, stops you from Growth. So it's, that's a big range of things to think about. You've said 20 years and you went from Greenfield to Brownfield in that time. Have you noticed a shift where one of those ingredients, one of those things that you're considering in your strategy has really gone from sort of the back burner to, you know, to the forefront or have things changed around or has it always been balanced?

A

So David, to be honest to you, back at my banking journey there was something which banking, Indian banking sector actually believed in, something called fail fast. So we were very enthusiast of looking at latest technologies and the greatest technologies, trying them and not living with them. And we could fail fast because we know because of the technology it carried a direct link to customer trust. One misstep could ripple into compliance issue, reputational issue or even financial stability of the bank. Correct. That environment taught me to see risk and security not as a control gate, but as an enabler of confidence. Even today in wipro, our global infrastructure, I carry that mindset and that helps me build resiliency and try more new products.

B

Not too long ago I interviewed our CIO here and she talked about how she trusts our security team to act as a strong break so that she can go fast and she wants to drive innovation as fast as possible. She needs to be able to rely on, on, on that strong break. And it sounds like you have some of the similar mindset of how do you go fast? Well, I have great security around me. We've thought about this, you know, and I think that's a great way of looking at security and its relationship to innovation. I'm curious if that's the number one lesson you've learned over the years or if there's, there's something else that you've learned working in the financial sector that influences your approach to risk and security today.

A

So if you, if you talk about Financial Institute is always user experience, the compliance, the regulatory compliance. Basically these two play a major role when you talk about banking and the belief in your customer is maintained by delivering both security and user experience. So those are in the forefront and that's the same thing. The same philosophy helps me in Wipro where we serve more than 1400 offshore development centers.

B

So let's shift to talking about your work with Wipro and how you're helping your customers re architect their infrastructure as those organizations are accelerating to SaaS adoption. How do you support a more dynamic and app centric workforce?

A

So if you, if you talk about, purely from a wipro perspective, we are helping our Client to modernize. So the, the first principle, what we apply is we decouple security from the network. That's the most common mistake what, what other organizations are doing and what we are making. Important thing is identity driven. So policies follow the user wherever they work. It's not the other way around. I don't know if you have seen a Vodafone ad. It's very common in India where a pug, a dog, is always following a user, a user, a Vodafone user. So it shows wherever you go that pug will be with you. That means the Vodafone connectivity will be with you. In the similar way in today's identity driven zero trust framework, that's the same case wherever you go. It's like your corporate ID badge. Your access remains the same whether you go to hq, branch or any other place in your organization or to a hotel or to your home. So it has become very embedding. SASE at the edge has become a core.

B

You know, from the infrastructure perspective what are some of the big security blind spots that you see a lot of organization tending to overlook.

A

There are three main blindfolds. What I could talk about right now, the one we talk about is the unmanaged device in our organization, or in any organization for that matter, where we have contractors coming in, they're getting access to the sensitive data, we have customer related data, we have customer related unmanaged devices, we have VPNs running through it, we have VDIS running through it, and so on, so forth. So it becomes very paramount on, on the unmanaged devices. That's the, that's the most important I believe for any organization. The second one is always about identity governance. The inconsistency in ID governance is a killer, is a no, no kind of a thing. The final thing, what I believe is what you spoke about on the SAS usage, the application sage. If you look at the, the old and good times where it was more of a build rather than a buy, today SaaS environment is more about buying applications. So lack of visibility on those applications becomes a major hindrance. It's like you say you lock the front door but you forget to close the side windows.

B

So you're talking about SASE gaining real traction. And in the state of workforce security there was a stat in there, 34% increase in widespread production development developments year over year. What are you seeing as the biggest gains in sase? And you know, maybe what are some of the early pitfalls to avoid?

A

So David, SASE is a very big Word. When I say SASE, it consists of multiple products, multiple vendors, multiple OEMs, which makes a SASE technically. So the early pitfalls come when SASE is treated as a network upgrade instead of identity led transformation. So giving a very lame analogy is like building a skyscraper without a foundation kind of a thing. Correct. So we are seeing strong gains in our hybrid work enablement where SaaS protection and simplifying cloud security operations is paramount.

B

Haresh, how do you see secure browsers completing SASE strategies particularly in extending zero trust to unmanaged endpoints and SaaS applications?

A

So if you look at a secure browser closes a very critical gap and we recently have deployed a PAB browser which is Palo Alto Access browser. So I'll take a step back. I'll tell you David, the prima facie reason for getting a secure browser. If you look at our application stack or any application stack in a brownfield kind of environment, in the brownfield kind of organization, you'll see n number of legacy applications being there, the new SaaS based application coming in. So there's a mix and match, there's a confusion in and then security becomes very important because these applications, they contain user data, they have client data, they have PII information, GDPR information, etc etc, so and so forth. To fix this problem in core will take at least five years. If you look at the number of application an organization has runs into hundreds, it's too long into hundreds. So to fix it you can't fix it at the source because that will take five years. So the secure browser helps you to create that extended zero trust directly to the endpoint which helps in managing all the security related at the core of the endpoints. So after deploying Endpoint secure browser all CXOs will embrace that. They will get a good night's sleep because their worry of people accessing applications from anywhere anytime will no more be there. That's my take on the Secure browser.

B

Only 13% of organizations report full visibility into data shared with Genai tools. What's at stake if this visibility gap isn't addressed?

A

So we all know Genai is no longer about future, it is happening here and it is now. So it becomes very important to Genai. We all know that JNAI is the new frontier of productivity visibility. And if you look at without visibility, organization risk, data leakage, compliance breach and erosion of trust with customers. With gen AI adoption surging, the stakes are high as losing intellectual property without even realizing it. So there's a plenty of thing if we talk about zna, do you think.

B

That the browser is going to play a key role in stopping those risks?

A

Yes, definitely. If you look at from a browser perspective, there is something called browser level controls which we can enforce so that the smart browsers level control can be key to providing real time visibility into AI tools. Capturing images, text code, to generation the dynamic DLP in the secure browser, enforce blocking sensitive content to be taken out. Keyword blocking is there. And from a business view perspective, this is about trust with regulator, customer and partner. So yes, definitely.

B

You know what strikes me is that the browser is such a common and useful tool that we all have and we don't necessarily think about it, but it can provide that leakage, it can provide that risks on one side or you can flip it 100% and it can provide that security. And it's also the interface that so much work is getting done. So when you're able to make that shift, it feels like in a space where gen AI is moving so quickly that the browser gives you the opportunity to not only catch up, but to actually wrap that security around. Going back to your analogy of before with the TV commercial, right? As you use that browser, that's what travels with you. That's the first thing you pop open. You know, I'm sitting here talking to you through a browser. I've got a couple of tabs open. I'm sure you've got a couple of tabs open. Our listeners do too. And you think about wrapping security around all of those things that we're trying to do through the browser. It's just wild that you wouldn't want a secure browser, especially when you're interfacing with these, these spaces that leak your data, leak your code without necessarily intent. You're not malicious, you're just trying to get your job done with these better tools. And they are better, right? But they come with that incredible risk right now. So it's interesting to see where the browser has an opportunity to play in this space as we, as we race forward. I want to get back to the report for a second where I saw that it emphasizes SASE as a way of unifying networking and security. What benefits are you seeing or expecting from implementing SASE architectures?

A

So Wiplo is a very large organization. We have 96% of our servers and server workload running on our cloud. So we have big clouds like Microsoft, Google aws. Now we have Oracle also. So if you look from their perspective, SASE plays a very important role where they become the gatekeeper. So anything coming inside from a Hub and spoke perspective. The SASE helps, the SASE architecture helps in the hub and spoke environment. So that is from a, from a cloud perspective. But when we come to the end user and endpoint, it is about defining unified policies and enforcing them across the environment, reducing complexity, managing multiple tools and improve user experience. That is almost always a key thing, if you ask me. User experience is one of the key thing. What I always believe SASE should deliver and SASE should improvise on.

B

So Haresh, I don't know if you know this about me, but I spent the first 20, we'll just call it 20 years of my career building software, building websites focused on ux. Can you give me an example? Can you delight me with one of those user experience that you've delivered that you think it hits or exceeds your expectation for that end user to be delighted, to have something that they didn't expect and they're able to pick up quickly and get out of the way, let them do the work that they're looking to or have the experience that they deserve to have.

A

So David, if you look at, if I'm right, if I understand your question correctly, if you look at Covid taught us, and if you look at users were pretty happy that they could work from anywhere. Before COVID it was always a dream, which I believe when I used to talk to the CXOs, they always used to say, how can Starbucks work? Why can't we have a Starbucks? Kind of an environment where Internet is available, people are using it, there is no east, west traffic, nobody's bothered about what the other person is doing, while if you take a cut, you come to your organization when you're sitting inside. You know, anybody can hack into your machine because the next person sitting may have a malicious intent, whether it's employee or whatever. So we talk about internal risk as the most, most critical kind of a risk. So with sase, that is my. The SASE helped us to change our mindset from a network driven to a point, policy driven state. Correct. So this, wherever you take your machine or wherever your mobile phones, wherever you want to access your applications, it's available, just click of a button so you go anywhere. That's the beauty of sase.

B

No, I love that example because you're talking about that moment of inspiration or that moment when you need to get something done isn't a drop everything, get back to headquarters, get to a machine that's, you know, locked down and secure and do your job. You're talking about the ability to basically flip open Whatever device, make sure that that browser security is wrapped around you, make sure that that identity that you're talking about, that that individual security is there and you're able to knock out your work. So that is a better user experience. You know, as somebody who's been remote for quite a while, I can tell you it delights me that we have architectures and leaders like yourself working on making this just a seamless way that we go about, go about our lives. As I was looking through the report, I saw that 76% of leaders say that user experience is a top priority. And I think that you would agree with that. Alongside security, how do you measure or evaluate solutions that aim to balance those two specific goals?

A

So I'll give you a use case, David. When we deployed a PAB browser, it was not about how much incident that the PAB browser is reducing, but what is the adoption rate Today adoption has become a most important factor and along with adoption came the satisfaction score. How people are leveraging this particular browser to safeguard them to ensure their work is happening was very paramount. And I'll tell you, if security is invisible and employee can work without friction, we know we have stuck the right balance.

B

I like that. So you're able to see adoption and therefore you know that the security is there and it implies that if they're adopting the tool, right, like we all move towards the thing that's going to get us the best experience. And that's actually very elegant. I love that answer, David.

A

If you look at it, if you look at it, if there is no adoption, see, we have seen, as I told you in banking, we used to fail fast because when we see the adoption is not happening, we used to understand why it is not happening. There used to be a satisfaction survey which calls out why it is not happening and whether this is suited to our organization or not. Because it's not about the product, it's about the policies, what your organization carries. Sometimes some products are the best product. So that plays a, from a product perspective, that plays a greater role.

B

Do you ever face pushback from teams when security controls affect their workflows?

A

Absolutely, David. That's a pain area. When you head the infrastructure that is something which is very common. But yes, security can feel like a hurdle. Correct. People can feel suffocated and choked. But the key is to what we do is we involve end user at an early stage, ensure there is a org wide change management. We have our teams who run change management or wise and we frame controls as enablers and those are not something which will block our people from doing more business or being more productivity. It's like you can always say that much like seat belts, what you used to. What we wear in cars. Correct. Initially everybody used to reset it, but now for safety, there's no question, there's no question asked. As soon as a person sits in the car, he looks out for a safety seat belt. Correct. So it's something very similar. It's about habit, it's about how much time you can give them and how we improve, do a continuous improvement.

B

Yeah, I think you're absolutely right on that seatbelt and the strong brake. Mira talked about that on an episode before. You want those things and once you don't have them, I think that's when you start to feel exposed. So you got to get used to it. But then it seems awkward not to have it. I'm curious if you could talk about the role of automation and what it does in securing infrastructure at scale.

A

So automation is no longer about options. So obviously automation came before machine learning or AI, so it's no longer option, it's become a DNA and it is a foundation for scaling. Correct. You talk about patch management, you talk about threat response, you talk about society. By the way, we use your product demi store for automating all our SOC alerts. Correct. So automation allows security team to move like machine speed rather than human speed. So with all the automation going in, our SOC team is much more agile and nimble and the rest of the thing is done by your tool.

B

Yeah, I know. I've talked to our team here about the wide deployment out of Xor in our own SOC and the number of things that it takes care of so that they can keep up. It's a relatively small team and the comment that really comes back to me was the team doesn't think about it until something doesn't work and they have to go back to doing it manual and they're moved off of those highly strategic tasks, those threat hunting exercises that they're in. Some of these things that they do to protect the business, to move back towards something that had been automated away. And it is, you know, wild to me to look at, you know, what you can do with an automation tool to move to that next level of speed. So Harish, I want to look ahead, you know, let's move, let's move into the future. And I'm curious what role you see the enterprise browser playing in say the next three to five years in reshaping how organizations deliver secure work experiences.

A

So, David, maybe I will repeat what I said for Gen AI Correct. So it's no longer about future. The enterprise browser is happening now and here so there is no second thought. It's a new security edge so enabling policy enforcing DLP identity control, everything is very critical and call to every organization. In many ways it's like a control tower for modern workplace. So you can't there's no five years or three years. It's happening here and it's now. That's why Wipro embarked on it in such an early stage.

B

So if I hand the mic over to you to talk to all of your counterparts, those that lead infrastructure security leaders, is there one mind shift that you recommend as they prepare for the next wave of digital transformation? And while I think I know what it is, what would it be?

A

David, I will suggest that move away from castle and moat mindset to one where identity and data are the new perimeter. Most of the people are still of this old mindset where they feel firewalls of the perimeter, but it's a left shift which has already happened, correct. The shift is simple but powerful.

B

Haresh, thank you for this awesome conversation today and for sharing your insights on UX, on hybrid work on SaaS security and the evolution of the enterprise, which isn't coming in three to five years. It's already here. I really enjoyed this conversation.

A

Thank you so much David and the entire Palo Alto Network team. It's been a great discussion and I look forward to continuing our journey of making security simple, trusted and user first.

B

That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help me understand what you want to hear about and if you want to reach out to me directly about the show, email me at threat Vector Palo Alto networks.com I want to thank our Executive producer Michael Heller, our content and production teams, which include Kenny Miller, Joe Benecourt and Virginia Tran, original music and mix by Elliot Peltzman and a special shout out to Monique Lance for all of her work on this episode. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.

A

SA.