Musings from the Cyber Trench
Building SASE That Actually Works: What Everyone Gets Wrong | Vishal Goyal | EP 106
Welcome to Musings from the Cyber Trench, the podcast that goes beyond surface-level conversations to explore the real-world challenges shaping public sector cybersecurity.
In this episode, host Vishal Masih is joined by Vishal Goyal, Vice President of Enterprise Architecture, for a deep dive into enterprise architecture, Zero Trust, and the realities of securing complex public-sector environments. With nearly two decades of international experience across consulting, engineering, and operations, Vishal Goyal shares how architecture decisions directly impact resilience, scalability, and security outcomes.
The conversation explores how cybersecurity strategy has evolved, why Zero Trust must be practical rather than theoretical, and how organizations can better align cloud, network, and security architectures. This episode also touches on stakeholder alignment, decision-making at scale, and what it takes to modernize legacy systems while maintaining trust and continuity. If you work in cybersecurity, enterprise architecture, or public-sector technology — or you’re navigating complex security transformations — this episode offers grounded insights from the front lines.
⏱️ Timestamps
00:00 – Welcome to Musings from the Cyber Trench
00:25 – Podcast mission and focus on public sector cybersecurity
00:41 – Introducing today’s guest, Vishal Goyal
01:28 – Vishal’s role and scope in enterprise architecture
02:43 – Career journey and international consulting experience
05:12 – Evolution of enterprise architecture in cybersecurity
08:34 – Why Zero Trust matters in public sector environments
12:06 – Practical challenges implementing Zero Trust
16:18 – Cloud, network, and security architecture alignment
20:47 – Managing legacy systems in modern environments
25:31 – Stakeholder communication and architectural consensus
30:02 – Balancing innovation with operational stability
34:18 – Lessons learned from large-scale transformations
38:56 – Advice for architects and security leaders
42:10 – Closing thoughts on resilience and future readiness
Responsible for ICAM, Zero Trust, or identity security in a federal agency, prime, or large regulated enterprise?
If you’re trying to move from strategy to execution, start with Zephon’s Zero Trust Readiness Assessment: zephon.tech/zt
Questions or guest ideas? Email defend@zephon.tech
Okay. Hi everyone. Welcome to another episode of Musings from the Cyber Trench. My next guest today currently serves as the vice president for enterprise architecture at MLEW. He oversees critical domains, including information security, hosting, network, and cloud service. He is an accomplished leader with over two decades of international experience in IT consulting, specializing in developing and executing successful global uh technology strategies that consistently deliver results. His proven expertise spans the entire system from architecture and engineering to delivery and operations. Known for his effective communication and collaborative approach, he excels at engaging stakeholders across organization levels and functions. With that, everybody please meet my guest Vishal Goyal. Welcome to the Musings from the Cyber Trench show.
SPEAKER_01: Thank you so much, Vishal, for hosting me. So it is now Vishal Vishal, Vishal squared.
SPEAKER_03: So there's only one uh one Vishal Goyal, you know.
SPEAKER_02: And yes, and the same goes with me. One Vishal Masih.
SPEAKER_03: So uh uh Vishal, uh we are going to talk about you know, and there's a lot of communic uh I would say misconception and uh and confusion on exactly what uh I know people who still still say who still call it SASE, who still call it SASE. So for the folks who are confused or what in the dark, please uh shine some light on and explain to us all what exactly SASE is.
SPEAKER_01: Yes, so I think you're spot on. I think um when Gartner came with this term SASE in 2019, I think uh people started uh looking at this as uh, oh, there is something new has come up. But let's start with the the full form of SASE, which is secure access service edge. So where everybody gets confused and they don't understand whether it is SASE, what is SASE, there are new terms. So people start getting confused with the products, right? But when Gartner came with this word SASE, again, secure access service edge, the main idea behind that was to converge the network and security into uh something called SASE. And SASE was defined as actually an architectural framework. So if I go into the details of what actually consists of SASE, you'll be surprised. And I'm pretty sure people across network and security uh community, they might be using all those services in one way or the other way. But let's say why Gartner first of all came up with SASE. What was the need, right? So if you remember that 2019 was the time, I think, where the cloud adoption, I can say, right, that it is definitely going on for a long time, but it it is what like as a peak on the cloud adoption, where um on-prem data centers, people are trying to move off from and going to cloud, right? So what do you need? Do you you need a flexible way to access your cloud applications, whether it is your applications or your vendor applications, right? And similarly, if you see that 2019, I would say 2020 was that time where this remote work was at its peak. And I you know what I'm going towards, that that COVID era, right, where everybody was working from home. So that remote work was at its peak, right? And the other part of the architecture framework, zero trust principles, and I think you must have already heard about your from your clients, that was also kind of picking up. So people were already confused that now what Gartner came up with, SASE, right? So let me tell you what SASE is.
Actually, SASE consists of network and security, as I mentioned, right? But what from security? You will, right? So security, first of all, let's say about secure web gateway, which is uh people know about as a proxy, right? When you are accessing anything from your company or your even laptop that you use a proxy. So I think you agree that it is not new, right? People are using proxies for a long time, right? The the second of this is uh CASB. So what is CASB, right? The that cloud access security broker, which you use to access your cloud applications securely, right? With proper uh identity policy permissions, context awareness, and everything like that, right? The third thing in this um the whole SASE was the firewall as a service, right? So though people already have firewalls in their uh perimeter, uh their uh data center perimeter or office perimeter, but this this brings up a new term called as I would not say new term, they they they brought firewall as a service in in this. And then what else came in? So I think you must have used VPN, which was just yesterday uh invented, right? Now, unless VPN is the people are using VPN for a long time. So, what this SASE converted that VPN to? ZTNA, zero trust network access, right? And one more important feature in this, they added was WAN. No, not WAN, actually SD-WAN, software-defined WAN, right? So if you if you hear these different terms, right, I think you will not say that any of this is something very new you have heard. If you're working in the IT industry, especially on the infrastructure side, I think these terms are being used for a long time. But what Gartner did is they tried to bring all these together as network and security services at the edge so that their users have access to the applications in a secure way. So shift your security near to the users.
Use cloud applications because you cannot have your own services expand to that where the cloud services can bring point of presence near to the users, anytime, anywhere, access to your users in a secure manner. So I think I I replied to your questions in a very long way, but I wanted your users or your listeners to understand that that SASE was brought in, and even today, as you mentioned, users think like, oh, it is some magic word which has come, and oh my god, how will we do? We are behind uh implementing SASE. So I wanted to make you aware that this is where the confusion comes in.
SPEAKER_03: So uh most uh most uh organizations today see SASE as a product, you know, this let's go and buy SASE. But you were saying it's more of an uh uh an uh architecture design or a framework. Yes. Okay, exactly.
SPEAKER_01: Yes. So this is this is where this whole confusion starts because I would uh uh tell you, like right now, when when this term came in 2019, there were very few vendors who were using all these products in a packaged manner. But as the time progressed, that this this whole SASE hype cycle picked up. So vendors started coming up with the products, right? So that is why people think SASE is a product. Any big vendor you go, which is already in the security and network and cloud uh area, they will all sell SASE products, right? And that's where it gets into the mind of an uh even the architects in a company who are security architect and network architects. Oh, we are talking about a product which needs to be implemented, which is so complex, which we don't know, right? But as I earlier mentioned, right, in my definition of SASE, SASE is actually when when Gartner came up with SASE as a word, their whole mindset was to bring it as an architecture framework, not as a product. People looking at it as a product because they see there are there are products available in the market, vendor, vendor-driven product. But this is actually a framework. If you if you see all those uh things, you need proper policies, you need proper identity, you need proper uh technologies, which comes later. But unless you have defined your framework, architecture framework, what are you trying to accomplish, first of all? That that's how I look into my day-to-day job. If somebody is coming to me, oh, I need this tool. The tool, tool can solve a purpose, but what problem are you trying to solve? Can I expand that and solve other problems along with that? So if people are trying to solve these in that mindset, so this is why we say it as a framework, not as a product. The moment you start going into product, vendors will start selling you the product.
I'm not saying that they are not they are selling you the wrong thing, but if you don't understand your requirement, you don't come up with your architectural framework, why do you need it? When do you need it? What is your plan to implement it? How do you want to be measured your success criteria? Just buying a product will not help you.
SPEAKER_03: Okay. So based on what you said, you know, like uh if uh say would be one of the various sort of uh for us to uh maintain our goals of uh of having uh uh zero trust architecture, right? So what groundwork should we lay before we even start thinking about SASE?
SPEAKER_01: Yeah, so uh zero trust framework. So this is actually one of my other favorite uh topics, which which I really like to speak about. So again, this zero trust framework, zero trust principle, oh, we are zero trust compliant. People again start jumping in because uh not just the team members, even CSOs and CIOs, they love to say that, oh, my company is zero trust compliant. And I'm not saying again they are wrong. They are right, but they're they're right to some extent. Yes, because zero trust, if somebody asks me, I say zero trust is a journey. And it will be a journey for your organization forever. To me, you cannot say that you are zero trust 100% compliant ever. And I can tell you why. I see zero trust. What is a zero trust? Zero trust, in simple words, it's least privileges. Okay. Authenticate one where uh once and validate always, right? But if you go with this, even this principle, least privilege, do you think you will be able to do least privilege everywhere in your company on every application at one moment where you can say that I'm zero trust compliant? I don't think so. I don't think your listeners will agree that they cannot, because it is ever going in progress kind of implementation for you. So, and zero trust is where you are identity-driven, context-aware, access to your resources you are providing to your users, right? So when we when we combine zero trust and SASE, so SASE is one part of zero trust implementation. So that is exactly where you were going, right? Can I achieve zero trust when I say SASE? Yes, but not fully. Again, as I mentioned, right? If I see zero trust as a this big circle, SASE is a circle smaller inside where you are using SASE to achieve your bigger goal in that. So you can start with SASE, but you cannot say that if I implemented SASE, that I am 100% zero trust compliant. No.
Because again, whether your uh the identity policies are mature, are you able to integrate all your SASE into your zero trust policies everywhere where also you're not trying to come commit your resources in the network and security only area? So that that is very important for you, for you to know there.
SPEAKER_03: Okay. So uh you mentioned uh uh you mentioned uh ID multiple times. So would you say that we should start with making sure that we have the right uh INP security in place and then move to network security and SASE and so on?
SPEAKER_01: Yes, yes, I I would definitely say that we and anybody looking into the SASE, you need to have the identity framework uh first uh in your company uh implemented well. And when I say implemented well, it it consists of your multi-factor authentication, your adaptive authentication, your context-aware authentication policies, how you are doing. I think that is very important because in the end, your SASE implementation is going to use the same. As I can give you one example, right? So uh in SASE, we say uh ZTNA, zero trust network access. And this this is nothing but the expansion of VPN, where VPN users look that you once connect, you get access to your uh the resources in in the company's network, right there. But ZTNA goes very granular, right? Where which application, what type of access, where you are coming from, which device you are using, there are all factors that come into picture. And it is like point-to-point connectivity, not giving access to the whole of your network. So think of that, right? If you don't have your identity framework rightly implemented, can you achieve this? The ZTNA for your users? I don't think so. Right. The similar is the case with CASB, right? If your data policies are not well defined, right? Your classification of data is not there, along with all the identity uh uh identity things which we discussed earlier. You cannot give your users access to your services, or you cannot download if you are on a particular device in a particular network. Or you cannot take print when you're sitting at home accessing an application from your home laptop, right? So all these identity is definitely the foundation for moving into SASE. SASE will look into your coarse grain, but identity in the foundation service will try to bring it in your fine-grained uh access permissions, whatever you are looking for, your applications.
SPEAKER_03: Suppose I have my identity security policy defined. What would be the next step if I want to roll out SASE? I focus on the edge first, I focus on cloud, but I focus first on uh the loan and substance.
SPEAKER_01: Right. I think that is a very good question, Vishal, you have, right? So this is again going into the step-by-step kind of what should be my next step, right? Instead of trying to get everything together, how I can move, right? I think that's what your your question is about, right? So I think I would like to emphasize another uh exponent which Gartner came up uh after two years of SASE, it is SSE, right? That security services. I think you must have heard about it. So the main idea by bringing that um difference from SASE was that, as I earlier mentioned, that SASE has network and security both together. And people were finding it very difficult because if you see a typical big organization or even a medium-sized organization, they have a very uh verticals in the infrastructure team. A network team is a network team, infosecurity team is an info security team. They are looking in their uh different domains and they work like that, right? But SASE is kind of convergence. So people were finding it very difficult to start going with all the implementation of whether it is SD-WAN, whether CASB, whether ZTNA, whether DLP policy is difficult, right? So what happened that, okay, how should we look the implementation so that we are not failing in the end? So how you should start looking into it. So if your identity foundation is solid, right? My take is that you take the WAN or SD-WAN part as last. Just keep that in mind. And that is one of the reasons uh I, as I mentioned, right, SSE talks about security capabilities more versus the network capability. So think of let's keep the SD-WAN part, which is giving you the flexible connectivity as a last thing, right? And what you will do is you will start with your other implementations. And the the implementations on uh now you can start with uh CASB, right? Are your cloud applications secure enough? Are you using the adaptive permissions to access that?
So that is one where you can start with CASB and in your applications. You can uh have your secure web gateway in a manner where the security for the end user is moved closer to that. You can look into that. And all this is I'm trying to tell you that it could be based on the product or the tool you are buying. There are specific steps that you go to first secure web gateway, and then you go to CASB. But these are something I'm trying to tell is these are not like um tied tightly to each other. And this is a this is what exactly uh uh people need to understand, right? So you don't need to stick with one product. If you start looking into your architecture, oh, I I'm already using a secure web gateway today or my proxy services, right? So for SASE, what do I need? Your security web gateway, when we so in a typical old uh security web gateway, you were only looking for your 80/443 traffic, suppose the web traffic, right? But because now you are moving your security edge in the cloud, the services which were deployed in your on-prem before, you which used to look into all traffic, now needs to move to cloud. So, first step you can take look into your security web gateway, that's how it can start looking into my all traffic, not just 80/443, FTP, or any other traffic going out. How I can increase my inspection with that security web gateway. So that is like first step for you, right? Now, CASB, you all everybody has the SSO SAML implemented to access their uh SaaS applications, right? But so far, those SaaS applications are integrated in such a way where if you are using a SaaS application uh as a consumer, you have very minimal control on that SaaS application. And you can ask me now, what does it mean? What does it mean is that you in you go through your own identity provider, you authenticated the user correctly, authentication, authorization, everything happened. Now SAML token is handed over to your SaaS application. Correct?
Now, once you hand over the SAML token, control is at the SaaS providers, right? You can definitely talk to them. Okay, I want to keep my session to 30 minutes or all other things, but still, the control is in the hands of your SaaS provider. So what CASB brings you, CASB brings you that control in your hand, right? Though you are still doing the SSO integration, but you will have more control going through the proxy service that you can put a conditional policy saying that when Vishal is accessing this office site from his home laptop, he's not able to take a screenshot, he's not able to take any printout, or he's not able to take uh download any data, right? But when I'm an office network office laptop, I can do all those things because that is a controlled environment versus my home laptop. So that that comes as a second thing, right? So now you can expand it to, as I mentioned, like DLP, which is optional in SASE most of the time. But your data classification, which will again, you will relate it to how it can uh be integrated into this CASB, right? If it's um suppose a public data, why do you care whether I'm downloading it in my home laptop versus office laptop, right? If it is confidential data, definitely that will so for that you need to have that labeling correctly, right? What data, what place, what device, what network, right? So you can think of these ways to go into, but again, I will emphasize that it is not, you don't need to stick to one tool or product to look into all these capabilities. You can use secure web gateway from somebody else, CASB from somebody else, and you can go best of the breed in the markets. I think everybody knows there are different vendors. You can have one product from one vendor and then the other. And in the last, what I mentioned to you, the SD-WAN comes in. Now, in the old architectures, what used to happen?
You used to backhaul all the traffic from your different offices, locations, and all at one location for the obvious reason because you want to inspect the traffic, right? You want to do uh uh sandboxing on your traffic so that you can identify the issues, right? So the the SD-WAN can give that flexibility where you don't need to bring all the traffic back. You have your cloud implementation of your WAN now, choose your ISP or whatever you want to say, and they can send that traffic to near point of uh point of presence for those vendors, right? If you're using, suppose CASB for a vendor, you can use that. You can you are using secure web gateways from another vendor, you can use your SD-WAN policies to go with that way. So, this is how if you go step by step, understanding your architecture more, I think that will help the users to make their uh program successful of implementing SASE in the right way. I hope that helps you uh on your question.
SPEAKER_03: Uh uh from what I heard from most of the SASE vendors is that one of the key things that they push for is that going with them, you will get uh uh you will get uh uh product uh UK product uh uh consolidation. So less products to manage and maintain, less license cost, you know, less uh protection, so on. You always think it's that we have the pretend to use different products. There is a balance there, you know, you get the there are benefits to using one stack, but there are also cons of that because like you have you're putting all your eggs in one basket. You know, like how do you weigh that?
SPEAKER_01: Yeah, so I think this this is another uh very good question, Vishal. And that is where I think um uh most of the companies get into this whole idea of that, oh, if I have one vendor, I think my uh issues are gone, right? Let that vendor come in and they will do the SASE and then go away. And I'm I'm not saying there are not products or tools or technologies which can handle your whole of SASE, but you brought out a very good point, right? When you are going with a single vendor, you need to always think, right, are you locking yourself in with a vendor, right? So maybe you will get a good deal for the first contract, but when the renewal is coming, are you are you stuck, right? So again, I'm not publicly saying that you should not go to a one vendor. All I'm saying is you need to make your uh decisions uh accordingly, right? What again, what is your goal, right? Most of the companies are again using an SWG secure web gateway, right? Just talk to your vendor, current vendor, that are they providing the SASE capabilities where they can go beyond the 80/443 web-only traffic, what kind of inspection they are offering, right? The the users uh you uh companies are you already using VPN services today, right? And uh in the old world, I if I see VPN was provided by a very different company from where VPN is uh the the web gateway services are provided, right? So you can ask your VPN providing services that do you provide ZTNA now, right? What is your uh uh offering? How can you help me? The similar way you can go to your CASB vendor, right? You're you might not be using CASB today. So if you're not using any of those services, you can always fall back to your uh vendor, which is already there in your company. I'm not saying you need to stick with that. All I'm saying is that if you have your requirements, your framework, your architecture design rightly done, you don't need to depend on a single vendor.
But I also say that you don't need to choose five different vendors for five capabilities as we discussed. Yes, definitely I am not in favor of doing that. You don't need to go for best in breed for everything. My rule always at my side is 80/20 rule, right? What does that rule mean, right? I could have one tool which is doing excellent in one of the areas in security, networking, infrastructure, and all, right? Now, my requirement comes as in supplement to the existing requirement. Now, should I start looking best of breed? Or if the existing vendor is already able to meet my 80% of the goals, can I have enough controls on my rest of the 20%? Or are those so critical that I really need to look into the best of the breed? But I also say that at least go with two vendors if you are going with the SASE so that you have a backup plan, right? Next renewal is something comes up in a contract where you don't like some terms, whether it is uh increased licensing fees or uh getting lesser features and all those kind of things. So you have an option. And I think the market is so competitive, Vishal, nowadays in this area, where due to this whole cloud adoption, every vendor will try to get your business, right? So don't worry that if you go out of one vendor's product, you will not be able to find anything because that is best in the world. No, I think there are almost every big company in today's world, they're all looking for this whole connectivity and security in a manner where they're all saying that their products can meet all of your requirements. So you don't need to worry about a single product for this for sure.
SPEAKER_03: Yeah. Would you say SASE or even uh SSE is mainly applicable if my team is remote or if I have uh like if I have multiple uh branch offices? So if my team is all coming to the office, I am only one office. Uh would I is there still a use case for using SASE or SSE?
SPEAKER_01: Absolutely. Absolutely. It it is a use case, but again, your requirements could be different, right? So your requirements could be different, so so you can go with a different licensing model, but why it is still uh useful, right? So again, see if if if I am owning a company where I'm saying that, okay, I just have one office and users are coming, then why do I need it? But I still need inspection, right? I still need to secure my edge, right? Where uh people who are sitting here even in the office, what are they accessing? What data is going out, what data is coming in? That still needs to be uh inspected, right? So if you look from that perspective, SASE is essentially putting everything in cloud. Now, as an owner, do I really need to worry about that I have enough of the capacity to inspect all the data? Am I updating my patches at the correct manner? Am I upgrading my product for the new features? Versus if I'm going into the cloud with a provider who has these services in the cloud, I don't even need to know when did the patch was. Do they have enough capacity? Because I'm already running with an SLA. Nowadays, vendors are giving you four nines or even five nines actually of SLAs. So do I really want to have that infrastructure burden on myself? No. But do I need to have knowledge in my company with people who are going to manage it? Absolutely, yes. So even if you are small versus big, I would say even when you are a small company, actually you should go with SASE because that is where you will be, you will be able to take help from those big vendors who are investing billions and billions of dollars into their security products. So this is absolutely a case that if you are a small company or even have a one office versus five offices.
SPEAKER_03: Right. So is the things has that been a concern in terms of like uh you getting hit when you hit their uh their uh uh bandwidth thresholds or bandwidth charges?
SPEAKER_01: Yes, so that is where I think uh Vishal planning comes into picture, right? How are you doing planning before jumping into this whole SASE? How how do you see your requirement? That's why I keep on uh emphasizing on the requirements, right? So definitely you need to have your requirements for the capacity, not for just today, maybe next three years, based on the projects coming in your company and the growth your company is looking at. You definitely need to have those kind of things. And then you can talk to the vendors and have this in your contract as tier conversation, right? So suppose if I am at one terabyte bandwidth, right? So this is their cost. Talk to them and say that, okay, if I add 150 GB more, what will be your pricing? If I go to the second tier of two terabytes, what will be your pricing? And again, I'm I'm I'm saying that today, vendors are so keen on taking your business, everybody is going into this model because this is a subscription model today, right? Now it is not like on-prem. Cloud is all subscription model. You will easily get all these kind of uh the quotes when you're signing the contracts, have that in there, right? Today I'm this, but okay, next six months when I go, how do you do the averaging par now, right? When will be the second tier kick in? What will be the pricing of the second tier? If you go by this, I think you will never see an issue because you are going informed into this contract. Number of users also, right? Every company knows that what will be their growth path, right, in at least next three to four years. Correct? So you can again get in that contract. Today I have 5,000 users. What if tomorrow I have 6,000 users? How the tiering will work? 7,000 users, 10, 20, 15. Everything is possible. If your team who is negotiating the contracts with the vendors, they have this information from you. So you will never go wrong. You will never see that, oh my God, I invested $1 million and that's all I had.
What will I do now? It's if you have this planning, you will know, right? If next year I'm looking at this dot, I'm putting aside this money for that growth.
SPEAKER_03: What I am hearing is that you have to start with the buy, have your uh your uh your requirements figured out. If I want to start negotiation with uh SASE vendor, what information should I have in hand before I give a preacher?
SPEAKER_01: So you um so what information you should have, right? In in this, actually, again, it the planning goes, but you need to really also know that uh along with your requirement, what are your policies, right? What kind of vendor you are looking for? Does that vendor meet your organization's policy requirements, right? Uh most of the places we call it like vendor risk assessments, right? Is that vendor, uh, what I'm going to choose, uh, do they have enough financing, right? What is their financial health versus what is their client base, right? If they're listed company, what is their image, right? How how much uh market cap they have, right? So this is this is about the vendor, which you definitely need to know along with your requirements. I'm I'm not emphasizing on, I think we have already discussed that definitely you need to have your requirements and everything. But when you are going to your vendors, first of all, also these things need to be very clear in your mind that what level of policy requirements you are going to ask. Now, one critical thing in this, Vishal, is that as long as I was hosting any technology or tool in my data center, right? I had full control, right? I can have my firewalls, edge, the box where I'm hosting, uh, all control, right? Now all is moving in cloud, right? So when it was with you, you know that, okay, I'm putting two boxes for resiliency. I can put three, four, five. Now it is going in cloud. So you look for SLAs, right? What is your SLA? I don't care if you have 500 boxes versus not. What is your SLA? What is your performance? I have my user in US. I also have my users in Hong Kong. I also have my users in UK. How you provide those services as localized, right? So the user sitting in UK doesn't need to come to US to access that resource. Do you have the local point of presence there? Right. So these things are very helpful when you start thinking of because now you are moving to cloud.
This is a totally different thing what you used to do. Now you are handing it over. It definitely comes with a peace of mind that you are not handling your uh servers or resources, but also this pre-work is very important. You need to have in your company uh policies well defined for your vendor. I think you must have heard now with this whole AI and all, most of the targets are the SaaS providers, not because of the SaaS providers, because the data they host there. So are they doing the data classifications correctly? How is your tenant hosted? Are you a multi-tenant environment versus they are hosting your application in in a single tenant environment? So while going into the SASE, all these considerations will come and you will move your focus, shift your focus that what questions you need to now ask the vendor, which is vendor-related, along with the requirements. I think requirements you will still come up because again, none of these the capabilities we are talking in SASE are just came up as a brand new VPN, you know, your resources, you know, your SaaS applications, you know, but this vendor shift is very important to know.
SPEAKER_03There's some really key parts. You know, I think honestly, if you write a smart checklist and like make it public because you're sharing such uh such good information that most uh uh most uh uh organizations often overlook.
SPEAKER_01Right, right, right. And that that no, definitely I think there there there is a checklist. And if you want, I can connect with you later and I can provide you a checklist which you can help. But definitely, definitely. I think and that that's how I have done, because unless you have the clarity, I think um uh it it can easily go the other way, which you don't want. It could become very costly if you're again uh fingers crossed, in case you're when the the SASE vendor is hacked, all the data is is there, right? That is a very big deal. That is a very big concern nowadays because everybody is shifting into cloud, everybody is shifting uh their their things in the the outside of the edge. So, yes, I I definitely there there can be a checklist which can be a guiding list also for the companies or for the users who have not gone into this, and yes, we can definitely talk about that.
SPEAKER_03Awesome. Okay, so uh you mentioned this, like I'm sure you you may have seen or heard of SASE deployments come wrong. So, how do you define success for uh for uh SASE deployments? Like, what is your definition of success?
SPEAKER_01That's uh uh a loaded question, I would say. And and why I'm saying that, I'll I'll tell you why I'm saying that, right? So I think some of that is already we have discussed, but um how what what success looks like to me when I'm talking about uh SASE, right? See, when I'm going into the SASE program, that is again, I'm kind of decentralizing my network and security, right? I'm I'm trying to go to cloud, which is not like you are just sitting in a Boston in one data center, right? You will go to cloud because you are looking at the availability. So your success matrix could be that how good is the performance uh for accessing some applications, which before versus now, because as we discussed, right, before you used to backhaul all the traffic from your different offices, different locations, so that you can inspect in one location and send it. So, what is the increase in performance, right? Resiliency, right? If you were doing it yourself before, you must be not going beyond three nines. And I can definitely say that, right? But now what is the resiliency uh architecture of the vendors? If you ask me, you should actually go in detail with your vendor who is selling you the product, looking into their uh resilient architecture, right? What is what is their presence overall in the world, right? How many locations, what is their failover policies, right? If they are down today, what is the impact to me? And what can they do to mitigate that for me? Is there a bypass policy? Is it is uh I can run locally without before they are up? Or if they are down in US, can the business uh start accessing their UK sites? Um at and I'm just making it up right now. But what I'm trying to emphasize is that um success metrics could be in all these parameters, specifically shifting into that, okay, you have 30,000 users. What is your vendor can provide if within a month you become 40,000 users? Right? Bandwidth increases. So what is this? 
All these success criteria could be measured in this manner. Today, your implementation could access only 10 applications purely on internet, but all the other applications you were getting into the own network because you could not apply the policies of data download, the printing, the screen sharing, and all. So that could be another like how you are making your applications easily accessible over internet, but in a secure manner, more secure than what they were before. So all these could be your success criteria when you are going through this probe. If you want, we can also go through uh specifics if you have uh written like so different companies can go with their different KRIs, KPIs, right? How they measure that. And one of the measuring parameters, as I mentioned, right, the performance improvement. It could be the same, right? In one year of time frame, what was my downtime? Right. And if you're moving through the vendor, then you can see what is their uptime, right? In last one year, how many uh outages they have uh gone through in their locations. So this could be another parameter for their uh thing. So you can definitely define your your uh parameters, how you want to see it as a success. And again, don't see it as a success that you want to achieve everything 100% today. No, it it the SASE is again going to be a journey, but it is not an endless journey. As I mentioned about zero trust, definitely, definitely you can achieve this project in one year, two year, three-year time frame based on the size of the deployment. But definitely take your time. Do all the homework first before jumping into the the implementation.
SPEAKER_03Yeah, I would worry a finish journey. Like you don't need many besides uh just being on zero on a side. So uh uh sometimes I have seen companies would want to encrypt their data before they let it on the so they don't want their vendor to be able to take it for their sending back and forth. Does that defeat the purpose?
SPEAKER_01Yes, it does. If you the mindset you are going through the SASE is that you can you want to 100% inspect your traffic, then definitely this this uh defeats your purpose, right? Without decrypting, how would you do the inspection? Without decryption, you can just look into the headers, right? Though headers can give you some information, but that will not solve all of the purpose, right? So uh that is where uh I was mentioning, right, that uh your data classification and what kind of connectivity, where you are going, which uh service you are accessing, that is very important so that you can define these. Because if you are going with the with the one single rule that all my traffic needs to be inspected, I don't care. No, that will not work. Because I can tell you, even some of your um if if if you have a SaaS partner which is hosting the application for you, even they don't like uh man in the middle kind of uh things, right? Coming in there. So they might say, nope, if your SASE implementation is decrypting the traffic, it will not work for me because that will break all the things and man in the middle, that transaction gets failed, right? So so there are different parameters that's how you need to see. Now, what I usually say again, that traffic which can be decrypted and the the vendors are are cooperating with you and they can do just take that, right? Take it through your SASE implementation, your secure web gateway, who can um which can actually decrypt and and and uh inspect and go through there, right? But traffic which cannot, there there could be other things you can do, right? As I mentioned, at least you can uh inspect the header, right? You can have a firewall where you are trying to at least put in your traffic that, okay, if it cannot go through my encrypted uh tunnel, then let me go through this firewall. So, what I can do with next generation firewalls, now you can do at least IPS policy down there, right? 
You can at least make it very point-to-point that okay, you can just go to this location, that traffic I'm saying, right? So all those things you can do if you have that restriction. But yeah, you you cannot say that, oh, I want to 100% inspect and that by decrypting because things are not, all the things are not your in your hand, because you are going to vendors which have their own policies too. So, so yeah, I think I think again, just just think that, and I don't think everything needs even decryption for you or inspection, right? The the vendors you are working for years and you know they are big vendors there, they they are again investing so much in the security, you have to have some trust. You have already done the vendor risk assessment. So that also plays a very big role into your trust factor with your vendors. I see you are smiling. I think there's something going in your mind.
SPEAKER_03Uh we just uh just uh uh uh you don't trust the noise and them should trust the vendors.
SPEAKER_01Okay. So what I'm trying to say, I'm I'm not saying that you are blindly trust the vendor if you heard my words, right? Because you will still have the access policies there. You still have the the data classification so that you are defining if the user is accessing that particular um resource from where, right? Device, location, user, everything plays, right? So traffic movement is one part of it. That is why zero trust is bigger and SASE is a smaller subset of zero trust. So I'm I'm I'm not saying that you are blindly trusting anybody in that. So I think I now I understand your reason of smiling there.
SPEAKER_03Uh so now let's shift gears a bit and uh let us get uh to know you a bit better. So tell us about uh when you grew up.
SPEAKER_01So I grew up in India, right? And uh I I grew up in uh Delhi. Uh the it's it's part of the North India region. Yeah, and um I I did my uh schooling uh from Delhi, but then for my engineering, I went to Punjab. So my actually parents uh come from Punjab as a background, and my father shifted to Delhi because of the job. So we have roots in Punjab, so I did my engineering in Punjab. So I I've I've I I would say I have enjoyed my two different versions of my education because Delhi is a metropolitan, all advanced, everything is going so fast, and then all of a sudden I went for engineering in a location where life is very slow, which actually, if you ask me, I I liked a lot because maybe I I have I've seen that all the rush, all my life to I did my 12th grade, but in engineering, when I saw, like, right, what what what is the fun of just running in the fields for miles and miles, right? Just go there and and get that sugarcane and then just eat yourself, right? Directly from the fields. So this is this is my my background from education and and uh okay.
SPEAKER_03Um do you have any siblings? Do you have any siblings?
SPEAKER_01Yeah, I have uh two sisters, both are elder. Okay. Yeah.
SPEAKER_03So uh did they both spoil you? Be the youngest and only brother?
SPEAKER_01Uh I don't know, but I can definitely say that I had advantages being the youngest. So definitely when you are younger, after some time, when when you get your senses right, you know how to get the things from parents when you are the youngest, right? So definitely that was there. And uh we definitely had a very good bonding among three of us, and it is still there. Though we live in very different parts of the world, my one sister is in India, one is in Canada, and I am in the US, but uh we we we still are connected well.
SPEAKER_03Uh that's very nice. So uh while growing up, so uh would you say you were a good kid in school, or did you or did you get into trouble?
SPEAKER_01I was actually a good kid. So and the reason could be it is not that because I wanted to be a good kid, it is because my father was a teacher. Not not in the same school, but he was actually a teacher uh there there in in back in Delhi. So probably that is why I had to be a good kid. Though I didn't want to be, but yeah.
SPEAKER_03Well uh that's a good motivating uh motivating fact.
SPEAKER_01Yes. Of course, there was very small uh chances of error.
SPEAKER_03Yeah. So in uh Punjab, where did you go to?
SPEAKER_01So you I in Punjab actually I went to you will be very surprised, Firozpur. Firozpur is actually a border area. Was it the border? Yeah. Yeah, yeah, it is a border area. And um uh now don't ask me why I chose that location and all those questions, right? Because sometimes just life just gives you something and you just need to take it, right? So, and I'm I tell you when I first went there, um first 15 days were very difficult for me. And you can understand, right? I'm I'm coming from Delhi. The life is so advanced, fast and all. And now I'm going to a region which is like a border area and all. But after 16 days, I think I I started uh gelling well because I already had some background in in that area. Because as I mentioned, my parents come from Punjab and my cousins and everything. We used to go to Punjab in my summer vacations. So actually, one interesting fact I tell you. So though when I went to Punjab for studies, I could uh speak Punjabi because of my parents, but I never uh studied Punjabi, so I cannot write or read. So, you know, I I bought a small book which had that translation from Hindi to Punjabi or English to Punjabi so that at least I can read the bus titles, right? Because if I need to travel within Punjab, I need to at least see. And all the local buses, they only put their destination in the local language, right? So actually, I spent one month word to word reading and understanding that this word will mean this and how I need to read and uh not get lost in while I'm traveling within Punjab.
SPEAKER_03That was pretty cool. I can understand Punjabi, but I can't speak it there well. Reading and writing is just uh I don't want to even go there.
SPEAKER_01No, I I I I think I can say that I can speak uh good Punjabi. I can understand for sure. Yeah and uh now I don't know if I'll be able to read it now because I had so many years I have already lost. Yeah.
SPEAKER_03Uh so I uh like life has the same view and like brought you where you are. What has been the biggest uh influence on your life that has brought you to where you are?
SPEAKER_01When you say influence, is it like a person influence or situation?
SPEAKER_03It can be uh some kind of event a belief saying something to you.
SPEAKER_01So I can say that when I did my graduation to first five or six years in my job, I was kind of that person which like used to like flow with the flow, right? Whatever is coming, you just do things. Definitely there are moments of uh joy and sorrow, ups and downs, but I was of that very um uh kind of um thought process that okay, as things are coming, I'm taking and I'm going. And if if at that point of time somebody used to ask me, what is your plan for next year? I used to say, I don't even know what is my plan for tomorrow. How can he tell you that's very small plan for next year? But I think when I moved to states, um my uh we were actually waiting for our first kid, right? So when we moved to state and and there was nobody here because we are the first generations, and I hope you understand. I think you must have gone through the same thing. Um that that realization, right? When where you grew up and where you used to take things for granted, but now you are in a situation where you need to do all the things yourself. I think that changed a lot. Um that changed me a lot, right? Uh and especially when you're married and expecting your first kid, right? All of a sudden it was like a big change for me. I think that changed a lot. That that Vishal, who used to flow with the flow, I thought I need to start planning. I need to um look for things, right? Uh two years in advance. Though I was able to do that or not, I don't know. But that that mental thing used to start rolling in there. And I would say that um from then to 16 years now, two years back, when I looked back, when I used to flow with the flow versus I'm trying to control, I saw I think I was not able to change much. Though I was thinking that I have a control, but I was not able to change much. Two years back, actually, I had a few health issues with my back and all, which changed my whole thought process. 
That I think when I was flowing with the flow means that you are expecting you are happy with what you have. You are giving thanks to the Almighty that where you are, what you have is all good. I think that that mindset was already there within me when I used to be in that college or school days or even the initial days, which I somewhere lost it. So this this two years back again, I I think I I got that realization based on that concerns I I developed, that I don't think I achieved much with my control. Things are still going on, right? There are people to help me, my family's there, my my wife, my kids, my friends. In fact, like we have been known to each other for so long, right? So it is not like you control everything, it is it is the people who are there. Your good deeds, your thankfulness that that helps. But that is my my story. I don't want to go uh into the philosophy anymore, but I'm just that that that there are these two different things which are which I I I still realize that I think that was the better movement when when I used to say thanks every moment, right? And now I'm trying to change again. I think and that that that's a big um thing these days I'm working on.
SPEAKER_03Just coming back full thirl uh full circle almost. Okay, yes. I think somebody told me about like to just have it have the mindset of do your best uh and leave the rest.
SPEAKER_02Exactly.
SPEAKER_03Yes, all we can do. Okay, yes. Well, uh it's been uh it's been uh pleasure speaking to you, Vishal, today. And I'm sure our listeners will love our uh uh our conversation uh not just what theory but also how to go with the flow. And uh yeah, I just thank you for being on the show, and yeah, I look forward to uh other uh episodes with you.
SPEAKER_01Absolutely, Vishal, and uh I definitely thank you for giving giving me this opportunity to top up uh talk on this topic and especially connect with you. I think um after 20 2004, this is the longest we have talked. I I can say that for for sure once we left uh our uh previous company, right? So I think I definitely I enjoyed uh talking to you, Vishal, on your podcast. And I would love to come back on any of the topics. And please feel free to reach out if you need any help or any of your listeners need any any guidance or suggestions. I I think I can help my best, whether they like it or not. But uh, I think yeah, definitely I'm open uh too.
SPEAKER_03I'm going to follow up with you on the whole chapter store too.
SPEAKER_01Absolutely, absolutely, any time, Vishal.
SPEAKER_03Well, this brings us to an end of another episode. I'll see you on the next one.