May 17, 2024

In this episode of The Virtual CISO Podcast, host John Verry sits down with William Eshagh, co-founder of Bowtie, to discuss the complex and evolving landscape of network security. Key topics include:

  • Zero Trust Network Access (ZTNA) and how it ensures secure access to resources.
  • The role of Secure Web Gateways (SWG) in protecting users while they browse.
  • How Bowtie is modernizing network security with a decentralized approach, giving organizations more control over their data.


John Verry (00:00.206)
I’ve forgotten to do this before, don’t ask. I hit the record button, so we’re good that way. Eshagh, okay. Cool, all right, if you’re ready, let’s get this thing on the road. Sounds good, man. Hey there, and welcome to yet another episode of the Virtual CISO Podcast. With you as always, John Verry, your host, and with me today, William Eshagh. Hey William. Thanks for coming on today, man, appreciate it.

William Eshagh (00:11.534)
Let’s have some fun.

William Eshagh (00:24.1)
Hello, John, hello.

Yes, great to be here.

John Verry (00:29.942)
I always ask before we get going, what’s your drink of choice?

William Eshagh (00:33.592)
Drink of choice. John, I hope that this is the most boring answer out of our session today. I am a cold water man. I realize that there’s not a lot of drama in that. Over the years, when asked similar questions, I’ve found that it’s more effective to say, I don’t drink anymore rather than I don’t drink. That seems to elicit a different response. But long story short, I’m a cold water man.

John Verry (00:43.814)
I realize it.

John Verry (01:03.114)
Yeah, you know, and there’s not a lot of questions, follow up questions to ask on cold water. I mean, do I go ice, no ice or something like that? I don’t know. Yeah, I mean, I could ask you like Stanley Thermos guy, maybe like would be a good like, you know, cause obviously to keep that water cold.

William Eshagh (01:06.646)
Ha ha

William Eshagh (01:11.093)
That’s right, that’s right exactly depends on the region of the world

William Eshagh (01:20.984)
Some of those things can really, they really last a long time. I’ve been very impressed. Uh, yeah, you wouldn’t expect it.

John Verry (01:25.623)
They’re insane. Now my wife and my son are always carrying one around. My daughter occasionally as well. And like literally like two days and there’s still ice. Yes. Yeah. In the summertime, 130 degrees in the car and you bring it in and you still got ice in your thermos. It’s crazy.

William Eshagh (01:36.832)
Yeah, I’ve left it in a hot car and it’s still cold when I come in later. Yeah. Crazy.

William Eshagh (01:47.928)
It’s wonderful. It’s a modern miracle.

John Verry (01:52.351)
So, you know, it was very interesting to me. The genesis of this particular podcast is a blog that you wrote that I thought was very thought provoking. It was on the impact of SaaS on an organization’s security. And I think you referred to it as the Faustian bargain of SaaS. I’m embarrassed to admit that I had to look up Faustian, but now I know it means this.

William Eshagh (02:01.258)
Mm-hmm.

William Eshagh (02:11.608)
Yeah.

William Eshagh (02:15.648)
And maybe you realize why I chose that word rather than maybe a more easily recognized articulation of the concept.

John Verry (02:22.714)
I loved it. And for those of you who are listening, so you don’t have to look it up, it means you’re selling your soul to the devil. So first, like I said, I love blogs that make me rethink things that I’ve stopped thinking about, which is a bad thing. But I think some of us do it. I’m guilty of it. Second, I would argue that it’s a bit controversial, right, given that SaaS has become.

William Eshagh (02:46.933)
Mm-hmm.

John Verry (02:48.226)
the prevalent option, if not sometimes the only option for many critical business applications. How many of your thoughts on what got you there and that blog in particular?

William Eshagh (02:51.308)
Mm-hmm.

William Eshagh (02:57.46)
Yeah, you know, and controversial, it’s such an interesting way to characterize it because I think it’s controversial only as a result of us all falling into this bargain. It’s controversial to the sense that what is the alternative? And when you stop and take a look around, we’re starved for alternatives. And so that’s why my co-founders and I set about working on Bowtie, because we believe that you shouldn’t have to make this deal. You should be able to do it.

forgive me for these analogies, but you should be able to have your cake and eat it at the same time. You should be able to get the best of breed of software without requiring that you place all your faith in someone that you’ve likely never seen, don’t know how they operate. Perhaps they’ve got a certificate. That’s our cure for this problem of trusting someone else is that we look to certificates and frameworks and audits. But

When you really take a moment, and I’ve been through many of those, and there’s value in it, don’t get me wrong. There is value in professionalizing your thought process in terms of security and subjecting yourself to review as an organization. But if you take a look around, some of the most stunning breaches, breaches that will have made it to your inbox, occur to organizations that have every stamp imaginable. And so what happened? What happened? Is it necessary but not sufficient?

Um, are we placing too much stock in the idea that if we hand over our jewels to someone else, that they’ll keep them safe. Um, and so it’s controversial in the idea that there aren’t really great alternatives. What we’re working on is delivering software that gives you all of the ease and advantage and benefits of a SaaS managed experience. And, and they’re, they’re real, right? If you sign up for a SaaS offering.

It’s typically you fill out a form, maybe two, you swipe a credit card or PO, and you’re off to the races. The time to value is low. What if you could have that same experience, time to value being low, but also retain full control of your information, your systems. I believe fervently that is a necessary future state. And we’re working on with our product and the very specific features that were the

William Eshagh (05:24.624)
the market segment that we’re going after, that it’s actually ripe for achieving that value proposition. SaaS-like user experience, hands-off ease of management, full control of everything that’s flowing through the system. Should be real, it should be possible. It should not, frankly, it should not be controversial.

John Verry (05:38.838)
Yeah.

John Verry (05:44.878)
I agree. So I’ve long held that one of the…

least recognized but most important things that you can communicate to a client is a true understanding of the shared responsibility model of infrastructure service, platform service, software as a service. I think they fail to truly understand that. So if there is a solution that can tilt that shared, at the end of the day, all you can do is move the shared responsibility model a little bit more in the favor of the people consuming it.

William Eshagh (06:01.618)
Mm-hmm.

John Verry (06:19.658)
You know, so if we can find a way to do that, I’m on board. So let’s talk about that. I thought, again, in your blog, I thought you did a nice job. You walk through it in a very structured way, right? So the first topic you brought up, let’s walk through each topic one by one, because I think it’s interesting the way that you did that. Let’s talk about the concept of autonomy.

William Eshagh (06:34.98)
Sure.

William Eshagh (06:42.488)
Absolutely. So, as I was just saying, with the standard practice, if you go and sign up for a third party application, your ability to conduct your business and operate is conditioned upon, and I’m gonna be a little glib, okay, John, stick with me, it’s conditioned upon someone else having a good day, or at least maybe we can say someone else not having a bad day.

John Verry (06:52.526)
Thank you.

William Eshagh (07:12.176)
Um, and typically you have very little ability to affect that outcome. I’m going to point to the brightest example of this. And I hope your audience will forgive me. I’m sure there are others and maybe there are even counterpoints, but the brightest example of this. And I, I should add John, so I’m the co one of the co-founders of Bowtie, but I came to Bowtie, um, from a company called Planet Labs where I was a VP of security. Uh, and, and these, these issues that we’re discussing.

I mean, they really plagued me. I was in the position to be responsible for the successful delivery of value and operations and systems for the company. And in many cases, my hands were tied. So this idea with autonomy, I think it may be how much time has passed at this point, but some of your listeners may be familiar with the incident that occurred over at Atlassian, where their cloud managed product, and particularly their Wiki product, went down not for an hour, not for a day.

day, but like two weeks. And so when we talk about autonomy and handing over your systems to someone else to operate, when, not if, but when something occurs, now that could be in terms of availability, it could be a breach, when those things occur, your ability to react and recover and provide alternatives and restore service is dependent upon someone else. Someone else whose phone is ringing off the hook and

and your queue and their line of who to get back to is based on factors that really should have nothing to do with your business being successful. Does that make sense? The autonomy and the limited…

John Verry (08:49.946)
Yeah, yeah. No, no, it makes sense. Yeah, it makes sense. And, you know, if you really want to take that to an extreme, I can’t remember the name of the two companies, the Scandinavian hosting companies from this past August, uh, last week, August were, um, they were hacked. And whoever hacked them just wanted to destroy them and literally deleted every piece of email and everything that was hosted by these companies for hundreds of companies. And those hundreds of companies, to your point,

from an autonomous perspective, there was nothing they could do, right? They could know there was no recovery possible. So autonomy makes complete sense. And autonomy ties into, right, that availability, which was the second concept.

William Eshagh (09:31.552)
Yeah, availability and they’re closely coupled. It’s hard to remove them. Autonomy and.

John Verry (09:35.052)
Absolutely.

But you can have systems be available and still there’s other elements of autonomy. But autonomy is by definition negated by lack of availability.

William Eshagh (09:44.164)
That’s right.

William Eshagh (09:50.46)
Yeah, exactly right. I’ll give you another example of maybe the autonomy storing. We can talk of it. We just availability is fairly straightforward. The system’s offline and you don’t have an alternative. You’re down. You’re done. There was a couple of months ago, maybe time is a blur for me. I hope you forgive me for not maybe having exactly my timeline right. But you’ll be aware of this incident. Microsoft’s cloud email service was hacked. I think it was.

they attributed it to the Chinese. There was something about token reuse inside of their public, private environments became a problem. One of the most interesting things about that, I’m not sure it got enough attention, is that Microsoft has tiers for their products, right? Low, medium, and high. Let’s keep it simple, cause I can’t keep track of their naming conventions, low, medium, and high. On everything other than, um, I, other than high, you couldn’t even get the log data

John Verry (10:22.894)
Mm-hmm. It wasn’t that long ago, I recall that.

William Eshagh (10:47.672)
that would have allowed you to know that something has occurred. This is not uncommon, right? We charge a tax for security because that’s one way to extract more value out of a customer. The availability, sufficiency of information and access so that you can even know something has occurred. And then another dimension that we have a sliding scale on is, well, how long will we make that information available to you? If you don’t record it yourself,

the provider will delete it and then information is gone and you have no basis upon which to even begin these. And this is presuming that they make these facilities available to you at all. With Microsoft, it was only on one tier. Many product offerings, this isn’t part of the conversation that you would be able to attain the information that’s necessary for you to have autonomous independent assessment of what your status is and whether things are normal for you or not normal for you in this moment. And so, yeah.

The autonomy thing is multifaceted. Availability comes right there after it. If there’s a, if a provider who has many eggs in one basket has a problem, all of the eggs get impacted at the same time, right? And then your availability is contingent upon things that are outside of your control. And frankly, I don’t think that’s acceptable. There’s, I encountered this concept.

I’m sure you have, I’m sure your listeners have experienced this as well as if we outsource this problem, outsource is not the right word, but if we move this problem, we transfer the risk, we transfer the risk to this other group, then we’re clean. It’s not our problem. But the reality is you are still responsible for those things that are necessary for you to be successful. You can’t just completely wash your hands and say, it’s someone else’s risk.

I just wait for them to deal with it. Can your business survive that? It shouldn’t be that you depend on someone else working in order for you to be able to service what you need to do and the customers that depend on you.

John Verry (12:52.994)
Yeah, I always tell clients you can outsource a service, but you can’t outsource a risk. You still own that risk, and you have the responsibility to manage it.

William Eshagh (13:02.196)
And I’m sure you’ve seen people who just, it’s much closer to, I’ve washed my hands of it. It’s now someone else.

John Verry (13:09.286)
Or it’s a, no, you don’t understand. I mean, a lot of big companies do work with them and they must have us and no, no. Right. Yeah.

William Eshagh (13:15.584)
Oh, that’s the best one. That’s the best one. They’re in a better position to be able to deal with it. And you know what? I was thinking about that as I was thinking of preparing to have our conversation today. At the extremes, I think it’s true. At the extremes though, like when you are at Google level, their security team alone is larger than most of their organizations that depend on them, right? But the level of investment that you have to achieve in order to crest that threshold is at the extremes. And I think most of the…

When I reflect back on my portfolio and my last seat of all the various service offerings that comprised the enterprise architecture, very, very few of them fall into the extreme category where it’s a credible statement that the provider has more capabilities than you do. And even then, I still struggle with just washing my hands of it. At the end of the day, it’s my responsibility. I choose who supports me, but still my responsibility.

John Verry (14:14.634)
Yeah, and I don’t think most organizations truly understand. We do a lot of work in the SaaS space. And I’m a SaaS believer, conceptually. But the bulk of the SaaS products that you work with have much smaller technical staffs and security folks than you probably realize. You can be a fairly name brand SaaS service and have 50 or 70 people in your total organization.

William Eshagh (14:43.22)
I’ve worked in those environments and I know exactly what you’re talking about. And then that’s the basis of, I shall say, my skepticism. And I don’t want anyone to look at us and look at what I wrote or Bowtie and what we’re trying to achieve and say that the message is that SaaS is bad. No, no, that’s not it at all. It’s that there’s a better way to deliver the value that people are.

John Verry (14:50.958)
Mm-hmm.

John Verry (15:05.666)
There may be a better way to deliver SaaS, is I think the message.

William Eshagh (15:11.728)
enjoying with the SaaS model, ways that don’t require the blind spot. That’s the key.

John Verry (15:20.558)
So the third thing that you talked about in the blog was privacy.

William Eshagh (15:28.521)
Mm-hmm. Yeah. And all these pieces link together so tightly. But let me ask you, John. I’ll ask you and I’ll ask… I know, but let me ask this question as if… So you sign up for a product, you put your information in it.

John Verry (15:35.342)
Wait a second, I’m the podcast host. I get to ask you the hard questions. You don’t get to ask me hard questions. You don’t understand the equation here, do you, William?

William Eshagh (15:49.304)
Who is going through that information?

Why are they going through your information? How are they exploiting your information for their benefit? Now, those are some abstract questions. We can get more specific. But if you have a SaaS provider who, you know, there’s a very simple, let’s call it, a shortcut to this thinking to say if that you’re not paying for the product, you are the product. I’m sure everyone’s heard this. But even when you do pay for the product,

Service provider has every incentive in the world to try to obtain more value from you however they can. The most recent example, I’m sure you’ve seen this headline. So GM was collecting analytics and telemetry from their electric vehicle fleet, at least their electric vehicles, but perhaps their full fleet. And then through data brokers, that information landed in insurance companies’ hands. And all of a sudden, premiums are spiking for, you know, down to the individual basis.

maybe aggregated over a group of drivers, but like this is how it flows. And this is what I’m trying to say is when you have placed your information in someone else’s trust, you can’t know down to a daily basis on each record what they’re looking at, whether, you know, it’s a common refrain. We use aggregated metrics. What does that mean? Is my name in there? Is my face in there? Yes or no? Did you put a blur over it? I guess…

What I’m trying to articulate is that if you can’t control access to your information yourself, you put it in someone else’s hands, you shouldn’t be surprised when, not if someone else has trolled through your information for a reason that you didn’t anticipate. There are agreements in place. There are terms and conditions saying we will disclose to you what the purpose is and, uh, you know, updates go out on like an hourly basis. I just saw one pass my screen for Venmo privacy policy.

William Eshagh (17:51.832)
How many of you are reading those? How many of you are really diving into deep on these and understanding they’ve now asked for a new way to use your data? Are you aware of it? Are you surprised?

Structurally, it’s flawed. You’ve given your information to someone else and you’re trusting that they won’t use it for a reason that you didn’t intend. This is a structural defect. We can structure our systems such that this is not a possibility. I tend to wax philosophic, John, so you give me a wink if you think I’m running along, but give you a counterpoint to this. Confidential computing in the public cloud. That is a structural facility.

that allows you to place your information in someone else’s systems and be absolutely sure that they’re not reading it, they’re not running through it, they’re not exploiting it, they’re not processing it. Why is that not the norm? I’m not against SaaS. What we’re advocating for are structural features that make trust

Optional, trust, not necessary. Trust, you know, a nice thing for two nice people to share between each other, but not necessary for business and for baseline transactions.

John Verry (19:06.838)
Yeah, I did a fascinating podcast last week. I don’t think it’s been published yet. And the concept of privacy and if you’re not paying for something, you are the product. And it was on the concept of using distributed ledger technology as a solution to that with some clever off-blockchain storage of things.

and giving people on the concepts of Web 3.0, giving people a lot more control over that data. So I thought that was really interesting. I think it works probably a little better, generally speaking, in the B2C world than the B2B world. But that was interesting. Then on the B2B world, I think you would probably be an advocate as I am for many of our clients with the concept of customer managed encryption keys.

William Eshagh (19:54.756)
structural features that take trust out of the equation. That’s exactly what that is.

John Verry (19:58.931)
Yep. Yeah. CMEK is, CMEK is exceedingly valuable for the right client with the right risk profile.

William Eshagh (20:08.212)
And what, but those qualifications, okay, those qualifications that you just described, risk profile opting into the premise of the qualifications is that this is the harder thing to do.

John Verry (20:22.262)
not the default thing to do.

William Eshagh (20:23.948)
Not the default, because why? And we can all speculate as to why. It’s more complicated. They have to understand what they’re doing. If they lock themselves out, I’m scared of that outcome as the operator. I don’t want to have to tell someone, I’m sorry, I can’t. All of those things are true. What we need to do is build systems. At Bowtie, we’re building systems where you don’t have this trade-off, this idea that the easy thing to do is not the more secure thing to do. That is a false dichotomy. What we need to do is make.

the secure thing to do, the easy. Now that’s the holy grail. In security, that’s the holy grail. Make the easy thing to do the better thing to do. Hard to achieve, but if you can, if you keep that as your center line, you’re focused on that, then your product decisions hang off of that, you get better outcomes.

John Verry (21:09.31)
Yeah, you know, I think that much the same way. Early stages of things like Windows Server were non-secure by default, and then we found religion and they became secure by default. We have to disable something. My suspicion is that SaaS will follow a similar model where more and more companies, because at some point we see these significant cloud breaches and at some point the value proposition, people are going to be looking for that and you can lean into that conversation as a vendor.

with the secure by default argument. So I do think ultimately the market will drive itself in that direction, perhaps not fast enough.

William Eshagh (21:49.716)
Yeah, and I think you see it. I mean, B2C, B2B, there’s an increased consciousness of this. I told you about my time with Planet Labs. It’s an aerospace company. One of the more interesting things with aerospace is you work with the government, and the government is keenly aware of some of the risks that they face. Some of the folks I remember, I was talking to

folks, whether they were contractors, I forget where they were, but they were government associated and they had a quixotic statement for me. The cloud doesn’t exist. I was like, I’m sorry. Can what? The cloud does not exist. I’m like, you realize they’re like, no, we recognize that there are offerings out there, but as far as we’re concerned, it doesn’t exist because we cannot.

extend our risk profile into these environments. We’re not willing to tolerate it. And so you have that as an extreme, right? Then you have the other extreme where someone just doesn’t care at all. But there’s a growing awareness, whether it’s due to the headline grabbing breaches or just a general awareness of who has my information, what’s using it. There’s a growing awareness. I agree with you, however, that for two reasons. One, you said it’s not happening

that there are not good alternatives. And I think they’re closely related, right? One of our core theses at Bowtie is, if there was an option, all other things being equal, that covered and addressed these issues, still easy to use, but safe and secure, and wouldn’t require so much more from me or my staff, all other things being equal, you would pick the better option.

And so as an industry response to some of these issues, yes, it’s slow, people are picking it up and we need better options.

John Verry (23:54.142)
All right, so let’s go to the last, and to me, arguably the most important of the four sections of your blog, security. And what I thought was interesting about security, and really what made me sit with a bourbon one night and think this through, is this idea that zero trust architectures, at least aspirationally, are the rage. And is true zero trust

security possible, extensively leveraging SaaS in your organization?

William Eshagh (24:32.732)
Well, we certainly believe that with the right approach, with the right design choices, that it should be, it is. The Bowtie product is our manifestation of that desire and outcome. But it requires an awareness on the behalf of people who are signing up and using these systems. We talked about confidential computing. I love that example. You can operate in a public cloud.

and be completely secure as secure as if the computer was hidden in your basement bunker, you know? Because structurally, the technology exists. We talked about customer managed keys. That’s a great way of bridging the gap for some of, it doesn’t help you with availability, but it does help you with someone trolling through your records. And, you know, the question of security, I don’t know how often we try to just define that concept.

John Verry (25:18.498)
Captain Charlie.

William Eshagh (25:30.136)
What does security mean? In large part for me, security is certainty as to outcome. I am looking for certainty as to outcomes. I do not want my information to fall outside of my control. I do not want it to fall into third party hands. Look at what’s happening with UnitedHealthcare. An outcome has occurred there that they did not want. It’s essentially a failure of security. And I do believe…

that with the right structural approaches, you can have secure SaaS. But it’s certainly not the default. You’ve got to go out of your way. And we need to work collectively to make it the right choice by default, the easy choice by default, the first choice by default. Otherwise, these headlines are just going to expand. It’s going to, it’s the,

Sometimes I think, is it possible for this rate of failure to accelerate? Certainly not. And then it does. And then it gets more public.

John Verry (26:27.37)
Yeah, it’s amazing. You know, you think about it logically, we’re, I don’t know, a dozen years into this SaaS revolution. And as you said, increasing, and it makes sense in some way that increasingly breaches, or what was the number last year? 74% of all breaches or something crazy of that nature, 90% you’re different numbers, but some incredibly high proportion of breaches that occur, occur through a third party.

William Eshagh (26:55.02)
Yeah, blind spots.

John Verry (26:57.398)
Yeah, so question for you then. So obviously you work for Bowtie, you’re a technologist by heart, you’re not a Luddite. So I guess what you’re about to tell me is that Bowtie is at least part of the solution to this problem. I know on your website, there’s two predominant things that you talk about. You talk about zero trust network access and secure web gateway. Can you define those two terms for folks?

William Eshagh (27:26.688)
Yeah, yeah. Zero trust network access. I like to think of it, maybe we start with an analogy and then we can tackle the term. If you imagine a network as a house, has a bunch of rooms in it, each one of those rooms is some resource that you’d like to access. The traditional model, the historical model is you get through the front door, unlock it somehow, and then you’ve got free range.

John Verry (27:27.15)
Thanks for watching!

William Eshagh (27:54.784)
when you’re in that house, all the doors are unlocked because they assume you wouldn’t have been able to access the room if you didn’t get past the front door. Zero trust is a principle where we are eliminating assumptions, setting them aside and just being very specific about what should and shouldn’t occur. And so with our house analogy, the front door is locked, but also all the interior doors are locked. And who can go to what room is specified explicitly. I know who the guest is.

I know everything there’s to know about the guest or as much as possible. And then I make informed decisions about what they may access, when, where, and I have perfect visibility into when those things have occurred. So zero trust network access is setting aside assumptions, being very proactive about what should be able to happen, and then building systems that enforce those outcomes, only those outcomes, security, certainty as to those outcomes. And then secure web gateway was the second one. The interesting thing about

web gateways, every network has a gateway. For all of everyone who’s listening, who’s dabbled in networks, professionally a hobbyist, every network’s got a gateway. You’ve got a door to get to the rest of the world. Most of those gateways usually just are trying to get you out, get to where you want to go. When we say secure web gateway, what we’re saying is the gateway is going to try to enforce some policy or to provide protections that ordinarily would be

William Eshagh (29:24.464)
access, we don’t want our machines reaching out to known hostile web servers, payload servers, command and control servers. If we know about them, why would we let our machines talk to them? You can imagine other things, no gambling or things of that sort. Secure Web Gateway is the internet with a view to setting aside certain threats and certain policy objectives.

and enforcing that at the gateway level, at where you reach out and connect to the internet.

John Verry (29:58.574)
Gotcha. And again, looking at your site, it appears though like a considerable value prop of both ZTNA and Secure Web Gateway is that you’re not, I’ll use the term hosting, proxying, middlemaning, whatever we wanna use as a term there, the access and filtering. Hence, I think the argument would be your solution doesn’t require this Faustian commitment.

William Eshagh (30:24.312)
We don’t require you to trust us. We don’t require you to send all of your information to us so that we can protect you. We provide you the technology so that you can achieve those outcomes easily, but without that blind spot, without the bargain. When I think about the Bowtie product, there’s two things to say. One is first, we are trying to build software that looks and functions just like a SaaS managed environment but…

doesn’t have centralization and doesn’t have us in the middle of every conversation. And then second, we are applying that distributed delivery model, that platform, that no single point of failure, no person, shall we say person in the middle approach for networking in particular. And we chose networking. One is because I’m a network security person. It’s what I know best. But I also think it’s best suited for this model.

Your network is you. It’s as close to you as you can be. And if you have to start sharing your network with someone else, and if there’s a failure, that cascades to you at a very low and deep level. Networks were designed to be autonomous. We call them autonomous system numbers. If you look at the design of the internet, it wasn’t meant to be two, three people running services for everyone. It was meant to be a number of distributed systems collaborating.

The network is a beautiful place for us to deliver this vision of decentralized SaaS, if you will call it, and for us to build what we view as the next step in enterprise networking.

John Verry (32:03.65)
Gotcha. So how does that in practice work? Right? I understand the concept of SWG and I understand network access control and all those fun things. So how are you taking yourself? I mean, are you deploying the, like the client’s infrastructure control plane with an agent on each machine? You know, because at some point, right, that…

that individual on that machine going somewhere, that policy needs to be enforced. You know, that policy has to be distributed to that machine, that policy has to either exist on that machine or it has to do a dynamic lookup to the machine. How does it actually work in practice?

William Eshagh (32:41.368)
You’re exactly right. Well, so there’s two ways to try to pick this apart. One is to say, well, how is it being done before you showed up, before you try to step out and do something different? If you look at the incumbents in the space, an organization, you know, I’ve got a lot of respect for what they did and how they got to where they are. Organization like Zscaler, there’s two components to this product offering this value proposition. One is the server side, one is the client side. With the solution,

from like Zscaler, they’re running the servers for you, the data centers all over the world. So the control plane, they manage for you. They are the control plane. And then you install software on your client, you send all of your network traffic to Zscaler, and hopefully they do the right thing. With our solution.

John Verry (33:25.122)
So they’re effectively proxying, like in a sense, like if I were to follow, you know, a traceroute. Yeah, if I was to traceroute, it’s literally leaving my machine, going through them. It’s almost replicating old style network architecture, right, where you’re creating, instead of the gateway being at the edge of your actual network, the gateway now sits in the cloud and I’m going through the same gateway. Is that how their model works? Okay.

William Eshagh (33:31.908)
Follow the packet.

William Eshagh (33:48.212)
Yeah, and that’s right. And to offset that, to make that better, is one, you don’t have to manage it. And two, they have many more points of presence, sites if you will, than you could ever possibly manage as a standalone business, even the largest businesses, because it wouldn’t make sense for a large business to have so many network connections all over the place. But you’re right. They are still moving it. It’s still inside of their control. Our model.

The control plane is distributed where you already have resources. It’s in your VPC, it’s in your data center, it’s in your factory. Wherever you have set up a collection of computers, you place our software there. Each copy of our software meshes out with every other copy of it, forming the control plane inside of your own resources, as close to you as it’s possible to be. And then that control plane is the clients, their software installed on the client connects to the control plane.

distributes policy, allows access. And the benefit of our model is, you don’t have to go to someone else’s, it’s right under your fingertips, as close to you as possible. And then perhaps more importantly, to the theme of our conversation today, you’re not sending me anything. None of your packets come to my house. I don’t look at any of them. That’s not true with the others. They by definition, their whole product offering is, we will look at your internet traffic and then do the right thing.

What we’re saying with Bowtie is you can have that outcome of your internet traffic being inspected and protected, but without handing it off to someone else to do it for you. It is done by machines that are under your control as close to you as possible, makes it more performant. We talk about autonomy, availability, privacy, security, all of those elements structurally occur because you’re not sending them anything. It’s all in your hands. But

Importantly, structured so that it’s not difficult. You’re not installing databases. None of those things that a traditional application deployment may require. We manage those elements through software. There’s another blog post on our site that I would encourage you and your listeners to read. The title of it is, Our Databases from the Future. How exactly are we able to provide a SaaS-like experience without requiring you to send me everything into a centralized deployment?

William Eshagh (36:15.832)
which is essentially what SaaS is. It’s centralized deployments managed by someone else.

John Verry (36:20.366)
So it’s maybe an overly simple analogy. It sounds a lot like old school active directory replication. You know, I owned all of those servers and what would happen is that I taught each of the servers about the other servers, and there’s just a mechanism by which we keep those things in sync.

William Eshagh (36:31.937)
It’s.

William Eshagh (36:43.556)
Have you ever managed Active Directory, John?

John Verry (36:46.291)
Yes, long, long time ago.

William Eshagh (36:47.424)
Yes, OK, you’re guilty. You’re guilty of that. OK. I imagine many of your listeners have as well. That was not an easy thing to do. There was a tremendous amount of expertise necessary. And expertise, maybe experience, hard-won lessons. Don’t change the schema if you can avoid it. So the deployment model is similar, but the stark difference is the management complexity. The benefit of SaaS, if you look at Azure,

became Azure. You can achieve the value of, or I think it’s called Entra ID now, something like that. You can achieve the benefits of the directory service without deploying Active Directory controllers, right? That’s the promise. They take care of the management of it. Bowtie is saying Entra ID experience, Active Directory of yesterday’s positioning in the network

John Verry (37:23.341)
Yeah.

William Eshagh (37:46.804)
and control profile. You can have both of these things at the same time through technology, through the database of the future. You can do it if you’re intentional about it and are razor focused on having that.

the benefit, the SaaS experience that everyone benefits from, the time to value and ease of use.

John Verry (38:09.806)
Gotcha. Yeah, I will say, you’re gonna hate me for this, but I will say that it would be, it would behoove you to kind of blend your technical content on your website with that particular blog and the way you just communicated it, because I may think I’m a little bit smart, but I didn’t, like you’re making connections for me chatting with you that I didn’t get just looking at like your spec sheets and things of that nature.

William Eshagh (38:39.308)
Yes, yes, we have a story that needs to be told and perhaps in a different way. I accept that. We’ve, it’s, you know, it’s…

John Verry (38:47.63)
It’s not an easy story, right? Because you’re changing the parameters of the story, if you will.

William Eshagh (38:53.036)
You know, it’s perhaps not naturally intuitive to say that you can have your cake and eat it too. And frankly, building it, it’s not easy. If it were easy, everyone would be doing it. So the vast majority of my energy and our energy has been delivering on that message, but you’re right. I need to tell it in a way that connects those thoughts a little clearer.

John Verry (39:17.218)
One last thought. So you’ve fixed, Bowtie in theory, has fixed the challenge that we talked about, the Faustian dilemma for your Zero Trust Network access and Secure Web Gateway. Can using Bowtie correct that Faustian dilemma with other SaaS products I’m using in any way?

William Eshagh (39:25.901)
Hmm.

William Eshagh (39:44.228)
Um, to an extent. So Bowtie, as I said, one, there’s two pieces of the story. One is how the software is distributed and managed and experienced. The other is that we’re focused on the network layer. We have it in our

plans, shall we say, to make it such that access to SaaS products depends on some of the Bowtie protections. This is not a new concept. It’s just how we’re delivering it would be new for something like a cloud access broker. But once information goes into those environments, how it’s held, who uses it, whether you have customer managed keys, whether it’s confidential computing types of guarantees,

If I think of a way to extend the Bowtie product into providing those guarantees, I think I’ll be doing great, but I haven’t figured that one out yet.

John Verry (40:38.55)
Yeah, I know because it would be, it would be remarkable if there’s a way to do it. I didn’t think so, but it sounds like you guys are having an interesting perspective on security that I like. So I’m gonna keep my fingers crossed. I’ll keep paying attention to what you guys are doing.

William Eshagh (40:57.005)
And hopefully we can spread because I think if more products put these ideas first and foremost, we’d be seeing slightly different outcomes. Slightly is not the right word. We’d be seeing different outcomes with some of the issues that are happening. Organizations are suffering from large complex environments that are difficult to understand, difficult to secure.

and they need better tools. They need structural foundational approaches that move the needle forward and put us into new territory because the threats are just swallowing us right now.

John Verry (41:33.794)
Did we beat this up pretty good? We missed anything?

William Eshagh (41:40.684)
I don’t think so. I think we’ve got it.

John Verry (41:42.97)
Cool. Give me a real world or fictional character you think would make an amazing or horrible CISO.

William Eshagh (41:50.468)
How about I give you a character that is both of those things? Horrible and amazing. I’m a Star Trek fan, John, and the person that comes to mind for me, oh, I know, I know.

John Verry (41:53.829)
Okay.

John Verry (41:58.53)
What a shock. A technology… You know how many Star Trek, Star Wars… I mean, it’s amazing. What percentage of… When I ask that question, what percentage you get one of those answers.

William Eshagh (42:11.088)
Isn’t that awesome though? Those, whether it’s George Lucas or Gene Roddenberry, had such a profound effect. I had the pleasure of speaking with Gene’s son, maybe a couple months ago, about something that Planet Labs was doing with the Gene Roddenberry Foundation. And I told him at the beginning, I am one of those people, your father’s work

changed the course of my life. And he’s like, there’s astronauts that tell me that. I’m like, yeah, astronauts do that. But it also impacted me, you know, it impacted so many people. And anyway, the answer to your question, it’s gotta be security Lieutenant Commander Worf. Because, you know, he’s a security guy, he always was expressing risks, but there’s at least one meme that goes around. You should search for this. The number of times that Worf was shut down, he suggests something, immediately. No, we’re not doing that. So.

Amazing in that he’s there. He’s thinking about the risks. Horrible in that he’s almost completely ineffective when it comes to actually getting his points across and acted upon. Almost, I’ll say almost.

John Verry (43:16.19)
So which, now I’m going to show, I’m not quite, which of the, is that Next Generation?

William Eshagh (43:23.94)
Oh, oh you wound me deeply, John. Yes. Well, so Worf is a multi

John Verry (43:28.339)
I know who it’s gonna be. I know who Worf is, I thought, and I just wanna make sure. Like my wife was a Trekkie, but my wife was an old school Trekkie. I mean, James T. Kirk, and then she really liked Picard as well.

William Eshagh (43:36.012)
Ah, yes, understood. Yeah. Of course, yeah. So Worf was Picard’s, not first security officer, but the most long-lived, at least on the series. And then he went on to take a different role on a space station, and the hardcore Trekkies will recognize Worf’s long, long career in the universe.

John Verry (44:05.112)
Well, this has been fun, man. Thank you, I appreciate it. If folks want to get in contact with you, what would be the best way to do that?

William Eshagh (44:10.572)
Bowtie.works. And we’re intentional with those words. Bowtie works, gotta work. Bowtie.works, that’s our website. Take a look, we’d love to hear from you.

John Verry (44:21.326)
Thanks, William. Appreciate it.

All right, so we added this new thing called the lightning round. And what it was is that our marketing people were trying to cut down the conversation into little snippets. So we’re trying a new approach where I’m just gonna give you, just ask a question, you’re gonna give me a 30 second to one minute sound bite, and then we kind of move on, right? And I’ll just do three of those, and they’re hoping that’s gonna make it a little bit better for some of these things they like to put on, like LinkedIn, things and whatnot, right? Cool.

What is Zero Trust Network Access?

William Eshagh (44:57.348)
Zero trust network access is taking zero trust principles, where we stop making assumptions, stop relying on “this is probably good enough” or “it’ll work okay if it’s in this area.” No assumptions. Knowing what’s in your network, who’s accessing it, what the information flows are for network connectivity. Typically for private resources, but also for public internet. No assumptions when it comes to network access.

John Verry (45:25.344)
What is a secure web gateway?

William Eshagh (45:28.416)
Secure Web Gateway is just like a regular web gateway. It gets you access to the internet, but it also protects you by filtering out common threats, websites that may cause you damage or steal information from you, annoy you, spam you, transparently such that you don’t have to worry about it. The internet is just delivered to you, but a little bit more securely.

John Verry (45:51.094)
And then what makes Bowtie the quote unquote modern network security platform?

William Eshagh (45:58.848)
When you think about networking, there’s particularly enterprise networking, there’s a lot of things you have to tape together in order to get to the right result. Network access, secure web gateway, cloud access brokering, and you usually have to piece these things together and maybe supply some tape. Bowtie is a platform provided inside of your environment with no information sent back to us that brings all these functions together, gives you one network product that allows you to

build the modern future enterprise network that every business needs in order to protect against the threats that we’re looking at today.

John Verry (46:36.59)
Cool. Hey man, that was good. I appreciate you coming on. I think Justin is on your marketing team, so I’ll make sure that we, you know, typically these come out in four to six weeks. We’ll make sure Justin knows about it. He gets copies of all this stuff. We write a lot of blogs that go along with it. You know, we’ll coordinate promotion, all that kind of fun stuff with him.

William Eshagh (46:58.564)
I’m glad we were able to pull this together. It’s great to meet you. No, no, not at all. Ha ha ha. Hopefully we get to talk again.

John Verry (47:00.374)
Yeah, and again, apologies for me being a just a schmuck the last week.

John Verry (47:07.863)
Hold on one quick second. I’m gonna hit stop here.