Jim Anthony VP of Cybersecurity at AppGate on Zero Trust and their Software-Defined Perimeter

In this episode, Max Clark talks with Jim Anthony, AppGate’s VP of Cybersecurity, about AppGate’s approach to secure access. Jim breaks down Zero Trust Network Security and explores the security problems that can be addressed by their Software-Defined Perimeter.
Speaker 1:

Welcome to the Tech in 20 Minutes podcast, where you will meet new tech vendors and learn how they can help your business. At Clark Sys, we believe tech should make your life better. Searching Google is a waste of time, and the right vendor is often one you haven't heard of before. This is Tech in 20 Minutes. I'm Max Clark, and I'm with Jim Anthony, VP of cybersecurity for AppGate.

Speaker 1:

Jim, thanks for joining.

Speaker 2:

Thanks for having me, Max. Well, AppGate as a company is a cybersecurity software company. We were spun off from Cyxtera on January 1st this year. And we've got products that play in various spaces, including something around zero trust and software defined perimeter called AppGate SDP.

Speaker 1:

So let's talk about the SDP and zero trust. What is zero trust for somebody who doesn't have any exposure to it?

Speaker 2:

Zero trust is a concept more than anything. It isn't a product or a thing that you can go buy. It's really a concept that's being defined by Forrester and Gartner. And the idea behind it is that they have their own definitions, by the way. They're a little bit nuanced, a little different between the two companies.

Speaker 2:

And really, it's open to a little bit of interpretation as well. But the idea behind zero trust is that nothing on your network, no user, no device, not even a network itself, should be inherently trusted because of what it is. You should build trust with those things every time you see them pop up on the network. And so that means that because a user is on a corporate issued device, you shouldn't automatically trust the user. You should decide in real time whether that user is trustworthy and the device is trustworthy.

Speaker 2:

Because the device is on your corporate LAN doesn't mean that it should automatically be trusted. You should build that trust as that device comes up. And so that's really the fundamental thing about it. And then if you think a little deeper, these things, whether they're humans or devices or PCs or laptops or whatever, they change over time as well. So you could trust it in one instant, but then something might happen and you might wanna make an adjustment to that trust level, in real time.

Speaker 2:

And so zero trust incorporates some of those concepts as well.

Speaker 1:

So when you say not trusting any devices, I mean, you're talking about a device inside of an office location, a device traveling, a device at somebody's home, a device on a cell phone connection or cellular network somewhere in the world. So this isn't a, you bring your laptop in and plug into your desk, and now you get access to a server. This is you have to do something else regardless of where that laptop actually sits.

Speaker 2:

That's right. I mean, you know, there are certain technologies out there that are a little more traditional in the way that they do things that would have you believe that you need to control every single thing that gets plugged into your network. And that's one way to solve some security problems that companies have around corporate assets, corporate networks, applications, and things like that. But the problem with that simple model is that you can't control everything that's on the network. You can only control what it knows about and then try to bucketize or isolate the other things.

Speaker 2:

And so then what happens when those things that you do know about leave the network, but yet they still need access to the network? And so how do I get those devices effectively back on the network and build that trust all over again? It's just a wrong way to do it. It's a very complicated way to do it, and very specifically, I'm talking about a NAC. NACs in general will have you believe I have to control everything on the network.

Speaker 2:

And when something that's controllable goes off the network, I have to bring it back on the network and then apply that control again. What software defined perimeter is really all about is control the things that you care about and ignore everything else. Don't grant those other things any access to anything. Isolate them. Send them to a black hole.

Speaker 2:

Don't even let them see the other things on the LAN. And that's what software defined perimeter helps you accomplish. I'm kind of the king of analogies around here with some of the things that we do. And so this whole concept comes up to this approach. Right?

Speaker 2:

So we all drive on the roads, on the highways, and we use toll roads. Right? So the NAC would have you believe that you need to control everything on the road like a toll road. You gotta control the entry points. You gotta control the exit points.

Speaker 2:

You gotta control the road itself. It's a very expensive proposition to use this road, to build this road, and to maintain this road. But that's what the NAC is trying to sell into the world. On the AppGate side, on the other hand, it's more like the interstate system that we have and that we know and we love, the free interstate system built by Eisenhower in the fifties. Right?

Speaker 2:

Anybody can use this interstate system. But when something important goes down that interstate system, we want to manage that something that's important. You know, whether it's a first responder with sirens on, right? We want to give that first responder a lane to use. If it's a dignitary that needs an escort, we provide the escort for the dignitary.

Speaker 2:

And that's really the difference between a NAC and a software defined perimeter solution. The NAC would say, control everything, make no exceptions. And then the software defined perimeter would be like, control what you have to control, what you need to control, and ignore everything else. If you wanna let it use the infrastructure, let it use the infrastructure. But if you don't, then don't let it use the infrastructure.

Speaker 2:

And that's kind of the way we look at it.

Speaker 1:

So AppGate works by installing a client on the end user's device and then a gateway that the device can authenticate with and pass traffic through. And then you establish trust by some policy or set of rules. On a high level, you know, what are some basic examples of rules or conditions that you're checking, or that can be checked, you know, with the SDP?

Speaker 2:

Yeah. That's a really good question. And very specifically in AppGate, we call these policies. Then a policy can be built on a number of different things, both included in the product by default and things that you can create as an owner or a user of the product. Generically speaking, we call these claims.

Speaker 2:

Claims, you can think of them as variables. Every single time a user connects to a corporate network, there's a couple of different things that are true about that connection. First of all, there's a user and an identity. That identity is managed by some identity management system, say, Active Directory or Azure AD or Ping Identity or Duo or Okta, whatever. But that identity management system also contains attributes about the user.

Speaker 2:

And here's where our first set of claims come from. So you can take any attribute from that identity management system about the user and store it in a user claim in AppGate and use that to build a policy. You can also combine it with claims from the user's device and the network that device is connected to. Obviously, we call these device claims and network claims. Things like, what is the laptop's default gateway IP address?

Speaker 2:

Is the laptop's hard drive encrypted? Yes or no? You know, true or false? Are certain processes running on that laptop? Where are the geo coordinates of the IP address that's being used as the default gateway?

Speaker 2:

Things like that are captured by the AppGate client when the user is attempting to log in and, again, sent to the controller, stored in variables that we call claims. And all of these claims are available to be used to define policy. So now I can literally make a policy that goes something like, if the user is a member of the finance group, as defined by Active Directory, and the MAC address that's stored in Active Directory for their corporate issued laptop is the same as the MAC address of the device they're on, and the corporate issued certificate is on the device, and the device is connected to a network whose default gateway is inside the boundaries of the United States, and it's Monday through Friday, and it's regular working hours, and his antivirus is running, etcetera, etcetera, etcetera, you get the point. You can use any of these variables. Then I might wanna grant that user access to the apps it takes him to do his job.

Speaker 2:

So, because I said finance as the group, maybe I'll give you access to the finance server, a couple of finance file shares, you know, an application running in Amazon that's finance oriented, like a reporting tool. And those are the things that you get access to to do your job. And then AppGate will actually serve those entitlements down to the end user. And his AppGate client will establish secure encrypted tunnels to all the data centers where those apps live. And this is a multi tunneling concept that we have built into the product.

Speaker 2:

We hold a patent on that that really begins to change the dynamic of how you think about users accessing applications in a multi data center environment.

Speaker 1:

So 20 years ago-ish, the precursor to 802.1X hit the market, which is my network device is aware of this, you know, this computer, and it's allowed access. And this model has matured a little bit. And then Google released a paper, which ended up becoming zero trust for a lot of people, or the foundations for it, and Google has extended into BeyondCorp. We look at corporate networks. This is a pretty big shift to go from existing infrastructure network design into a zero trust model.

Speaker 1:

I mean, if a company doesn't evolve into zero trust, you know, what's the negative? Why is zero trust important to them, and why should people be taking this seriously?

Speaker 2:

That's a good question, and probably a very opinionated answer would be what comes out of me here, because I don't think there is a right answer to that question. But, so look, I think if you're not thinking about zero trust and adopting newer technologies, newer ways of protecting your assets, your corporate applications, then you're gonna be left with using traditional IP based technologies. We all know IP addresses have had a shift over the last few years from IPv4 to a heavier and more frequent adoption of IPv6. The point here is that IP addresses are typically pretty static. However, when users move around with their devices, even their mobile devices, they'll pop onto different cell towers, different partnered networks, if you will, if they're really traveling across the country.

Speaker 2:

And next thing you know, they've got different IP addresses all the time. So the source IPs vary dramatically as the users become more and more mobile, more and more independent of working in the office. And that's the fundamental issue with IP based access controls in the first place. The IP based access controls are really all about, do I trust the source of this traffic? And the source is defined by the IP address of where it's coming from.

Speaker 2:

Well, that IP address is becoming less and less predictable from an end user perspective. Yeah. You can probably predict, you know, the IP address of their work from home location, but you need to ask them to get it for you and document it for you and send it in. You could certainly use that as an attribute to validate that they're actually at home. But that side of the equation becomes more and more scary as users become more and more independent of working in the office.

Speaker 2:

The other side of the equation, how do I define the destination? That's becoming more and more fluid as well. Of course, we have DNS that we can use to resolve IP addresses in real time. So that's, you know, that's one way that you can start thinking about how do I tie a name, a static name, to a different set of IP addresses, a revolving or changing set of IP addresses. And that certainly works in one regard.

Speaker 2:

But now cloud, AWS, Azure, GCP, even VMware and OpenStack, give us the capability of programmatically building and destroying applications on demand. So we can auto scale stuff. We can execute scripts that will build new applications and build them temporarily and then destroy them later. Here's the problem that we're starting to run into. This building and destroying starts to use and reuse IP addresses in different ways in the same network.

Speaker 2:

So today, I might press a button and build a new finance server, and it's got a 10.1.1.5 IP address. Tonight, I might destroy that finance server, you know, back up the data, whatever, destroy the finance server so I'm not paying for the resources overnight. Tomorrow, build a new one. Well, that finance server might end up with a new IP address, which is entirely possible. DNS would help us solve that problem.

Speaker 2:

But I might also turn around and build a new QA platform. And that 10.1.1.5 IP address is now part of my QA environment. Well, how do I make a rule that allows my finance people to reach that finance server no matter what the IP address is, and vice versa? When QA is allowed access to 10.1.1.5, and all of a sudden the next day 1.1.5 is associated with my finance server, now my QA people have access to it because the rule is built around IP addresses. That's a disaster.

Speaker 2:

Right? It's a complete, complicated disaster that you've gotta figure out how to solve. With AppGate, we've added another capability that allows you to define applications based on metadata. It's a very unique capability. So now I can go and tag those instances as a finance instance.

Speaker 2:

And it doesn't matter what the IP address is, whether it's 1.1.5 or something else. When that thing is tagged a certain way, I can associate that tag with the IP address and grant access to the end user based on that tag value. So we can do that in AWS, in Azure, in GCP. We can do it on VMware. And we're working on ways to do it with OpenStack, Kubernetes, Hyper-V, and other platforms as well.

Speaker 2:

But we've got a majority of the platforms covered where that dynamic application concept exists today.

Speaker 1:

This has to take a lot of load off of an IT department in terms of managing and supporting resource creation and access controls and just inventory management. I mean, what does this look like for people after deploying?

Speaker 2:

That's an interesting question too. When you hear me describe what AppGate does, if your head is oriented around the traditional way of thinking about solving these problems, I tend to make your head explode, right? People on the other end of the microphone, they tend to say, wait a minute. This is way too complex. I'll never be able to get my head around it.

Speaker 2:

I'll never be able to understand how to make this thing work completely. But the answer is, it's actually so much easier. Because we can control the endpoint with a client and we can control the entry point to the network with gateways, we're actually controlling all the outbound traffic from the end user side and all the inbound traffic to the data center side and, frankly, vice versa, and that's a whole other aspect of it. It becomes an easy way of thinking about using these attributes that I was describing earlier to help define those policies. I don't have to go in and manually program individual switches or individual appliances or even individual user devices. I can do it all centrally.

Speaker 2:

I can do it all through the use of this tagging, through the use of the metadata. I can do it through the use of these attributes that are coming from the identity management system, the end user's device, and the network that he's connected to. It makes it so much easier. We've actually got real case studies out there where we've got certain entities in North America, in fact, that are handling tens of thousands of connected users. And they've literally got 1 or 2 admins that are dealing with issues or making modifications to the platform.

Speaker 2:

And they do it all from a central command console. And they're managing these AppGate appliances that are deployed in 5 different data centers. And they're doing it with a very small crew in a very small amount of time every day. So it's a pretty easy thing to do once you start to really understand the power of the multi tunneling and the use of these attributes that I'm talking about.

Speaker 1:

So now, in a post COVID world, companies are scrambling to have a remote workforce, work from home, or actually really just a distributed workforce in general. That seems to play right into what you're telling me AppGate does and your strengths. So can we talk a little about what your customers have experienced now post COVID, and what this has been like using AppGate if it was already there or if they're onboarding now post COVID?

Speaker 2:

Yeah. I could answer that in 2 different directions. Right? So, obviously, with COVID 19, there's a major shift in work from home attitudes across the world and across every industry. If you're a knowledge worker that needs to work on a computer a good part of the day, and you're not, you know, you're not dealing with packages or individual things that you've got to move around.

Speaker 2:

If you're a knowledge worker on a computer, the idea now is that you're probably working from home. And most of our existing customers, they've handled this transition very smoothly. With AppGate, you know, all of our stuff is software. It's all based on appliances, virtual appliances that are deployed to protect assets, software that's deployed on the end user's device. It's self-service.

Speaker 2:

So they've handled it easily. In some cases, they've called us for upgrades. Right? They originally spec the system out for 100 users or for 200 users, and they've called us and said, hey. We need to double that, or we need to triple that or quadruple it.

Speaker 2:

Easy enough for us. We issue a new license file. They upload it to their system. No downtime involved. And that gives them the ability to add more capacity, whether they're end users, more end users connecting into the system, or more gateways to handle the load.

Speaker 2:

Very easy to expand, either side of that equation. Then you've got another answer to the question, how about non AppGate customers? How have they been handling this shift? Well, from our perspective, we have seen a dramatic uptick in interest in AppGate. A lot of prospects that aren't customers have been using traditional VPN technologies.

Speaker 2:

One of the first things they figured out is that with VPN having a single tunnel going into a concentrator, the concentrator is typically overwhelmed immediately. That's the very first thing that falls over. And so now they're scrambling around saying, hey. You know, hey. I need to upgrade my concentrator.

Speaker 2:

I've gotta buy a bigger one. And that's typically a hardware appliance. I need to also buy licenses because I can't handle it going down now. That means my whole business is, you know, effectively offline, so I gotta buy a second one. I gotta get licenses to go with it and activate that.

Speaker 2:

That's a little more complicated. And then they start looking around after they get that problem solved, and they say, well, now that I've got the ability to have the concentrator handle the users, the pipe from the Internet that's feeding the concentrator isn't fat enough, so I gotta upgrade that. Right? Because everything's coming through that single pipe. And then they get that solved, and they look around, and they're like, okay.

Speaker 2:

Well, wait a minute. Now everybody's, you know, VPNing into corporate, and all these users used to be working in different places, different branch offices. And now they're all using the same pipe to get out to the Internet or to get out to some other data center that I have, and that pipe's not big enough. So it's a cascading domino effect of things that are just running out of steam. AppGate obviously solves this with this multi tunneling concept.

Speaker 2:

There isn't a single entry point into the network with AppGate. As a user, if you're granted access to an app that lives in a data center, you will have an encrypted tunnel to that data center. If you're a company that has 10 data centers with apps deployed in all 10 of them, then as a user, if I'm granted access to 10 apps in 10 data centers, then I'll have 10 tunnels running to all those locations. So I have no single entry point, no single point of failure. My traffic is split across all those internet connections or all those direct connections.

Speaker 2:

So I distribute the load across all the infrastructure. In fact, AppGate also removes the end user traffic off that data center to data center connectivity link, leaving it for that critical server to server communication that's necessary to make stuff work right.

Speaker 1:

You mentioned license keys for users and gateways. Can you run me through how AppGate SDP actually prices, what the components are, and how we actually scale this, you know, to match into an environment?

Speaker 2:

That's a good question. Two simple answers. There's 2 components to the pricing model. The first component, and the predominant component, is users. So as you have people that are trying to authenticate and get into the environment, they consume a user license.

Speaker 2:

And so as a human, I might have a laptop. I might have an iPhone and an iPad, so 3, 4, 5 devices. And my company might allow me to use any of those devices to connect to the network and do my work; that's still one user license from an AppGate perspective. So it's an easy way to think about, you know, I've got a 500 employee company, and 400 of those employees are now work from home employees. I need 400 user licenses for my AppGate deployment.

Speaker 2:

The second component, and it's a minor component, is what we call a site license. You can think of a site as a data center, a traditional data center. You can think of it as a region in the cloud, like an AWS Northern Virginia region. A more detailed description of what a site really is: a collection of subnets in a location controlled by a single entry point from the outside world. So think about a traditional place where you might have a data center with a bunch of different subnets that are all fed from a DMZ, and that DMZ is protected by a single firewall and router combination.

Speaker 2:

Well, that would be a site in our licensing model. And so as a company, you know, most companies will have 3 or 4, maybe 5 sites. Not a problem. We'll add those 3 or 4 or 5 sites to the license. There are a few exceptions to this, where some companies, in adopting cloud, they've come back in and said, you know, we wanna make our cloud adoption really tight, really secure.

Speaker 2:

So we're gonna have a completely different account for every single application that we deploy in the cloud. And so now if you have 100 applications, you have 100 different accounts. Well, those accounts, if they're in different regions or whatever, now you've got potentially 100 different sites. The great thing about AppGate is that we don't actually delineate between accounts within the AWS or Azure or GCP world. So you can actually have a site span multiple accounts.

Speaker 2:

There's another workaround as well. AWS, about 2 years ago, came out with a concept called a transit VPC. So with a transit VPC, you can establish trusted connectivity from a transit VPC to multiple other VPCs that might be in the same region or maybe in different regions. If you're using an architecture like that, then that still becomes one site. That transit VPC becomes the entry point from the Internet.

Speaker 2:

And then you're using AWS networking to get to the other locations that you've got apps deployed. And so that's still just one site in our world. So there's a lot of different little nuances there. And like I said, it's a minor component, the major component being end user identities.

Speaker 1:

Alright. Last question for you, Jim. Actually, 2 questions. Give me an idea of the pricing per user. And if somebody wants to kick the tires and test this before they deploy, do you have an eval or a demo program as part of your presales engagement?

Speaker 2:

Absolutely. So, pricing model per user, the list price is about $140 per user per year. Obviously, there's discounts associated through partnerships. There's discounts associated with quantities of users. There's discounts associated with years of commitment.

Speaker 2:

Site licenses are, I think, around $3,000 per site. And then, obviously, there's other options with AppGate, too. We can sell you physical appliances. Those have a price. We can sell you implementation services.

Speaker 2:

That has a price. We usually include a starter pack that gives you about a week's worth of services to help you get started, those kind of things. So those are some of the price points. The answer to your second question, things that people can use to get started, there are lots of things out there. Right?

Speaker 2:

So first of all, in all 3 major cloud platforms, AWS, Azure, and GCP, we have the AppGate appliances in the marketplace. And a special version of that appliance is a free 14 day trial. So if you're already a cloud customer using this infrastructure as a service concept on one of those 3 providers, pop out to the marketplace, search for AppGate, find the one that's labeled 14 day free trial, download it, and off you go. Right? There's instructions there: how to build it, how to deploy it, how to make it do what you need it to do, do some testing.

Speaker 2:

All the clients are available on our download page. So you can just search for AppGate downloads, and you find the various clients for Linux and macOS and Windows. We even have iOS, Chromebook, and Android clients as well. You can find all of those there on our download page. Another way that you can experience AppGate is through something that we call the test drive.

Speaker 2:

So we've actually taken time to build a global AppGate deployment. There's components that run in North America as well as in Europe for this test drive environment. You can go to a URL. It's called testdrive.appgate-sdp.com.

Speaker 2:

That's testdrive.appgate-sdp.com. Register for an account. It'll send you an email. You follow a link, go back in, complete the registration process, and you'll have full access to a deployed AppGate environment as both a user and an administrator.

Speaker 2:

So you can experience the user side of the equation. How does this work? You know, what's the user gonna do? How do they interact? And then on the admin side, now that I've logged in as a user, what does that look like to the admin?

Speaker 2:

What was that user granted access to? What are some of the attributes associated with the user? And, of course, it's all video oriented, so you can watch videos that explain step by step exactly what to do and how to get it done.

Speaker 1:

Awesome. Jim, this was fantastic. Thank you very much for your time.

Speaker 2:

Max, thanks for having me. I had a great time.

Speaker 1:

Thanks for joining the Tech in 20 Minutes podcast. At Clark Sys, we believe tech should make your life better. Searching Google is a waste of time, and the right vendor is often one you haven't heard of before. We can help you buy the right tech for your business. Visit us at clarksys.com to schedule an intro call.
