Home » CHANNEL NEWS » Decoding Application Security with Dhananjay Ganjoo, MD, F5- India & SAARC

Decoding Application Security with Dhananjay Ganjoo, MD, F5- India & SAARC

Dhananjay Ganjoo, MD, F5- India & SAARC explains the evolution of application security and its increasing importance in the current scenario.

What are the solutions and services currently in the F5 portfolio?

F5 has been traditionally in the business of application load balancing. We started off as an application delivery controller and we have led a large part of our life as an ADC company. We are closest to the application, we accelerate the application and over the last couple of years both inorganically and organically we protect those applications. There are two domains we operate in — application acceleration and application protection. Our application security portfolio falls in the second domain.

We offer this service in a multi cloud environment or on-prem environment. In fact it does not matter where the application could be. It could be on your customer’s cloud or it could be on a private cloud, public cloud, or a data centre. We provide visibility, management, information about the health of the application and then we help to protect. This is the largely the portfolio that we drive.

Traditionally we have been very focused on the NetOps and the SecOps personas given that the products we had were mostly meant for NetOps and SecOps. With the acquisition of Nginx, we now address the DevOps persona too. Now it is a completely well-rounded product portfolio as far as application is concerned.

What are the verticals you are witnessing maximum traction and what are the prevalent use cases?

Over the last couple of months and maybe over the last year we have seen a huge traction with the likes of banking, finance, insurance companies, telecommunication companies, large Enterprise, as well as IT/ITES companies. These have been traditional buyers and over the last couple of months during the times of COVID these companies have continued to invest in our technology.

We have seen a large part of our discussions revolve around CISOs now as security becomes even more important. In January 2020, F5 acquired a very significant fraud protection company called Shape Security that brings us closer to the application when it comes to web and mobile fraud detection and protection. With Shape we protect about a 100 million credential staffing attack daily.

How does the technology from Shape Security work in a typical manufacturing setup with IoT and RPA installations?

First of all if it is an RPA or IoT installation which is internal to the organization we do not get to see it at all. We are looking and listening to the traffic which is coming from your Internet. We are listening to traffic which is coming from external sources. If you are not connected to an external source and if you have your own Island of information in which you are transmitting data that you know is good, then there is no use case for Shape Security at all. The use case for Shape Security happens when you are talking to an external world. You require these technologies typically when you have traffic coming from an external source that you are not aware of. The Shape technology recognizes symbols which are bad bot signals quite distinctively.

What have been the perceptible changes in F5’s GTM strategy over the last few months?

Most of the engagements are digital in nature and the CISOs have tech savvy teams. Physical was never a boundary or a problem for tech companies. So we did not have to tweak our model in terms of go-to- market at all. I do not think any tech company had to do it. We have a regional PoP in India which provides web application firewall services in a managed service environment. There are two options for a client. Either I want to take WAF and deploy it to protect my application inside my own premises or I can take that WAF as a service from F5. We are seeing a lot of companies now taking it as a service model.  This gives them two advantages. First is the cost, where it is a subscription model and you do not own anything. We provide the whole technology as a service to you.

Secondly, in India it is very difficult to find relevant skill sets. WAF is a complex technology to deploy to protect your most important asset, i.e. your applications. We take care of both the things in terms of skillset as we run a  SOC from where we operate as a service as well. This is cost effective because it is a subscription now and you do not have to pay money. We have offered both WAF and DDoS and now eventually with the Shape acquisition, it will also be available as a service as well as on-prem.

How many customers are there for managed security services and from which verticals?

Over the last four months, we have quadrupled the number of the number of clients we had over the last entire year. The good part is that very recently we have seen one of our clients is a bank. We have seen banks also come out and are ready to accept technologies such as WAF, bot protection as a service model where they do not have to share with us any data. It is all meta data that we examine and provide signals to the bank in terms of what to do.  Telecom, banking, IT/ITES, government, consulting companies all of these have been our clients in the past and continue to remain so.

What sort of companies are shifting towards managed services?

The technologies that F5 sell is not meant for a particular vertical. We are the closest to the application and we accelerate and protect that application. Applications are pervasive, they are with everyone and they are the most important asset for any organization irrespective of which vertical we talk about. Protect your application and provide a great experience to the end user who is using that application.

There is a change in the whole application structure itself. The way applications were written in the monolithic fashion in the underlying are all moving into a containerized fashion. It does not matter where this application resides. We can provide visibility even if the applications are across different clouds. How do I automate some of my processes that were very much human dependent is the new trend.

How does F5 manage regulatory compliances especially across multiple sectors?

First of all India does not have a Data Protection Bill. RBI has a framework that all banks follow. Everybody else outside of RBI forms their own and interpret their own way of protecting data. Once the Data Protection Bill comes then everybody will follow the framework with data protection. No data will be allowed outside our country boundaries.

Today there are several banks in India that have applications running on public cloud. There is absolutely no problem for banks to allow companies live cast to study the single telemetry and provide intelligence that will save thousands of rupees.

How are enterprises looking at security in a predominantly WFH environment?

There are multiple levels of security. No organization plans for 100% its work force to work from home. When people started working from home, first organizations had to buy the right side of licenses to securely allow end points to come into the network. Then they have to ensure that the endpoints coming into the network are secure. We are in the business of providing that secured tunnel for an endpoint to come into the network of security. We have seen a spike in our business for remote secure access.

How would you differentiate F5 from most of your competitors?

When I see competitors it will be mostly from the view of an application. Where we are headed as a company is the vision of an adaptive application. We consider the applications to be like living organisms. Your application is growing, shrinking, multiplying, finding itself in different places and it has viruses and hackers trying to come and attack it and that is exactly what we do. We are in the business of adaptive applications where your applications will scale up, scale down and we provide solutions to protect them. You may write the best app in the world but it has to traverse through 13 different technologies before it reaches your mobile phone.

How is the changing nature of engagement with the CISOs?

The position of CISOs was always there and given that we have been in the business of application protection we have always been engaging with them. The job of the CISO is not just to protect the application but provide an all round protection to the digital infrastructure that is in place. Application plays a larger part in it because that is an asset which needs to be protected because all the information about the company is all very application-dependent. The dialogues and protecting applications and making application safe and their access secure suddenly have taken a newer dimension.

Does F5 work in a consortium mode with other end-point security OEMs?

There are many vendors that we have tested and inter operated with. We have a list of several OEMs. Our journey starts where the firewall journey ends. Therefore, we are working very closely with all the firewall vendors, for example, for load balancing the firewalls. There are several symbiotic relationships and interoperability testing that is happening. Our journey starts from there onwards and underneath that interoperate with almost every provider that we have.

How is it working with the government on the security front?

We have a government vertical in F5 that addresses government needs. The government is as sensitive in protecting the data and they have deployed cutting edge technology pretty much like any other large enterprise or bank to protect citizens’ data. It is wrong to interpret that the government lacks in this department. Their job is to govern and not to hire highly skilled IT individuals. All of that is provided to them as a service directly by the vendors like us in a managed service scenario or by the partners. They have enough skilled engineers that can go, deploy, manage and configure. It is not government ownership to have ‘ponytailed’ engineers and hire them for their service.

How is F5 balancing between retaining existing clients and acquiring new clients?

Our year ends in September and the new fiscal year starts in October. So this is the last month of the year. 22% of the business that we did this year is net new to F5 in India which means we acquired a significant portion of our business. Literally one quarter of our business was net new.

In terms of engagement, all our engagements over the last 5 months have been digital. Nobody is expecting vendors like us to walk into their office soon but their need to provide secure application services is not going away. The engagement with our set of clients that needs our technology has grown. For us it has been a very significant engagement irrespective of whether it is COVID or not.

Check Also

Redington and CrowdStrike Announce New Distribution Agreement to Accelerate Cybersecurity Transformation Across India

Redington and CrowdStrike Announce New Distribution Agreement to Accelerate Cybersecurity Transformation Across India

Redington selects CrowdStrike to meet growing demand in India for stopping breaches and consolidating cybersecurity …

Do NOT follow this link or you will be banned from the site!