Extreme Networks Security Leader: Automation Taking SASE to a New Level

David Nuti joined Extreme Networks in the summer to accelerate the company's cybersecurity strategy.

James Anderson, Senior News Editor

December 4, 2024

Extreme Networks' David Nuti

Years after secure access service edge (SASE) brought security and networking functions together, automation is joining the party.

So says Extreme Networks security strategy leader David Nuti, who has been working in the channel trenches on SASE since the inception of the term in 2019. Nuti joined Extreme in August, at a time when the company is making investments in its Universal ZTNA application and network access solution. Nuti, who came over from Exium and previously worked at Nord Security and Open Systems, pointed to Extreme's capabilities in networking automation as something that helped draw him to the company.

"SASE rolled out and said it was converging networking and security. It didn't really even touch artificial intelligence, and that is now the third party in the room. That's an enormous part of that ecosystem as you look into the future," Nuti told Channel Futures. "Not only making sure policy doesn't conflict with policy and that you don't have conflict between capability silos within that framework, but now, 'How am I leveraging high-end automation that is giving me guidance, if not given complete agent control over making decisions, to continually maintain that environment for me?'"

Nuti sat down with Channel Futures for a conversation about zero trust, SASE and MSPs. We've edited the transcript for length and clarity.

Channel Futures: Why did you want to go to Extreme? What was the pull for you?

David Nuti: A third-party recruiter gave me a job description for a company looking for an expert in security; in particular, the convergence of networking, security and automation. They didn't provide me with the company name, but the job description was extremely compelling to me because it described a networking provider that was a recognized global leader in the category around automation, certainly customer volume deployment. And the next thing that I needed was the name of the company. From there, Extreme and I did an intensive interview of each other to determine that our conviction and energy matched well regarding going to market with a converged networking and security solution. At every corner of the company that I looked at, from CEO Ed Meyercord down, everyone showed absolute commitment, strong energy and a passion to win and dominate in that category of security and networking convergence. For me, that was extremely enticing. As you know, I've been in the middle of this convergence to SASE, as defined by Gartner in 2019, every day of my life. I always describe myself as an old man in SASE years. As old as you can possibly be in SASE, I am that guy. I brought it to the channel first in the form of Open Systems at the time, and it's been an all-day, everyday part of my life. Coming to a company like Extreme, evolving further into that category with Universal ZTNA being the tip of the spear, was just too enticing to pass up.

CF: What has the road map for Extreme been over the years? How has the company evolved and changed?

DN: There's as rich a history around networking as you could possibly imagine. Extreme over the last decade or so went through a series of six acquisitions and has been working diligently to integrate those solutions and begin to expand ... not only to excel at a world-class level [with] traditional networking capabilities, but dramatically expand into cloud-native services and cloud-managed services, to the point now where there are literally millions of devices under management and endpoints under management worldwide by ExtremeCloud across tens of thousands of customers that include the MLB, the NHL, financial markets and higher education. There are areas of everyone's everyday life that actually have underpinnings on networking and network access that are being operated by Extreme.

CF: How do you frame ExtremeCloud Universal ZTNA within what you're talking about with SASE? Is the SASE slotting underneath the ZTNA, or is the ZTNA within a larger SASE framework?

DN: If you go back to the original rollout of SASE as it was defined and literally drawn in imagery by Gartner in 2019, traditional ZTNA was a feature of SASE. And along the way, it carved itself out as a separate conversation. But from day one in the SASE definitions, ZTNA was a part of that framework. I always reiterate that SASE is not a product. You don't go buy a SASE box. You're actually just operating within a framework where networking policy and configuration works in concert with security protection and policy, because they dynamically respond to one another. You don't have separate NOC and SOC. You have a single operating plane, and you break down the barrier between those operating areas. For Universal ZTNA, there's a differentiator there. Within SASE, the cloud-native service where policy enforcement ultimately lives in the middle mile, it needs to be there because that's the center point between the diversity of where users are and the diversities of application endpoints. The middle mile is the most sensible place to have your policy enforcement.

Universal ZTNA allows you to extend in the ZTNA category, bringing policy enforcement down to the campus edge simultaneously with cloud-native enforcement. This provides some key edge advantages for an end customer. It's able to reduce their expense – in cloud expense, compute bandwidth, throughput – by having everything (even from a campus edge) being policy-enforced in the cloud. But I also have awareness at the edge of who my users are at any given point in time at the edge and what applications they are allowed to access or even see across the network. There are operational performance advantages that come in for the end customer as well. While SASE is certainly a cloud-native solution, there is a requirement to be able to deliver certain functions of SASE to the edge of the customer network, where you're able to derive additional performance, security, visibility and monitoring enhancements. Universal ZTNA, being really network-embedded security and microsegmentation for Extreme, was an extremely natural first step. The opportunity to deliver that as a Universal ZTNA solution is an area now where we feel we are leading in that conversation. And as our CTO and others have said, it's really just the beginning for us in this security conversation.

CF: What are you hearing from the IT decision makers whom you're running across? Do they have solid knowledge of these trends? Do they know that they need these things? What's the level of awareness around ZTNA and SASE?

DN: I like what you said there in, "Do they know this is something that they need?" Because that is the reality of the market right now. I encourage our partners to have a conversation around zero trust backed up by their requirements around compliance, industry certifications, government compliance, consumer data protection, etc. They have these obligations to execute on data protection and intellectual property protection. They have to deliver that outcome, and the No. 1 piece of feedback that we get from our customers on Universal ZTNA is the simplicity and the scalability of the deployment. So for our partners, as they talk to their customers, I always tell them that this isn't about finding a customer that says ‘yes’ to doing zero-trust. This really is just about a moment where you're daring them to say no. In the wake of all of the third-party pressure that they have delivering these requirements within their own enterprise environment, to say, 'No, I'm not interested in doing a zero-trust framework,' is actually very much against the grain to, as you put it, something that they know they need to do.

Whether it's delivered from within a larger platform or whether it's executing directly with a specialist (those still exist in the marketplace today), if I'm directing an IT environment, I know I need to have a zero-trust framework. It's hard for me to build an argument that says, 'Nah, I want all of my users to have access to every application in my environment,' versus saying, 'I know I need to make sure that my sales team users at an identity level only have access to the applications that they need to have access to do their job.' We know from the Verizon DBIR that almost 90% of breaches begin with someone's credentials being compromised. When those credentials are compromised, I have an internal policy attached to that identity that doesn't even allow for that user's identity to be able to explore the entirety of our environment. If you come into my hotel, you're going to check in at the counter, you're going to go to an elevator, and there's only one door. When you get in the elevator, there's only one button for your floor, and when you get to your floor, you're only going to see your door. It doesn't impede you, and it doesn't negatively affect your user experience in the environment. This is an internal protection that makes sense to have in place, because you don't need to be able to go into everybody else's room, and you don't need to be able to explore every floor of the building.

CF: Could you talk a little bit about Extreme’s approach to selling security? What has that go-to-market been like?

DN: The security conversation has always been a part of the Extreme DNA. When you look at our fabric networking solution, that is a rich conversation around network segmentation for security purposes. Imagine a university, in which we do so well in higher education, kind of as a parent organization with a bunch of sibling companies underneath it, in the form of all of the various education departments that they have. There's absolutely no reason that there should be wide open data-sharing across the board between the economics department and the psychology department. We have that segmentation conversation where the tighter you can do your segmentation within networking means that a compromised segment of your network doesn't have to mean a companywide compromise across the board. You have the ability for containment and control and investigation and lockdown within the networking layer. We've always aggressively been in that part of the conversation. Where we're now starting to take steps is in the monitoring of ingress and egress of traffic flow, for what happens coming in and out of the internal network. That's where we're building our acumen out, leveraging our global cloud footprint that we have. That's just a way of saying that as a strategy we know we need a richer set of solutions at a first-party level to deliver to our customers. We are wide open. We have a tremendous number of technology alliances with our peer service providers in the market, and are very neutral in allowing our customers to work with whomever they want. But we do know that our customers, our partners, are asking for more of that capability from Extreme and we intend to deliver on that.

CF: How has Extreme leveraged channel partners in the go-to-market for security historically, and how are you doing that going forward?

DN: We've always had a fully committed multi-tier sales model and a rich set of distributors, managed service providers and partners that work through that model to deliver Extreme services to their end customers. That is across the board for us. We have transitioned more toward cloud services and subscription models. Our chief product officer is also our general manager of subscription services. While we have an unbelievable portfolio of edge hardware that is largely cloud managed, it's now anchoring additional cloud and subscription services into ExtremeCloud, and for our partners, that is a very exciting path for them to take with us into those subscription models. You've been surrounded by those over the years as have I for the last decade-plus in many of the same channel ecosystems. As we make these moves, our partners are only asking for more. I just did a tour of our partner advisory councils in the U.S. and in Europe, and it's nothing but validation in every single conversation that I have, that we've excelled and really led the way in network and cloud-managed networking automation and our customer and user experience. The simplicity and the automation that's involved is really second to none. And partners are very enthusiastic about seeing security solutions that keep in mind all of that automation that exists, and not delivering something that's siloed and disparate and a broken user experience, but is actually tightly integrated in.

CF: How do you see convergence between partners? How do you see the swim lanes blurring?

DN: I think the analysts kind of set the table for this a few years back when they started really identifying and calling out not only that it was happening but an increased desire for the convergence of services. When you look at the landscape of 5,000 different suppliers out there and an outcome that you need to deliver as an IT leader, there are very few organizations that have the bench depth and the expertise and the 24-hour operation to do those things. So the responsibility for simplifying and converging that has really made its way to the actual supplier – the provider of those technologies – to begin to manage out the complexity through converging security, networking and automation. If you're a traditional MSP, the management component of it for your end customer actually starts to reduce, because the solutions that you're bringing in front of your customer at the supplier side are already starting to manage out the complexity before it even gets to the MSP delivering it to an end customer.

Now, what's exciting about that is, as an MSP I can now handle more customers. I can grow my customer base now, potentially with fewer internal resources required, as some of the complexity is being managed out through convergence, and when you layer in artificial intelligence and you have some of the ongoing management and some of the guidance and recommendation being driven through artificial intelligence. We're three to four years out from that, but that's going to pick up a lot of the slack of traditional management of solutions, which gives an MSP an opportunity to expand their footprint across customers. There's still a lot for everybody to learn. Nobody's losing their job to artificial intelligence. But as our CTO put it on stage at an event recently, you may not lose your job to AI, but you will lose your job to someone else that's using AI to their advantage. It's something to pay attention to in the marketplace. SASE rolled out and said it was converging networking and security. It didn't really even touch artificial intelligence, and that is now the third party in the room. That's an enormous part of that ecosystem as you look into the future, not only making sure policy doesn't conflict with policy and that you don't have conflict between capability silos within that framework. But now, "How am I leveraging high-end automation that is giving me guidance, if not given complete agent control over making decisions, to continually maintain that environment for me?" That's going to be really exciting to look at over the next three or four years.

CF: Are there any initiatives going on at the partner level to recruit or expand?

DN: We've always been very strategic about the partners that we work with. There hasn't been an approach to boil the ocean and try to bring on 30,000 MSPs to anchor our services; but rather, work directly with the MSPs that directly align with the ideal customer profile that we engage with. That ICP has to match between the two. At the same time, you've seen the arrival of providers to the TSD channel that previously would never even consider engaging. And the reason was, they were built to move downstream into SMB categories, because it was a heavy lift, and the amount of engineering that was involved and time involved with a small customer just didn't justify it for so many suppliers. I used to say at one of my previous roles that, as a supplier, you're almost building in the ability to say, "You know what? I really don't care anymore how small or large the customer is. I don't care if you're 50 or 100 seats, or if you're 50,000 or 100,000 seats. If I'm truly delivering a cloud-native service that's anchored from the cloud, I now have that infinite scalability in either direction."

That's why I've told the traditional MSPs that use these large cloud service aggregate marketplaces that you're kind of being forced to add that second "S" into your moniker. Whether you like it or not, MSP, you need to be an MSSP, because these services have now become so much easier to be consumable and delivered to your customer. Because that complexity and much of the management piece of it has now been taken on by the supplier, and you're able to just deliver an outcome to your customer.

CF: Is there anything else you want to say directly to the small to midsize MSP reading this?

DN: Keep an eye on our space, our push toward cloud-native services and how that's going to expand our footprint. We have been looked at over the decades as one of those traditional box shipping networking companies. As a company, we've evolved so tremendously in cloud and subscription-based services, and you're seeing more of that come from us. And at the same time, the convergence of all these various partner modeling that's taking place is inevitable. I always encourage our partners to be industry first and product second. Pay attention to your industry. Be aware of these trends that are taking place and how security providers are desperately trying to build out their networking acumen, while networking providers are now layering in security subscription services. There's a meeting in the middle, and that dynamism, I think, is going [to take place] over the next decade. I think most aggregators in the TSD space recognize that cybersecurity and AI automation are without a doubt the biggest opportunities over the next 10 years for partners.

About the Author

James Anderson

Senior News Editor, Channel Futures

James Anderson is a senior news editor for Channel Futures. He interned with Informa while working toward his degree in journalism from Arizona State University, then joined the company after graduating. He writes about SD-WAN, telecom and cablecos, technology services distributors and carriers. He has served as a moderator for multiple panels at Channel Partners events.
