From our studios, in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation.

Hi, and welcome to theCUBE studios for another CUBE Conversation, where we go in-depth with thought leaders driving innovation across the tech industry. I'm your host, Peter Burris. Every enterprise has to concern themselves with how they're going to go about ensuring the appropriate access to those crucial applications that run the business. This is especially a key question in domains where the applications are a seminal feature of the operations. How can we set up IT so users see what they should see, can access what they can access, and that we have control overall about how these systems work? Now to have that conversation, we're here with Tony Ferguson, an IT infrastructure architect at Man Energy Solutions. Tony, welcome to theCUBE.

Yeah, thank you.

So Tony, before we get into this crucial question about the appropriate level of visibility and the need for security between people, users, and applications, tell us a little bit about Man Energy Solutions.

Yeah, so we're a German-based company. I'm working out of Copenhagen, but we're part of the Volkswagen Group. We have 16,000 users globally across 100 locations. Our company, we make large diesel engines. We also make smaller versions in our German factory. And yeah, in our company, we have, of course, a lot of IoT on the actual engine. And of course, we have corporate IoT. And my job is to secure all of this infrastructure.

So specifically, some of these big diesel engines, as I understand it, are being placed in locations and use cases that have an absolute requirement for security. For example, driving a ship is a major feature of the way that your engines are being used within the world. Have I got that right?

Yeah, yeah, that's correct. And then the scale of this, the number of engines and the number of vessels we need to access and the data we collect. It is critical infrastructure. We also have power plants. So it's really important that we secure this infrastructure.

So it's an infrastructure that has very interesting physical characteristics, but also has very interesting security characteristics. As you went into thinking about how you're going to improve the applicability of the overall infrastructure that you use to drive your business use cases, what were some of the issues that you find yourself struggling with?

Yeah, so yeah, a lot of issues actually. Well, one of the first things is that we wanted to authenticate the actual engineer and we wanted to make sure that the right people got to the right assets and we wanted to make sure that authentication was strong. So like the two-factor, multi-factor authentication. And we wanted to ensure that all the data between that engineer and the vessel was encrypted. And another big problem for us is scale. We need to scale the solution and one of the things that Zscaler have brought for us is namespace routing. We had the ability to really scale the system without using IP addresses or actually networking. So this solved really a lot of problems for us in trying to get those engineers to all of the assets and the IoT on the engine.

Now one of the things that you noted in your, as you move forward was this notion of a black cloud where you could formalize the types of relationships you wanted between your engineer users and other users and the applications you were running on a global scalable basis to actually ensure the reliability of the product you had out in the field. Tell us a little bit about this notion of black cloud.

Yeah. So it ties into a little bit around zero trust, but how I see black cloud and how I sort of describe it is everything is dark, right? So if there's an attacker and he port scans in my infrastructure, he won't see anything. So basically we reduce the attack surface; that means that there's no answer back. And by doing this, we remove all these vulnerabilities, all these zero-day vulnerabilities, we remove this. And at the same time, we still allow that engineer to connect to the assets.

Now, how does that work in an environment that is as physically constrained as integrating or networking, networking with seagoing vessels?

Yeah, so of course a lot of this connectivity is over satellite and of course it's across the internet. So it is important that we encrypt end to end and it's important that we allow the right engineers to the right customers and we're able to access all these resources and to do federation and make sure there's strong authentication for our customers. We can really tell them that all this infrastructure is completely secured, dark, and it's extremely difficult to come into this black cloud.

So you've got a challenge. The challenge that we've set up here is that you've got a use case that is constrained by the characteristics of the physical infrastructure where the security needs are absolutely paramount and still has to scale and very importantly be evolvable to allow you to be able to provide future classes of services that will further differentiate and improve your business. That suggests that these decisions you had to make about the characteristics of the solution were going to have an enormous impact ultimately on what you could achieve. Tell us a little bit about the thought process you went through as you chose a set of technology suppliers to help you build out this black cloud and this application set.

Yeah, so we looked at a lot of different solutions but a lot of these solutions were based around the old network style, right? Around VPNs, around having firewalls and around having ACLs. And a lot of this is really network-centric and what we were looking for is something that was more application-centric, something that moved up the stack and started to look at policy around what the user would want access to. So putting those users and applications together and creating meaningful policy based on the DNS rather than on the IP layer. And this was really important for us to be able to scale and really make meaningful policy.

So in many respects, it allowed you to, not to necessarily de-emphasize, but refocus your network design, engineering and management efforts from device level assets and perimeter level assets to some of the assets that are really driving new classes of value, the applications, the users and the data that these engines are streaming and the models that you're using to assure optimal performance of them. Have I got that right?

Yeah, that's exactly right. It's extremely important that we don't have lateral movement. You know, we look today, there's all sorts of wormable malware attacks, ransomware, and you know, you can imagine if something got into this cloud that you wouldn't want to laterally move. So it's not just about the products, but it's also about making sure that all these assets are designed from the ground up that are dark as well, right? That even on the engines that they can't speak to each other or there's very limited connectivity there.

Tony, this has been a fascinating conversation about how you've taken this notion of a black cloud and applied it to a really crucial business case within Man Energy. But I got to believe that this sets you up for a range of other use cases that the investments you've made here are going to offer new classes of payback in a lot of different use cases. How are you going to roll this black cloud concept using Zscaler out to the rest of the organization and the rest of the work that's being performed?

Yeah, it's a good question. So when we first looked at this technology, we thought it was perfect for consultants because we could have very specific access policies and just allow them to the assets we required. But then we also saw that there were so many other user cases here, for example, we are moving our applications from our data center to AWS and to Azure. And as we move those applications, the users need to connect to this. So we're able to have this black cloud and have the connectivity to it, but we're not opening this to the internet. So as far as you're concerned, I don't even have any resources or servers in AWS because it's black, it's dark. So there's a huge amount of security that we can add to this. And then there's also a lot of other user cases like company mergers, we had to buy a company so we could use this technology to merge another company together because you don't need to worry about the network anymore. You just worry about getting applications to users. So I think there's a number of great applications for this technology. And I really see that this technology would really grow and I'm really excited about it.

So moving away from a physical orientation of the network to a more logical application and user-oriented, services-orientated vision of the network has opened up a lot of strategic possibilities. What's been the cost impact?

Yeah, so what's quite interesting when you move to the cloud and move to a company like Zscaler, they're a software company. So forget about all the hardware. You can imagine we have a hundred locations globally. So we don't have to install all the hardware. We don't have to have VPN concentrators. We just have to have some software on the client, some software connectors in the cloud and then Zscaler do the magic. So for the business, they really love this technology because it is very simple. It's sitting in the background. They don't have to log on to the VPN all the time. So it's very seamless for the user. And for us, we save a lot of money on buying hardware and appliances.

Excellent. Tony Ferguson, I want to thank you very much for being on theCUBE. Tony Ferguson's the IT infrastructure architect at Man Energy Solutions. I'm Peter Burris. Once again, until we have another CUBE Conversation.