Make it Easy to Do Right and Hard to Go Wrong: BlastWave’s Product Strategy

In his last blog, Vince discussed how customers love BlastWave’s usability. A prospective customer pressed me on this issue in a meeting recently. He explained that their network had hundreds of devices, tens of firewalls, and several VPN servers for many remote users they used across their IT and OT networks, including site-to-site VPN’s. His question was, “My network is very complicated, tons of configuration, and we are not even segmented like we should be because it is too much work. How can you possibly replace this, improve my security, AND make it easier to use and manage for my team?”

My response: “Challenge Accepted”

What did we recommend to the user? I can tell you this: It was not to “Copy all of your existing configurations, convert them to a BlastShield configuration, install our system in your network and replace all of your user’s clients with ours, re-architect your network, then conduct a hard switchover.”

If you make change hard, no one wants to. “Make it easy to do right and hard to go wrong” is a good piece of advice BlastWave has taken to heart as part of our product strategy. This is how I made money as a professional poker player—I gave my opponents opportunities to make mistakes and kept my decision-making as simple as possible so I would avoid them. Network migrations, especially security ones that involve Remote Access, can be very hard on IT/OT staff.

So, how does BlastWave migrate our customers?

Our first customer rule at BlastWave is that we must adapt to fit your security architecture. We do not want to require any changes because IT changes are hard, and OT network changes can sometimes be impossible. Many OT devices simply cannot change their IP address without massive operational disruption. We also do not want to force a hard cutover because continuity is mandatory for OT networks.

So, we start by creating a “side door” for OT staff to enter the OT network. A few users install the BlastWave client and can use the newly installed gateway (which only requires a firewall pinhole to operate). These users can use BlastWave to access the existing OT network without disrupting operations. If desired, the OT administrator can set microsegmentation (which can also be done without re-addressing or new VLAN configurations) and import all the existing OT devices into the BlastShield Orchestrator to create groups and policies. As the users adapt and the OT network administrator becomes comfortable, the rest of the users can be switched over, and the OT VPN and Firewall devices can be turned off.

Without significant changes or disruption, the customer has a new secure OT network that is protected from AI-powered attacks, is cloaked from hackers, allows only PKI-authenticated users, and is segmented as much (or as little) as the OT administrator wants.

Installing a new OT Cybersecurity solution can be as easy as 1..2..3: