The Voice of Cyber®

KBKAST
KB On The Go: Zenith Live 2024 (Part 1)
First Aired: September 17, 2024

In this bonus episode, we sit down with Kavitha Mariappan, Executive Vice President, Customer Experience & Transformation and Dhawal Sharma, Senior Vice President & General Manager as they share the latest in zero trust networking and AI security to protect and enable organizations. Kavitha provides insights into the rising use of AI in cybersecurity, both defensively and offensively, and the challenges organizations face transitioning to zero trust environments. Dhawal delves into the concept of adaptive access and its role in real-time anomaly detection and zero trust security models, emphasizing the need for geo-location aware policies and the integration of step-up authentication. They also explore the impacts of recent cyber incidents in the ANZ region, the significance of network segmentation, and the collaborative efforts with industry giants like Google and NVIDIA to enhance security capabilities through AI technologies.

 

Kavitha Mariappan, Executive Vice President, Customer Experience & Transformation, Zscaler

Kavitha Mariappan is a seasoned go-to-market executive with a penchant for rapidly translating technology into customer-centric value, mobilizing global teams and operations, and transforming them into high-growth businesses. Over her 20+ year tenure spanning enterprise software and service providers, she has held various high-impact roles spanning marketing, product management, and engineering at industry-leading companies including Databricks, Riverbed, Cisco, and Philips Electronics.

Prior to joining Zscaler, she served as CMO at Split Software, a venture-backed startup where she built the company’s go-to-market engine from the ground up and was instrumental in defining a new category for product decisions. Kavitha is responsible for driving global transformation and innovation across all facets of Zscaler’s business, customers, strategy, products, and operations, with a strong focus on customer value creation.
Kavitha holds a Bachelor of Engineering in Communication Engineering from the Royal Melbourne Institute of Technology, Australia, and a Master of Science in Cybersecurity Risk and Strategy from New York University School of Law and Tandon School of Engineering.

 

Dhawal Sharma, Senior Vice President & General Manager, Product Management, Zscaler

Dhawal Sharma is Senior Vice President & General Manager of Product Management at Zscaler. He led all core product management from 2012 to 2018 and currently leads all emerging product and core platform responsibilities. His specialties are in cloud security, networking, data path, IoT, NFV, NPM, DLP, and compliance.

Prior to joining Zscaler, he has worked in product management, product marketing and head of sales roles in the space of security, networking, compliance and network management at large companies such as Cisco as well as in tech startups.

Dhawal has a technical MBA degree from Symbiosis Center for IT where he achieved the best academic performance with a specialization in Networking and IT Infrastructure and he also holds a Bachelors in Engineering degree specializing in Computer Science. Dhawal also holds multiple patents in the security space along with many technical certifications in the past.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Karissa Breen [00:00:16]:
Welcome to KB On the Go. And today, I’m on the go in sunny and hot Las Vegas with Zscaler, and I’m reporting on the ground here at the Bellagio for the Zenith Live conference. Zenith Live is the premier learning conference where experts converge to share the latest in zero trust networking and AI security to protect and enable organizations. I’ve got a few executive interviews up my sleeve, so please stay tuned. Joining me now in person is Kavitha Mariappan, EVP, customer experience and transformation from Zscaler. Kavitha, thanks for joining, and welcome.

Kavitha Mariappan [00:00:47]:
Thank you, Karissa, for having me, and, lovely to see you again.

Karissa Breen [00:00:50]:
Okay. So couple of questions for you. So maybe let’s start with, can you explain how Zscaler works with businesses of all sizes and sectors to help them grow, particularly in cybersecurity? I mean, I’ve been listening to the keynotes in the last few days, so obviously people have spoken about, you know, different sectors, etcetera, but it’d be good to sort of hear your thoughts of your perspective.

Kavitha Mariappan [00:01:11]:
Yeah. Happy to. So one of the ways Zscaler helps our customers grow is by reducing their IT and security overhead. One of the main benefits of cloud solutions as we know is agility and their efficiency. The same goes for cloud security. By routing traffic through Zscaler Security Cloud, customers eliminate a lot of the overhead and the costs associated with maintaining upgrading their own security stack. Also, having users connect directly to the Internet becomes a very viable option, essentially turning branch offices into Internet cafes. So this really helps customers cut down on their need for expensive MPLS connections and other networking costs.

Kavitha Mariappan [00:01:53]:
If you heard in Jay’s keynote yesterday where he had one of our customers from FedEx share how much they have cut in, you know, in terms of MPLS backlinks and costs associated with that, that has really helped them reinvest that money into the type of technology and solutions they need, putting money back into the business and while really maintaining a very high fidelity security posture. We’re helping our customers succeed is also by reducing costs associated with cyber incidents and data breaches. There’s data that shows about companies spend about $219,000,000,000 globally on security solutions. But still breaches are happening. Alright? Why? You ask that question. What we’re doing is helping to eliminate solutions like VPNs and firewalls, which can be really expensive to own and operate for customers. Right? And yet they still enable breaches through zero-day vulnerabilities and configuration issues. By eliminating these point products, by eliminating VPNs and firewalls and the like, we are really able to help our customers, you know, maintain a very sound security posture and, like, cut out costs.

Kavitha Mariappan [00:02:59]:
One thing we often say is that complexity is the enemy of security. The Zscaler simplified architecture actually shows that organizations can become more secure as they cut costs associated with IT and security. A testimony to that, we, I know statistics from, you know, just July 31, 2023, we expanded our operations to over 7,700 customers across major industries such as finance, health care, public sector, etcetera. And these we’ve got users that, you know, span over 185 countries.

Karissa Breen [00:03:36]:
So going back to the complexity side of things, do you think that’s just been something that we’ve built a rod for our own back a little bit, like creating this complexity?

Kavitha Mariappan [00:03:44]:
Well, I think part of this is well, interesting question. Right? I don’t think people go in with the with the motive to create complexity. You’ve got changing workloads. I mean, if you just think about what a security IT team have to grapple with right now, they’re grappling with users in the office and users who are remote. You’ve got users in all types of locations. Right? Seagoing vessels, etcetera. You in remote locations, you’ve got active, you know, users who are in active military. You’re also trying to manage multiple devices between phones, laptops, devices, IoT, OT devices, electric cars.

Kavitha Mariappan [00:04:20]:
You are also dealing with factory and a lot of other factories and other devices, OT devices. While you’re doing that, we’ve also had an explosion of applications and data that’s been, you know, needs to be managed, needs to be stored, needs to be secured. And we’ve had mega trends come in such as obviously we’ve talked about mobility, the cloud, AI. Right? IoT, OT. So while all of this is happening, business is running. Right? So naturally, as the mega trends have hit, people have continued to invest to scale. However, by investing to scale and by not thinking about actually deploying something that is cloud native and mobile first, they’ve increased a lot of the complexity in their environments. So I think one of the things one of the premise of, you know, what we did and have done at Zscaler is to not reverse engineer our solution and our technology and our platform, but to take a clean look at what a mobile first and cloud native world would look like and engineer that from, you know, from that perspective.

Kavitha Mariappan [00:05:24]:
So, yes, I mean, removing complexity is critical to ensuring that you have less points on the Internet that can be breached. Right? And your crown jewels are protected and that you’re really preventing, 1, the breach, 2, the lateral movement of said threat actors, and 3, obviously, exfiltration of, you know, critical data in the crown jewels and, you know, valuable credentials and data being stolen.

Karissa Breen [00:05:51]:
What does a mobile first and cloud native world look like to you?

Kavitha Mariappan [00:05:57]:
Well, I think we’re living it every day. Right? I mean, you and I are sitting here in Las Vegas, mobile phones, laptops, recording what we’re recording. They’re going to, you know, create the material from this interview and you’re going to send it back to your team in Australia, you know, across the hotel’s, you know, Wi-Fi network and, you know, your organization is gonna access this information. I mean, you are mobile, you know? We’re accessing very critical information. You’re storing, you know, very valuable information. You’re monetizing. This is part of business. Right? So if you start thinking about what that looks like, we are doing business today in a very fast moving, agile, mobile first world, and the cloud is a very critical part of day to day functioning. So, I mean, if you really think about it today, the cloud has become the new data center and the Internet has really become the new network.

Kavitha Mariappan [00:06:48]:
Right? By which we all not, you know, do business, work, play, socialize, and and the likes of or entertain ourselves.

Karissa Breen [00:06:56]:
So from your point of view with your role, what are some of the challenges that you sort of face in speaking to customers? What are some of their reservations, would you say, when it comes to everything we’ve just discussed in terms of mobile first plan velocity of how we’re operating within our businesses?

Kavitha Mariappan [00:07:12]:
I don’t think necessarily that folks have reservations so much as cutting costs, right, and managing costs and managing resources. And also, I think when you think about, you know, these these mega trends and and then you think about digitizing an environment. Right? That’s a massive undertaking. And so there’s sometimes inertia that sets in where folks are there’s a trepidation in terms of moving to making these major changes. Right? Because it is risky undertaking and all undertaking those challenges or or on sorry. Not challenges, but undertaking that as an initiative can be folks can be quite risk averse not knowing what the outcome can be like. It’s also a major lift within the organization. It changes it’s not just a technology decision.

Kavitha Mariappan [00:07:58]:
It’s a cultural decision. How the organization functions and works will change. But I think the other the other challenge is also proving to upper management this is the right way to do things. I think the other element of it is people are very comfortable deploying or working with what they’ve worked with. Like, you know, a lot of people deploy firewalls. It’s the way we we we know people have traditionally done things. Use VPNs to connect remotely. And so when that sort of comfort sets in or, you know, and people don’t want to make changes.

Kavitha Mariappan [00:08:25]:
You know, there’s also a little element here of protecting what I know versus what I don’t know. Meaning, will I not have a job if I move to something different because I’m not skilled to do those things. But the benefits far outweigh these perceived negatives. Right? Because the benefits of moving into a cloud, more cloud friendly world more, you know, gives you the agility, gives you the cost cost benefits, allows companies to be highly innovative, allows them to be more profitable.

Karissa Breen [00:08:53]:
So maybe let’s focus on a little bit some of the cyber trends that you’re witnessing in the ANZ region. Obviously, you haven’t based in ANZ, so I think it’d be great to get some insights from your point of view.

Kavitha Mariappan [00:09:04]:
You know, recently had a discussion with the security leader in New Zealand, actually, and you might have watched the the LinkedIn live with a recording from a major insurance company that serves, I would say, Australasia. And, you know, one of the things he said was we’re I I love this quote from him, and he said we’re all strung together with little pieces of fiber. There’s really little difference between New Zealand, Australia, the the region. And while I love that sentiment, I think there’s also a lot of truth to it if you look at Australia today. I mean, looking at that Medibank breach that happened in 2022 really opened a lot of Australians’ eyes and in the region, right, to how dangerous a data breach could be. And this is one of the largest instances that we’ve seen to date, definitely not the only one, where threat actors were so selectively releasing information that they thought could pressure the company into paying ransom. Doxing famous people and, you know, even women who had sought reproductive care for instance. Right? If you flash forward a few months to a few months ago in May, was another large insurer who was caught up in a ransomware breach, in in the region.

Kavitha Mariappan [00:10:10]:
And I think this really tells us a couple of things. One is that security has not improved in a meaningful way across the board yet. Even though there’s a tremendous amount of user awareness and the Australian government’s willingness and commitment to really stepping up to say that, you know, if the country as a whole does not address this problem, then the government’s going to. Right? And it’s going to be something that, like, has to be focused on. And I think the other thing we’re seeing is that ransomware actors are well aware of how lucrative this type of data is, like the health care data, etcetera, and what they can fetch right out in the dark web. And so they’re willing to hold, you know, a lot of these organizations ransom. So I think one thing is, you know, witnessing by you know, what we’re with we’re all witnessing in the region is that we’ve gotta learn and act on this. Right? And it is a responsibility both in our trifold between the government, the private sector, as well as user awareness.

Kavitha Mariappan [00:11:09]:
And I think one of the regions that I’ve seen so much cyber literacy being pushed down to not pushed down, but pushed across to its citizens has been, you know, the Australasian region, right, especially Australia. So there’s a lot happening there. There’s a lot that needs to be done. I think it’s still still a a huge gap in terms of making sure we’re ready to mitigate some of this or or at least be proactively able to predict these threats before they even occur.

Karissa Breen [00:11:38]:
Do you think it’s trending in the right direction? I get your point. You said user awareness, breaches. I think you are getting there, but do you think it’s increased since the 2022 sort of Medibank breach?

Kavitha Mariappan [00:11:48]:
Well, I think we’ve seen quite a few since 2022. Right? I mean, we’ve seen Medibank synopsis, you know, seen quite a few. Look, I think it’s a global problem. It’s everywhere. But in Australia, I think, like, specific to the geo and the specific to the cadence of what’s happened could be isolated. But, you know, I I have to say I think it’s trending in the right direction just because of how how committed the government, both at the state and the federal level have been. Just a lot of campaigns and strategy that they’re putting together as well that’s that’s been at least showing or cleared from a directionally going, you know, in the right direction, right, for for what needs to get done. I don’t know.

Kavitha Mariappan [00:12:29]:
I can’t predictively say, look, it’s all improved, but I think it’s a lot of work to do. Lots of work to do. But it’s going in the right direction. Awareness is key. Commitment is key. Companies, organizations between government and private sector actually embracing zero trust and actually digitizing the environment and really trying to move in that direction is key, but I think we need them to go faster, if anything.

Karissa Breen [00:12:52]:
Do you think there’s a bit of a geopolitical element here as well?

Kavitha Mariappan [00:12:53]:
Absolutely. I think, you know, by virtue of where Australia is located geographically, we’ve always been in the center of a lot of geopolitical focus and movement. Right? I think a lot of many analysts consider this to be a very strategic region. I think we also see cyber as a way of keeping those one would presume to be adversaries in the back foot. But just at the end of last year, ACUS believed to be working on behalf of China attacked 4 Australian ports along with other critical infrastructure assets. So there’s clearly an instance of sort of probing critical infrastructure for cyber weaknesses in the region. Now should those become useful later? We’ll see. But we saw the exact same thing happen in the US recently as well.

Kavitha Mariappan [00:13:36]:
So definitely based on the region, I think a couple years ago when you and I did an interview, we talked about media in Australia. Right? Like, you know, why that was interesting. Couple of media companies that were getting breached, but absolutely, I think the proximity makes Australia quite vulnerable in that sense.

Karissa Breen [00:13:52]:
So a couple of questions before we wrap up. I’m then curious to know, again, with your role, speaking a lot of customers at the coalface, so what are some of the insights about customer behavior that you can sort of share with us? Like, what are people sort of saying? What are their thoughts?

Kavitha Mariappan [00:14:04]:
Yeah. I have to I mean, one of the things I’d say the trend that I’m most excited about is, like, the growing awareness around zero trust security that is more and more a proven paradigm for IT and security. Right? A framework, a proven paradigm, and organizations seeing that this is helping them maintain a high cyber risk level of cyber risk posture. Right? So when a select group of technologies are getting together back in 2009 to discuss the possibility of a perimeter less security environment, it wasn’t really on the radar for a lot of companies. And then when the term zero trust was coined, a lot of folks were quite skeptical about this. Like, what is this? Is this marketing, or is this actually real? Right? But you fast forward now, 2024, we’re seeing so much momentum behind zero trust. It’s clearly, you know, an embraced framework by many IT and security leaders both in, you know, the private enterprise as well as the public sector globally, and I think we’re seeing that momentum growing. And I see that with the customers, you know, that we’re working with.

Kavitha Mariappan [00:15:13]:
I think as well as the Google partnership that we just announced here at Zenith Live yesterday is, you know, further evidence to that. Right? By integrating Google’s cloud offering, we’re ensuring that hundreds of millions of users around the world will automatically connect based on zero trust principles without the need for VPNs or any new enterprise browsers just, you know, by them using Chrome right now. And, of course, our enterprise customers today are very excited about AI’s potential. Right? For IT and security, capabilities for recognizing and responding to threats will greatly be enhanced by a lot of these new and this new partnership we also announced with NVIDIA. But even prior to that, we were using AI in a kind of formidable data capacity with what we have and with our security cloud. You know, we’re able to inform many insights to advise IT leaders on risk quantification and business insights, like how many software licenses are gonna be unused, which is sort of really helping their departments cut spending. Sometimes that resonates very well with the rest of the business. So as I said earlier, this isn’t just about a technology solution, but this really is about a business solution.

Kavitha Mariappan [00:16:27]:
Right? The business outcomes.

Karissa Breen [00:16:28]:
Then for 2024, I know we’re midway through. What sort of your focus? What can people expect?

Kavitha Mariappan [00:16:37]:
Yeah. Look, I think one of the things you heard yesterday. Right? I mean, tongue in cheek, you know, and during the keynote, Jay, thank you so much for not, like, plugging AI so much and then right? But we and Jay said, yes, but I’m gonna have to mention it now. Right? We are gonna see start to see a battle where we’re fighting AI generated threats with AI solutions. Right? AI security. And we’ve been focused on AI as an asset for, you know, like, for defenders. But in reality, we can also definitely expect these threat actors to make use of these capabilities to create even more nefarious, perform more nefarious acts. So as Jay pointed out yesterday, you’re gonna start seeing, it’s gonna be trivially easy, right, for these threat actors who have large language models like ChatGPT to do the dirty work of discovering common exploits or even construct sort of malware variants with them. So we’re gonna have to build, and you’ll see, you know, building more, you know, leveraging AI to build more predictive threat detection solutions and the ability to understand patterns and infer, correlate, and sort of we can do better predictive analysis and also mitigation.

Kavitha Mariappan [00:17:53]:
So you rather than just flagging threats. Right? It’s knowing that this is really gonna happen. We’re seeing some trends. We’re seeing behavior. You know, bringing things like identity, posture, all of that into play, and being able to, like, make better decisions that will, you know, make these types of threats a nonevent. That’ll be 1. I reckon the other thing you’re gonna see is we’re gonna see more often 2024 is gonna be the rise of zero trust leading to a firewall free enterprise. I think we’ve seen this.

Kavitha Mariappan [00:18:23]:
Right? You know, just the recent sort of Ivanti vulnerability that just happened, another one. Firewalls have proven to be ineffective. Like, legacy firewalls have been proven to be ineffective in shielding companies from zero-day threats. Security leaders are searching for new methodologies for protecting their organizations, and I think, like, we’re gonna start seeing more and more of that. So that’s an you know, as you’ve known, we are committed to, you know, in that direction, always have been, and you’re gonna see more and more of a firewall free enterprise. Another one, another area we made a couple announcements, we talked about a couple of things this time around was, around network segmentation. One major acquisition that we’ve done just recently is the Airgap acquisition. Right? And I think as we’ve sort of talked about, the problem with that free zero trust type thinking in the legacy world is if you’re on a network, physical network that you’re trusted, well, we’re not all sitting in an office or in a building, like, tethered, right, to our desks.

Kavitha Mariappan [00:19:24]:
So this notion of physical security or this notion of the network in its, you know, legacy construct does no longer exist. The zero trust segmentation ensures that is no longer the case. Right? So we can segment access to resources to a much greater degree and much finer granularity. I would say that means criminals can no longer access the crown jewels of the organization just by overcoming sort of the weakest points in your network and/or weakness of the network security solution implemented. Important thing to say is network security is not equal to zero trust security. You have a much higher level of security and protection from zero trust security. I’d say one other thing you’re gonna see also is around zero trust SD-WAN displacing traditional SD-WANs. So when software defined wide area networks first came along several years ago, they were quite amazing for the ability to connect your organization’s assets at a sort of fraction of the cost of MPLS.

Kavitha Mariappan [00:20:31]:
Heard it again yes let know yesterday around high cost of these MPLS backlinks. Right? But today we know that, yes, they may have been helping cost optimize, but they’re also plagued by so many common security issues like that that really have enabled a lot of lateral threat propagation across the environment, right, and movement. So what we found is that by applying the very same principles of zero trust secured, zero trust the zero trust framework principles to the SD-WAN branch connectivity, we can just make them as secure as any traffic flowing through the Zscaler Zero Trust Exchange. So I’d say those are, like, the 4 core areas, predictions, and, you know, that I see making significant movements and momentum in 2024.

Karissa Breen [00:21:22]:
Joining me now in person is Dhawal Sharma, SVP and GM product management from Zscaler. So, Dhawal, thanks for joining and welcome.

Dhawal Sharma [00:21:29]:
Thank you.

Karissa Breen [00:21:30]:
So you’ve presented today at Zenith Live. So maybe share with me what you have discussed first, and then I sort of want to get into a little bit more of the specifics.

Dhawal Sharma [00:21:40]:
There were 2 broad areas that I’m talking about in my keynote. 1 is around our platform innovations. How the Zscaler platform has been evolving over the last few years and new capabilities and experience that we are introducing as part of it. And the second part of my keynote is around innovations in the zero trust networking stack. So platform innovations tied to key platform services like how our customers use our platforms like administrative experiences, automation and programmability, identity and access, and very interesting capabilities around Copilot as well. And then, in zero trust networking, we’ll be able to talk about innovations on introducing more capabilities on our private access service and new innovations in cloud and branch connectivity.

Karissa Breen [00:22:30]:
Okay. I wanna get into the innovation zero trust. So, would you say zero trust is like becoming one of those phrases in the market that people’s eyes are starting to sort of glaze over and their eyes are sort of rolling back in the back of their head. So, when you say innovation, what does that actually mean for people? What what do we get?

Dhawal Sharma [00:22:49]:
So, I kicked off my keynote with explaining how Zscaler has been first to the market with many innovations like introducing a cloud based secure web gateway, zero trust network access or ZTNA market did not exist when we introduced ZPA product into the market. And over a period of time, I think it’s a strong validation that the industry is using some of these acronyms like ZTNA and private access. To us, zero trust is all about not putting trust in the network, but tying trust or tying the access to the identity and the context of identity. So, taking network away from the access layer, all the technology innovations we keep doing are tied to the fact that we started by taking users out of the network and over a period of time extended the same platform to build zero trust architecture for workloads and critical infrastructure and assets running on the branch and factories as well.

Karissa Breen [00:23:45]:
Do you think from your experience people really understand zero trust? Because for someone sitting in my position at the coalface of interviewing people at your level, multiple organizations right around the globe, it seems that there’s different versions of zero trust. So would you mind sort of giving your version of it just so people understand in detail in that way we’re sort of singing from the same hymn book?

Dhawal Sharma [00:24:08]:
So, zero trust is not about a single product or a Zscaler’s version of zero trust. It is built using an ecosystem of capabilities and products. And this is where, in addition to what technology Zscaler build, we believe in ecosystem of partners. For example, identity plays an important role in zero trust. We work with every identity provider to get the identity of the user. But what we have also noticed is that identities are static. Identities can be stolen. But the rich context or attributes that are tied to users are things that we are seeing in line in real time all the time, and we are using them to determine the policies.

Dhawal Sharma [00:24:50]:
So those signals become very important in addition to identity. Likewise, understanding the context of user’s device is very important. Coming from a corporate versus non corporate device might mean different kind of policies in organization. So, our integration with EDR vendors come very handy in that space. So, going back to your question now from our perspective, zero trust really means that not putting implicit trust in network or any hard asset, but understanding which source which is typically a user is trying to connect to what destination and then having dynamic conditional access based policies that could be applied to that traffic.

Karissa Breen [00:25:28]:
Talk to me about conditional access. What do you mean by that specifically?

Dhawal Sharma [00:25:31]:
Yeah. So, one of the thing that I talked about in my keynote is the concept of adaptive access. So, there are multiple attributes that we see in Zscaler world or signals that get generated based on which access could be regulated. For example, there are some raw signals like I’m sitting right now in Las Vegas here, but if our company starts seeing my traffic coming from China at the same time it means that there’s something wrong with my identity. So, a lot of my privileged access that I have to certain system could be revoked based on that signal. There are also more complex aggregated signals like risk score, which looks at multiple attributes and we are computing this risk score in real time. Every 2 minutes we compute it. So, if all of a sudden my laptop starts making lot of botnet calls or let’s say I’m doing some anomalous behavior downloading large volume of files middle of the day, which I never do normally.

Dhawal Sharma [00:26:27]:
So, my access profile could be changed. So, all these conditions are based on the access of the users and signals that we are seeing. So identity systems have a list of attributes like user belongs to a certain group or department in the organization or do they have risky behavior on their device or tied to their identity. Bringing this additional context is very important. And in addition to Zscaler context, we are able to leverage the context signals that come from our partners like Google Chrome partnership that we announced where we are able to get device signals from a BYOD from Chrome instead of running a Zscaler client on it.

Karissa Breen [00:27:03]:
So let’s keep going with that example. So hypothetically, I’m from Sydney, Australia. I’ve now traveled to Las Vegas. How could it be like, hey, that looks suspicious. Karissa is not really in Las Vegas. How does it sort of know based on your conditional logic that they’re not false positive? Whereas, in fact, I’m actually here.

Dhawal Sharma [00:27:19]:
So, all the policies typically are tied to users. Right? So, there’s a policy for Karissa which says Karissa has access to x number of SaaS application, let’s say Salesforce and WordPress, and, then access to certain private applications like maybe your internal file upload in server for example. So, in a typical world, your access is tied to your identity. Right? Now, since Karissa moved here to Las Vegas, our policies are also geo location aware. We can see that your traffic is hitting our US West Coast data centers. But, we are also seeing at the same time your profile is being used somewhere else. Let’s say your identity got compromised and someone is logged in as Karissa into your Salesforce account as well. So, we can say Karissa cannot be logged into the same account at the same time.

Dhawal Sharma [00:28:04]:
So, this generates the alert. And even if you have access established, one of the big challenges we see in organization especially with private applications is that users connect to applications and these applications have long lived connections, which means you authenticate once a day or sometimes once a week. And that access is there. So, with this adaptive access framework, if I see such anomalous behavior, I can revoke your access even for established connections. And another capability that I talked about or innovation that we are introducing is the concept of step up authentication. Now, step up authentication already exists in industry. Right? We have integrated with every identity provider to support step up auth. The challenge we see, especially in large organizations, is that they have many legacy applications that do not support modern authentication frameworks. For those applications, things like MFA and step up authentication do not work.

Dhawal Sharma [00:29:02]:
We, being an inline platform, can bring the same step up authentication behavior for critical assets that are not modern authentication compliant and still work with your MFA platforms like authenticator apps, etcetera, to bring additional security and access controls for your legacy as well as modern applications.

Karissa Breen [00:29:22]:
So, going back to the alert. So, how quickly would that happen? So, that would raise an alert and then automatically just revoke all my access. Then does someone so, obviously, that’s AI related based on my activity, but then what happens if it was legitimate and I was like, hey, I’m actually here. Does someone then go and manually review it?

Dhawal Sharma [00:29:39]:
So, there are a couple of ways to do that. You can have policy automation around these kind of use cases. One of them is to say, I’m not gonna revoke Karissa’s access, but I’m gonna push a type of authentication signal which says, hey Karissa, prove it. It is you who’s coming from Las Vegas. So, we might ask you to input your authenticator app, a code that is shown there to continue having your access. If you input your code, you continue to have your access to the application. If you’re not, then probably you’re not Karissa who’s accessing that application anymore. But instead of revoking access, you can also create an alert of that that could go to your service desk or could be sent to your, like, security team saying we are seeing anomalous behavior tied to this user.

Dhawal Sharma [00:30:22]:
So it is very organizational, I would say, policy and security posture driven configuration that we can support.

Karissa Breen [00:30:29]:
So going back to the policies, some of these things in my experience as well, working on an enterprise side, historically in security, like policy schmallicy because it’s very easy to write a very long document about these all the things trying to get people to adhere to it, then trying to implement security controls against that is hard. What would be your advice to doing that effectively?

Dhawal Sharma [00:30:49]:
This is a very good question, first of all. I see a lot of customers who come to Zscaler from legacy appliance based world and they have built very complicated policies over decades, and then they want to replicate the same thing in Zscaler. Though we can technically support it, it’s a good time for them to rethink how they have traditionally done policies. Right? So instead of doing very, very hard coded network or URL filtering based policies or hard coded application based policies, in the private access world, it’s opposite problem. With VPNs, you typically connect to a network and you have access to everything. It is the job of the network team to keep reducing the network blast radius or doing more segmentation with network segmentation. We instead would have customers come and identify who needs access to what. Right? And at that point, your first goal should be that any name space exposure or external attack surface that you have should disappear.

Dhawal Sharma [00:31:50]:
So, the moment you start using our product, your external attack surface comes behind Zscaler. But the internal attack surface or the internal exposure still stays there like an over privileged user or a compromised user. So, in order to reduce that attack surface, you should leverage ML based capabilities we have in our product where we understand who’s accessing what application. They belong to what group or department in the organization like marketing accesses these 10 applications. So, we can recommend policies with machine learning and with a click of a button you can build fully automated policy. So, take a crawl, walk, run approach. Simplify your access policies. Reduce your external attack surface.

Dhawal Sharma [00:32:31]:
Then go to build more granular policies for your crown jewel applications.

Karissa Breen [00:32:34]:
Requires a lot of time to do that and head space that people don’t have. Trying to keep their head above the water, trying to do all of the things and it’s like policy is sort of the back of people’s minds.

Dhawal Sharma [00:32:43]:
So, again, the way to think about that is you do not revoke any access on day 1. You give people what they had entitlement to using their traditional appliances or firewalls as well. In this case, what we are doing is we are reducing the external exposure. So, everything keeps working the way they are working. Right? You know what your top 10 crown jewel applications are. So, you build access policies for them. Every company has tons of shadow IT applications. They only have a handful of real enterprise apps.

Dhawal Sharma [00:33:11]:
So build broader policies for them from an access boundary perspective. And within a couple of weeks time frame as our customers start sending their traffic through us and we start understanding who’s going where and doing what, then our ML engines kick in. We can start recommending more granular policies to you where for very large organization it is not possible for human beings to heal the policy framework. So, this is why it is important to start at a broader access level, then go to crown jewels and then build a broader segmentation policy framework.

Karissa Breen [00:33:44]:
Just sort of zooming out for a moment going back on this zero trust, what do you think people just don’t get about it still?

Dhawal Sharma [00:33:49]:
One of the key challenges that I’ve seen is especially there is a lot of confusion around what zero trust means. If you look at traditional network security appliance vendors, they are trying to build zero trust with the same network appliances by trying to take those in a virtualized form factor to the cloud and calling them zero trust. Or sometimes they are still building those trusted, untrusted network and connecting networks and putting boundaries around the network to call it zero trust. In my opinion, the challenge that customers face in those architectures is while they are able to shrink their attack surface with a lot of manual and complex configuration, you still have the network paths open. A legitimate application needs to talk to another application and a certain port might be open. If that asset gets compromised, then the threat will move laterally. So the confusion in customer’s mind is, can I build segmentation with network? Just remember that network security based tool. So you are still segmenting networks in that scenario.

Dhawal Sharma [00:34:51]:
You are not creating a real zero trust access policy tied to the user. Most of the network security vendors still take the user identity and map it to an IP or a network layer or network construct. We are not doing that. That defeats the purpose of doing zero trust segmentation or zero trust policies.

Karissa Breen [00:35:09]:
So I’m curious then to understand. So if you look at a bank, so I’ve worked in a bank before, like you’ve got legacy systems, super old, you know, critical systems. How does this sort of approach work? I mean, it’s easy for like more of a modern company that’s cloud based and it’s, you know, relatively new to implement something about what Zscaler does. But for these companies that have remained for hundreds of years and they’ve got all these old records and who knows where. How does this work for these types of organizations?

Dhawal Sharma [00:35:34]:
The good thing is our solution is application agnostic. We have many, many large banks who still use mainframes. We have manufacturing companies with 30, 40 year old infrastructure applications. In fact, we still have healthcare customers who still have a lot of Windows XP in their environment. So, we try to stay agnostic of what application is running. Think of it this way. Like, I am trying to give customers a gateway to applications, but that gateway is not taking any inbound request. Because if anything can connect to you inbound, that creates an exposure or attack surface.

Dhawal Sharma [00:36:12]:
In fact, the connectors or gateways that we deploy in order to give you access are only calling outbound to Zscaler Cloud. And they are doing it with the identity of that appliance that we understand. And then we establish the connection from the user or whatever is trying to initiate the connection. And the application behind that could be a mainframe application, could be a legacy application. In fact, most of our large customers have started by putting, especially in manufacturing space, using ZPA to protect their legacy application first. To your point, for modern application, they still have some form of zero trust that they can get in the cloud from the hyperscalers like AWS or Google. But, the legacy application is where there’s a real pain point. Like, one common scenario that I’ve seen in banking, and also in manufacturing, is there are many third party contractors maintaining your applications.

Dhawal Sharma [00:37:07]:
Right? And they get network based access through VPN or through firewall. And, you do not know what is the security posture of your partner or the contractor who is giving you that service on their devices or on their network. So, you are basically connecting an unknown entity to your network, traditionally called extranet, but plumbing it is third party network to you. And a lot of ransomware attacks that we see happen by compromising a contractor or a third party and getting into your network. So, our goal is that even in that scenario, we can build a zero trust architecture where we take the identity of that source either by connecting to their directory or the enterprise directory or even replacing the need for a site to site VPN with our newly introduced branch offering. Right? You can deploy a branch appliance to establish zero trust connectivity even without the user context. And, that really shrinks your attack surface from that attack vector very significantly.

Karissa Breen [00:38:04]:
Why do you think it’s primarily contractors in terms of your ransomware example you said before?

Dhawal Sharma [00:38:09]:
So, there are a few problems we have seen. I’m not saying everyone has the same problem, but third party contractors might not use a hardened laptop or an asset like you will give to your employees. They could be coming from anywhere.

Karissa Breen [00:38:22]:
The BYOD.

Dhawal Sharma [00:38:23]:
BYOD or they could be having their employer provided assets that you don’t know what is the security posture on them. Also, third party contractors sometimes have multiple shared VPN profiles. Right? So they will have connectivity coming into your network from multiple VPNs across the globe, and you’re not doing strong identity validation. We also have seen, especially in manufacturing world, where there is a PLC provider or a third party hardware provider who has a VPN profile that was created 10 years ago. You don’t know which user is using it. Some employee moved on. They still have the credential, but other employees are using it. So, this becomes a very tough problem to solve for our customers.

Dhawal Sharma [00:39:02]:
And, again, what we have seen is customers, to your question that you asked earlier, get very confused when the same appliance vendor says, now I have a virtual appliance in the cloud. You can come to my cloud instead of deploying the on premise firewall or VPN appliance. But, what they fail to realize is that it’s still creating a network connection. Now coming via cloud instead of coming directly into your network.

Karissa Breen [00:39:26]:
What do you think about the future of VPN?

Dhawal Sharma [00:39:28]:
I think VPN has no future. That needs to go away.

Karissa Breen [00:39:32]:
Do you think people would agree with that? Like in terms like if you look at customers, a lot of people still talk about VPN and that’s how they operate. I mean, I know, you know, companies like yours are saying like there is no future, etcetera, and then become obsolete, but how long is that gonna take? Because you’re saying before, people still running Windows XP. That was ages ago. We’re talking about VPN. It’s not going to just sort of phase out overnight.

Dhawal Sharma [00:39:52]:
So we have seen a significant uptick during COVID time frame and most companies have some form of hybrid working arrangement, whether employee come one day a week or 4 days a week. They have some flexibility to work. In fact, most of our large customers who move to ZPA for remote work, they’ve started bringing employees back to work. They immediately started telling us, we do not need to connect these users to our network because they are coming back to office. So, they started building cafe like branches where user gets access to application even when they are inside the network, or inside their office building without connecting to the network. So, they are building it inside out or universal zero trust architecture expanding to users even sitting on premise. So, while some VPN will continue to exist, but the use cases for VPN, keeping in mind the level of vulnerabilities we have seen on firewalls and VPN coming in last 2, 3 years. The vulnerability that we saw with Ivanti, we saw with Palo Alto, which was a critical vulnerability at CVE ten level.

Dhawal Sharma [00:40:56]:
These kind of things are making security take more corrective action. And another big thing that I personally observed, which is making customers retire their VPNs faster, is traditionally, VPN was owned by networking team because it was seen as an access mechanism not as a security mechanism. Zero trust is a broader CIO and a CISO initiative. So networking and security is working together to retire these VPNs and we think over a period of time the same fate will be met with firewalls as well.

Karissa Breen [00:41:27]:
So who would own that then? And I know you said to blame between and CISO. Mhmm. But sometimes there is a little bit of conflict between those two areas that are trying to work together in unity. Mhmm. So how would you advise people to do that effectively? Who sort of owns it then?

Dhawal Sharma [00:41:42]:
Typically what we have seen, again, not naming any customers, but large customers who are doing very successful zero trust deployments. Security teams own the policy, but the infrastructure is owned by the networking teams. And CIOs are the forcing functions, and CSOs and CTOs or head of networking and infrastructure are owner of their respective areas.

Karissa Breen [00:42:06]:
And there you have it. This is KB on the go. Stay tuned for more.
