Episode Transcript
[00:00:16] Speaker A: Welcome to K beyond the go. And today I'm on the go in sunny and hot Las Vegas with Zscaler. And I'm reporting on the ground here at the Bellagio for the Zenith live conference. Zenith Live is the premier learning conference where experts converge to share the latest in zero trust, networking and AI security to protect and enable organizations. I've got a few executive interviews up my sleeve, so please stay tuned. Joining me now in person is Kavitha Maryapan, EVP customer experience and transformation from Zscaler. Kavitha, thanks for joining and welcome.
[00:00:47] Speaker B: Thank you, Krista, for having me. And it's lovely to see you again.
[00:00:50] Speaker A: Okay, so a couple of questions for you. So maybe let's start with can you explain how Zscaler works with businesses of all sizes and sectors to help them grow, particularly in cybersecurity? I mean, I've been listening to the keynote to the last few days, so obviously people have spoken about different sectors, etcetera, but it'd be good to sort of hear your thoughts on your perspective.
[00:01:11] Speaker B: Yeah, happy to. So one of the ways these scaler helps our customers grow is by reducing their it and security overhead. One of the main benefits of cloud solutions, as we know, is agility and efficiency. The same goes for cloud security. By routing traffic through Zscaler security, cloud customers eliminate a lot of the overhead and the costs associated with maintaining and upgrading their own security stacks. Also, having users connect directly to the Internet becomes a very viable option, essentially turning branch offices into Internet cafes. So this really helps customers cut down on their need for expensive mpls connections and other networking costs. If you heard in Jay's keynote yesterday where he had one of our customers from FedEx share how much they have cut in terms of mpls, backlinks and costs associated with that, that has really helped them reinvest that money into the type of technology and solutions they need, putting money back into the business. And while really maintaining a very high fidelity security posture, we're helping our customers succeed. It's also by reducing costs associated with cyber incidents and data breaches. There's data that shows about companies spend about $219 billion globally on security solutions, but still breaches are happening, right? Why you ask that question? What we're doing is helping to eliminate solutions like VPN's and firewalls, which can be really expensive to own and operate for customers, right? And yet they still enable breaches through zero day vulnerabilities and configuration issues. So by eliminating these point progress, by eliminating VPN's and firewalls and the like, we are really able to help our customers maintain a very sound security posture and, like, cut out costs. One thing we often say is that complexity is the enemy of security. The Z scale simplified architecture actually shows that organizations can become more secure as they cut costs associated with it and security. A testimony to that. We know statistics. From just July 31, 2023, we expanded our operations to over 7700 customers across major industries, such as finance, healthcare, public sector, etcetera. And these. We've got users that span over 185 countries.
[00:03:35] Speaker A: So going back to the complexity side of things, do you think that's just been something that we've built a rod for our own back a little bit, like creating this complexity?
[00:03:44] Speaker B: Well, I think part of this is an interesting question, right? I don't think people go in with the motive to create complexity. You've got changing workloads. I mean, if you just think about what a security it team have to grapple with right now, they're grappling with users in the office and users who are remote. You've got users in all types of locations, right? Seagoing vessels, etcetera. In remote locations, you've got active, you know, users who are in active military. You're also trying to manage multiple devices between phones, laptops, devices, iotot devices, electric cars. You are also dealing with factory and a lot of other factories and other devices ot devices. While you're doing that, we've also had an explosion of applications and data that's been, you know, needs to be managed, needs to be stored, needs to be secured, and we've had mega trends come in, such as, obviously, we've talked about mobility, the cloud AI, right? Iot ot. So while all of this is happening, business is running, right? So, naturally, as the mega trends have hit, people have continued to invest to scale. However, by investing to scale and but not thinking about actually deploying something that is cloud native and mobile first, they've increased a lot of the complexity in their environments. So I think one of the things, one of the premise of, you know, what we did and have done at Zscaler is to not reverse engineer our solution and our technology and our platform, but to take a clean look at what a mobile first and cloud native world would look like and engineer that from that perspective. So, yes, I mean, removing complexity is critical to ensuring that you have less points on the Internet that can be breached, right, and your crown jewels are protected and that you're really preventing, one, the breach to the lateral movement of said threat actors, and three, obviously, exfiltration of critical data on the crown jewels and valuable credentials and data being stolen.
[00:05:51] Speaker A: What does a mobile first and cloud native world look like to you?
[00:05:55] Speaker B: Well, I think we're living it every day, right? I mean, you and I are sitting here in Las Vegas, mobile phones, laptops, recording what we're recording. You're going to create the material from this interview and you're going to send it back to your team in Australia across the hotel's WiFi network, and your organization is going to access this information. I mean, you are mobile, we're accessing very critical information. You're storing very valuable information. You're monetizing. This is part of business. So if you start thinking about what that looks like, we are doing business today in a very fast moving, agile, mobile first world, and the cloud is a very critical part of day to day functioning. So, I mean, if you really think about it today, the cloud has become the new data center and the Internet has really become the new network by which we all do business work, play, socialize and the likes of, or entertain ourselves.
[00:06:56] Speaker A: From your point of view, with your role, what are some of the challenges that you sort of face in speaking to customers? What are some of their reservations, would you say, when it comes to everything we've just discussed in terms of mobile first cloud velocity, of how we're operating within our businesses?
[00:07:12] Speaker B: I don't think necessarily that folks have reservations so much as cutting costs and managing costs and managing resources. And also, I think when you think about these mega trends and you think about digitizing an environment, right, that's a massive undertaking. And so there's sometimes inertia that sets in where folks are. There's a trepidation in terms of moving to making these major changes, right, because it is frisky undertaking and undertaking those challenges, or, sorry, not challenges, but undertaking that as an initiative can be, folks can be quite risk averse not knowing what the outcome can be like. It's also a major lift within the organization. It changes. It's not just a technology decision, it's a cultural decision. How the organization functions and works will change. But I think the other challenge is also proving to upper management this is the right way to do things. I think the other element of it is people are very comfortable deploying or working with what they've worked with, like a lot of people deploy firewalls is the way people have traditionally done things, use VPN's to connect remotely. And so when that sort of comfort sets in or, you know, and people don't want to make changes, and there's also a little element here of protecting what I know versus what I don't know. Meaning, will I not have a job if I move to something different? Because I'm not skilled to do those things. But the benefits far outweigh these perceived negatives, right? Because the benefits of moving into a cloud, more cloud friendly world, more, you know, gives you the agility, gives you the cost. Cost benefits, allows companies to be highly innovative, allows them to be more profitable.
[00:08:52] Speaker A: So maybe let's focus on a little bit some of the cyber trends that you're witnessing in the ANZ region. Obviously, I'm based in ANZ, so I think it'd be great to get some insights from your point of view.
[00:09:04] Speaker B: You know, recently had a discussion with the security leader in New Zealand, actually, and you might have watched the LinkedIn live with a recording from a major insurance company that serves, I would say, Australasia. And one of the things he said was, I love this quote from him. And he said, we're all strung together with little pieces of fiber. There's really little difference between New Zealand, Australia, the region. And while I love that sentiment, I think there's also a lot of truth to it. If you look at Australia today, looking at that Medibank breach that happened in 2022, really opened a lot of Australians eyes and in the region. Right. To how dangerous a data breach could be. And this is one of the largest instances that we've seen to date. Definitely not the only one where threat actors were so selectively releasing information that they thought could pressure the company into paying ransom. Doxxing famous people and, you know, even women who had sought reproductive care, for instance. Right. If you flash forward a few months to a few months ago in May, was another large insurer who was caught up in a ransomware breach in the region. And I think this really tells us a couple of things. One is that security has not improved in a meaningful way across the board yet, even though there's a tremendous amount of user awareness and the australian government's willingness and commitment to really stepping up to say that if the country as a whole does not address this problem, then the government's going to. It's going to be something that, like, has to be focused on. And I think the other thing we're seeing is that ransomware actors are well aware of how lucrative this type of data is, like the healthcare data, et cetera, and what they can fetch right out in the dark web. And so they're willing to hold, you know, a lot of these organizations, ransom. So I think one thing's, you know, witnessing by, you know, what we're with, we're all witnessing in the region is that we've got to learn and act on this. Right. And it is a responsibility both trifold between the government, the private sector, as well as user awareness. And I think one of the regions that I've seen so much cyber literacy being pushed down to not push down, but pushed across to its citizens has been the australasian region, especially Australia. So there's a lot happening there. There's a lot that needs to be done. I think it's still, still a huge gap in terms of making sure we're ready to mitigate some of this, or at least be proactively able to predict these threats before they even occur.
[00:11:38] Speaker A: Do you think it's trending in the right direction? I get your point. You said use your awareness, the breaches. I think people are getting there. But do you think it's increased since the 2022, sort of Medibank breach?
[00:11:48] Speaker B: Well, I think we've seen quite a few since 2022, right. I mean, we've seen Medibank synopsis, you know, seen quite a few. Look, I think it's a global problem. It's everywhere but in Australia, I think specific to the Geo and the specific to the cadence of what's happened could be isolated. But I have to say I think it's trending in the right direction just because of how committed the government, both at the state and the federal level, have been. Just a lot of campaigns and strategy that they're putting together as well that's been at least showing a cleared from a directionally going, you know, in the right direction. Right. For what needs to get done. I don't know. I can't predictively say, look, it's all improved, but I think there's still a lot of work to do, lots of work to do, but it's going in the right direction. Awareness is key, commitment is key. Companies, organizations, between government and private sector, actually embracing zero trust and actually digitizing the environment and really dying to move in that direction is key. But I think we need them to go faster, if anything.
[00:12:52] Speaker A: Do you think there's a bit of a geopolitical element here as well?
[00:12:55] Speaker B: Absolutely. I think by virtue of where Australia's located geographically, we've always been in the center of a lot of geopolitical focus and movement. Right. I think a lot of many islandists consider this to be a very strategic region. I think we also see cyber as a way of keeping those, one would presume to be adversaries in the back foot. But just at the end of last year, hackers believed to be working on behalf of China attacked four australian ports along with other critical infrastructure assets. So there's clearly an instance of sort of probing critical infrastructure for cyber weaknesses in the region. Now, should those become useful later, we'll see. But we saw the exact same thing happen in the US recently as well. So definitely based on the region. I think a couple of years ago, when you and I did an interview, we talked about media in Australia. Right? Like, you know, why that was interesting, a couple of media companies that were getting breached. But absolutely, I think the proximity makes Australia quite vulnerable in that sense.
[00:13:52] Speaker A: So, a couple of questions before we wrap up. I'm then curious to know, again with your role speaking a lot of customers at the coalface. So what are some of the insights about customer behavior that you can sort of share with us? What are people sort of saying? What are their thoughts?
[00:14:04] Speaker B: Yeah, I mean, one of the things I'd say the trend that I'm most excited about is like the growing awareness around zero trust security that is more and more a proven paradigm for it and security. A framework. A proven paradigm. And organizations seeing that this is helping them maintain a high cyber risk level of cyber risk posture. Right, so when a select group of technologists are getting together back in 2009 to discuss the possibility of a yemenite perimeter less security environment, it wasn't really on the radar for a lot of companies. And then when the term zero trust was coined, a lot of folks were quite skeptical about this. Like, what is this? Is this marketing? Or is this actually real? Right, but you fast forward now, 2024, we're seeing so much momentum behind zero trust. It's clearly, you know, an embraced framework by many IT and security leaders, both in the private enterprise as well as the public sector globally. And I think we're seeing that momentum growing, and I see that with the customers that we're working with, I think as well as the Google partnership that we just announced here at Zenith Live yesterday is further evidence to that. By integrating Google's cloud offering, we're ensuring that hundreds of millions of users around the world will automatically connect based on zero trust principles, without the need for VPN's or any new enterprise browsers, just by them using Chrome right now. And of course, our enterprise customers today are very excited about AI's potential. Right, well, IT and security capabilities for recognizing and responding to threats will greatly be enhanced by a lot of these new and this new partnership we also announced with Nvidia, but even prior to that, we were using AI in our kind of formidable data capacity. With what we have with our security cloud, we're able to inform many insights to advise it leaders on risk quantification and business insights like how many software licenses are going to be unused, which is sort of really helping their departments cut spending. Sometimes that resonates very well with the rest of the business. So as I said earlier, this isn't just about a technology solution, but this really is about a business solution, right? The business outcomes.
[00:16:28] Speaker A: Remember 2024. I know we're midway through what's sort of your focus, what can people expect?
[00:16:35] Speaker B: Yeah, look, I think one of the things you heard yesterday, right, I mean, tongue in cheek, you know, during the keynote, Jay, thank you so much for not like plugging AI so much. And then. Right, but we. And Jay said, yes, but I'm going to have to mention it now, right, we are going to see, start to see a battle where we're fighting AI generated threats with AI solutions, right? AI security. And we've been focused on AI as an asset for, you know, like for defenders. But in reality, we can also definitely expect these threat, threat actors to make use of these capabilities to create even more nefarious, perform more nefarious acts. So as Jay pointed out yesterday, you're going to start seeing, it's going to be trivially easy, right, for these threat actors to have large language models like chat GPT, to do the dirty work of discovering common exploits or even construct sort of malware variants with them. So we're going to have to build, and you'll see building more, leveraging AI to build more predictive threat detection solutions and the ability to understand patterns and infer, correlate and sort of, we can do better predictive analysis and also mitigation rather than just flagging threats, right. It's knowing that this is really going to happen. We're seeing some trends, we're seeing behavior, you know, bringing things like identity, posture, all of that into play and being able to, like, make better decisions that will, you know, make these types of threats a non event. That'd be one, I reckon. The other thing you're going to see is we're going to see more often, 2024 is going to be the rise of zero trust leading to a firewall free enterprise. I think we've seen this, right, just the recent sort of avanti vulnerability that just happened. Another one. Firewalls have proven to be ineffective. Like legacy firewalls have been proven to be ineffective in shielding companies from zero day threats. Security leaders are searching for new methodologies for protecting their organizations, and I think we're going to start seeing more and more of that. That's an, you know, as you've known, we are committed to in that direction, always have been, and you're going to see more and more of a firewall free enterprise. Another one, another area we made a couple of announcements. We talked about a couple of things this time around was around network segmentation. One major acquisition that we've done just recently is the air gap acquisition. Right. And I think, as we've sort of talked about, the problem with that free zero trust type thinking in the legacy world is if you're on a network, physical network, that you're trusted. Well, we're not all sitting in an office or in a building, like, tethered right to our desks. So this notion of physical security or this notion of the network in its legacy construct does no longer exist. The zero trust segmentation ensures that is no longer the case. Right. So we can segment access to resources to a much greater degree and much finer granularity. I would say that means criminals can no longer access the crown jewels of the organization just by overcoming sort of the weakest points in your network and weakness of the network security solution implemented. Important thing to say is network security is not equal to zero trust security. You have a much higher level of security and protection from zero trust security, I would say. One other thing you're going to see also is around zero trust. SD WAN displacing traditional SD wans when software defined wide area networks first came along several years ago, they were quite amazing for their ability to connect your organization's assets at a sort of fraction of the cost of mpls. Heard it again yesterday around high costs of these mpls backlinks. Right. But today we know that, yes, they may have been helping cost optimize, but they're also plagued by so many common security issues like that that really have enabled a lot of lateral threat propagation across the environment. Right, and movement. So what we found is that by applying the very same principles of zero trust secured zero trust, the zero trust framework principles to the SD WAN branch connectivity, we can just make them as secure as any traffic flowing through the z scale zero trust exchange. So I'd say those are like the four core areas predictions that I see making significant movements in momentum in 2024.
[00:21:22] Speaker A: Joining me now in person is Darwal Shabba, SVP in GM product management from Zscaler. So Darwal, thanks for joining and welcome.
[00:21:29] Speaker C: Thank you.
[00:21:30] Speaker A: So you've presented today at ZFlive, so maybe share with me what you have discussed first, and then I sort of want to get into a little bit more of the specifics.
[00:21:40] Speaker C: There were two broad areas that I'm talking about in my keynote. One is around our platform innovations, how Zscaler platform has been evolving over the last few years, and the new capabilities and experience that we are introducing as part of it. And the second part of my keynote is around innovations in the zero trust networking stack. So platform innovations try to keep platform services like how our customers use our platforms, like administrative experiences, automation and programmability, identity and access, and very interesting capabilities around copilot as well. And then in zero trust networking, we pivot to talk about innovations on introducing more capabilities on a private access service, and new innovations in cloud and branch connectivity.
[00:22:30] Speaker A: Okay, I want to get into the innovation Zero Trust. So would you say Zero Trust is becoming one of those phrases in the market that people's eyes are starting to sort of glaze over and their eyes are sort of rolling back in the back of their head? So when you say innovation, what does that actually mean for people? What do we get?
[00:22:49] Speaker C: So I kicked off my keynote with explaining how Zscaler has been first to the market with many innovations like introducing a cloud based secure web gateway. Zero trust network access, or ZtNa market did not exist when we introduced ZPA product into the market and over a period of time. I think it's a strong validation that the industry is using some of these acronyms like ZTNA and private access to us. Zero Trust is all about not putting trust in the network, but tying trust, or tying the access to the identity and the context of identity. So taking network away from the access layer. All the technology innovations we keep doing are tied to the fact that we started by taking users out of the network and over a period of time extended the same platform to build zero trust architecture for workloads and critical infrastructure and assets running on the branch and factories as well.
[00:23:45] Speaker A: Do you think from your experience, people really understand Zero trust? Because for someone sitting in my position at the coalface of interviewing people at your level, multiple organizations right around the globe, it seems that there's different versions of zero trust. So would you mind sort of giving your version of it just so people understand in detail? In that way, we're sort of singing from the same hymnbook.
[00:24:08] Speaker C: So zero trust is not about a single product or a Z scalers version of zero trust. It is built using an ecosystem of capabilities and products. And this is where, in addition to what technology SQL have built, we believe in an ecosystem of partners. For example, identity plays an important role in zero trust. We work with every identity provider to get the identity of the user. But what we have also noticed is that identities are static. Identities can be stolen, but the richest context or attributes that are tied to users are things that we are seeing in line in real time, all the time, and we are using them to determine the policies. So those signals become very important in addition to our entity. Likewise, understanding the context of users device is very important. Coming from a corporate versus non corporate device might mean different kind of policies in organization. So our integration with EDR vendors come very handy in that space. So going back to your question now, from our perspective, zero trust really means that not putting implicit trust in network or any hard asset, but understanding which source, which is typically a user, is trying to connect to what destination, and then having dynamic conditional access based policies that could be applied to that traffic.
[00:25:28] Speaker A: Talk to me about conditional access. What do you mean by that specifically?
[00:25:31] Speaker C: Yeah, so one of the things that I talked about in my keynote is the concept of adaptive access. So there are multiple attributes that we see in Zscaler world, or signals that get generated based on which access could be regulated. For example, there are some raw signals, like I am sitting right now in Las Vegas here, but if our company starts seeing my traffic coming from China at the same time, it means that there's something wrong with my identity. So a lot of my privilege access that I have to certain system could be revoked based on that signal. There are also more complex aggregated signals like risk score, which looks at multiple attributes, and we are computing this risk score in real time, every two minutes we compute it. So if all of a sudden my laptop starts making lot of botnet calls, or let's say I'm doing some anomalous behavior, downloading large volume of files middle of the day, which I never do normally. So my access profile could be changed. So all these conditions are based on the access of the users and signals that we are seeing. So identity systems have a list of attributes, like user belongs to a certain group or department in the organization, or do they have risky behavior on their device or tied to their identity. Bringing this additional context is very important. And in addition to zscaler context, we are able to leverage the context signals that come from our partners, like Google Chrome partnership that we announced, where we are able to get device signals from a BYOD, from Chrome instead of running a Zscaler client on it.
[00:27:03] Speaker A: So let's keep going with that example. So hypothetically, I'm from Sydney, Australia. I've now traveled to Las Vegas. How could it be like, hey, that looks suspicious. Carissa is not really in Las Vegas. How does it sort of known based on your conditional logic that they're not false positive, whereas in fact I'm actually here.
[00:27:19] Speaker C: So all the policies typically are tied to users, right? So there's a policy for Carissa which says Carissa has access to x number of SaaS application, let's say Salesforce and WordPress, and then access to certain private applications like maybe your internal file upload server for example.
In a typical world, your access is tied to your identity. Now since Carissa moved here to Las Vegas, our policies are also geo location aware. We can see that your traffic is hitting our US west coast data centers, but we are also seeing at the same time your profile is being used somewhere else. Let's say your identity got compromised and someone is logged in as Carissa into your Salesforce account as well. So we can say Carissa cannot be logged into the same account at the same time. So this generates an alert. And even if you have access established, one of the big challenge we see in organization, especially with private applications, is that users connect to applications and these applications have long lived connections, which means you authenticate once a day or sometime once a week, and that access stay is there. So with this adaptive access framework, if I see such anomalous behavior, I can revoke your access even for established connections. And another capability that I talked about or innovation that we are introducing is the concept of step up authentication. Now, step up authentication already exists in industry. We have integrated with every identity provider to support step of work. The challenge we see, especially in large organizations is that they have many legacy applications that do not support modern authentication frameworks. So for those applications, things like MFA and step up authentication do not work. We being inline platform, we can bring the same step up authentication behavior for critical assets that are not modern authentication compliant and still work with your MFA platforms like authenticator apps, etcetera to bring additional security and access controls for your legacy as well as modern applications.
[00:29:22] Speaker A: So going back to the alert, so how quickly would that happen? So that would raise an alert and then automatically just revoke all my access then does someone. So obviously that's AI related based on my activity. But then what happens if it was legitimate and I was like, hey, I'm actually here. Does someone then go and manually review it?
[00:29:39] Speaker C: So there are a couple of ways to do that. You can have policy automation around these kind of use cases. One of them is to say, I'm not going to revoke Carissa's access, but I'm going to pushed a step of authentication signal which says, hey Chris, approving it is you who's coming from Las Vegas. So we might ask you to input your authenticator app, a code that is shown there to continue having your access. If you input your code, you continue to have your access to the application. If you're not, then probably you're not Carissa, who's accessing that application anymore. But instead of revoking access, you can also create an alert for that that could go to your service desk or could be sent to your security team saying we are seeing anomalous behavior tied to this user. So it is very organizational, I would say policy and security posture driven configuration that we can support.
[00:30:29] Speaker A: So going back to the policies, some of these things in my experience as well, working on an enterprise sign historically in security like policy shmolecy, because it's very easy to write a very long document about these, all the things, trying to get people to adhere to it, then trying to implement security controls against that is hard. What would be your advice to doing that effectively?
[00:30:49] Speaker C: This is a very good question. First of all, I see a lot of customers who come to Zscaler from legacy appliance space world, and they have built very complicated policies over decades, and then they want to replicate the same thing in Zscaler, though we can technically support it, but it's a good time for them to rethink how they have traditionally done policies. So instead of doing very, very hard coded network or URL filtering based policies, or hard coded application based policies in the private access world, it's opposite problem with VPN's. You typically connect to a network and you have access to everything. It is the job of the network team to keep reducing the network blast radius or doing more segmentation. With network segmentation, we instead would have customers come and identify who needs access to what.
And at that point, your first goal should be that any namespace exposure or external attack surface that you have should disappear. So the moment you start using our product, your external attack surface comes behind Zscaler. But the internal attack surface or the internal exposure still stays there, like a overprivileged user or a compromised user. So in order to reduce that attack surface, you should leverage ML based capabilities we have in our product, where we understand who's accessing what application they belong to what group or department in the organization. Like marketing accesses these ten applications so we can recommend policies. With machine learning and with the click of a button, you can build fully automated policies. So take a crawl, walk run approach, simplify your access policies, reduce your external attack surface, then go to build more granular policies for your Cron Joel applications.
[00:32:34] Speaker A: Don't you think it requires a lot of time to do that and headspace that people don't have, trying to keep their head above the water, trying to do all of the things and it's like polished is sort of the back of people's minds.
[00:32:43] Speaker C: So again, the way to think about that is you do not revoke any access on day one. You give people what they had entitlement to using their traditional appliances or firewalls as well. In this case, what we are doing is we are reducing the external exposure so everything keeps working the way they are working. You know, what are your top ten cron drill applications are? So you build access policies for them. Every company has tons of shadow it applications. They only have handful of real enterprise apps. So build broader policies for them from an access boundary perspective and within a couple of weeks timeframe, as our customers start sending their traffic through us and we start understanding who's going where and doing what, then our ML engines kick in, we can start recommending more granular policies to you where for very large organization it is not possible for human beings to scale the policy framework. So this is why it is important to start at a broader access level, then go to crown drills and then build a broader segment policy framework.
[00:33:44] Speaker A: But just sort of zooming out for a moment, going back on just zero trust, what do you think? People just don't get about it.
[00:33:49] Speaker C: Still, one of the key challenges that I've seen is especially there is a lot of confusion around what zero trust means. If you look at traditional network security appliance vendors, they are trying to build zero trust with the same network appliances by trying to taking those in a virtualized form factor to the cloud and calling them zero trust. Or sometimes they are still building those trusted, untrusted network and connecting networks and putting boundaries around the network to call it zero trust. In my opinion, the challenge that customers face in those architectures is while they are able to shrink the attack surface with a lot of manual and complex configuration, but you still have the network paths open, a legitimate application needs to talk to another application and a certain port might be open. If that asset gets compromised, then the threats will move laterally. So the confusion in customers mind is, can I build segmentation with network? Just remember that network security based tool. So you are still segmenting networks. In that scenario, you are not creating a real zero trust access policy tied to the user. Most of the network security vendors still take the user identity and map it to a ip or a network layer or network construct. We are not doing that. That defeats the purpose of doing zero trust segmentation or zero trust policies.
[00:35:09] Speaker A: So I'm curious then to understand. So if you look at a bank, because I've worked in a bank before, like you've got legacy systems, super old, you know, critical systems. How does this sort of approach work? I mean, it's easy for like more of a modern company that's cloud based and it's, you know, relatively new to implement something about what Zscaler does. But for these companies been around for hundreds of years and they've got all these old records and who knows where. How does this work for these types of organizations?
[00:35:34] Speaker C: The good thing is our solution is application agnostic. We have many, many large banks who still use mainframes. We have manufacturing companies with 30 40 year old infrastructure applications. In fact, we have healthcare customers who still have a lot of Windows XP in their environment. So we try to stay agnostic of what application is running. Think of it this way, like I am trying to give customers a gateway to applications, but that gateway is not taking any inbound request because if anything can connect to you inbound, that creates a exposure or attack surface. In fact, the connectors or gateways that we deploy in order to give you access are only calling outbound to Zscaler cloud and they are doing it with the identity of that appliance that we understand and then we establish the connection from the user or whatever is trying to initiate the connection. And application behind that could be a mainframe application, could be a legacy application. In fact, most of our large customers have started by putting, especially in manufacturing space, using ZPA to protect their legacy application. First, to your point, for modern applications, they still have some form of zero trust that they can get in the cloud from the hyperscalers like AWS or Google. But the legacy application is where there's a real pain point. Like one common scenario that I've seen in banking is that there are, and also in manufacturing is there are many third party contractors maintaining your applications, right? And they get network based access through VPN or through firewall. And you do not know what is the security posture of your partner or the contractor who's giving you that service on their devices or on their network. So you are basically connecting an unknown entity to your network, traditionally called extranet. But plumbing is third party network to you, and a lot of ransomware attacks that we see happen by compromising a contractor or a third party and getting into your network. Our goal is that even in that scenario, we can build a zero trust architecture where we take the identity of that source either by connecting to their directory or the enterprise directory, or even replacing the need for a site to site VPN with our newly introduced branch offering. You can deploy a branch appliance to establish zero trust connectivity even without the user context, and that really shrinks your attack surface from that attack vector very significantly.
[00:38:04] Speaker A: Why do you think it's predominantly contractors in terms of your ransomware example? You said before.
[00:38:09] Speaker C: So there are a few problems we have seen. I'm not saying everyone has the same problem, but third party contractors might not use a hardened laptop or asset like you will give to your employees. They could be coming from anywhere, BYOD, or they could be having their employer provided assets that you don't know what is a security posture on them. Also, third party contractors sometimes have multiple shared VPN profiles, so they will have connectivity coming into your network from multiple VPN's across the globe, and you're not doing strong identity validation. We also have seen, especially in manufacturing world, where's a PLC provider or a third party hardware provider who has a VPN profile that was created ten years ago. You don't know which user is using it. Some employee moved on, they still have the credential, but other employees are using it. So this becomes a very tough problem to solve for our customers. And again, what we have seen is customers get to the question that you asked earlier. They get very confused when the same appliance vendor says, now I have a virtual appliance in the cloud. You can come through my cloud instead of deploying that on premise firewall or VPN appliance. But what they fail to realize is that it's still creating a network connection now coming via cloud instead of coming directly into your network.
[00:39:26] Speaker A: What do you think about the future of VPN?
[00:39:28] Speaker C: I think VPN has no future that needs to go away.
[00:39:32] Speaker A: Do you think people would agree with that? If you look at customers, a lot of people still talk about VPN, and that's how they operate. I mean, I know companies like yours are saying there is no future, et cetera, and they become obsolete, but how long is that going to take? Because you were saying before, people still running Windows XP that was ages ago. They were talking about VPN. It's not going to just phase out overnight.
[00:39:52] Speaker C: So we have seen a significant uptick during COVID timeframe. And most companies have some form of hybrid working arrangement. Whether employee comes one day a week or four days a week, they have some flexibility to work. In fact, most of our large customers who moved to ZPA for remote work, they started bringing employees back to work. They immediately started telling us we do not need to connect these users to our network because they are coming back to office. So they started building cafe like branches where user gets access to applications even when they are inside the network or inside their office building without connecting to the network. So they are building inside out or universal zero trust architecture expanding to users, even sitting on premise. So while some VPN will continue to exist, but the use cases for VPN, keeping in mind the level of vulnerabilities we have seen on firewalls and VPN coming in last two, three years, the vulnerability that we saw with Ivanti, we saw with Palo Alto, which was a critical vulnerability at cv ten level. These kind of things are making security take more corrective action. And another big thing that I personally observed, which is making customers retire their VPN's faster, is traditionally VPN was owned by networking team because it was seen as an access mechanism, not as a security mechanism. Zero Trust is a broader CIO and a CISO initiative. So networking and security is working together to retiree these VPN's and we think over a period of time the same fate will be met with firewalls as well.
[00:41:27] Speaker A: So who would own that then? And I know you said it's a blend between CIO and CISO, but sometimes there is a little bit of conflict between those two areas that are trying to work together in unity. So how would you advise people to do that effectively? Who sort of owns it then?
[00:41:42] Speaker C: Typically what we have seen, again, not naming any customers, but large customers who are doing very successful zero trust deployments. Security teams own the policy, but the infrastructure is owned by the networking teams and CIO's are the forcing functions and CISOs and ctos, our head of networking and infrastructure are owner of their respective areas.
[00:42:06] Speaker A: And there you have it. This is KB on the go. Stay tuned for more.