News
More from RSA Conference 2023

Jay Chaudhry

Founder & CEO

Zscaler

Zero-trust architecture: Complexity is the enemy of cybersecurity, says Zscaler CEO

Having been founded on the “never trust, always verify” principle, zero trust is no longer a buzzword. It’s top of mind of many chief information security officers.The complexity created by firewalls and virtual private networks is what’s hurting cybersecurity. It needs simplification with zero trust, according to Jay Chaudhry (pictured), founder, chairman and chief executive officer of Zscaler Inc.“The notion was if applications and data move to the cloud and we become mobile, all this firewall, VPN-based architecture will be no good … so let’s build a switchboard totally opposite of firewall, opposite of network security,” Chaudhry said

Zero-trust architecture: Complexity is the enemy of cybersecurity, says Zscaler CEO

Info

Jay Chaudhry | Zscaler

Jay Chaudhry

Founder & CEO Zscaler

(upbeat music)

>> Welcome back to Moscone West, everybody. Watching SiliconANGLE theCUBE's flagship coverage of RSA 2023. My name is Dave Vellante. John Furrier is also here. Jay Chaudhry is here, the CEO, founder, and chairman of Zscaler. Jay, thanks for spending some time with us. Really appreciate it.

>> Dave, I always enjoy talking to you.

>> I want to go back to the beginning. It feels a little bit like 2007, 2008 now when you said a lot of innovation going on. Why did you start the company back in 2007?

>> Well, I'm a lucky product of American dream. Sometimes wonder if my life is real or I'm dreaming.

>> Dave: You have to pinch yourself, eh?

>> Because I was born and raised in a tiny village in the hotel of the Himalayas in Northern India where we got electricity after I finished my eighth grade. We got running water after I finished my 10th grade. I came to America to do my masters in computer engineering. Got to start up all by accident. In '96 when internet was just taking off, I dreamed of building an internet security company. And since I had no experience, all VCs turned me down. Talked to my wife and I said, "The only way we can realize this dream is if we put our life saving on the line." That's what we did. The business took off. Then Ferguson comes and acquires it and it felt like a fluke. Startups are supposed to be hard. It was easy. I said, "Let's do it again." This time, I did not need to raise any funds. So I started three companies. Good luck, good timing, they all became very successful and eventually acquired. Now moving to 2007, 2008, I had no desire to do one more startup and sell it. I want to do something big, something lasting. And to do this big undertaking, I got inspiration of Mark Benioff of Salesforce because I have been using Salesforce since year 2001 in all of my startups. So I knew what a cloud native multi-tenant architecture would be. Salesforce had to compete with Siebel systems. And guess what who won? So I said, if I build a cloud native platform for cloud security, I could do better than any of the legacy firewall VPN guys. And since I was doing it with my own money, so slow time when things are not moving fast, it's a good time to really put heads down and build a great fit.

>> Thank you. I didn't know that story 'cause I was going to ask you, because you're known for cloud security. In 2007, the cloud was just barely out. It was the Salesforce, which was the original cloud.

>> Jay: Absolutely.

>> Right?

>> So Salesforce and NetSuite, I used both of those companies in all of my startup in 2001 when each was under $10 million in annual sales. So I was a big believer that all applications should become SaaS applications. iPhone was just announced with a big screen. So I knew that we will be all more and more mobile. And by the way, AWS was just in its infancy in 2007 timeframe. So the notion was if applications and data moves to the cloud and we become mobile, all this firewall, VPN-based architecture will be no good. So let's build a switchboard, totally opposite of firewall, opposite of network security. User comes to us, we say, "Who are you? Where are you going? Are you allowed to go? Are you taking some good stuff and bad stuff with you?" That was the genesis, the real start which really has evolved into being called zero trust. And that's really what we are very proud of because Zscaler pioneered this thing very, very early on. And today, over 40% of Fortune 500 companies depend upon us. This is some the biggest names. It's British Petroleum, it's Siemens, it's Shell, it's United Airlines. We're very proud of helping our enterprises and our country to protect them.

>> What's interesting about the story is architecture matters, we say that a lot on theCUBE. And in 2007, there were many companies who came after you that missed the cloud. So what was it about the architecture that you saw at the time that has allowed you to endure through the cloud era? No pun intended, 'cause Cloudera missed the cloud. We talked about that, but so what was it?

>> So I had a very simple mindset. I want to do something big, something lasting of public company. And for that, I wanted to see 15, 20 years out and say what will be needed in the longer term? And you had to believe, at least I believe that applications will be out there somewhere, SaaS, cloud, wherever, users will be somewhere the architecture has to be done right. Now, people think about this cloud security or cloud being something unique. I thought of this the following way. Every new technology starts as a cottage industry. We used to have power generators at home once. We loved them because that was a best thing at that time. Then utility companies came, power utility companies. They said, "Plug into the socket, you get power." So cloud computing and cloud security is essentially a utility service. And that's how I looked at it from day one and it had to be done differently. Just like you can't take a million power generators, put them in some factory and say, "I'm a power utility." Or you can't take a thousand DVD players and put them in the cloud and say, "I'm Netflix." That's why I don't believe the firewall and VPN companies will ever succeed. They'll try just like Siebel system did. Then they'll go back to the roots or wherever else they need to go.

>> Yeah, we were at your event last night and you pulled up a customer, just a very brief, maybe five minutes of introduction, but the customer was a forward thinking customer. I'm paraphrasing, but basically the customer said, "Hey, if you're on my team, you got to be thinking," I think he said out of the box. It was tongue in cheek. And so I want to ask you about zero trust because prior to the pandemic, for most people, zero trust was a buzzword. But you talk to any CISO today, they are moving forward on a zero trust architecture. My question is, can you do that without getting rid of stuff? 'Cause you have a lot of technical debt. So it's got to be a journey. How are you seeing that evolve and what role do you play?

>> So it's indeed a journey. And also zero trust didn't really become popular because of COVID. It became popular when SolarWinds got hit. And companies realized that, "Wow, this malware is on my network inside my firewall." And then certainly we had Colonial Pipeline, a remote access VPN problem. VPN is the biggest security threat to enterprises out there. And you know what? Once you connect to the VPN, you own the network, you move laterally as if you got in the castle. You can go wherever you want to go. It's a sad story that firewall VPN companies are removing the word VPN. They're calling themselves cloud-based secure access when underneath its VPN. They're doing a disservice to our country and enterprises. But I guess they're trying to make sure they don't go out of business. But zero trust is fundamental new architecture where you don't put people on the network. You connect them to application. It seems geeky sometimes, so let me give you a simple example.

>> Geek out a little bit, explain it to our audience. They'll absorb it.

>> Let me give you a simple example. Getting on the network with VPN or being on the network with firewalls and VPN is like, I come to see you, they stop me at the reception, they check my ID, they give a badge and they say, "Jay, go inside. Your meeting is on seventh floor, but go wherever you need to go." I am inside. I could wander around wherever, snoop around, not even go to my meeting room and leave. That's what happens with network security and VPN. In the zero trust model, sure they stop me at reception, check my ID, give me a badge. Then they'll say, "Jay, stop. You will be escorted to room 22 and 22 only. You don't even need to know the room number. Once your meeting happens, we are going to escort you out, period." And if you are really security savvy, like DOD, you'll say, "Jay, we are going to blindfold you and take you to the meeting room. Your meeting happens, we blindfold you again, we take you out." You really connect to a given party, a given application at a time. The biggest risk of ransomware is people getting on the network moving laterally and finding high value target. That's really what we eliminate. That's what sets us apart from legacy security architecture. Whether it's firewall on-prem or it's firewalls in the cloud, there's still firewalls.

>> I'm imagining when I go through security at the airport, TSA, you're saying that's what it's like. And I can wander around the airport anywhere.

>> It doesn't matter. You're not allowed to get into the most critical things. You could be out there exactly like zero trust. Now if you need to get on a certain plane, we are going to check your boarding pass, your passport, your visa, and your luggage to make sure the right person gets on the right plane for the right destination with safe luggage. It's probably a good analogy.

>> You're synonymous with cloud security. People think of Zscaler, they think of cloud security but you accommodate hybrid modes.

>> Yeah, we accommodate, we fully support hybrid. In the world of zero trust architecture, the architecture that Zscaler pioneered, your applications could be in your data center, could be in a factory, could be in a warehouse, could be in AWS, Azure or Google Cloud or Oracle Cloud. It doesn't matter. Like a phone, switchboard will connect you to the right application without you having to worry about extending your network to every place. So we very much support hybrid environment.

>> There's a narrative in the industry. You hear it from a lot of technology vendors that we don't spend enough in security, and yet at the same time, it's, I don't know, $100 billion, pick a number, 80, 90, 100, 200, IDC numbers. That's not my business, but it's big. Where do you land on this? It seems like we spend more every year, but we're not more safe. Is spending in and of itself the answer? It's obviously not, but why not? What is the answer?

>> So spending on wrong technology to create complexity is actually hurting. Complexity is the enemy of security. Your question reminds me of a dialogue I had with the board of directors of a very large bank in India. So they wanted me to give me my perspective on how do I see US enterprises protecting themselves. And one of the board members asked me, she said, "Jay, if I look at Fortune 500 companies in America, they have sophistication, cyber experts, they spend lots of money and I read so frequently they're all getting breached. What's wrong with it?" Expertise and budget, both are there. I had to think for 30 seconds. It was a real good question. I said, "Yes, they have a lot of money, but inertia is holding them back." Human beings like to keep on doing what they've done. We are doing the same security model since early '90s, same network model. It fundamentally has to change. So this big change is held back by inertia. It requires people who are progressive or forward thinker and the vendors don't help that much. You can eliminate a lot of these point products, save money, and have far better security than we do today. I had a dialogue with a large retailer in Europe. They got breached. It was ransomware attack. Guess what happened next? The board fired the CISO. They brought a new CISO in and they said, "What do you need?" All purses got opened up. And guess what the CISO did? Bought more and more firewall, segmentation, VPN, everything. Let's build a more tier, a more tier, a more tier. Wrong approach. Luckily, zero trust adoption is happening more and more. When I have 7,000 customers who talk to each other, how they have helped themselves, it's actually helping. We are getting lots of business through word of mouth. CISOs and CROs go from place to place. But my guidance to customers is don't keep on buying more and more. Your tech that is getting worse and worse. Simplify, simplification with zero trust is what's needed.

>> Do you think foundation models like GPT could be the catalyst for that change? You think it'll shake the industry up in a way?

>> I think GPT is going to shake things up in many ways actually. So first of all, you can see more sophisticated threats. You can ask ChatGPT, give me attack surface of this company. Here it shows up. That amount of effort you had to do to find some of the vulnerabilities becomes a lot easier. But it's also helping companies like us to be ahead to build protection against it. So this GPT is a, what I said, double-headed sword. It's going to help, it's going to hurt. It's a race with bad guys. We need to move faster. Enterprises need to adopt technology faster rather than keep on doing what they are doing.

>> You see a lot of data obviously. Have you seen hard, concrete evidence that the adversaries are actually using foundation models to attack? Is there hard evidence of that? We know it's happening. We presume it's happening. Is there evidence today?

>> So Zscaler handles over 300 billion requests through our cloud every day. Now what does that mean? Give you a comparative data point, Google searches in a day add up to about eight or nine billion. Now why is the number so big for Zscaler? Because when you communicate whether to internet or SaaS applications or your apps in Google Cloud, Azure, AWS data center, they all go through us. We are the switchboard. So we see all the signals out there. We actually end up seeing a lot of telltale signs ahead of them. So it's actually helping us see what bad guys are doing. But some of the signals we are seeing this being leveraged are beginning to show up, but they're not at mass scale yet. But I won't be surprised if in six months or nine months it becomes a way to further explore the situation.

>> So you see an evidence of possible signatures and that's a harbinger things to come. I want to go back to something you said. We used to all used to have our own power plants on site. Well, so the reason I thought of this is you remember the Andreessen, it was Sarah Wang and Martin Casado said that the cost of good sold are going to crush many SaaS companies and they're going to have to go repatriate. So, and remember we asked Jeremy Burton that question. He said, "Oh, everybody used to have their own power plant." That's what reminded me. Where do you stand on that? Have you thought about your business in terms of the cost of good sold, the amount that you got to pay a cloud provider? Do you foresee the day where you have to start building your own infrastructure or have you started already?

>> It's a great question. Every home should not have a power plant. But every city or a given state needs to have a power plant. There should be one power plant company out there. So the way I look at is, Microsoft, AWS, Google, are building power plants to build applications for enterprises. They are essentially application power plants. Zscaler is the security cloud. It is the security power plant. I can't be building my security plant on others. I need to build security plant. The requirements of security cloud are very different. We are sitting in the traffic path. Hyperscalers are destinations. They're sitting in a far and fewer places. We are sitting in over 150 locations around the globe. Think of America. Would you be happy if the only four or five international airport to go to someplace? You won't. We got over a hundred. So I need to have our security cloud sitting in all kind of locations because people need to come to us. We need to inspect very high policy and connect. So large companies in a given business will have their own clouds, and enterprises by and large will use public cloud for most of the stuff. And for some applications or maybe for resilience point of view, they may have some of their own data centers.

>> What's your thought on the public-private partnership and the role of public policy and the government as it pertains to security generally? But there's a lot of discussion about privacy. There's been discussion that security companies like yours are basically massive surveillance systems and calls into, so it's like, "Okay, what do you choose? Do you choose privacy or security?" But what's your general sense as to the, particularly I'm talking about the US federal government in terms of its posture with technology companies like yours and maybe even some of the big tech companies?

>> Yeah, a couple of general points. Privacy is a big issue for vendors who offer free products because they take the information, they take money out of it. Zscaler or Salesforce the world don't have an issue with privacy. We don't sell that data to anybody. We get paid by enterprise customers to do what needs to be done. So privacy for enterprise class vendors is not an issue. Now GDPR and all, they want to make sure the data is kept safely and we are taking all precautions to do so. Now the next level is government regulations and whatnot. I think some level of setting, some level of standards is good, but when government reaches too far, it kills creativity, it kills innovation. But if you look at the federal government, unlike the focus US government has put on zero trust, unlike some the initiative that CISA is driving, it's a good organization, it's trying to educate all these federal agencies and it is making a case for public and private sector cooperation. I think that's a good thing. So as long as government says, "I'll do the minimum and then get out of the way," it's a great thing.

>> Yeah, they could be a catalyst for innovation and growth. They certainly have been historically. Last question. So many people felt like, okay, the security market is immune from the macro headwinds. Last summer, we saw security generally revert to the mean. Now it's all over the place a little bit. What are you seeing at the macro level? Deals are getting along, you've talked about this. You guys have always sold to the C-suite, but now there's more approvals necessary. What's it like out there? What's the climate like to the extent that you can share?

>> So security is a lot more resilient than many other application area. So we are seeing less impact, but there is some impact. There is more scrutiny out there. But the vendors in cyber who can improve security and reduce cost at the same time will do much better. The reason Zscaler has done quite well is because cyber is on every CIO, CISO board's mind. But then second part is CIOs also want to save money. When Zscaler goes and say, "Here is my platform," that can eliminate so many point products. I can deliver ROI in cost savings. CIOs like us. So those are some of the reasons that that's going to continue the growth of platform companies for cyber security who can deliver cost savings like Zscaler does. So we are pretty bullish about the market.

>> And that cost savings comes from consolidation or?

>> Two or three things. You eliminate a bunch of security point products. That's number one. Number two, there's operational cost in these traditional appliance companies. Also, in addition, there is a network cost saving. There's a lot of network cost that needs to be taken out because they bring the traffic back to choke points and data centers alike. And on top of that, the user experience goes up, productivity goes up.

>> Jay, thanks so much for your time. You've been very generous. I got to let you go and really a pleasure having you on.

>> Dave, enjoyed it. Thank you for the opportunity.

>> Oh, you're very welcome. All right, keep it right there. John Furrier and I will be back with our next guest. RSA '23 from Moscone. You're watching theCUBE. (upbeat music)