Cloud-Based Cybersecurity: A Q&A with Zscaler’s Stan Lowe

At this year’s RSA Conference, Early Adopter Research’s Dan Woods conducted a podcast with Stan Lowe from Zscaler. Lowe is the Global CISO for Zscaler and their conversation covered three big questions about cybersecurity in 2019. This is an edited version of their conversation that you can listen to in full on the podcast.

Woods: Would you explain, using the NIST cybersecurity framework of identify, protect, detect, respond and recover, exactly what Zscaler does?

Lowe: NIST is one of the founding frameworks that cybersecurity is based on. Zscaler fits into the NIST cybersecurity framework more in the detect, respond and mitigate areas, not necessarily the recovery part because we don’t manage the endpoints. Zscaler provides secure access to applications and data both in the cloud and in your legacy data centers, both for your internal users and your external mobile users.

And Zscaler’s differentiating model is that it is a cloud-based system?

Exactly. We were designed for the cloud, we were born in the cloud and again, our value proposition is being able to provide those users with secure access to their applications and data wherever they are. Access to let the good in and keep the bad out.

Is the idea that somebody, wherever they are, connects to the Zscaler cloud and then gets access to whatever they need in a safe way?

Let’s just use Zscaler as an example because we eat our own dog food, so to speak. I’m a customer. I have no internal network. Whenever my users connect in any of our backend business systems, they connect through ZIA, they use the ZPA apps, Zscaler Private Access and then they connect to that application wherever it happens to be, whether it’s in Salesforce or Workday or Microsoft Office 365 or whatever, they use the Zscaler cloud to access that application and data. Essentially we authenticate to the cloud, the cloud then applies a customer-defined policy that says what access to which applications they have and we provide that transport securely. At the same time we decrypt all the SSL, take a look at it, apply our data loss prevention (DLP) policies and we apply next-gen cloud, firewall, sandboxing, IDS, IPS, and more to the traffic as we see it.

People talk about the idea of zero trust meaning that we are not going to assume that anybody who is inside our network or somebody that is accessing systems from outside the perimeter is trusted. We’re going to revalidate them and take action. In theory zero trust should be a concept that replaces the perimeter, but in practice it seems that zero trust hasn’t really replaced anything. It is an additive capability and it doesn’t take anything away. What does zero trust mean in practice?

Essentially zero trust is one of those marketing terms that we hear a lot of vendors throwing around. And essentially the concept originally was being able to provide secure access to applications and data no matter where the individual was. “We don’t trust you, therefore we’re going to regulate how you access data,” and that was Google’s concept with their CorpNet (which is an awesome concept if you design that in from the get-go). In the real world, that ran into, “Hey, most of us are hybrid and we live in a legacy world.”

For a lot of people trying to implement zero trust using a legacy security architecture model, it ends up being an additive problem because essentially you’re trying to take an existing legacy architecture that was built for a legacy data center where everybody came into that enclave and accessed their applications and data there. But now that’s no longer the case and you’re moving that application and data to the cloud. If you’re trying to implement zero trust from that perspective, which means increasing your security boundary and pushing those security tools into the cloud or replicating those that are legacy architecture into the cloud, yes, it’s going to be additive.

The way that we see it, that’s not necessarily what you need to do anymore. We prefer to look at it from the standpoint of the software-defined perimeter.

What is the software-defined perimeter?

A software-defined perimeter is a perimeter that’s built around the user no matter where the user is. Because, again, once you provide somebody access, now you’ve trusted them in some way, shape, or form, that zero trust concept doesn’t apply. If you have a legacy data center and you’re trying to provide an individual access, you’ve got trust because once they’re on that network, no matter how many times you’ve checked their identity, no matter how many times that you validate that they have the permissions that they’re supposed to have accessing the data, once you put them on that network, they become a trusted part of that network, which breaks down the whole concept of zero trust.

So the way I look at this and the way that Zscaler looks at this and the way a lot of other people are starting to look at this is that’s sort of trying to use a legacy concept in today’s cloud environment, which doesn’t really work.

It seems that if this concept were intellectually complete and consistent, you would no longer have a perimeter but you would have a responsive security system around each of your assets, around each individual, and around each server that would then allow access to whatever you are supposed to get access to.

Exactly. You need to build it that way to begin with, because that’s the way Zscaler operates. I operate in that model; in my view, I have no backend business systems, I have no legacy data centers, I have no data centers at all. I have no internal network. The Internet is my network.

So you’re saying if I’m at the Zscaler offices and I go onto the WiFi, I’m on the naked Internet?

Yes, you absolutely are. We don’t have external firewalls; we use our own applications because all of our traffic is pushed into the Zscaler cloud, which has a full security stack. From that perspective, it’s not additive. But we’re in a unique position in that our company came into existence because of the cloud and we developed the products that can actually support that activity. Most companies have some of their applications in the cloud and some of their applications in a legacy data center. For instance, if you’re an SAP organization, you’ve got an ERP system that you’ve invested tens of millions of dollars into and your business processes are centered completely around that. It’s going to cost a fortune to take SAP, rejigger those business processes and then put that into S/4HANA in the cloud. It’s going to cost so much money that it’s not necessarily going to be worth it from a business risk perspective.

There are going to be organizations with legacy applications and legacy data that they’re never going to be able to move to the cloud, not for an extended period of time. So what do you do? The idea is to be able to apply the software-defined perimeter to gain access to legacy data and applications in your old data center while at the same time providing that same access to your new data, the location of your new applications and your new data in the cloud, and do both of those things seamlessly and securely.

The economic engine of the world today is pretty much based on the Internet for first and second world countries. In order for that to continue to grow into the betterment of humanity, we have to have good faith in the security of the engine. And in order to have that, we have to have good cybersecurity. So in order to have good cybersecurity, we have to think about it differently because the world is changing.

So part of my job is to talk about how we need to do things differently. The other part of my job is the job that the board likes me to do which is be the Global CISO for Zscaler. That’s a huge chunk of my job. I would say about 40% of my job is the job that Jay, our CEO, likes me to do, which is talking to customers about the value proposition of Zscaler.

So you’re a thought leader, evangelist, educator, and you’re an internal CISO — what is the third part of your job?

The third part of my job is dealing with global governments since I’ve got a lot of federal experience.

In practice zero trust seems to be additive; if you go completely into the cloud maybe you could get rid of some perimeter stuff, but before you do, it is additive. But it seems like every generation of new products, there’s a bunch of new toys to buy but nothing gets replaced. When are we going to start seeing actual real, meaningful pruning of cybersecurity where new technology replaces old technology? People have been saying for years that antivirus is dead.

But it’s still being used. Security folks have never met a tool that they didn’t like. The thing that used to drive me crazy about my staff was every time we had a problem or a challenge or a risk, we went out and we bought a tool to solve that problem and that risk. So essentially we ended up with a huge security stack that drives complexity and drives costs into the network. Boards, especially in the commercial sector, are looking at the cost curve for cybersecurity and seeing that it is unsustainable. So what do we do about that?

One of the founding concepts of what Zscaler does is to reduce complexity in the network. So instead of fully utilizing the architecture and the tools that you buy, the toolsets that you buy, often we’d buy point solutions: if we have a DLP problem, we’d buy a DLP tool. Or if we’re looking for an IPS or an IDS or some kind of inherent threat, we’ll buy a tool to solve that. We don’t look at it as a whole, as in a holistic view. The way to reduce the complexity or pare down the number of tools that you have is to move some of those applications and some of those tools to the cloud. It is imperative

The idea is that you’re not necessarily taking the tool away, but bringing it in under an umbrella in which meaningful integration can take place and meaningful consolidation of administration can take place?

Exactly. So you’re driving out the complexity of both the security stack and the administration of the security stack so you can not necessarily get rid of people but you can get rid of tools that don’t work together very well.

What you’re saying is you may not prune capabilities but you could prune vendors?

You never want to prune capabilities; you just want to transfer where those capabilities reside. Again, putting them under a single organization or a single stack allows you to have that single pane of glass, that single pane of administration, that single ubiquitous policy application. Being able to see what your users are doing, how they’re doing it, and where they’re doing it in a single place from a single tool from a single instance of that tool: That is the nirvana where people are trying to go. But, again, we live in the real world so oftentimes security guys and IT guys get caught up in trying to do everything so we do nothing.

It’s a perfect segue to the last of my three official questions. And the last question is about cloud migration. Right now if you look at most cybersecurity spending, you’re still spending on on-premise systems. But almost every one of those on-premise systems is powered in some sense by some cloud capability, whether it’s machine learning that’s happening on data consolidated across the systems or some updates that are coming from the cloud. There are lots of cloud connections to on-premise systems. But right now, if you count that spending, it’s still on-premise spending even though it’s cloud-enhanced. So when are we going to get more cybersecurity in the cloud or is it really going to wait for people to implement the cloud complete model?

No; you absolutely don’t have to do that. Moving to the cloud is a transformational journey and a lot of large organizations will always have a legacy data center or legacy data centers and legacy data and legacy applications. There are people who have invested tens of millions of dollars in homegrown applications that they are never going to be able to move to the cloud. But the idea of being able to migrate certain other things that are commodity IT services, like payroll, Workday, your HR systems, Office 365, now you’re moving Exchange to the cloud. Those are the steps that you can start taking today to migrate yourself from your legacy data center to the cloud.

The way that we do IT now and we have been doing it now is we’re really the technologists; we were never considered business enablement. That has changed, both for security people, IT, and chief technology officers. Our job now has changed exponentially. There’s been a sea change in how we need to think about what our jobs are. Our jobs are now business enablement. For a CIO, your job is to provide tools and data and analytical tools to the business to enable them to drive revenue.

From a security person’s perspective, your job is to provide tools and the security posture that allows the business to protect and drive revenue. That’s your job so you have to figure out how you fit into that. That means you no longer are a pure play technologist, you’re not the cybersecurity guy that always put the “No” in innovation. Your job now is to work with those businesses to be able to identify how they can drive revenue in a manner that’s risk acceptable to the organization in which they work.

What you’re saying is that it’s possible to get a better cybersecurity platform if you have a cloud-based world because then all of a sudden you can live without a firewall and have more integrated cybersecurity solutions.

You can live without a physical instance of a firewall. You can use a cloud application and your businesses will be able to do that and they’ll essentially provide you the ability to connect to those services and those tools that you need in a risk acceptable manner.

How many CISOs do you think would be better off not buying the new shiny tool but instead taking that same money and investing in operational discipline and cybersecurity hygiene, meaning being able to control the configuration of your environment with more automation, being able to evaluate and determine faster which patches you’re going to apply and which you’re not, all the other things that are just like mom and apple pie, simple things that if not done leave you vulnerable?

The basics we’ve been preaching for cybersecurity don’t go away in this new environment. Things like configuration management and patch management are always going to be there. We get a lot of pressure from the vendor community and other CISOs based upon things like catastrophic events, NotPetya or some other ransomware or something like that. We spend a great deal of time worrying about a problem or the potentiality of a problem that represents maybe 1% of our risk profile. And we spend a great deal of money trying to solve that 1%. We would be better off saying, “Okay, yes, that might happen, it could happen, but what are the chances of that risk being realized?”

If you were giving short, quick advice to CISOs you’d say, “Look, really focus on operational discipline, config management, patch management, get those things right and make sure that they’re getting better.”

Yes, exactly. And there are ways, there are tools out there to help you, you probably own them and they’re just not fully utilized. One of the other funky little problems that comes into play with a CISO, that you want to talk about is the regulatory environment because that often drives a lot of interesting behavior with regards to total purchasing and drives a lot of attention, especially in healthcare and banking and the federal government as well. If we concentrate on operational excellence, doing those things like patch management, configuration management, making sure you have a good quality asset inventory, making sure that you know where your devices are, if you concentrate on operational security and you do that well, compliance will come along for the ride, whether you want it to or not. It’s just going to happen organically.

What have you seen people do who are doing a good job of training and inculcating proper cybersecurity mindset into their staffs? And how do you make it something that is motivating and part of everyday life, not something that is seen as an annoying pain?

That’s a third rail. One of the more interesting aspects of cybersecurity is our biggest asset is also our biggest risk and that’s our users. One of the things that’s critical to success for any organization and most especially cybersecurity is making sure that the business people, employees, users, and customers are aware of cybersecurity. That’s getting better now because we’re constantly in the news; every time you turn around there’s a cybersecurity issue and somebody who has been breached. But, again, those types of things, it’s not that they’re not aware of it, it’s just that we have had a tendency in the past to make this mysterious and complicated and beyond the laymen’s ability to understand. That’s not true. We need to change the way that we talk about cybersecurity to our businesses, “Hey, it’s not all this; we’re not all sitting in a dark room with voodoo and chicken bones trying to figure out what the hell is going on. You too can understand cybersecurity.”

Again, we’re starting to see that and I think with the new generations that are coming up, that are coming into the workforce, they’ve been exposed to the Internet since they were born and they’ve had constant discussions from their parents and their teachers and they’ve gone through it in school, so I think it’s going to get easier. But, again, part of our job is to make sure that our workforce understands how what they do affects our security posture.

I have a lot of friends who are CISOs or CIOs or CTOs, and they are asked by their boards or CEOs to buy cyber insurance. They don’t want to buy it because they don’t think that it’s really going to be of value. It’s not that it’s not a real insurance policy; it’s just that there are so many exceptions that allow the insurance company not to pay out, the coverage is so limited that it’s not going to provide much benefit. What would you say to a CISO who is eager to try to argue his board or CEO out of the idea of buying cyber insurance?

First off, you’re not going to. With the boards and the CEOs, especially in a publicly traded company, you’ll never win that argument mainly because they view insurance as a security blanket. Depending upon how the policy is written, you can derive great benefit. There are several CISOs that I know personally who have made claims against their insurance policies and those insurance policies have paid out, not whatever they wanted but certainly around 70–80% which is not bad.

On the flipside of that, the reason why there are so many clauses and restrictions on those policies is there are no risk actuarial tables on cybersecurity. There are starting to be and some of the more mature insurance companies are starting to develop those actuarial tables but for the most part they don’t exist because, again, most insurance companies can tell you based upon your age and your location and your organization or where you live and your driving habits and what you’ve done in the past, how many tickets you have, they can almost predict exactly what, when and where and why you’re going to have an accident. And then they base your policy accordingly. For cybersecurity, it’s a crapshoot. So there are a lot of restrictions that don’t exist in normal policies that exist in cybersecurity policies. You have to be a sophisticated buyer. Don’t take the first one you get. Go out and get multiple quotes; be a good consumer of insurance.

As we go down this road, we’re not getting reduction of capabilities but we are getting consolidation of capabilities and so it seems to me that I have yet to see cross-vendor consolidation or cross-vendor integration work really well because what’s exposed when an event is raised is only a limited amount of information that goes outside the product boundary. But inside the product boundary, you have access to much more context, much more information. So it seems like the only successful integrations are inside company boundaries where a capability inside a firewall is integrated with an antivirus or with a DNS system inside a portfolio. Do you see that the primary engine forward of simplification and of integration is going to be consolidation and construction of larger portfolios underneath company umbrellas?

Yes, absolutely. If you think back to the mid-1990s, there were, what, six different operating systems? Today, effectively, there are two. There are flavors of Linux out there but primarily for the vast majority of the consumer base, it’s Windows or Apple macOS. So from a cybersecurity perspective, we’re in that same boat now. We’re starting to see a lot of the different acquisitions happening. I think we’re going to see a consolidation in the security marketplace in five or six years or maybe in as little as three. In three or four years, you’re going to see four, five, or six major vendors you will get your entire security suite from.