Zero-Trust Security for a Cloud-First, Mobile Enterprise



Lisa Lorenzin: I actually started out studying Medieval and Renaissance studies in college. So one of the things you learn about studying Medieval studies is Medieval castles. There were a lot of them. They were in all sorts of shapes and all sorts of places, and they were built to solve a problem, which was you needed to protect your people and you needed to protect your gold. So when you build a castle, you need a way to get people in and out. You build a draw bridge, which necessarily means that you have to have someone to guard the gate.

The problem with this model is that we're using it today. Works great in the Middle Ages, not so well in today's world of IT. When you an enterprise network where you need to allow outbound traffic to the internet, and you need to allow inbound access to private applications, the model is you build a hard perimeter around your environment. The equivalent of that Medieval castle, and then you establish a drawbridge for outbound traffic, and you establish entry for inbound traffic, and you secure that with these stacks of appliances. On the way out, you're doing fire walls, intrusion prevention, URL filtering, antivirus, state a leak protection, SSL decryption, sand boxing of potential malware. On the way in, you have a VPN concentrator. It's got an inbound listening port so you need DMZ firewalls. You need to have load balancers to scale across stacks of appliances, and then you need internal load balancing for your internal resources, global load balancing across multiple data centers, and if you're any kind of a target, you also denial of service protection.

So this is that modern day equivalent of the castle and moat. The IT world has really changed since the networks of 20 years ago where this model made sense. I started out working for Blue Cross Blue Shield in North Carolina, and we had one data center. It was adjacent to our main headquarters building. We had a few remote sites that were connected by site to site VPN. We had a few partners that came in through B to B VPN, but we really had this MNM security model. Hard on the outside, soft on the inside.

In the past two decades, a lot has changed, and one of the biggest changes is the migration of applications to the cloud, whether this is software as a service for publicly accessible resources or private cloud instances or something in between where you're running a private instance in a public cloud. And the other big change is the user migration.

So now you've got mobile users, apps in the cloud, connections going directly to these resources, except if you still need to protect those resources, you may not want to allow those direct connections.

So cloud and mobility have made a C change in enterprise networking over the last 20 years. Adoption of cloud services is increasing at an incredible rate. There are millions of customers for AWS, and we're also seeing a lot of shadow IT because it's now so painful to get to a resource in the data center if you're in a hotel or in an airport, that you might just want to throw something up on Box and tell your coworker to go grab it from there.

I'm the poster child for this by the way. I'm 80 percent travel. I spend most of my time doing my work from my phone, and I need a way to get to resources internally that doesn't require me to crank out a laptop when I'm running between dates.

So the problem is legacy VPN, traditional layer three IP sec VPN works really well for what it was intended for, which is site to site connections. You're connecting two networks securely over an untrusted transport. But when you start to do user to site connections, client to gateway IP sec, now you're bringing a user in through multiple hops to get to these internal resources. So we had this model at Blue Cross, we had it at Net Screen, we had it at Juniper, coming into the data center to get to resources. I was going through at least three hops, DMZ firewalls plus my VPN concentrator. Probably more like five with the internal and external load balancing, and that was after I got there through the GSLB.

So, this experience was pretty painful, but it's kind of like the frog in the pot of boiling water. Originally I was connecting in over dial-up. So the fact that it was slow, I really didn't notice. Then I got a cable modem and I started to realize how much it sucked to dial in in the evening, to connect in in the evening. Then we switched to our cell phones, and we go back to it being okay because RTT of the first cellular data models were no faster than my dial-up, but now I have 3G, LTE. So now I've got this problem, and it only gets worse when you start to connect applications in private instances in public clouds because now you have again, your direct connect or your express route. Your data center is connected to these private instances, but you don't want to expose them publicly. So you end up bringing a user into the data center, hair pinning them out to your VPC or your AVN, bringing them back to the data center, and then back out to the user. And it just gets worse and worse.

So the biggest challenge here is we're still following that model of placing the user's endpoint on the network. And that introduces a lot of risk, anything from compromised endpoints to unacceptable behavior like lateral movement or reconnaissance. And it also means we need an incredibly complicated system with multiple layers of ACLs, firewall configuration, load balancer configuration. The user experiences uniformly pretty poor frankly, and it's incredibly difficult to set this up, to maintain it, to refresh it, et cetera.

So we need a better way. What we're seeing is, we have the users moving out of the premise. We have the applications moving to the cloud, and so we're seeing more and more workloads going to the cloud, and all of this is being done over the internet. So there's a realization now that your corporate network is really the internet, and that means that network security is a much larger problem than we've ever had to contend with before because that's a network that we don't control.

So the IT world has evolved. Our solutions for user access and for access security need to evolve as well. As the applications are moving from the data center to the cloud, and by the way this isn't a binary shift. Data centers are still with us despite the fact that people have been saying the cloud is going to take over the world for 10 years. I think it's going to be another 10 years before data centers truly get reduced to a point where they aren't a big part of the problem.

The network model is really transforming from that hub and spoke environment to direct connect, direct to cloud local breakouts, and we have the need to transform our security from this castle and moat model to a much more granular user to application model. We need single sign-ons so that you get seamless access no matter who you are, no matter where you are, but we need the security that you can only get to the applications that you're authorized to see.

The goal at Zscaler is to enable this transformation of both network access and application access. The network transformation is served by our Zscaler internet access service, and the application transformation is served by our Zscaler private access service, and in both cases, we're moving that stack of appliances, taking that functionality and running it in our global cloud platform. So you have the ability to make sure that when you're connecting, your users connect to the internet, nothing bad comes in, and nothing good leaks out. Kind of like clean pipes to the internet, and on the private access side, we want to be able to keep your private applications private even in a public could environment, and easily connect users to those applications.

So Zscaler Internet Access to our flagship product. We've been around about 10 years, and I joined about 15 months ago. So there's a lot of conversations that I go into where they say, "We have Zscaler." And when someone tells me we have Zscaler, I know exactly which solution they're talking about because for the first eight years, this is what Zscaler meant. So, we want to enable local breakout direct internet, taking advantage of the SD-WAN environments and moving that security stack to the cloud across multiple different types of controls, from access control to data protection to threat prevention. All of this can be globally distributed, centrally managed, and at a scale that you've never seen before.

So this slide is actually out of date from the two weeks ago I think that I put it online. I didn't want to try to fix it at the last minute this morning because we just found out from a mate who runs cloud operations that we're now over 50 billion requests a day. We have more than 100 data centers around the world, and when we say we block 100 million threats daily, that sounds like a made up number. But what it means is that when we see an outbound threat in any environment, we can apply protection across every environment that we serve, and we have customers with millions of users. We have customers with presence in over 100 countries. So this is the Z in Zscaler. The purpose of our company name is to stand for the zenith of scalability.

On that global distributed, secure cloud platform, we've now built a second service offering which is Zscaler Private Access, and to be honest, this is why I came to Zscaler. I've been doing remote access VPN and NAC with both as an end user, then as an IT administrator, and then as a technology vendor, and both of them are really hard. We need a better approach. 802.1X, has anyone in here tried to deploy 802.1X across your entire organization? Okay, couple hands. Would you say it was successful? No. This was my last 10 years frankly.

So what we're trying to do instead is build a better model where we move the intelligence and the access control into the Zscaler cloud, and we have ZPA brokers, which are a render vows point for carrying traffic, receiving requests, transporting the request, getting a policy decision, and then actually carrying the end to end traffic to the requested application, and all of this is managed by our cloud policy engine, the central authority, which again is centrally manageable by globally distributed and redundant.

We get traffic into ZPA using the Zscaler app in the end point, and this app can also be used for road warriors to hand outbound internet traffic so you can protect both their outbound traffic to the internet in SAS apps, and their inbound traffic to private apps. And this is where the partnership with Okta begins because we use Okta as the back end identity provider for authentication and authorization, for flexibility, for seamless user experience and easy deployment.

The real magic in this system happens at your premise, whether that's your data center or your private instance in a public cloud because we put a lightweight virtual instance that we call a ZPA connector. It makes an outbound connection to the cloud and that's it. No inbound listening port, and we mean it. If you install one of our prebuilt VMs, I've had people call me because they can't SSH into it. We don't turn it on. There are no inbound listening ports. If you want to manage it by SSH, feel free to console in and turn it on. That means we don't need the DMZ firewalls. We don't need that denial of service protection, and traffic is distributed across these connectors by our central authority.

So you don't need global load balancing, you don't need local load balancing, you don't even need clustering configuration. Load up a virtual instance, or an RPM, put a provisioning key on it, it phones home to the cloud. And the connectors are cattle not  pets. You can refresh them easily. They have no stored config beyond the basic networking config of the underlying OS, and they scale horizontally. They can be grouped for better access to applications.

So the real difference between a traditional VPN model and Zscaler Private Access is that we can bring user traffic in to your applications at multiple points rather than bringing everyone into one egress point and back hauling them wherever else they need to be, and we can do that without exposing applications to unauthorized users, whether those are external or internal users.

So this really lays the foundation for a zero trust security solution. We are not putting end points on your network. We're connecting users to applications, and if the user is not authorized access that application it's invisible. They can't ping it. They can't even detect that it's there. Even if they are authorized to access the application, you can run ZPA in a configuration that they can't see what it's IP address is, and they have no idea whether it's running in the data center, in the cloud, or what location.

This allows us to deliver application based segmentation so rather than having to do complicated network segmentation, you can build simple access policies based on user role and what resource they're trying to get to. And underlying all of this, we can use the internet as our secure network without the overhead of traditional VPN. We use dynamic TLS1.2 tunnels, certificate pinned and mutually authenticated so they can't be man in the middle attacked. And when the traffic transits are cloud, you have the option of using your own PKI for that encryption so that even with the traffic is in our cloud, we can't see into it, and nobody else can either.

So, the benefits of this approach range from the user side to the administrator side to the finance side, and I'll start with the user side cause frankly, that's what I care the most about. I don't have a VPN plant on my laptop for the first time in probably 25 years. And it was really weird at first I have to say. But I don't miss it. I cover the Americas, but I also cover Australia, New Zealand and Asia. So if I'm in Sydney or I'm in Singapore or I'm in North Carolina where I live or I'm at headquarters, I type in and I get my app. Magic.

So it's a faster connection, you don't have the set up time of VPN. We had one organization that was evaluating ZPA, and the biggest obstacle to deployment in their environment was their head of desktop support because he didn't want another agenda to manage on the desktop, and oh my god I feel you. But he had a 40 minute commute by train in the UK. So they enrolled him in the pilot, and he was accustomed to sit down, fire up his cell phone, hot spot to his cell phone off his laptop, and he goes in and out of these train tunnels, and every time the train enters a tunnel, his connect drops, and every time it leaves it has to reestablish. So he's gotten used to waiting 30 seconds a minute after every tunnel. Put ZPA on because of the dynamic TLS tunnels, if he was working on non-interactive things like web browsing or you're reading your email and you click through to a link, it's just there. He became one of the driving forces for deploying ZPA.

From a security stand point, you have a lot of advantages as well. The end points are not connected to the network so you have less concern about lateral movement, about reconnaissance. You have a reduced exposure for those applications, and you have the ability to provide very granular control and visibility of exactly who's going where.

Cost can be a real factor in a security solution as well. In general, one of the first questions that we get asked, especially when you're proposing something that's so different from the traditional model is what's the ROI on this? So Forester actually has a couple of analysts who've been doing some really interesting work on the benefits of security as a cloud service, and we've got a webinar on demand on the Zscaler website, and they've also got some really good white papers on that. But in general, you're reducing your CAPX because you don't have to purchase and refresh hardware appliances. You're reducing your OPX because you have fewer consoles to manage, fewer log formats to get into your SIM. You're reducing the overhead of the expensive IT security staff, who are dealing with basic troubleshooting rather than digging into the real indicators of compromise or the real user challenges that they need to be addressing.

So, our goal is to improve the simplicity of the environment, making it easier to deploy, reducing the amount of on-premise network segmentation configuration, and allowing users to access from any device. We have the Zscaler app for Windows, OS X, iOS, and Android. And we now have browser-based access to web apps so that you can get to it from any platform as long as the user can use a web app.

So, this allows us to address multiple-use cases. The primary one that we started with, that we knew about, was VPN replacement. But then people started coming to us to say, "We really need to use this to accelerate network consolidation after a merger. We have a file share at our company that's on 10115. We have a web server on a company that we just acquired that's on 10115." Who in here is not on the 10net internally? ... Nobody. Okay. That's unusual. Usually I get a couple hands. Everybody's got the same private IP space.

So, when you buy a company and you have to merge, you often have network consolidation, you have to put proxies and all sorts of NAT passthroughs. And if you can use EPA? DNS resolution is done at the connector. So, you don't have to worry about that because the connector will access the resource locally.

Cloud migration is another great use case for this because, as the application moves from the data center to the cloud, you can access it in both locations. The users don't even need to know that anything changed. If they're accessing it by a hostname, literally that's all under the hood to them.

And secure partner access allows you to provide very targeted granular access for individual applications rather than connecting that user to your network.

So, those are all what I consider the use cases of today. But really, they are the prelude to what we're really trying to build with CPA and that is a zero-trust security model. And the idea behind zero-trust is, instead of having access based on where you sit, you have access based on who you are. You use the internet as an untrusted network, but you allow users to access across that network for remote access. Let's extend that concept to on-campus. And this is why I asked about 802.1X.

What if you could control who goes to which application in your environment without having to touch every port? What if you could create the same access policies and have the same visibility for users sitting at their desk that they have when they come in from a hotel? There's some things that you can get on a remote user that are harder to get on an on-premise user.

So it's a software-based solution. It's based on initial work ... the DISA blacknets that were done in the early 2000's. They were trying to do this with IPsec VPN's. And it was a good effort, but the complexity there was just amazing, right? Cause again, site-to-site technology. So, Google took a run at it starting in, I think, about 2011. And they got farther. And they're still building it out today, but they are seven years and, I think, five white papers into it. And not everybody has the resources to do that or a user base that's primarily composed of engineers that they can experiment on, right? So, we need a way to take this model of identity and device-based access and we need to make it scalable for a regular enterprise.

Who in here has more IT staff than you do work? ... I never did anywhere I worked either. So, we need a model that allows you to tackle a complicated problem with as few resources as possible. The zero-trust approach ... we combine with Okta to get to a point where you don't need to worry about whether a user is on or off-premise. Users are constrained in what applications they can access regardless of whether they're at their desk or in a Starbucks. Access is granted to the applications based on who you are, what device you're on, and possibly other context information.

So, Okta is critical for this for us because we consume SAML attributes from Okta to create access policy. And the obvious attributes are going to be something like your name, your group, your role, maybe even your location. But if you look into the future, there's a lot more that we might want to know, like, "What's the compliant state of your endpoint?" Or, "Are you logged in from the U.S., but you're also logged in from China at the same time?" So, we're really looking at a future where Okta becomes a single source of context for behavior, and user identity, and role. And then, we take that context and we use it to create access policy and enforce access rules, and that way we can verify authorization. And then, we can microsegment so that a user gets access on individual segments and no ability to go outside that swim Lane.

So fundamentally, we use Okta for authentication and authorization and that allows us to focus on what we do best. And what we do best is not tying into 73 kinds of MFA and 16 different flavors of active directory on the backend. What we do best is consume a SAML assertion and use the attributes from Okta. So, SAML is fantastic here because it gives us seamless access, easy single sign-on, the ability for organizations to easily modify and deactivate user access. And the end result is we've got a globally available solution that scales wherever you need it. It's easy to deploy, provides a seamless user experience, and reduces administrative overhead, and also lowers the total cost of ownership.

So today, we have Arum DeSouza, the CISO of Nexteer Automotive and he's going to join me to talk a little bit about what Zscaler and Okta can do in the real world.

Arum DeSouza: Thank you.

Lisa Lorenzin: Thank you ... so, I caught a little bit of your presentation earlier. And it sounds like you're really a strong proponent of the cloud-first model. So, I wanted to ask you what does cloud-first really mean to you?

Arum DeSouza: Yah, you know, what I think of the cloud can be distilled into one acronym that I've made. It's called RUSTIC. R-u-s-t-i-c. And I'll explain.

So, "R". It stands for "reliability" and "risk management." It provides you unmatched reliability because no internal IT staff can scale, like you said earlier, to support, right?

Lisa Lorenzin: Sure.

Arum DeSouza: But also, it's risk management too. As you expand your company, have mergers and acquisitions, you know, they want everything yesterday. And you can't provide those services if you're in-house. We all know that, right? The cloud allows you that ... to mitigate business risk from that perspective.

"U" is a concept, I think it's listed on here, is the notion of anywhere, anytime authorized access, right?

Lisa Lorenzin: Ubiquitous.

Arum DeSouza: Yeah, "ubiquitous access." Perfect. So, like you were saying earlier, you don't need clients or anything like that. So, that's really key.

The "S" in rustic stands, for me, for "security" and "scalability." And we'll talk more about the security part later, but certainly scalability is very important. Again, as a business grows ... to scale up, scale down it's a really valuable paradigm. The cloud gives you that.

"T". "T" is actually ... you used one of them earlier. It's notion of "transformation." Especially as we go towards digital transformation, the cloud allows you to reengineer your business processes, have better business models, and so many things. But the second part of the "T" equation for me is the notion of "trust," right? It's trust, not only is zero-trust at the user level ... but actually, I want to stress something: the notion of trusted partnerships, right? At Nexteer, we speak about the power of federation because just as Okta and Zscaler have this trusted partnership, as well, for us, as Nexteer, we value our trusted partnership with providers such as yourself and Okta. And that's the fuel that makes this whole thing work, right?

"I" is the most complicated one in that acronym. Actually, it, first of all, it's "identity," right? Identity is a new digital parameter. We talked about that in earlier call. You know, I think Todd McKinnon talked about identity challenge. It's fundamental because you can't do without it. One of the others "I's" ... it's "interoperability" and "integration," right? And certainly, in this partnership between Okta and Zscaler, we see that thing resonating very powerfully. The interoperability and integration with SAML, the one click, the invisible authentication, right?

And the last one actually, and not surprisingly, is "innovation" because if you do all the above things, you'll be able to innovate your business, deliver better models. And, of course, if you do all the other things, you can get business confidence. So that's RUSTIC for you. And that's what the cloud means to me.

Lisa Lorenzin: Wonderful. Thank you. And so, as a CISO, what do you see as the implications for your organization for that cloud-first?

Arum DeSouza: Well, I think, first of all, as a CISO, you need to build, like an NFL coach, a security playbook. And certainly, I'm a bit tired so I can't recite it ... everything. But there are various tiers in that, right?

The first, most important thing is we need to have a secure enterprise architecture, right? And make sure security infrastructure fit into the global business process and the enterprise architecture. And you saw an example in my previous presentation about layering security solutions and the applications services infrastructure. So, that's the first part.

The second part is one has to always partner with the business, make sure that they understand what you're doing so that when they are consuming a cloud service ... just because they can put something on the credit card and get a cloud service, that doesn't mean that makes it right or even acceptable. They need to make sure that they work with you in IT. They make sure that you're a trusted advisor to them, make it fit into identity-framework, see if it's compatible and those kinds of things. You know, from a cloud-provider perspective, it's very important to have the proper governance, making sure they have the administrative, physical, and technical safeguards in place. You're going to say to me, "Okay, Arum. How do you do that?"

Well, I think if the business keeps you in the loop, I say that not jocularly, we can put certain things in place. We can make sure that we checked the SOC reports of the cloud provided before to make sure there's [ReliaBalance 00:26:54]. We can send, at Nexteer, we send them, like, 54 questions for pre-screening, making sure they are compatible with the security architecture and those kinds of things. And there's a variety of other things that one can do. But last but not the least, making sure that the service fits neatly within the identity framework because we know that's where the ball stops, right? Or the buck stops.

Lisa Lorenzin: Absolutely. And I have to admit, the last probably five years that I spent at Juniper and then Pulse, whenever anybody said Cloud to me I said, "Go away cause all you're doing is moving your problems into a server you can't touch." But it sounds like you've really found a solution to that.

So, can you elaborate on the business drivers that led you to replace the security technology that you were previously using?

Arum DeSouza: Oh, absolutely. There were, I think, a couple of things out of convenience. Some of them were strategic.

So, in no particular order, the reason we actually first moved to Zscaler solution was after our Office 365 migration. We found that the network was choking, it wasn't doing well, etc. And the reason for that is, Office 365 no doubt is a very powerful platform, but it was kind of like the on-prem exchange taken to the Cloud, if you will. So, when you start working with the various clients that are connecting, each client will open up to 20 or 30 connections ... just connect Office 365. And that's a bit silly. So, you know what happens then. The old saying goes, "If you build it, they will come." We just kind of clogging the network. The user experience suffers. So, having been to some conferences and some Zscaler stuff, we got the dialogue going. And we were able to go to Zscaler. It really helped us out, right?

The other thing, at the same time ... speaking about network performances, prior to Office ... Google, but as well as from a proxy perspective, we had the older device-based appliance proxy. The regional hub and spoke model. And this is the greatest enemy of network performance and especially, as we say for ... ubiquitous access is really not good. So, going to Zscaler Cloud provided us that additional paradigm shift of where we went to scalable cloud platform that you just round robin load balancing and these kind of lovely things. So, that's really great.

The third thing is, and you talked about it in your talk, is the synergy with Okta. Okta is our identity management framework. It plugs into play. We're able to service a request like you said. We can do various many things. And last but not the least, I think, obviously, we wanted to find the synergy between Okta and Zscaler to power our business and enhance the user experience.

Lisa Lorenzin: Definitely. User experience network performance. And I'm always excited when I'm talking with a potential customer and I hear that they have Okta because I've literally been on calls where they say, "Okay, we've got our SAML administrator. We've got our ZPA administrator. Let's tie these two things together." And ten minutes later we're off the phone. I mean, it's just ... it's so simple.

So, generally security is perceived to be a constraint on business. Negative user experience. It sounds like you're having better user experience with Zscaler and Okta. Can you go into detail on that?

Arum DeSouza: Yes, absolutely. Let me rewind the clock a little bit. When I joined Nexteer in 2015, one of the first things I did was actually say that I'll do an enterprise risk assessment. Not that I'm a glutton for punishment. I did it by myself because it gave me the opportunity to go into the length and depth of the business, build a relationship, start to get the people while accomplishing the mission, right?

Whereas on the one side, we identified seven key risk, which I said in the previous talk: IP protection, cloud computing, governance, email security, onboarding, offboarding and those kinds of things. I made an action plan for that. What you're going to do for about 18 months to 2 years. But the closing slide ... I said to upper management, "You guys are very familiar with using security, you know, tactical level. What I talked about: the fence and the dog. I mean, the firewall and the content filtering. But we're going to transform it from the tactical to the strategic. With three key principles, right? The first thing is to use security as an enabler. Drive your business process re-engineering. And the third is to fuel innovation."

Because, you know, the worst enemy of IT and security is when you are becoming bureaucrats and saying no. The Department of No. And I have never been like that. I just hate it, right? So, in fact, fast forward now. We're actually done many of those things, right? So, let's see the scorecard. Security as an enabler. Back in the day, people used to write their passwords on sticky notes, stick it under the desk. That's a big enemy of security and it's not productive, right? So today with Okta single sign-on and the pass through, all that's gone. With our onboarding, offboarding project, the identity life cycle management project, provisioning, de-provisioning. It's pretty seamless. And even provisioning through Zscaler services to Okta is- 

Arum DeSouza: And even provisioning to z-scaler services, doctors, is automatic right?

And so we've done those kinds of things to earn the trust of the business, I mean if I just said those 3 phrases, 3 years ago and then nothing about it, no. But the thing is, the real powerful story in this is not only the fact that we said those, it's the ability that the two things and the two T's, trust and transformation, right? And the trusted partnerships and the equal system working together in one unified fashion. So I think that people see that and they appreciate that and it's been a big success.

Lisa Lorenzin: You build a partnership and you gain their trust, and then you're all able to transform together. It's very cool.

So how did you do that though without compromising on security and privacy requirements? Because I hear that is a big concern when you move data into the cloud, or you move services into the cloud.

Arum DeSouza: Well, you know I think it's back to the security playbook.

Lisa Lorenzin: Mm-hmm (affirmative)

Arum DeSouza: The due diligence and the governance, right? Well it's a two-fold governance. Obviously, we have a playbook to select the cloud and making sure it fits into enterprise architecture, it fits into identity framework and all that, making sure they are secure.

But the thing that I'll stress is the people, process, technology dimension. So you can do everything you want pre selecting, but you need to have the right business process, the right user behavior, the right you know. It's a culture change really. You need to focus on culture change, education, trading and awareness is key. It's not a magic bullet, it's a process, it's a journey, but you know, one of the things, the power of iteration that we do is, you know if it was just one our own singing the message, they'd tuned me out.

Lisa Lorenzin: Mm-hmm (affirmative)

Arum DeSouza: So the power of iteration means we have like, you know, people first of all across different groups of IT, across global and regional IT, we're building partnerships with HR, with purchasing ... to make sure that they are actually embracing the message and spreading the word. And not everyone drinks the Kool-Aid immediately, but nevertheless I think people are beginning to understand the power of iteration because at the end of the day, someone said earlier, "We are better together." It's true.

Lisa Lorenzin: Yes, and you can't force people to do something but if you show them the benefits, you can make them want to do it, or understand why it'll help them.

Arum DeSouza: Right, absolutely.

Lisa Lorenzin: So you're well under way on that network transformation. Do you have any thoughts about a zero trust model as some strategic point down the road?

Arum DeSouza: Well, you know I'm not sure everyone here knows what zero trust is. I know you talked about it, but just from my perspective, I heard about zero trust a few years ago, in 2013 -

Lisa Lorenzin: Mm-hmm 

Arum DeSouza: ... and there was a guy called John Kinderwag -

Lisa Lorenzin: Yes.

Arum DeSouza: ... who I believe worked a forester and at the request of NeST. The National Institute of Standards and Technology did a study and he came up with the zero trust model. And basically some of the key points that they said, the first things he says, "Stop trusting packets like they are people. There's no such thing as a secure internal network and trusted internal network, untrusted external network.

Lisa Lorenzin: Mm-hmm

Arum DeSouza: You know, all networks should be untrusted. And that is like, come on. That's really great.

So you know fast forward today, five years later. I think it's a doable proposition right? Because you know, one thing I have to say before I go further is understanding the notion of the identity coin. There's two ... for me the identity coin is twofold, right? There's the classical well known one; person, device, location, who, what, where kind of a thing. We all know that. What's the logical side of the coin? It's the attribute base control, the behavior of base control, the contextual access control, and the role-based access control. So, when you take all those into a dynamic paradigm, that's done through an adaptive multifactor and things like that. That's the way to go.

But it also means realizing and leveraging identities, digital parameter, and making sure there is you know, robust interoperability integration. Because I do see the day coming. I read an article the other day that the rise of the invisible identity.

Lisa Lorenzin: Yes.

Arum DeSouza: And I know it was touched upon earlier today because based on you know, balancing the various sides of the identity coin through Okta and the adaptive multifactor and Zscaler working together. I think it can be done, but I think at some point in time the thing is the users are going to have to pay a little bit of pain, right? What I mean is ... see, remember the identity coin. We can do all the beautiful things on the logical side. You can do all the things like Okta with showing, but if you really want to be secure, you need to validate the device as well.

Lisa Lorenzin: Yes.

Arum DeSouza: So you know, for example we could get the certificate to the device. So we have to take a little bit of pain for not remembering passwords so I think zero trust is feasible but again, it's a culture change. People need to know that instead of taking just one authentication token, they may have to take a second. But to me, that's a small price to pay.

Lisa Lorenzin: I hear you. And I think that as the concept of identity as a spectrum rather than just a point in a line. As that matures, the way that we check that can also mature. So the device posture initially I think, will be a little more intrusive but then as we can gather that data from backend systems, again it will go under the hood the way everything else is.

Arum DeSouza: Absolutely.

Lisa Lorenzin: So, do you see zero trust as feasible even if a multi-cloud environment as data moves out of the enterprise?

Arum DeSouza: Yes, I do believe so. And if you'll remember the definition of John Kinderwag, right? You're not going to trust networks. You're not going to trust packets. What they're going to actually trust are users and data. And you spoke about that earlier very eloquently, better than I could so I'll just steal your line, right? I think when you start focusing on users and data and then wrap identity around them when the fabric and the cornerstone. I think zero trust is fully achievable. And I don't think we really have a choice and I'm going to tell you why.

See, as we get into the era of the fourth industrial revolution and we get all this gnarly ubiquitous connectivity, everything connected together, we need to be able to have you know, the federated trust model to work. Because how do you validate you know, I'm connecting my fridge to the internet. How does it know it's really me? I want to connect to my microwave. How does it know it's me? So I think I see, for example, you know like fridges be part of a network, and then microwaves are part of a network, and you could be traversing, you can say bridgehead gateway devices across the internet, wrapped in a layer of identity token using two sides of identity coin. So I see that day coming, so federation, federated identity, I think those are the key enablers for Zero Trust.

Lisa Lorenzin: Okay. Thank you. So given what you know of Zscaler or Private Access, I know that you've deployed Zscaler internet access fairly broadly in your organization. Do you see private access as a path to get you to Zero Trust, or do you see it addressing other use cases in your environment?

Arum DeSouza: Probably both, so let's take one at a time. So I think as it says on the screen, one of the key paradigms of next year is the principle of convergence, consolidation, and collaboration, right; the ubiquitous, to use your word, collaboration anywhere. So today we've moved away from the device-based proxies, but I'm not going to mention the manufacturer. But we do still have the you know, regional hub and spoke based you know, private networking. And to me that doesn't scale very well.

Lisa Lorenzin: Mm-hmm (affirmative)

Arum DeSouza: In fact, one of the powerful things we've done with Okta really is the ability to serve single sign on to internal applications through a device called SPGateway, which is a reverse proxy, and provide that user experience. So that model of hub and spoke, appliance based proxies is dead. So what I'd like to do at some point in time would be to move to a scalable cloud platform -

Lisa Lorenzin: Mm-hmm (affirmative)

Arum DeSouza: ... which hopefully ZIA ... because it allows this leverage, allows this synergy with you know, a success for your company. It's a good product. I've certainly seen it from a Zero Trust perspective. I think there's a lot of play and value there too for the same reason I mentioned. Because when you get away from the limiting device-based appliance to a truly scalable cloud solution that has modules working well together, and with the identity framework and other partners, I think that's really a recipe for successful Zero Trust if well-designed.

Lisa Lorenzin: Wonderful. Is there anything else that you'd like to share? Any final thoughts before we open it up to a few questions?

Arum DeSouza: Well, I think you know, I'm going to sound like a broken record, but I think trust is a big thing. Trust is a big thing; trusted partnership, trusted identity you know. And these are the sort of underpinnings for the digital transformation and powering secure use for the fourth industrial revolution.

Lisa Lorenzin: It's really fundamental. Absolutely. So we have about five minutes left, so if there are any questions we can take a few questions. If you want to raise your hand, I believe the nice lady with the microphone will find you.

Arum DeSouza: (laughs) (pause) No questions, huh? (laughs)

Speaker 2: So I live in Midland Michigan, so I have to shout out to Michigan. (laughs) Is uh, next year now like completely without any VPN appliances?

Arum DeSouza: No, that's what I was saying. We do have VPN appliances today. There's another manufacturer, and the goal shall be to merge them to Zscaler. It's just you can only work on so many things at one time. But certainly the synergy with Okta and Zscaler. It's something we're looking at to do later down this year.

Lisa Lorenzin: So you're fully deployed with Zscaler internet access -

Arum DeSouza: Yes.

Lisa Lorenzin: ... but haven't yet started with private access.

Arum DeSouza: Correct. Not yet. Yeah.

Lisa Lorenzin: Okay. Any other questions?

Speaker 3: Hi. You mentioned device compliance checking earlier.

Lisa Lorenzin: Yeah.

Speaker 3: Was that a capability you're looking for handling on the Zscaler side, or something on the Okta end with some of the capabilities that -

Lisa Lorenzin: Both, actually. So we have basic device posture checking built into ZPA today, and the goal there is to identify whether it's a managed or an unmanaged asset. And if it's a managed asset, to identify whether it's a corporate-owned or a BYOD, or personal device. So that's sort of ground zero for posture, right? Do you own it or not? Can you control it or not? The future for posture checking with ZPA would be then to expand to compliance-based checks. Do you have full disc encryption, is your anti-virus up-to-date, are you patched? And there's a couple different approaches for that. One is to ask the endpoint, and that's been the legacy VPN solution. Put a host check or a health check on the endpoint as part of the VPN client. That model's really hard to scale, because you have to keep up with everything on every endpoint. And also, you're trusting the endpoint to report its own health, which if you have a root kit or something that interferes with that report, you've got a problem.

So what I see as the future of endpoint posture checking, is integrating intelligent backend systems with your identity provider, so that instead of asking your endpoint whether it's compliant, I get a SAML attribute from Okta that was populated by your endpoint software management, or your security software. So we sort of have basic checking today. We have the path that we're going in the future, and we have the partnership with Okta to pull that in a more intelligent way than has been possible in the past. Thanks. (pause)

Speaker 4: Yeah, so you were talking about how Zscaler solved your network latency problems. Is that just because it reduced the number of sessions?

Arum DeSouza: Yeah. I think that's a multi-tiered answer, and Lisa, jump in. You're the Zscaler expert. (laughs) But ... No, I think a couple of things right? I mean we are a legacy company, many years old company, and the network wasn't quite ready for transformation like that. So I think it exposed chinks in the armor that were already there. So certainly using Zscaler and the connection management, and the partitioning ability to save 40% of the cloud to Zscaler. Certainly helped to reduce the congestion.

So I think there's more things we can do. I think at the last mile, putting devices like Riverbed or something like that to actually make it much better. But I think what Zscaler helped us to do was to sort of better manage those role connections and then partition the connectivity if that helps. And if you'd like to say something ...

Lisa Lorenzin: That's definitely a factor, and in general what we find is that local breakout, rather than back hauling all that traffic to a data center and sending it out, where you're really doubling the amount of traffic on your network for outbound protection, is one of the biggest wins in network performance. And unfortunately we're out of time for right now, so I just want to say you can find this and other case studies on our website. And we also have several things on the seats for you. So please do fill out the Okta survey card for entrance into the drawing. And also, if you're interested in seeing more of our Zero Trust security solution, we have a demo at our booth; G7. You can also enter to win the NikeiD shoes there, or by going to, which will run you through a basic check of what security you have in your organization and show you what you could possibly benefit by installing ZIA or deploying ZIA. But thank you very much for joining us.

Arum DeSouza: Thank you.

Legacy on-premise, perimeter-centric security solutions were not designed to efficiently or effectively manage risk for cloud-first enterprises. In this Oktane18 session, learn how Okta and Zscaler have combined their purpose-built, multi-tenant clouds to establish a secure foundation that enables enterprises to seamlessly protect user’s internet access to web and cloud resources, and remote access to enterprise applications. Come see how enterprises have simplified operations and increased business agility, without compromising security.