Twentieth-century security approaches are no longer fit for purpose. With applications and data distributed more widely than ever and users operating from different locations, security strategies must evolve.
Dhawal Sharma, Executive Vice President, Product & Product Strategy, says this is what drove Zscaler to create a cloud-first security platform that is founded on the principles of zero trust in the cloud-based world.
“You cannot build Netflix by running DVDs in the cloud. It’s the same analogy. When we started building this company in 2008, we saw that everyone would start using more applications from the cloud and people would be working from anywhere. We could foresee that security would move to the cloud.”
As new services, applications and ways of working evolved, more security tools were added. That led to two major issues: increased complexity and a greater chance of gaps where the existing security stack did not cover the ever-expanding threat landscape.
While zero trust has been a key security concept for some time, Sharma says Zscaler built its cloud-native security platform before zero trust became an industry buzzword.
“In simple terms, zero trust says you do not trust anything until it’s verified,” says Sharma. “We have built a platform that can validate identity, workloads, and data movement in real time. It’s not just about verifying an identity at log-in but continually assessing if that identity is being used in a way that adheres to policies. This goes for regular users, IoT devices and any other application or service.”
Rather than relying on physical appliances such as firewalls, this approach is more flexible and scalable. It means that as an organisation grows it doesn’t need to invest in more hardware. Zscaler can support organisations as they expand globally with over 160 points of presence around the world. This enables organisations and users to establish a secure connection to the internet and cloud applications from almost anywhere.
The firewall-free future
Sharma says the use-case for traditional firewalls is disappearing.
“We have a practical roadmap to a firewall-free enterprise. Whether you deploy firewalls for VPN user access, in branches or data centres, or in public cloud as virtual firewalls, we can replace all these use cases. Firewalls were built to secure a perimeter. That paradigm is gone.”
One of the big challenges organisations face is the ephemeral nature of many threats. Attackers create new domains, establish containers and use other tools that can appear and disappear in minutes. Zscaler helps organisations manage these risks by limiting access to newly created or observed domains. Sharma says the platform allows access but restricts activity such as the ability to copy, paste, upload and download.
Almost every piece of threat research finds that users are a major point of vulnerability. Zscaler understands this risk and assigns risk scores to users at least every two minutes. It also quantifies organisational risk using four broad metrics: the threat surface, the ability for an attacker to move laterally in a network, indicators of compromise, and data loss.
Traditional approaches to these risk areas meant deploying firewalls to monitor and block east-west and north-south movement, using data loss prevention (DLP) tools and looking at threat feeds. But the volume and complexity of data make it difficult to employ a robust zero trust strategy. Sharma explains that this is where AI and machine learning are valuable.
“We use AI to learn user behaviour and how applications talk to each other and build policies with recommendations to minimise the risk of a breach or compromise. We also use it to overcome the issue of false positives and negatives in DLP that led to DLP tools being only used for detection. We are using AI to enable DLP tools to work in prevention mode in many large banks.”
The future of security
Looking ahead, one of the key challenges organisations face is data protection in the post-quantum world. Quantum computing will render many of the cryptographic controls we depend on obsolete. Just as Zscaler was prepared for the distributed cloud-based world we operate in today, it has been working on post-quantum technologies for several years.
“We are rolling out decryption for post-quantum ciphers later this year and early next year. And our customers won’t need to take on the computing load. We are optimising our engine to support that,” says Sharma.
Agentic AI is also a major area of focus for Zscaler. Sharma explains that adoption is nascent because agentic AI lacks a proper identity and authorisation framework. Because Zscaler provides the gateway for access to cloud services, it has the coverage to sit between agent-to-agent and LLM-to-agent communications, whether they are tied to a non-human identity or a digital twin of a user.
Sharma says, “The key foundational belief for our zero trust architecture is that every action on every endpoint needs to be verified. A zero trust architecture built with modern tools minimises complexity and helps businesses securely operate and scale.”
If you would like to learn more about Zscaler, please visit https://www.zscaler.com/