Day two of Zenith Live jumped right into our third innovation keynote of the conference, focused on our initiatives to extend zero trust connectivity beyond users to workloads and IoT/OT devices. In the same spirit, I’m diving right into key takeaways from the second half of our main event in Las Vegas.
Extending zero trust connectivity beyond the user
Dhawal Sharma, Zscaler VP & GM of product management, pivoted in his keynote from a security to a networking focus, taking the audience through the evolution of networks from monolithic, as workforces worked almost exclusively from corporate offices, to gradually more distributed leading up to the pandemic until ultimately taking their current hybrid form.
For the past 30 years, Dhawal emphasized, IP-based networking worked well. But the movement of employees from behind the corporate firewall and increasing adoption of cloud-native applications mean routable networks expanded attack surfaces beyond reason. The Zscaler Zero Trust Exchange addresses these shifts, allowing users to be connected to resources without the need for routable networks, effectively hiding both from internet onlookers.
Establishing this history is essential to understanding what we mean by extending zero trust connectivity. Many users sit outside the corporate network today, and workloads and IoT/OT devices make up an increasing proportion of corporate traffic.
Workloads require a zero trust connectivity framework at the cloud level. Employees and IoT/OT devices need a zero trust connectivity framework wherever they reside. We released Cloud Connector and Branch Connector to cover these use cases. According to Dhawal, it is akin to the shared responsibility model in cloud computing. We aim to shoulder the responsibility for zero trust connectivity to lighten the load on our users. In other words, we are automating how users bring traffic to the Zero Trust Exchange.
Cloud Connector innovations
Brian Lazear, Zscaler Vice President, Product Management, took over for a deeper dive into the cloud workload innovations. Brian discussed three core challenges facing cloud development and security practitioners:
- Operational complexity – With hundreds of workloads in existence at any time and new ones being constantly created or retired.
- Manual segmentation – Unrealistic given the number of existing workloads, which can expose organizations to attacks and data loss.
- Multi-cloud environments – That often must be managed independently of one another due to nuances between platforms.
He then explained how Zscaler helps address these challenges:
- Simplifying operations through the enhanced, near real-time visibility of workload discovery-as-a-service, plus infrastructure-as-code integrations for easy templating and granular configurations that can be tied to ZIA and ZPA policies.
- Automating segmentation with app-to-app controls, machine learning-backed grouping policies, and visibility into which apps talk to which others, enabling true microsegmentation.
- Unifying multi-cloud environments by adding Google Cloud Platform support alongside the existing AWS and Azure offerings. New capabilities from our partnership with Equinix allow push-button direct connectivity to the Zscaler Zero Trust Exchange for uniform policy enforcement.
Managing a multi-cloud environment was especially taxing for NOV VP of IT Patricia Gonzalez-Clark. "They're very similar, but then they each have their own nuances. That's why we are especially excited about the advances to the Zscaler Cloud Connector, especially policy by tags."
Branch Connector innovations
Cafe-like connectivity is the gold standard for branch locations, confirmed Zscaler VP of Product Management Naresh Kumar. He took to the stage to explain how Zscaler Branch Connector innovations make it possible to open a laptop and connect to the business from anywhere.
To do so securely, we focused on removing the need to connect different office branches using SD-WAN-enabled site-to-site VPNs. These entail a discoverable attack surface and can enable lateral movement if breached. Instead, the Zscaler Branch Connector is a network edge function that forwards traffic via a TLS tunnel with no overlay network required.
Essentially the same technology powering ZPA today, Zscaler Branch Connector provides a singular path for traffic from the branch office to the Zscaler security cloud. No attack surface. No opportunity for lateral movement.
This innovation keynote ended with Zscaler Sr. Director, Product Management Javier Rodriguez Gonzalez and Sunbelt Rentals EVP, Chief Digital & Technology Officer JP Saini expounding on the benefits of Zscaler Digital Experience (ZDX) and its new feature set.
AI enhancements simplify diagnosing performance degradations for customers by automating the discovery of problems with, for example, an internet service provider. This feature pinpoints issues quickly and delivers reporting on which users are affected and possible remediation steps, all at a speed only possible with AI assistance.
ZDX "allows our teams to be more proactive in identifying issues and pursuing remediation accordingly," said JP.
Taking a digital transformation road trip with CarMax
Shamim Mohammad, EVP & Chief Information and Technology Officer at CarMax, walked attendees through a phased digital transformation journey. Founded on the idea that buying a car could be straightforward, CarMax and Shamim were determined to make their zero trust implementation equally easy.
Though it broke the mold, CarMax had a more challenging time innovating in IT. Before its transformation, the company was sitting in a massive legacy environment. Hairpinning traffic through the data center was causing latency and fragmenting the customer journey. So CarMax established two goals:
- Strengthening the business by setting the standard for the digital car buying experience
- Overhauling IT operations by prioritizing cloud-native productivity solutions for its workforce
By migrating business applications to the cloud, CarMax could operationalize the massive data sets it had amassed across its roles as a direct-to-consumer car dealer, vehicle wholesaler, and financial institution (as a top-10 auto lender). The migration also shifted mindsets among Shamim’s team from project completion to business enablement, inspired by the feeling they could contribute to the company’s success.
Next, CarMax locations switched to local breakouts so users could access the internet directly. The employee experience improved, network-related costs cratered, and security enforcement became more manageable.
According to Shamim, CarMax is now confident that the online car buying experience is secure for customers, and the company can provide excellent insights garnered from its large dataset.
"One thing I love about Zscaler is they're innovating," he said. "As a company focused on being an industry leader, we need a partner that can innovate."
An integrated solution to distributed data protection
How can data protection be secure, simple, and productive? For Zscaler SVP Take-Off Teams, Willie Tejada, that is the fundamental question driving his team to dream up innovative ways to keep organizations safe from data loss and theft.
To rise to the challenge, Zscaler GM & VP, Data Protection Moinul Khan said his team has delivered over 70 new features in the past six months. To what end? Comprehensive, fully integrated data protection capabilities with the least burden on Zscaler users.
New features advancing this goal include:
- AI/ML-powered automatic data classification and enforcement – Using sophisticated techniques to automatically classify data on the wire according to categories and enforcing rules based on policy.
- Improved incident management – Automatically notifying users of data loss prevention (DLP) rule violations and providing the opportunity for justification of that action.
- Cloud app control – Granular policy control over applications like ChatGPT, with rules that allow use but block actions such as uploading source code to third-party apps.
- Data protection for unmanaged devices – Enforcing remote browser isolation to block uploads and downloads and copy-and-paste, and adding watermarks to discourage screenshots.
- Email DLP – SSL/TLS inspection of outbound mail that checks subject lines, body text, and attachments for DLP violations.
These capabilities are essential for John Graham, CISO at NetJets. His company holds data critical to ensuring its elite clientele is comfortable and accounted for on private flights, and their privacy is paramount for NetJets. After hiring a red team hacker to prove that somebody could steal client information from cloud applications, John called in Zscaler.
"We utilized the Zscaler team to actually prove that, not only could we see this happening, we could stop it," John said. "It proved itself out right away."
For Equinix Deputy CISO Gene Casady, the most valuable data protection capabilities involve a cloud access security broker (CASB) solution. As an administrator of SaaS apps, Gene was looking for a CASB that integrated several functions into a single solution to reduce cost and simplify operations. He looks forward to seeing how the latest product enhancements will increase efficacy.
"What I'm most excited about is seeing how Zscaler will apply AI and ML models cross-functionally to my unique data sets to produce more accurate and actionable alerts," he said.
Zenith Live 2023 in Las Vegas has wrapped. We look forward to hearing from more customers at Zenith Live EMEA in Berlin on June 26-29.