One of our cultural values at Zscaler is customer obsession, where every employee is expected to not only go beyond customer expectations but deeply understand customer challenges to better help solve them. Conviction about how to solve the problems enterprises face doesn’t come from reading news articles or analyst reports (though both can be helpful) but by having as many open and direct conversations as possible.
As we’ve extended our Zero Trust Exchange platform over the past two years to protect cloud native applications and workloads as well as users, our product teams and leadership have had hundreds of these conversations. What did we learn?
In today’s cloud native environments, development teams are innovating faster than ever before. Application development methodologies are moving away from the traditional “waterfall” model toward more agile continuous integration/continuous delivery (CI/CD) processes with end-to-end automation. This means developers have embraced microservices-based architectures built using containers, assembled in DevOps-style development pipelines, and deployed programmatically into cloud infrastructures.
Unfortunately, security tools have not kept up and are ill-suited for the speed and scale of developer-driven, API-centric, infrastructure-agnostic cloud native applications. Most organizations today use an acronym soup of tools to achieve complete cloud security coverage. CSPM, CIEM, IaC scanning, CWPP, CNAPP, DLP, vulnerability scanning, and more are all part of the standard “stack,” with some coming from cloud providers and others from third-party security vendors.
These point cloud security tools do not integrate together, address only very narrow security weaknesses, and have difficulty correlating risks leading to issues such as lack of visibility, complexity, and friction among cross-functional teams that slows down overall progress.
To meet the scale and speed of cloud native application development, organizations need a comprehensive security approach that envelops the entire CI/CD lifecycle to integrate seamlessly with developer and DevOps workflows. Such an approach necessitates a simplified architecture that correlates across cloud and workload weaknesses to prioritize true risk and deliver remediation via each stakeholder’s preferred workflows as early as possible in the development process.
When taking on substantial new areas like this, it’s common for people to say that you need “startup DNA” on the team. But, others will say that “there’s no substitute for people who’ve scaled up a platform and lived to tell the tale.” With posture control, the team we’ve built comes from the best of both worlds.
We’ve significantly expanded the teams that came to Zscaler via our acquisitions of Cloudneeti and Trustdome. We’ve hired entire teams that have scaled other cloud security platforms to cover new areas such as vulnerability scanning and DevOps integrations, and we’ve made internal transfers from the team that built Zscaler into the cloud security juggernaut that it is today.
The result? A team of hundreds of sharp, highly motivated engineers with startup DNA and a proven ability to scale—all of whom are laser-focused on public cloud security and our latest product, Posture Control.
Zscaler Posture Control is a comprehensive CNAPP that reimagines cloud security. It’s purpose-built to identify hidden risks across the cloud native lifecycle caused by a combination of misconfigurations, threats, and vulnerabilities. The platform correlates signals across several cloud security engines to identify and prioritize cloud risks and security incidents. An entirely agentless architecture streamlines workload security (for 100% of workloads), and native tool integration means developers and DevOps can identify and remediate security issues without slowing down work.
Figure: posture control new and comprehensive user interface/alerts dashboard
Critically, posture control was built from the ground up as an entirely new platform. The expected route would’ve been to combine technologies like CSPM, from our acquisition of Cloudneeti, and CIEM, from our acquisition of Trustdome, into a single UI and single user account, but such an approach wouldn’t solve the challenges that we’ve heard from our customers time and time again. Only by rethinking every aspect of the product, from onboarding and deployment to risk scoring and prioritization, can a product like this capture the needs of today and tomorrow.
Figure: advanced threat and risk correlation investigation and attack path results
At the heart of the platform is a unified database that pulls from many different sources to identify and analyze the combinations of cloud and workload weaknesses that attackers are most likely to exploit. The resulting risk-based prioritization makes InfoSec teams much more efficient.
Native integrations into development and DevOps workflows allow those same teams to partner more effectively with the CTO’s organization, minimizing costly and time-consuming security reworks as well as the number of weaknesses that make their way into your production cloud environments.
Combined with Zscaler Internet Access (ZIA) for Workloads and Zscaler Private Access (ZPA) for Workloads which secures applications at runtime, Zscaler Posture Control provides comprehensive protection for both cloud native and traditional applications running on any service in any cloud.