Zscaler CEO Jay Chaudhry On Why He Touts Zero Trust, Not SASE
‘With SASE, I think Gartner says it’s SD-WAN plus SSE. SD-WAN is anti-zero trust,’ Chaudhry said in a recent interview with CRN.
Chaudhry On The Record
As cybersecurity vendor Zscaler continues to enjoy strong growth and aims to boost its reliance on channel partners, its founder and CEO, Jay Chaudhry, wants to be clear he believes the focus should remain squarely on zero trust. While many have pointed to the overuse and misuse of the term “zero trust” in security — Chaudhry among them — he contends it is still the right way to describe the overarching answer for today’s cybersecurity challenges.
Chaudhry also believes that other terminology that has emerged is not as ideal. For instance, SASE (secure access service edge), a Gartner-coined category that includes zero trust as one of its goals, is not getting much airtime from Chaudhry. During his keynote at Zscaler’s Zenith Live 2023 conference in June, Chaudhry did not mention SASE or SSE (security service edge), while bringing up zero trust at numerous points.
In a recent interview with CRN, Chaudhry said this was very much an intentional move. “I want to talk about architecture. Zero trust is the architecture,” he said during the interview, which took place during Zenith Live. “The education [for customers and partners] needs to be at the architectural level.”
Chaudhry pointed to another reason for not wanting to emphasize SASE, as well. One of SASE’s key components, SD-WAN, is actually at odds with enabling a zero trust architecture, according to Chaudhry. “SD-WAN is anti-zero trust,” he said. “SD-WAN says, ‘Once you get on a network, you can go anywhere on the network.’ Zero trust says, ‘Sorry, I’ll only connect to your application.’”
Zscaler is happy to work with vendors who provide SD-WAN, and to support customers who want to use that approach, he noted. (Zscaler is, in fact, an example of an SSE vendor that offers well-integrated SASE capabilities through partnerships and integrations with leading SD-WAN providers, Gartner analysts said in a report last fall.) “But we are not [doing SD-WAN],” Chaudhry said. “I’ve always said we won’t build SD-WAN, and we won’t buy SD-WAN.”
Ultimately, “security and network needs to be decoupled. Network should be simply plumbing,” he said. “So trying to [deploy] security and network, from the same vendor, doesn’t make a lot of sense.”
In the interview with CRN, Chaudhry also discussed Zscaler’s aspirations to reach smaller businesses with its products, why he thinks firewalls continue to be popular and how Zscaler is differentiated when it comes to generative AI capabilities.
What follows is an edited portion of CRN’s interview with Chaudhry.
Do you foresee a world that doesn’t have firewalls in the future?
Almost, but not quite. Firewalls will become like mainframes. I used to sell mainframes during my days at IBM. A bunch of them are still there, running somewhere. But they become incidental, because the world they were designed for was different. Firewalls are designed for knowing that your servers are sitting in these data centers, and they need to be protected — that castle-and-moat. Now your data is everywhere. You’re not really trying to create these castles with firewalls. You are connecting the right party to the right party. And these parties are not even exposed to the internet. We, as a switchboard, are connecting them [to their applications]. We connect the people so their applications go dark from the internet, they can’t be discovered. It’s the opposite model. It’s not securing the network. The network is nothing but plumbing.
How far off do you think it is, that we’ll move into this world without firewalls? Decades away, or years away?
Sales of firewalls are pretty good. Probably if you look at the product budget [for cybersecurity], close to half the product budget is in firewalls and VPN. So every customer knows them. They get breached, they do what they know — they buy more. They call the firewall vendor [and they’re told], “Buy more firewalls.” It’s a stupid thing.
But our customers are getting it. They’re progressive, they’re forward thinkers. They’re probably going to tell you that the firewalls are not that important for them. They’ll probably tell you they’ll have them in a data center for a while [to come]. But it’s a matter of time. I think in coming years — it may be three, four or five years — I think it’ll become non-critical. It’s not a decade away. But right now, when breaches happen, and the board is worried, they go and buy firewalls.
I think they will wake up. Forty percent of Fortune 500 companies are our customers. They get it. But there are lots of others who don’t get it. In terms of our overall market participation, while we are high in the Fortune 500, when you start coming down, our share is high teens. So the rest of the world is still on the old-school architecture.
Some of them don’t fully understand the difference [in what Zscaler offers] because the legacy guys are busy with their marketing propaganda to claim they do zero trust. And inertia — combined with the [firewall] vendors saying, “I’ve got it, don’t worry about it” — is holding some of them back. But it will go away. It’s a matter of time.
Do you see an opportunity in bringing Zscaler to smaller businesses?
Our No. 1 market is the top 10,000 companies. And then there’s the next level, and you sell them differently. So different channel partners play a role at different levels. In large companies, large system integrators and service providers play a role. The more you come down to the smaller market, a broader [number of] channel players have a role. And that’s why Karl [Soderlund] is here, to help us leverage the channel more than we have leveraged it.
His mission is not just to take us to smaller customers. Even larger customers, and working with system integrators, is a big opportunity. He has spent most of his professional career working with channel, so he brings more sophistication on channel programs, more relationships. He is going to help us refine some of the programs.
Would you go so far as to say that the next phase of your growth with Zscaler is going to be a lot more reliant on partners?
Absolutely. Leveraging partners is critical for us to accelerate our business growth to the next phase of $5 billion [in annual recurring revenue] that we’re trying to get to.
I don’t think I heard you say anything [during the Zenith Live keynote] about SASE or SSE. Do you feel like zero trust just resonates better at this point?
Zero trust is the real architecture. SSE — Gartner keeps on adding, removing things. It’s a collection of things. I want to talk about architecture. Zero trust is the architecture. If you’re talking about an electric car versus a traditional car, that’s [a difference in] architecture.
The education [for customers and partners] needs to be at the architectural level. With SASE, I think Gartner says it’s SD-WAN plus SSE. SD-WAN is anti-zero trust. SD-WAN says, “Once you get on a network, you can go anywhere on the network.” Zero trust says, “Sorry, I’ll only connect to your application.” So we support vendors who provide SD-WAN. If my customer is doing SD-WAN, we support that, we integrate. But we are not [doing SD-WAN]. I’ve always said we won’t build SD-WAN, and we won’t buy SD-WAN.
So SD-WAN is contrary to the whole zero trust architecture, in your view?
Exactly. And also, security and network needs to be decoupled. Network should be simply plumbing. So trying to [deploy] security and network, from the same vendor, doesn’t make a lot of sense.
You’re obviously not promising to deliver all the pieces needed to get to zero trust, but you’ve been adding more elements — you just announced identity threat detection for instance. Do you feel like Zscaler is getting the closest to fully delivering zero trust?
We’ve got more pieces than anybody else. If you were to talk about zero trust in three simple things, it’s No. 1, who are you? It’s checking identity. No. 2, the device you’re coming from, is that trustworthy with the right posture? CrowdStrike, Microsoft do that. Three, based on the policy, connect me to the right party. So we are the switchboard sitting in line connecting party to party. So we are an important piece of it. We are able to check many more things than others can check.
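The two access models Chaudhry contrasts in this answer and earlier (a network that lets an on-net host reach anything, versus a broker that checks identity, device posture and policy and then connects the caller to one application) can be shown side by side as a decision function. The following is an added illustration written for this page, not code from Zscaler or from the interview; the users, devices, applications, address ranges and posture checks are constructed placeholders, and real products evaluate far more signals than this.

```python
"""Added example (not from the article or any vendor): a flat-network access
decision next to an application-level zero trust decision.

All identities, devices, apps and addresses below are constructed for the
illustration. Posture here is a minimal managed/encrypted/EDR triple; a real
broker would evaluate many more signals (OS patch level, certificate, risk score).
"""
from dataclasses import dataclass
from typing import Optional, Set
import ipaddress


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    src_ip: str
    target: str  # application name (zero trust) or any destination (network)


# Constructed identity and device inventories (hypothetical).
USERS = {
    "alice": {"groups": {"finance"}, "mfa": True},
    "mallory": {"groups": set(), "mfa": False},
}
DEVICES = {
    "lap-01": {"managed": True, "disk_encrypted": True, "edr": True},
    "byod-7": {"managed": False, "disk_encrypted": False, "edr": False},
}
# Per-application policy: who may connect and what the device must satisfy.
APPS = {
    "payroll": {"allowed_groups": {"finance"}, "require_mfa": True, "require_managed": True},
    "wiki": {"allowed_groups": {"finance", "eng"}, "require_mfa": False, "require_managed": False},
}
# Network model: every application host lives in one routable corporate range.
CORP_NET = ipaddress.ip_network("10.0.0.0/8")
APP_HOSTS = {"payroll": "10.1.2.3", "wiki": "10.1.2.4", "db-admin": "10.1.9.9"}


def network_decision(req: Request) -> Set[str]:
    """Flat-network style ("once you get on a network, you can go anywhere"):
    the only check is whether the source sits inside the corporate range, and
    a source that does gets the whole reachable set, regardless of who is
    behind it or what the device looks like."""
    if ipaddress.ip_address(req.src_ip) in CORP_NET:
        return set(APP_HOSTS)
    return set()


def device_posture_ok(device: dict) -> bool:
    """Minimal posture check: managed, encrypted, endpoint agent present."""
    return device["managed"] and device["disk_encrypted"] and device["edr"]


def zero_trust_decision(req: Request) -> Optional[str]:
    """Broker style ("I'll only connect to your application"): identity, device
    posture and application policy are evaluated; the answer is one named
    application or nothing. The source IP is deliberately not consulted, so
    being on the corporate network earns no trust by itself."""
    user = USERS.get(req.user)
    device = DEVICES.get(req.device_id)
    app = APPS.get(req.target)
    if user is None or device is None or app is None:
        return None  # unknown identity, device or app: deny, reveal nothing
    if not user["groups"] & app["allowed_groups"]:
        return None  # identity not entitled to this application
    if app["require_mfa"] and not user["mfa"]:
        return None  # policy demands a stronger authentication than presented
    if app["require_managed"] and not device_posture_ok(device):
        return None  # device posture fails the application's requirement
    return req.target  # connect to exactly this application, nothing else


if __name__ == "__main__":
    on_net_unknown = Request("mallory", "byod-7", "10.5.5.6", "payroll")
    print("network model reaches:", sorted(network_decision(on_net_unknown)))
    print("zero trust connects to:", zero_trust_decision(on_net_unknown))
```

The contrast that matters is in the inputs each function consults: `network_decision` looks only at the source address and hands back the entire reachable set, while `zero_trust_decision` never reads the address at all and can only ever return the single application that was asked for. A caller like `mallory` on an unmanaged device is fully served by the first and gets nothing from the second.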
Among the security vendors, do you feel you’re best positioned for helping customers with generative AI?
Absolutely. And let me tell you why. To do generative AI right, you need three things. Domain expertise — many companies have it in the security space. And then you need data scientists — you can hire and build that expertise. And third is data — tons of data. It’s all about data, because data is needed to train these large language models. And there are two kinds of data. There’s public data, which ChatGPT has been trained on — everything out there. So when you ask general questions, ChatGPT can answer. Then there’s private data. It is data about your business that no one else is supposed to know.
Before any big breaches [occur], there’s always reconnaissance. And since we have the switchboard, every communication goes through us. So we have these 300 billion plus logs [per day] of all communication. We can actually mine it and figure it out and say, “For this customer, some bad guy [is undertaking] reconnaissance.” You can see the path of steps they’re taking to try to breach them. And when you’re sitting with 40 million users, and you’re sitting with all these logs, you can actually figure it out and predict. You can say, “Here are 15 different paths the bad guys generally take.” You can train them, and you can see if a new path is being taken against this customer. “Potentially, this path has seven steps, and somebody’s sitting on step five and step six.” So those patterns can be seen if you have tons of data.
So [we have] tons of these private logs — not to be generally made available — but we anonymously use all the logs to look at the threats. Because our customers actually happily share anonymized threats data, because it helps them, and because every customer benefits from it. So being able to predict and help them is a unique opportunity that we have.
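The idea in the preceding answer, that a breach follows a path of steps and that a source "sitting on step five and step six" of a seven-step path can be surfaced before the last step, is essentially ordered-sequence matching over per-source event histories. Below is an added sketch of that logic written for this page; it is not Zscaler's code, and the attack paths, event names and log lines are all constructed for the illustration. The thresholds and stage names would be tuned from real telemetry.

```python
"""Added example (not from the article or any vendor): track how far each
source has progressed, in order, along known multi-step attack paths.

Attack paths, event names and log lines below are constructed for the
illustration. Events are matched as an in-order subsequence, so unrelated
noise between stages does not reset progress.
"""
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

# Constructed: ordered stages of two hypothetical recon-to-breach paths.
ATTACK_PATHS = {
    "external_recon_to_vpn": [
        "dns_zone_probe", "port_scan", "vpn_login_fail", "vpn_login_ok",
        "lateral_smb", "priv_escalation", "data_exfil",
    ],
    "phish_to_cloud": [
        "phish_click", "mfa_fatigue", "token_replay", "cloud_api_enum", "data_exfil",
    ],
}

# Constructed sample log: (timestamp, source, event). Source 198.51.100.7
# reaches step 5 of 7 on the first path; 203.0.113.9 only clicks a phish.
SAMPLE_LOGS = [
    ("2023-06-01T09:00:00Z", "198.51.100.7", "dns_zone_probe"),
    ("2023-06-01T09:05:00Z", "198.51.100.7", "port_scan"),
    ("2023-06-01T09:06:00Z", "203.0.113.9", "phish_click"),
    ("2023-06-01T09:30:00Z", "198.51.100.7", "web_browse"),
    ("2023-06-01T10:00:00Z", "198.51.100.7", "vpn_login_fail"),
    ("2023-06-01T10:02:00Z", "198.51.100.7", "vpn_login_ok"),
    ("2023-06-01T10:10:00Z", "203.0.113.9", "web_browse"),
    ("2023-06-01T11:00:00Z", "198.51.100.7", "lateral_smb"),
    ("2023-06-01T11:30:00Z", "192.0.2.44", "port_scan"),
]

Progress = Tuple[str, int, int]  # (path name, stages completed, stages total)


def progress(logs: Iterable[Tuple[str, str, str]],
             paths: Dict[str, list] = ATTACK_PATHS) -> Dict[str, Progress]:
    """For each source, find the path on which it has advanced furthest.
    Stages must occur in order; a stage is only counted once the previous
    one has been seen, so 'port_scan' alone does not count as step 2."""
    events_by_src = defaultdict(list)
    for _ts, src, event in sorted(logs):  # ISO-8601 strings sort chronologically
        events_by_src[src].append(event)

    result: Dict[str, Progress] = {}
    for src, events in events_by_src.items():
        best: Optional[Progress] = None
        for name, stages in paths.items():
            done = 0
            for event in events:
                if done < len(stages) and event == stages[done]:
                    done += 1
            if best is None or done > best[1]:
                best = (name, done, len(stages))
        result[src] = best
    return result


def alerts(logs: Iterable[Tuple[str, str, str]],
           min_fraction: float = 0.6) -> Dict[str, Progress]:
    """Surface sources that are past min_fraction of any path, i.e. far enough
    along that the remaining steps are the damaging ones."""
    return {src: p for src, p in progress(logs).items()
            if p[1] / p[2] >= min_fraction}


if __name__ == "__main__":
    for src, (path, done, total) in alerts(SAMPLE_LOGS).items():
        print(f"{src}: step {done} of {total} on {path}")
```

Two properties are worth noting. Progress is per source and per path, so a single `port_scan` from 192.0.2.44 does not register as "step 2" because step 1 never happened from that source; and the subsequence match tolerates unrelated events between stages, which is what lets an analyst see "step five" even when the attacker is slow and noisy. What the sketch does not do, and a production system would, is correlate across sources (an attacker rotating addresses) or expire stale progress.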
What’s the biggest differentiator for Zscaler from competitors at this point?
I would rather say, firewall companies trying to claim zero trust architecture are taking shortcuts of spinning virtual machines in the cloud. But the architecture of firewall — which is designed to protect servers — is not right to protect users, which needs a proxy architecture. They lack two things — proxy architecture is one, and multi-tenant architecture is two. Some of these guys are claiming that they are building proxy architecture. But building a new architecture takes a long time. We have worked on proxy [and] multi-tenancy [architecture] for a dozen-plus years. So it’ll be very hard for someone to come from behind and catch up.