You can't take a zero-trust view with traditional hub-and-spoke architecture: Scott Robertson, Zscaler

A Zscaler report reveals a 400 percent spike in SSL-based phishing attacks. Scott Robertson, VP-APJ of Zscaler, explains what makes SSL inspection such a daunting task for the enterprise.


Secure Sockets Layer (SSL) has become the most widely deployed security protocol in the world. The challenge most organizations face is carrying out SSL inspection at scale. The problem is that attackers know this, and that is precisely why they have started using SSL to deliver their malware.

In an exclusive interaction with CSO India, Scott Robertson, VP-APJ of Zscaler, discusses how the nature of cyber-attacks has changed and why, with CXOs facing the axe in the wake of a breach, cybersecurity is now a board-level issue.

Robertson points to a recent Frost & Sullivan report that puts the average economic cost of cyber-attacks at an astounding USD 10.4 million. This includes both direct costs and indirect costs such as job losses and macroeconomic factors.

He observes that it is imperative for new-age organizations to move away from the traditional hub-and-spoke model and break free of the castle-and-moat approach to enterprise security.

Edited excerpts:

Scott, could you take us through the current threat landscape? Despite numerous companies embracing the HTTPS protocol, a Zscaler report reveals that there is a 400 percent spike in SSL-based phishing attacks. What are we not doing right?

We are seeing the traditional hub-and-spoke architecture and castle-and-moat mentality make way for a world in which you let the policy follow the user, irrespective of the device they use, or where they are.


You have to take this zero-trust mentality towards all users and all connections. You can't take a zero-trust view with the traditional hub-and-spoke or castle-and-moat type approach to security.

If you look at global statistics, you'll see that about 80 percent of internet-bound traffic today is SSL encrypted. You only have to think back to the Edward Snowden incident and how quickly the protocol moved from HTTP to HTTPS. 

It's an interesting conversation around privacy versus security. As individual consumers, we feel a lot safer about how the Facebook traffic is SSL encrypted. But as an enterprise, it creates an incredible amount of investment and performance impact by having to inspect that traffic.


Zscaler had the foresight to see this early, and around five years ago we invested in moving all Zscaler capacity to SSL inspection. About 70 percent of our customers now use SSL inspection.

As an enterprise, you have to now buy maybe 2-5 times the capacity of your SSL inspection devices to be able to maintain the same level of throughput, because now every time a new internet property moves to HTTPS, it increases the load on your network and appliances to inspect that traffic.

To be able to do SSL inspection at scale is an extremely tough exercise for most enterprises. So the increase in phishing attacks is no surprise, really. Hackers know that the world has moved towards SSL, but they also know that while all the traffic is SSL encrypted, organizations are slow to invest in that technology.

Although cybersecurity has become a board-level conversation, the entire planning around security comes pretty late in the digital transformation process. Only 20 percent of organizations think of security early in the digital transformation process, as compared to 60 percent in the later stages. What are your thoughts around that?
 
Well, it depends upon the organization's appetite for transformation in general, and where they are on that journey.
 
If you look at the organizational structure of many executive teams today, quite often the chief security officer or the chief risk officer reports directly to the CEO. The actual structure of the security team has shifted outside of the technology function. 
 
We only have to look back at why this has become a board-level conversation. CEOs are getting fired because of security breaches. It's no longer acceptable to say "I wasn't aware, I'm not a security expert."
 
You only have to look back at the Target incident, where the CISO, CIO and CEO had to leave within 3-6 months of the incident. The CEO doesn't necessarily have to know about APTs or how sandboxing works, but it's absolutely his responsibility to ensure the safety of the company's revenue and share price. 
 
Sadly enough, in the world of security, we need large breaches to be exposed and reported on for the rest of the world to sit up and realize how important cybersecurity is.

What are the security challenges specific to a hybrid cloud environment? What can companies do to address these problems?
 
Most organizations move their non-critical applications or web-based applications to a hosted environment first. Moving mission-critical applications could be a little delayed. But as soon as you move these applications to the cloud, you need to be able to secure them. 


Quite often, we see that what holds a company back is securing those applications on the cloud. SD-WAN has become a very hot topic in the last 18 months – it has moved from being a hyped conversation to a real-world deployment scenario.
 
While applications are moving to the cloud, traffic still has to be routed through this stodgy old egress that secures the network. 

Zscaler has over 30 million customers coming through on our cloud and we're processing over 60 billion transactions every day. To give you some context, the average number of Google searches on any given day is around 4-6 billion.

So when a customer gets a brand new zero day, our threat management team will identify that, build a fix and apply it to our cloud. We have over 120,000 updates on our cloud every day.

There are a lot of startups that are now leveraging emerging technologies like AI and automated threat intelligence. How do you ensure that Zscaler stays ahead of the curve?

Of the numerous security companies that exist right now, probably 90 percent of them may not survive. A lot of times when I speak with customers and partners, their main concern is: how financially viable are you?

To answer that, one needs to look at the longevity of this company. From a partner point-of-view, they still have to manage their business driven by the traditional hub-and-spoke model.

Fundamentally, it all boils down to the business – you ought to be able to generate profits to stay in business. So, longevity in the market tells much more than whether a company is well funded. It tells you that they are differentiators and that they are disrupting the market.

From a channel partner point-of-view, we work directly with the largest service providers in the world, because they have contracts with the largest enterprises. So it's natural for these service providers to provide a layer of security as an extra layer on top of that data.

We're also seeing born-in-the-cloud type of partners who invested in skillsets to migrate applications from on-prem to AWS or Azure. Partners investing in cloud-only technologies are doing very well because they have no legacy of old world technology and they're helping organizations move applications to the cloud or helping organizations with their mobility strategy.

And because they are so nimble, they are able to undercut some of the bigger, more traditional players who are still invested in the old world architecture.

Zscaler has been able to surpass most market projections. What has fueled this sudden spurt in revenues?

Security, network and application transformation are primarily the three main catalysts to the growth. It's often the application transformation journey that people start with. 

The 'tailwinds' that we see arise from the migration story to cloud. SD-WAN is driving network transformation - being able to partition traffic that's bound for the corporate network and push internet-bound traffic directly to the internet.

Now network transformation cannot occur without security transformation. So all of these are actually interlinked.