Zero Trusts Given

The Conrad

Episode Summary

This episode, featuring hosts Tom Tittermary and Tom Gianelos with special Zscaler guest Conrad Maiorino, explores how Zero Trust eliminates network access points by making applications unreachable, as opposed to traditional security. They discuss Zscaler Private Access (ZPA) and Zscaler Internet Access (ZIA), which are used for secure, mutually authenticated user-to-application tunnels, disrupting adversary tactics. The discussion highlights Zscaler's solution for "Denied, Deprecated, Intermittent or Low Bandwidth" (DDIL/CDOL) scenarios, ensuring secure access even without constant cloud connectivity. The speakers also cover integrating Zscaler with identity providers for policy building based on user attributes and why this Zero Trust security is valuable for the DoD and other critical sectors like hospitals and manufacturing. This episode is perfect for cybersecurity professionals, especially those working with or for the Department of Defense, IT leaders and network architects looking to implement or deepen their understanding of Zero Trust principles. Listen today!

Episode Transcription

So, hey everybody. This is Tom Tittermary back for another episode of Zero Trusts Given. Today, oh man, today we have a super special guest, and I'm going to introduce him for a second. First, I want to introduce Tom Gianelos, my wonderful co-host, who's in this game with me around this time. Tom, say hi. Hey everybody. Yeah. So today we have a super special guest. This person has been referenced in other episodes. He's one of my favorite people to talk to on this topic, and I had to share him with everybody in the listening audience. Ladies and gentlemen, Mr. Conrad Maiorino. Conrad, why don't you introduce yourself? 

 

Thank you, Tom, that's a very nice introduction. It is undeserved, I'd say, because we're just doing our job. But I'm Conrad Maiorino. I work for Zscaler as the SE on Tom's team for a MILDEP. 

 

Yeah, so, Conrad, I kind of referenced this earlier, right? So, Teddy Roosevelt was famous for saying, all credit goes to the man in the arena. Conrad is the man in the arena, right? Like he's out there having individual conversations with the MILDEP that he covers, trying to make meaningful impact around this topic of Zero Trust. So, he is in the weeds. He's in the console; he's looking at policy. He's trying to figure out how he could bring more and better security out to the war fighter, specifically in the context of the Zero Trust conversation. So, Conrad, what have you been working on lately? We'll have to obfuscate out a little bit about the specifics of what you've been working on. Tell me a little bit how you are working to bring higher levels of security and Zero Trust to the war fighter and the buildup that you're working through. And then, by the way, like, pivot off of that and tell us, like, all right, well, why? What gets you up in the morning? What gets you put on this task?

 

So first I want to say, you said the arena. So now my new call sign is going to be Spot, I guess, from this point. That being said, thanks Tom, what I really, really wanted. What wakes me up in the morning, not what keeps me up at night, is the technology that I'm able to provide now. And my path to Zscaler was very crazy. I was actually working for a different company. I was visiting a customer in this attack, and they asked me, what was, what's the difference between your current security and the way you do it, versus Zscaler. And my exact response was, verbatim, who is Zscaler? I know how to spell it. I never heard of these guys before. After I did all my research, two weeks later, I called everyone I could and I got a job here, because I knew this was the future. I really, really understood that this was the future, but what I also knew is that it was going to be a Herculean effort to take what was atrophy of the mind and the belief and change the legacy mindset of how things are done, the old way, into this new way. And I was up for the challenge. Yeah.

 

So, I mean, in your old role, we won't mention, like, you know, the individual vendor you were with, right? But you spent easily over a decade in the industry building, which, at the time, was probably like, the best way to put these different, you know, structures together in order to provide security, right? You build a big wall around the castle and a moat around the castle, and you make sure that you're checking IDs on the way in and everything like that. What was it specifically that you saw when you did that two weeks' worth of research on Zscaler that really made it click for you? Because I think the process that you went through to come to that might also hit some of the listeners on the phone, like, what were some of the things you came from? Like, there wasn't a better expert relative to a decent number of the DoD on how to build those. I don't want to call them legacy infrastructures, but those castle and moat style infrastructures. When you saw Zscaler, what really made it click for you, and then, how do you pass that information? How do you communicate that over to customers you work with? 

 

Now, so the first thing, first and foremost, at the time, I didn't, I didn't have this, this little saying. It comes from our CTO Hansang, it says if you're reachable, you're breachable. When I first was starting to look at this technology, and I saw no open listener, and all of the applications are now hidden. When I look at ZIA, that hides the user from the internet and from being out there, ZPA hides the application. So, if I have everything hidden, how do I attack that? If you can't see it, you can't attack it. That was my first thing that said, wow, this is a really new technology. I really like this. And diving in deeper and looking at the defense in depth inside of ZIA, and all the things that it's doing, and it is purposely built so every single function, every single feature, every single thing talks to one another. I'm not going to talk about the AI, because AI wasn't big when I got to Zscaler and all that other stuff, but still from back then, how all of that integration speaking to each other, and then taking a next step of having open API. So, if I have existing investments and future investments in my data center for my customers, I can leverage Zscaler very, very simply and give me what I need to protect a war fighter. I was like, I was all over it. I called everyone I knew, almost to a begging point, to come work here. 

 

Yeah, so taking a couple steps back, right? Because so folks that are, we don't, it's interesting, right? We do a Zero Trust show, and Tom and I happen to work for Zscaler. Conrad does too, but we haven't had an episode yet where we really talk about Zscaler in depth. So, you know, warning to everybody, this is, we're going to be talking about Zscaler a lot in this episode, because I think it's time, and it merits it when we talk about ZIA and ZPA. Like to break those individual acronyms down, right? What Conrad is talking about, in a large sense, from a ZPA perspective, how do I connect that user and that thing? How do I take all the PDP that I've pulled in the environment, policy decision point data in the environment, and how do I enforce a connection between those two? And one of the other points I'll go to, Conrad and I talk about a lot, is if I look at all of the adversary playbooks on how I would get at individual MILDEPs, commercial companies, etc., right? The first step in every one of those is, let me go find all the front doors. And then the second step is, what are the vulnerabilities in those front doors? How do I exploit those front doors now? How do I get on the network, and now that I'm on the network, how do I find a soft target? How do I exploit the soft target? Exploit or basically exfil or destroy data. So, Conrad, when you say there's no open listener, right? I think that, and we talk about this, I mean, what we're talking about there is, I'm disrupting the first step of pretty much every adversary playbook. Like there's no way to get at the front door because there's no front door. Could you break down a little bit for everybody, like, exactly how that works in the context of Zscaler?

 

Sure. So, the way you normally do it with a VPN is you take a user and you bring them to that security, you say, knock, knock. Who's there? Here's my zero day. Let me in, because you have an open listener waiting for the user. Zscaler does it a lot differently. What Zscaler does is it understands who's the users that they somewhat trust. I call it somewhat because we have to go through different attributes in order to make sure in that moment of time we trust them. And what happens from there is, okay, I then understand who the users are. I have a reverse proxy to an application; that reverse proxy only speaks to the Zscaler Zero Trust Exchange, and it could be in our cloud and/or on prem. When that happens, anyone trying to get to those applications, it just gets dropped. There is no open listener. It doesn't respond. The reverse proxy, or what we call an App Connector, is the only thing that talks to the application and the Zero Trust Exchange. That's it. It doesn't talk to anything else. When a user comes in, that connection is mutually authenticated, certificate pinned, so there's no man in the middle. So, from the user's perspective, the user talks to the broker, the App Connector talks to the broker. It is stitched together, and that TLS tunnel is built to the application. Here's the other point that got me to Zscaler: your user is not on the network. So, what does that mean? That is an HOV tunnel, if you will, that no one can see in, and the user can't see out, and it's just a tunnel to that application in that moment of time. But we have to say, hey, do I trust the user? So, I go through all the user attributes. I trust the device. I go through the device attributes, and then I do security policy to allow me to create that tunnel in this moment of time. 
The other thing I like about it, whether it's two minutes or 15 minutes, Zscaler constantly does the posture checking. So, at 0800 when the user logged in, everything was fine. 0915, so malware woke up. Your Zero Trust on the endpoint dropped. Now you just lost access to all of the applications. Maybe we give you access to just the deception network, and let you run wild while we get threat intel. 

 

Yeah, so it's interesting, right? What really highlighted it for me? Conrad and Tommy started at Zscaler, maybe, like three, four months before I did, right? And at the very early days of Zscaler, I'm still figuring out my new hire stuff, and I'm going through the training, and I had a solid understanding of how some of this stuff worked. We went through a red team exercise, right? So, we had an external third party come in, and I won't say who did it, but I was nervous about this. I didn't know Zscaler well enough yet to go bet my career on it. Here we were in the middle of a red team exercise, and the red team came in, and they basically did what red teams do, is they look for the front doors, right? And we demonstrated it like, yeah, we're accessing this application, and we're doing it securely. And so, what do they go do? They go look for the front doors. They look for the, you know, the VPN concentrator at the front door. So, they get on the network, and they exploit the host. And what they quickly turned around and said to us was, we don't see anything. And we said, we know. And they said, whoa. So, Conrad was talking about the App Connector. The App Connector is this, you know, this lightweight VM that communicates outbound to the Zscaler cloud. So, the red team heard that, and they said, well, you need to give us the IP address of the App Connector, because they're like, well, that's the front door. That's how this red team exercise is going to move forward. And we said, well, no, like, red team, red team. Like, you guys figure it out. So, we landed on this notion of like, well, let's say that I had, I socially engineered an insider inside, and I got the IP address, and I said, cool. Well, let's write it in the report. Okay, cool. Here's the IP address that we gave them, and we did it with kind of a smart, because we knew what was going to happen next. And they said, well, the App Connector won't take an inbound connection. And we said, we know. 
And the exercise was kind of over, right? But it just goes to the point where, like, a red team came in and they follow the playbooks that every adversary follows about, find the front doors, exploit the front doors. That just doesn't exist if somebody's utilizing this Zscaler Private Access solution that we're talking about, that Conrad spends a lot of time talking to the DOD about.

 

Yeah, and that's a major differentiation compared to everything else that's out there. When I got to Zscaler, to me, it was the best possible solution for the war fighter. I love what Zscaler is doing, and Conrad coming from, like, our similar backgrounds, we actually joined Zscaler on the same day. Worked in the old company together.

 

We did work in the old company together as well. So we do go back. When the notion of ZPA was first presented to me, being an old route/switch/firewall guy, I immediately went to, that is impossible. And I guess I'm from Missouri, the show-me state, right? Once it was demonstrated to me, it was the same level of near desperation to get a job here, because as soon as it was actually proven out, and I saw within a lab environment that I was accessing the lab equipment. I had no VPN client, I had no listener, no nothing, but I was accessing everything I needed to. I immediately spoke with that engineer that worked with me and said, are you guys hiring? And the rest is, the rest is history, almost, almost five years ago, right? 

 

Ancient history? Same thing, and you just brought up one of the reasons why it's so difficult when you have that legacy mindset in you, you know, to understand what this really is, this technology really, really can help. But there's a big gap to understand the transformation. Route/switch guy, that's impossible. When we go and have those first meetings, we get "that's impossible" all the time. Sure, that you do that, you have to have, there's no way this could work. Like you said, the show-me state, let's do a POV and prove that out. Those are the kinds of things that are the hardest for us to get through. Hey, we've been doing it so long, the castle and moat way, we have all of that, you know, all of that in place. Now it works, but does it really work? What we should be doing is exactly what we're doing here, is have these kinds of things open the conversation and let people learn the way they need to learn to understand this technology. And

 

besides, what's more fun than that "oh, crap" moment? The first time we were going through a POV, and the challenge is put forth, well, here's, here's my application that I need a VPN to access. I'm like, okay, cool. Give me about 15 minutes and we'll be accessing it through ZPA, and you don't have any active listeners. And I was going to say, "oh, crap" moment, I guess was, yeah, this is, this is PE. You, okay, yeah, those are, those are fun times. Those are a lot of fun.

 

You just brought a memory to me. I was doing my first POV at Zscaler for the customer that I'm working with now, and we went into their environment, and we set everything up. They gave me an intern, which was really no joke, they gave me an intern. I did not touch the keyboard. I just guided him into doing everything. And he's actually doing the demo for the entire Zero Trust team, with the security, the ISM there. An intern, an intern, okay. So everything's set up. He's showing it. And they go, what aren't you doing right now? And we said, oh, we're not doing the ESXi server. And he goes, okay, get to the ESXi server. Now. I said, go to, I said, you know how to do it, right? Go to the app segment, add that in there, into the app segment. Sure. Put it on the existing policy. Remove your Ford in that VPN, and then there's trying. He does that, connects to the ESXi. The ISM says, how are you doing that? I mean, stop the meeting. What did you put in my network? What's there? And literally had to take the next two hours with the ISM to understand how we were able to do that and why the only thing that was there was that App Connector that was reporting out to the Zero Trust Exchange. And just after that, I had tens of dozens of meetings, right? Because they wanted to know more, right? How did you do that? It was like smoke and mirrors. It's not, it's a great technology. It's a little bit difficult to understand at first, but once they have that come-to-Jesus moment, it's like, oh my god, yeah. And we will, we'll be the improper magicians, and we will show how we actually play our hand here, right? Absolutely.

 

Yeah. We, I mean, so many things that, by the way, my favorite products to work with customers around are the ones where I walk in and I go, I could do X, Y, Z, alpha, delta. And they go, bull crap, since we're sticking with crap today, right? And I go, okay, when do you want to set up a POV? And then that light bulb moment happens when they actually see it. And then the deeper discussion happens about, how is this actually working, right? But I don't want to give anybody the idea that this is like marketecture, or, you know, info magic, or whatever it is, right? So ZPA, we're talking about, if you listen to Randy Resnick, if you look at the DISA Zero Trust reference architecture 2.0, right? Randy Resnick in Baltimore, when I watched him speak last year, somebody asked him the question like, hey, what's the last best text document? You know, we've got the controls. What's the last best text document? It's the DISA Zero Trust reference architecture 2.0. This is canon, Randy said in public. And, you know, a couple places published it. If you go to page around 72 in the DISA Zero Trust reference architecture, you're going to see Software Defined Perimeter, which is pretty much, if you want to open it up at home and, you know, play the home game, I could easily swap in. That's what ZPA is doing, right? I've got both sides talking towards the middle, and I have a broker in the middle that's enforcing a policy based upon a ton of really rich, you know, policy decision point data, right? So, when you've been talking to customers, right, you go from that magical moment of like, okay, they get it, right. So then talking about this Herculean task of going from castle and moat over to understanding this new Zero Trust methodology, like, what have some of the steps been? What are some of the difficulties you've been in? 
What are some of the other companies and practices you're working with to make it more of a rich solution?

 

So, the first thing, it's a monumental effort, because everything is broken down to little, little teams that do little, little things overall. So, who's handling the URL filtering is different. Who's handling the firewall, who's handling the ICAM piece, who's handling the attributes in the ICAM piece, who's handling the attributes of the device, it's a lot of things. So, the way I approached this was, once I got them to understand what Zscaler was doing, the next thing that always came up was, that'll never work in my environment. My environment is too complex, right? Okay, so let's have an architectural, you know, discussion, and understand what your network looks like. Nine out of 10 times it was, we really don't know, once it leaves us, and this goes into this thing called the DOD. And yeah, we really don't have an understanding with that. We have to open up tickets. It's the IAP, it's lost. Packets take hours to go through it. So, the first thing that we did was, okay, once we understood what their network looked like, we would then say, hey, let's go start talking to the BCAP. So Zscaler went in, took ZIA, Zscaler Internet Access, Zscaler Private Access, and now we're talking on the BCAPs. So that is the first path that we took, trying to understand that. That got them really, really interested. Oh, wow, they're able to do this. The next thing we started talking about is, okay, now that we understand the network, how this thing is going to route, all the architectural stuff. We had to go piece by piece by piece. Zscaler works with an identity provider. What SAML assertions do you want us to receive? We don't know. So we go work with the ICAM people. We understand all of the stuff. So, a US citizen, right? Did they do that cyber training? All of that stuff being fed into Zscaler and applying that to policy. Once we understood that, we understood what the locations were, we built the policy on the location. 
Are you coming from base, camp, post, station? That's a trusted network. Are you coming from the Starbucks? You're coming from home? How that transactional path would work? Understand it's just step by step by step, and it took us over a two-year process. That's right, you go to a billion, you know, $40 billion, $50 billion corporation, you get that done in six months. DOD takes a lot longer. Why? We're protecting the war fighter. We're protecting the United States. We got to make sure every single step is perfect. Then the next step is going, okay, who handles the URL filtering? Is it, you know, department A, department B, department C? Who's handling the firewall? We were going through that. So, in essence, what we had to do is we had to write a CONOPS for each and every piece as we were doing this. Hopefully that answered your question. 

 

Tony, yeah, well, the single biggest thing is, so again, all credit goes to the man in the arena, right? Like you took on this Herculean task of taking this new, you know, powerful product that's a cloud product, and being able to map it against these legacy infrastructures, and especially relative to the DOD, right? So you went out there and basically forged the path. A lot of these conversations I've had with the other MILDEPs, after you've gone and done that work, that two years' worth of work, we could shortcut a lot of those, because there's a million things that we figured out that are topics that don't happen in the commercial space or the FSI space, that are very specific topics relative to the DOD. So, we can actually shortcut those and get there just a lot quicker. Now, in terms of a lot of these different things, yeah, the technology had to change somewhat to represent the needs of the Department of Defense. One of them was the DDIL portion. Now you go and have a conversation: I can never use you. Why? I get disconnected, my users can't log in. That's a great question. If you're asking me to replace that firewall that's there, that's able to operate whether it's connected to a cloud or it's not, and I have everything configured there, Zscaler needs to be able to do the same exact thing. So

 

just super quick. And I just want to make sure, you know, I'm always trying to avoid the alphabet acronym soup, right? So, for the folks that, when we talk about DDIL, they're also calling it CDOL now, and you'll remind me of what that acronym stands for. DDIL is, in essence, denied, deprecated, intermittent or low bandwidth, right? So, if I'm in a scenario, which happens all the time in the DOD, where I lose connectivity to home, right? And I have to operate in an air gap style compartment for some period of time. How can I do that? Right? It's got to work. And this is one of the big things I hear about cloud services. Me and a lot of the other cloud service folks, the product management folks, are trying to work together on, people want to take advantage of the scale and the scope and the power of cloud. But they go, wow, DDIL. I got DDIL, and some of these times it basically, you know, it's a way to shut the conversation down. So ideally, in a DDIL scenario, right? Let's say I'm utilizing Zscaler, and I'm utilizing a cloud service. When I get into a DDIL scenario, and it could be, whether it could be, I turn off comms specifically, because I don't want to provide any signal out into the signal environment, whichever way, right? I want all the benefit of cloud when I have access to that cloud, and then when I don't have cloud, I want everything in my compartment that I have reachability and visibility to, to keep working the same way with the same security controls, right? So we solved for that. Conrad, you get a lot of credit. No, no. Built it. Conrad and I had a lot of extensive conversation. This is part of that trailblazing piece. Like we had to take a lot of the information we had from the customer and have us go build this into the product. It's delivered. 
And if anybody wants additional information about it or a brief on it, Zero Trust given@gmail.com, we'd love to come out and do a house call with you, but we solved for that DDIL piece. Now we're working with other companies, other cloud companies, on how they're handling their individual DDIL pieces as well. Because I think the, you know, the hard part of the conversation for a lot of folks is, I want something that runs in DDIL, but I want to leverage the scope of cloud. And I think the way people have been handling the DDIL piece is, well, let me get something, software or hardware, I can install in this local environment, and what they run into is, well, now I need to bring 2, 3, 4, 5 administrators and complexity and upstream and downstream effects around that. Conrad, one of your biggest things that we talked to the engineering folks about is like, if I'm going to build DDIL for a cloud service, I want it to be Nokia brick phone resilient, because you're serving the war fighter. And I want it to be grunt simple, right? And I think we landed on exactly where we wanted to go, where the cloud's there, everything's great. Cloud goes away. You don't touch the Zscaler piece. Everybody can find everything and punch those tunnels locally and get that same secure access without having, you know, free run of the network or a fail-open scenario or anything like that. When you have been having these conversations from a DDIL perspective, especially, like, how has that affected the different conversations you've been having with your customer? 

 

So, in the beginning, first CDIL, contested, disrupted. CDO is the other acronym now that I think has replaced DDIL. But I keep saying DDIL's coming up more and more. Contested, disrupted and operationally limited. Sure, that's what that means. Yeah. So how have those conversations been going with your customer?

 

So, in the beginning it was really difficult. I love what you're doing, but I'm not really worried about, you know, me losing the connection while I'm in CONUS. It's when Diego Garcia and I have a weather event, and it takes me three weeks to fly in new equipment in order to get the connection back up, then my users don't work anymore. And it's a truly valuable thing that we have to overcome, right? That is a scenario that could happen at any given moment. Don't worry about the adversary. Don't worry about the weather. And if we're not able to provide that, the conversation was at a halt. And coming to you, coming to the leadership of Zscaler, we got together and said, yeah, we need to be able to do this. And from that point in time, once we said it's in development, the conversations continued. They knew we were going to be able to provide that. And like you said, an 18-year-old coming out, that you know, you could be a field, I like to say this, because the colonel told me this back. After we gave him a briefing, he goes, wow. Zscaler, from field chef to Zscaler admin, no problem. And, you know, I like saying that now, because it really was true. He got it. He understood it to a point that it can be configured to do it automatically for when that time needs to happen.

 

Yeah. Well, the other interesting thing about this is, like, me and Conrad spent a lot of time in California with our corporate entity, having conversations about how we need to tailor the product specifically for DOD use cases. And we went out there with DDIL. They were like, you guys are nuts, like, who wants this? And we got through the whole build. And then, you know, the engineers were not happy. They thought they were sending them on this errand, that it was going to have a very limited use case. And then they went and started socializing it around. Like, yeah, we're doing this thing. These DoD guys are making us do this thing. And it's turned out to be, like, one of the hotter ticket items. Because you think about it, like hospitals, oil and gas, manufacturing, right? Like they want this Zero Trust capability, this SDP capability that we have, but they can't handle a cloud outage, to not be able to get to their own applications internally, right? So it solved a giant gap and a hole in the matrix that we had there. And it's awesome to be able to talk with the DOD about it now. Yes, and it's what they need, and we are providing it. Yeah.

 

So, Conrad, tell me a little bit about, I often refer to Conrad as the most passionate man in the business, right? So, give me a brief. You talked about it a little bit at the top of the show, but I want to dig into it a little bit more, right? So, we all basically, I've used the notion before, right? Like we vote with our wallets, like we decide who we're going to support and not going to support. You've kind of laid down that, hey, I'm going to support the war fighter from a security perspective. Like, tell me a little bit about, like, why did you pick that route? Why is it important to you? And what are you trying to accomplish for this individual build up that you're working with these days?

 

So, a while back, I wanted to be part of something that was bigger than myself.From a career perspective, I believe I accomplished everything from myself and my family and it was time to give back. You know, you had three phases of life that I like to talk about. One is, you know, you go, and you learn as much as you can in phase one. Phase two is you acquire as much capital as you can to get to phase three. And phase three is taking what you you've learned, taking all of that capital and giving back, giving back in every way possible, whether that's through missions, whether that's through whatever the case may be, giving, you know, taking people who are new to the industry and mentoring them the stage three, and what I like to call a project that's bigger than myself. What can you do? And I wanted to serve those who serve. And I started that career serving those who serve back way, way back when I was at Nevada, like, no competition. Yeah, they're friends. Yeah. So, they're friends. So, when I, when I saw all of the complexity and all of the different ways that the DOD, I was like, this is, this is home for me. I live for the chaos. I live getting from, you know, out of that to into something that's that can, can make the war fighter safe, make the country safe as a whole. That's what really that's what wakes me up every single morning. And what wakes me up what morning with bells is having a Zscaler or technology that I can give and provide them to keep them safe. I found the path that I need to be on, and that's why I'm so passionate about it. I really believe in what I'm doing for the war fighter. I really believe what I'm doing for this car. Drink, yeah, it's funny. It's burnouts a thing, like, you spend a ton of time on the road. I spend a ton of time on the road, right? But, you know, and I get asked about people see, like, my nights in Bon voy in the course of the year, and the like, how do you avoid burnout? 
And the way that I always break it down is, I've got to have three things, right? And this is my antidote to burnout, right? Number one, I've got to work with brilliant people. So, Conrad, Tommy, you know, if I'm the smartest guy in the room, I'm in the wrong room. I need to be in a room where I'm struggling to keep up intellectually. If I have that, and I have that rigor, all right? Well, that's box one. Two is I need challenging problems, right? And you just landed on it. Like, what we're doing is we have this killer technology that we know can serve the need and provide better protection of the world, of the war fighter. And there's this giant, you know, pivot that happens in the middle, and a lot of it's a cultural pivot, right? And it's a challenging problem on complex networks, right? So, I've got to work with brilliant people, I've got to work on challenging problems, and then you landed on my third one too. So, we have the same methodology; we just say it different ways. The third one is the solutions have to matter, right? I need to work with brilliant people on challenging problems where the solutions matter. When you get to see the effect that you're having, right, on the far end of this challenging thing that you worked on with these brilliant people, that, to me, is... if I have that, I'm not going to get burnt out ever. It's a joy to be able to go do this all the time and work with and talk to these interesting people.

 

Amen. Totally agree with you 100% on that. Yeah, so we've been talking about Zscaler Private Access, right, which is that one-to-one tunnel punch. If we're taking three steps back from a Zero Trust perspective, think of this as we're the guy with the bat. We give it and we take it away, right? We take all the PDP, all the rich data, all the attributes you can pull out of the IdP. If you listened to the episode we did with Dave Pearson from ServiceNow, we've potentially aggregated that somewhere. So right now, you have this opportunity to make this decision. Zscaler is enforcing that decision and using SDP, Software Defined Perimeter, to punch those two together, one-to-one, right. The other side of the house, which we've used the acronym for a couple of times and talked about in brief, right? So, there's the other side of the house, which is Zscaler Internet Access, right? So, for me, I've worked at other security companies, where I've tried to be one or two or three of the 12 products in the outbound stack that is protecting users from the internet and trying to manage DLP, CASB around, you know, individual public applications like 365, right? ZIA was one of the big reasons I came over to the company, right? Because it... I'll let you take it from there. You talk about this so much more eloquently than I do. Could you talk about ZIA and what it's doing in your agency right now?

 

So, ZIA, I like to compare it to an IAP, and everything that an IAP is doing. Like you said, if you look at, like, a JRSS and that stack, you have all the different products in there. And what industry has realized is that getting these single point products is very, very difficult: getting them all to work, API driven, with massive amounts of possibility of something going wrong, because I have multiple points of failure. That is really not the best way to move. The best way to move is to have a platform that's purposely built, like I said at the beginning of the podcast, where each and every function, each and every feature, talks to one another. If I accidentally click on a brand new zero-day phishing link, that user's risk should go all the way down, and that should be fed into my private applications, right? So I know maybe I'm no longer having direct access, but now I'm going to get browser-based access where I can't upload or download or print or do anything, right, but at least I could still do my job and try to understand where, you know, support comes in and looks at my endpoint, makes sure that nothing was downloaded or anything bad happened. Having ZIA in a way that understands, you know, like I said before, it hides the user, but it also carries and understands what the user is doing and the risk that it's providing to the ZPA, Zscaler Private Access. Excuse me, a little bit nervous, Tom, sorry about that. That being said, when each and every function is communicating with each other, each feature is communicating with each other, it keeps that user more secure. It goes from unknown to known very, very quickly. Zscaler is doing over half a trillion transactions a day, and over 300 trillion signals. You know, I imagine this gentleman out there sweeping, you know, you're sweeping the ocean, right? And with the water, it just keeps coming in.
That's what all the words mean. Now, if you think about it, 500 billion transactions, half a trillion transactions a day. Think about 300 trillion signals. How Zscaler is learning quickly, how Zscaler can automate that from an unknown to a known. Hopefully, that answers your question, sir. Yeah,

 

I do have one point. I know with the customers that I support, and obviously the customers that you support as well, there's the whole construct of defense in depth. So, I think that was part of the genesis as to why these customers built these massive stacks with variants in technologies and variants in providers and stuff, because they were thinking to themselves, okay, we've just strengthened our castle because we have that depth in play now. Now you come in with a single solution and say this will now fix all of your issues from a security standpoint and will still provide this sort of defense in depth. But how does that... how's that?

Great question. So, no single vendor can do Zero Trust. Zscaler is just the transport. You still need to do endpoint. You still need to do identity, and combine all of those in, right? But what we learned from the last decade and a half is that individual stacks do not work. Why? Because I'm fighting for the same dollars as you, as product one, product two, product three, right? If I'm fighting for the same dollars, I don't want to have the integration with you. I'm going to make that as hard as possible, because I'm fighting everyone. That's my opinion on this. But now you have a company that's able to take all of that technology from a transport perspective, where I'm applying security policy to that transport, whether it's inline or out of band, right, and give you what you need. But before I build that tunnel, before I do anything, I'm going to take another technology that's not the transport, the identity, and make sure that you are who you say you are. And then you give me all of those SAML assertions about who you are, and I apply security policy.
And then, on top of that, using an endpoint, right, understanding the endpoint posture, whether it's coming from Intune, whether it's coming from Zscaler doing it, or CrowdStrike, whatever you have, feeding that into Zscaler, we can do that. If you have a CMDB as the source of truth, you do an API call into Zscaler, which we're working on with my current customer now, where that CMDB tells Zscaler, when that user asks for that application, you do the posture check then, so you're not constantly doing it, not overworking your network. Just as needed. It's as needed, correct? So, to make it clear, I feel, Zscaler feels, I believe everyone, both of you feel, that Zero Trust cannot be done by a single vendor. It's definitely broken up into endpoint, transport and identity. And the transport uses both the identity and the endpoint before it creates that tunnel to that app, to that asset, whatever that asset may be, and then constantly does adaptive access or continuous comply-to-connect to make sure that nothing has happened. Like I said before, at 0800 everything's good; at 0915 malware woke up. You just lost that access to everything. Now you just have access to a deception network where we just honeypot you and withdraw the threat intel we can get on you.

 

Perfect, makes sense. So, Conrad, you have my favorite... you said it one time, and I've quoted you a million times, but you have a different way of talking about Zero Trust, right? So, do you want to tee that up? I've mentioned it in other shows and given you credit for it, but, like, give it to us again. Have it sink in and give us a breakdown of how you came to that understanding.

You walk down any show and you see Zero Trust, AI, Zero Trust, AI. I don't call it Zero Trust. I want to use the language that our customers understand, and that is dynamic need to know. You work from nine to five; you have a dynamic need to know. Maybe from eight to six, eight to seven. You lose your need to know when you're home, and Zscaler can provide that. At nine o'clock at night, what's your reasoning for having access to something? You don't work then; you shouldn't have that, and that should be removed. That is what I mean when I look at Zscaler. You look at the switchboard, like the old way with the phone, right? You have a person I need to talk to. I call that switchboard. I'm going to say, hey, this is Conrad. I need to talk to Tommy. I need to talk to Tom. The switchboard goes, well, looks up the policy. Yep, he's coming from a secure location, yep. I then connect it, and I then have a conversation with you. Zscaler is that switchboard, is that operator. And then, while it's doing that, it's following me; it blindfolds me, takes me to that room. I don't know where anything else is when I'm blindfolded. When I'm in that room, there's no windows; you can't see out. That is what it's all about, right? When we're talking about this, I like to say Zscaler is the switchboard from a ZPA perspective. But then what it also is, if you go to, like, a hub of an airport, for ZIA, where we're scanning the luggage, looking at your ID to make sure you are who you say you are, doing the identity, looking at, you know, everything that's inside your luggage, whether you're checking it or you're bringing it on as carry-on. And then, hey, your certificate says you're going to Miami, but this is the plane to Denver. Why are you trying to get on this plane? That's what Zscaler is also doing.

 

Yeah, it's an interesting, like, sidebar conversation. We talk about trust. In the other show, I was trying to cross-pivot trust into the notion of faith, right? Like, do I have faith in this thing in the absence of data? We talk about trust; one of the interesting things that I find, and just to go back to the Zscaler Internet Access piece for a second. You know, when you're going out to the internet, I don't know if everybody realizes this, because all different types of folks have been listening to the show. You know, you get routed to a stack of nine to 14 things. And there's antivirus, there's IPS, IDS, there's DLP, there's CASB, there's sandbox, there might be browser isolation, right, and typically this stack is, you know, 14 boxes that have 14 different admin consoles, with thousands and thousands of pages of admin work behind them that you need to work on. The admins that are working on those boxes are trying to make the policy match, you know, the individual policy of the agency, but then you have to manage Patch Tuesdays, upstream and downstream effects. They're running down hallways with thumb drives trying to update these stacks, right? I'm doing, like, an informal survey amongst all of the individual DoD and contractor folks that I've talked to, and the question I ask them is, all right, so this stack that's protecting users from the internet, that's protecting the DoD and assets from the internet, and making sure that the bad stays out and the good stays in: how much of your time, just from an hours-per-day perspective, are you spending maintaining the stack, and how much of your time are you spending actually iterating policy, what we would call doing the real cyber security work, going through your SIEM and looking for, like, low-and-slows with really creative algorithms, right? So the numbers vary, right?
But I've probably asked 100 people, and the overarching response that I get, if I average it out, is 70% of their time managing the stack, 30% of the time doing what I would call real cyber security work, right? So now we get back to the whole human intellectual capital conversation, of like, how do you want to spend your smart people? Do you want them spending 70% of their time running down hallways with thumb drives and trying to manage upstream and downstream effects? Or do you want them doing, like, the real core cyber that the MILDEPs or the COCOM or the agency needs, right? And by the way, you ask these people the secondary question: how much of your time do you spend doing either of those things? 70/30. Well, which one of those things do you like, and which one of those things do you not like? And they go, I hate maintaining the stack. It's a pain. I have constant errors and alerts, and I've got to create outages, and people are all mad at me. And, okay, why'd you get into cyber? It's to do the 30%, right? So, by the way, you have a fixed number of super sharp people in your organization that you have access to, right? They want to spend their time doing cyber; that's why they got into the business. And they're spending 70% of their time doing this IT-based patch and update management. It's upside down, right? If you want to keep them, give them more of the cyber work. That was the biggest thing when I... so ZIA, the way that it works is we decrypt the packet once on the way in. We SSL-decrypt it, and all the engines fire at once, and all the policies are managed in one place. We manage all the patching, upgrade, downgrade, all that. There's a very small amount of basically stack maintenance from the Zscaler side. You give that time back to people, and I've watched that be really powerful, especially the work that both of you guys have done with Zscaler over in the FSI community too. I know that we've seen it.

 

So, what you just said is really, really important. Why would you want to maintain the stack? Why wouldn't you want the OEM to maintain the stack? They know how to upgrade it. They know if there's a problem. If you're doing it and you have a problem, you're going to call them anyway. So if you're allowing them to do it from the beginning, they're going to do it right 99% of the time, where there is no outage, right? You do a side A, you do a side B, you do PSE one, you do PSE two, you bring in the cloud on prem, and we are able to do that for you, again, concentrating on what's important. So, I believe this is a new way, and our customers are understanding, yeah, we want Zscaler to do that. We don't want to do that anymore. Let's concentrate on what's important. Let me go look inside my deception to see who's in there and what they're doing, right, concentrating on the good stuff. Who's attacking you, the weapon they're using, you know, what's their mission? You all have that at your fingertips now, because it's all an integrated solution with Zscaler.

 

Yeah, so Tom, I'm going to put you on the spot for a second. There was one particular systems integrator where we did some work together, right? And the number gets thrown around about how many admins they have for ZIA, for the amount of people that they're protecting. We're not going to mention them by name, right, but you know who I'm talking about, right? Yeah. So, give us a little bit of data around that.

 

So, yeah, this is one of the large FSIs that had a user base of over 100,000 users. There's a couple of stories. Actually, I want to bring up some scalability and growth capabilities as well. This same integrator, they were doing a slow rollout of our ZIA solution, and I was wondering if we were going to go there, but we're going to go there, so why not? Right? We're all friends here. They got an order from their desktop engineering team that they're going to be rolling out 1,500 users for this one evening, and so that's no problem, 1,500 users, okay, well, they'll wake up in the morning with the Zscaler Client Connector running on their machine. Unfortunately, the desktop group misunderstood the order and did 15,000 that first night, or that one night, so a whole 10x more than what was expected, and then we were a little bit on the edge of our seat. But it was an interesting day. Yeah, you and I were, again, you talk about those moments, like, yeah, I believe in the... you know, you're betting some level of your career around a technology, right? Right? Because... stop and no, no, that was exactly the emotional roller coaster we were on. We felt like everything should be fine, but we're like, okay, I'm going to have my phone at the ready. And the truth is, the phone stayed silent. So, whether we went from 1,500 to 15,000 for that one rollout for one evening, it was absolutely invisible to the users. And that was actually a pretty impressive inflection point for the relationship we have with this particular integrator, when they saw just how quickly our cloud can scale based on the number of users we can add in a single event for their tenant also. So, the question specifically was regarding how many admins for over 100,000 users.

 

Yeah, so, okay, they used to have, just for their internet access, over 25 admins running that, for those users, specifically just for their internet access. So those were the 25 admins that were managing that stack that Tom and Conrad had talked about as well. Once Zscaler was completely rolled into this particular customer, they're down to three admins now, and these are, as Tom astutely pointed out, very, very smart people. So, they've freed up the intellectual capabilities of 22 of their top engineers that were just managing their internet access, and now they're able to do something much more meaningful and useful to this organization. So, win-win all the way around for that particular integrator. Think about all the learning that you have to do for that stack and each and every component, right?

 

It's in the additional logging. That's the... the logging is really key, right? And, yeah, that's a lot of time invested in the correlation of the data. And the SIEMs love that. Why? Because you're ingesting more and more and more and more, even though it's redundant, right, right? We want to go to the 300 trillion signals and look at what's important, and by freeing up all those people, they're able to do that now. And I bet your job satisfaction is up. I'm sure it is, absolutely. Two more things I wanted to dig into, right? So, it's interesting, right? We keep talking about the notion of trust or faith. We talk to folks a lot of the time about when you are protecting these users from, you know, these individual interactions with the internet. You know, about 85% at this point, I think, of that traffic is SSL encrypted, right? So, I end up talking to a lot of folks, and I ask them, all right, are you guys doing SSL decryption when you do your inspection? Meaning, is this just flowing through as Klingon poetry, as fully encrypted material that you can't touch? Are you actually breaking all of this stuff open and doing real inspection against those individual pieces of data? And the answer I always get is, yes, I have the ability to do SSL decryption. And then we get to the secondary question of, great, how much? And it's, we're very selective about what SSL decryption we do, because it's heavy. It's a weighty thing. It takes a lot of hardware in your data center to go do that, right? And then I finally get around to being like, all right, what percentage of the traffic? And it's like, wow, about 12%. We're decrypting about 12%. So I'm going to lay the gauntlet down here. That means you're trusting 88% of that traffic that's flowing through your network. I'm having faith that those are good, solid transactions that I don't actually need to go in and inspect.
One of the other big reasons I came to Zscaler is, like, we're doing SSL decryption at scale. So average customers are doing 85, 88%, and the things they're not SSL decrypting are things like banking, health care, like things that, from a legal perspective, they shouldn't be getting into, PII that is from the individual users, right? But that was a massive individual thing for me. I don't know if that conversation kind of tracks true over on your side, Conrad.

 

It has. It's been an ongoing challenge to make the legacy systems encrypt, because every time they turn it on for the amount that they want to do, it cripples the system. And what I like to talk about is the encryption: if you don't, how do you block the bad, or protect the good from going out, right, the secrets and stuff like that? If you're not inspecting your traffic... and why would you want to bring the fight into your house? Bring the fight into the street. That's the Zero Trust Exchange, out of your house. You don't mess up your house. The fight goes down there in the street. And if you're not decrypting and then looking in those packets, the fight is going to come down to the endpoint, which is in your house. And I don't think there's an endpoint today that's ready for that fight. If they're there, they're on your network; they're in. That's it. It's over, game over. And now you have to do what you need to do to get them out of your network. So, encryption, decryption is very, very important, and do it on everything that you possibly can, right?

 

Yeah, so I'll cut this part. I had something I was going to bring up, and I'm drawing a blank on it now. Crap, crap, crap, crap, but it's okay. I'm looking... I don't have any more dynamic need to know. Maybe I've been revoked.

 

I want to get into just, like, one fun topic, and then we'll close. Go. No, no, no. I mean, we could talk about it, whether you want to bring up Brooklyn pizza; we want to just do something a little bit off, because this is what we have, the episode with Conrad Maiorino. It's pizza, yeah. Oh, I remember what I said yesterday. I was playing with Tommy yesterday. I said, I really want to get Conrad spun up, so everybody gets a taste of, like, super passionate Conrad. And I was saying, hey, you know, Tommy and I went to do this. We were out in Omaha. I had the best pizza of my life, just to watch you get all spun up. That's exactly it.

 

Okay, yeah. I mean, we can start at any point. But, yeah, I do want to bring up just something fun, right? That's non-technical. And then we can close out, yeah. Three, two, one, go. Go, no, absolutely, you're on. So, Conrad, you know, we're kind of coming to the end of the show, and thank you, but there's absolutely... it's been fun as always. But there's more to Conrad Maiorino than just a Zero Trust engineer, right? Or a dynamic need to know engineer, perhaps? You're right. Yeah, noted, right? Is there anything else, like, any other hobbies or anything that you enjoy doing or talking about, or...

 

I like a lot of things, like you brought up. I love to make pizza. Making pizza at home brings people together. You would never know from the accent. There's a lot of things I love to... I just love to spend time with my family, right? Because we travel so much, and the time I get with my family is sacred, right? And whether, you know, we're in the car, just, you know, going to drive wherever we're going to go, to do whatever we're going to do that week. That's one of my favorite things to do, is just being with the family. Like, my kids are in school, or my daughter just graduated last year. My son's taking a fifth year. He decided to add math to his physics. Of course. Why not? I'm sure you appreciate that.

 

You know, driving down to A&M, or driving, when my daughter was at school, to Arkansas, and spending time with them. Family is very big in my house, and that's my hobby, that's my passion, also my love, and spending time with my wife when I can. We do some crazy things, like we'll just go hiking, sure, we'll get in the car, and we'll say, we'll roll the dice. And this is what we're doing right now, very spontaneous. And I love doing that. Some other hobbies I really like to do that are outside of the family, that are individual: I used to love to do anything with water. I'm really big with the water. Born a Pisces, right? So, sailing. Nice. Attending NYU, I only got my sailing license. Took sailing as my PE, right. Love to sail. I tried to surf. It isn't happening, no, just too old. Tried to do it down in Cabo. The kids do it every time they go. I can't do it. It just... I'm going to die out there. Do that. I also like to ride horses when I get the chance. Nice. You know, with what we're dealing with every day, riding a horse is just peaceful to me, right? And it brings me tranquility, to be honest with you. And there's just something about the animal that I really love and enjoy. Nice. My other real passion is, you know, trying to make sure my kids are okay and taken care of. Yep, that's what dads do.

 

I'm a worrier. How are you doing today? I speak to my kids, like, every day, five times.

 

I tell everybody... no, not at all. You guys know. So, you guys will probably, hopefully, back this up. I'm going to do it, you know, live on recording, right? But I think that every time you guys have ever needed me, or work has ever needed me, I've been like, immediately, like, I show up and I'm there, until my family needs me, and then I'm a ghost. Like, there's, like, well, I'd really like to, yeah, but if my family needs me, that's the easiest decision in the world. It's like, hey, I've got cover, I've got you, I've got other people. At Zscaler, again, I work with brilliant people, and I'm rarely the smartest guy in the room. I can spread the load on that. But if family needs me, that's 100% first. That's priority.

 

The thing about being at Zscaler that I really love is the leadership here is forward-thinking. They're there for you. It's a culture that is just phenomenal.

 

Yeah, people talk about that, but it's rarely ever seen to this level, but this company cares deeply about us, right, and our health and our families. You know, just like last year, they gave out the Calm app to everyone, and I've been using it every night to help me go to sleep. My mind is constantly racing, right. Turn on that green noise or the brown noise one night, and I'm good. They just gave it out to everyone, just to help them. That's amazing. That's a company I love working for, right, right? And it's my company, and I'm proud to work here. Me too. Yeah, and like I said, it's not a right, it's a privilege, right? Absolutely. I think we're not going to find a better place to wrap this up than right there, right? So great.

 

Hey, Conrad, thank you for coming in. Thank you. I know your time is valuable, and we appreciate you coming out and having this conversation with us. I'm sure all the listeners can appreciate it too. Tom, as always, Tommy G, thank you so much. Thank you, my partner in arms here in getting through this podcast. Everybody, this is Tom Tittermary. If you have questions, comments, thoughts for Mr. Conrad Maiorino, you can reach us at zerotrustsgiven@gmail.com, trusts with an S. Again, it's zerotrustsgiven, with an S, @gmail.com. So if you have a question around Zero Trust that you think is germane to the topic, fire it in. We'll address it on the show if we think it's a good topic of conversation. We're trying to put together some gift packs so we can get you some swag from Zero Trusts Given. I don't know if we're going to do t-shirts or mugs, but we're going to do something fun, so look forward to that. But again, thank you guys very much. Thank you so much for spending the time with us. I thought it was a great conversation. And everybody out there, thank you so much for your time and listening to the show, and we'll catch you next time.