 Hey, welcome back everybody. Jeff Frick here with theCUBE. We're having a CUBE conversation at our Palo Alto studios. A little bit of a break in the conference schedule, which means we could have a little bit more intimate conversations outside of the context of a show. And we're really excited to have our next guest. He's running a billion dollar company evaluation. They've been at it for almost 10 years. Cloud first from the beginning, way ahead of the curve. And I think the curve's probably kind of catching up to him in terms of really thinking about security in a cloud based way. It's Jay Chaudhry. He's the founder and CEO of Zscaler. Jay, welcome. Thank you, Jeff. So we've had a few of your associates on, but we've never had you on. So great to have you on theCUBE. I appreciate the opportunity. Absolutely. So you guys from the get go really took a cloud native approach to security. When everyone is building appliances and shipping appliances, and they have beautiful fronts and flashing lights, and everyone's enamored with appliances. You took a very different tact. Explain kind of your thinking when you founded the company. So all the companies I had done, I had looked for a first mover advantage. So if you were a first mover, then you got significant advantage of others. So look at 2008. We were going to internet for a whole range of services. Lots of information sitting there from weather to news and all the other stuff. Now on cloud applications point of view, Salesforce was doing very well, NetSuite was doing well. And I've been using Salesforce and NetSuite in all of my startups since year 2001, when each of them was under 10 million in sales. So my notion was simple. Will more and more information sit on the internet? And so it was yes. If Salesforce and NetSuite are so good, why won't other applications move to the cloud? And so it was yes. So if that's the case, why should security appliances sit in a data center? Security should sit in the cloud as well. So with that simple notion, I said, if I start a new company, I had no legacy boxes to worry about. You started a clean slate, clean architecture, designed for the cloud. What we like to call born in the cloud for the cloud. That's what I did. What great foresight. I mean, I'm trying to remember 2008, if the enterprise adoption of cloud, I mean, Salesforce really was the first application to drive that. I mean, I was thinking if poor ADP gets no credit for being really the earliest cloud, they weren't really a solution, right? That's correct. At the service provider. But so Salesforce really kind of cracked the enterprise nut for trust with SaaS application. That's correct. This wasn't even a term back then. So taking a cloud approach to security, very different strategy than an appliance. And credit to you for thinking about, you could no longer build the wall in the moat anymore. Exactly. In an internet world. Yeah. So my notion was simple. The old world of IT security was what you just mentioned, castle and moat. I am safe in my castle. But when people wanted to go out to call it greener pastures, you needed to build a drawbridge. And that's the kind of drawbridge these appliances built. And then if you really want to be outside for business and all other reasons, you're not coming in. So notion of castle and moat is no good. So we said, let's give it up. So let's get away from the notion that I must secure my network on which users and applications are sitting. I really need to make sure the right user has access to right application or service, which may be on the internet, which may be on a public cloud, which may be a SaaS application like Salesforce, or it's maybe in the data center. So we really thought very differently. Network security will become irrelevant. Internet will become your corporate network and we connect the right user to right applications. Very logical. It took us a while to evangelize and convince a bunch of customers. But as G and Nestle and Siemens of the world jumped on it because they love the technology, we got fair amount of momentum and then lots of other enterprises came along. Right, right. It's so interesting that nobody ever really talked about the internet as an application delivery platform back in the day, right? It was a BBN and then we had a few pictures. Thank you, Netscape, but really to think of the internet as a way to deliver applications and then enterprise applications. What great foresight that you had there. So I think we built on the foresight of Salesforce and NetSuite and other information sources on the internet. I came from security side of it. I built a number of companies that built and sold appliances. Right. But it was obvious that in the new world, security will become a service. So think of cloud computing. People get surprised about cloud computing being big. It's natural. It's a utility service. If I'm in the business of manufacturing, widgets, A, B and C, computing is not my business. If just like I plug into the wall socket and get electricity, I should be able to turn on some device, some terminal and access applications sitting somewhere and managed by someone. So we needed good connectivity over the internet to do that. As that has matured over the past 10 years, as devices have become more capable and mobile, it's a natural way to go to cloud computing and for us to do cloud security was a very natural thing. Right, right. So then you place at the right time, right? So then you picked up on a couple of these other tremendous trends that a cloud-centric application really takes advantage of. First is mobile. Next is bring your own mobile, right, BYOD. And then this funky little thing called Shadow IT which Amazon enabled by having a data center at the swipe of a credit card. Your application, your technology works great with all those various kind of access methodologies still consistently, right? Yeah, and that is because the traditional security vendors, so-called network security vendors, were protecting the network. They assumed that you sat in an office on the network. Or if you were outside, you came back to the network through a VPN. We assumed that, forget the network. A user sitting in the office or at home or at a coffee shop airport has to get to some destination over some network. That's not what about securing the network. That's about policy and security that says, whether you are on a PC or a mobile phone, you're simply connecting through our security check post to where you want to go. So mobile and cloud were the natural two things. Mobile became the user. Cloud became the destination. And internet became the connector of the two. And we became the policy check post in the middle. So what do you do in terms of your security application? Are you looking at MAC addresses? Are you looking at multi-factor authentication? Because I would assume if you're not guarding the network per se, you really must be all about the identity and the rules that go along with that identity. Yeah, so it's a good question. So user needs to get to certain applications and services. So you put them in two buckets. First is external services. External means that a company doesn't need to manage or maintain. And that is either open internet, which could be Google search, could be Facebook, LinkedIn, and type of stuff. Or it could be SaaS applications that Salesforce offers or Microsoft Office 365. So in that case, we want to make sure that when users go to those sites, nothing bad should come in. That means malware stuff. And nothing good should leak out, your confidential information. So we are inspecting traffic going in and out. So we are about inspecting the traffic. The packets. The packets to make sure this is not malicious stuff. Now for authentication, we use third-party services like Microsoft AD or Octa. They tell us who the user is and what the group is. And based on that, sitting in the traffic path, we are the guy who enforce the policy. So that is for external applications. The second part of Zscaler service, what we call Zscaler private access, is to make sure that you can get to your internal applications either in your data center, or they're sitting in a public cloud such as Azure or AWS. There we are less worried about malware. We are more worried about, is the right person getting to the right application? And the other checks are different. There you are connecting the right parties and less worried about security. And then does it work with the existing, trying to think of the name of, the internal corporate systems who identify, you integrate, I assume, with all those existing types of systems. Yeah, so we look at the destination. Your existing system could be sitting in your data center or in the cloud. It doesn't really matter. We look at your data center as a destination. We look at stuff sitting in Azure as a destination. And then this new little twist, so obviously Salesforce has been very successful. We referenced them a few times and I'd just like to point to the new 60 story tower. If anyone ever questions whether people think cloud is secure, it's like go look downtown at the new skyline in San Francisco. But there's a big new entrance in play on kind of the enterprise corporate SaaS side. And that's Office 365. I guess it's not that new anymore. Still relatively new. I'm just curious to get your perspective. You've been at this for 10 years almost. The impact of that application specifically to this evolution, to a really pure SaaS based model, getting more and more of the enterprise software stack. So number one application in any enterprise is email. Unfortunately, that's got to be your next starter. We got to fix the email problem, but we'll stay that for another conversation. So email, calendaring, sharing files and whatnot. It used to sit in your data center and you had to buy, deploy, manage servers within a Microsoft exchange. So Microsoft said, forget about you managing it. I will manage your exchange with a new name Office 365 in the cloud. So you don't worry about it and you come to me and I'll take care of it. I think it's a brilliant move by Microsoft and customers are ready to give up the headaches or maintaining the boxes, the software and storage and everything. Now, when the biggest application moves the cloud, every CIO pays attention to it. So as Office got embraced, the corporate network started to break. Now why would that happen? If you are in 50 cities around the globe, your exchange is sitting in Chicago data center. Every employee from every city came to Chicago data center. Now Microsoft Office is sitting somewhere. Why should every employee go to Chicago? That's where the networks are and then try to go to cloud. So they backhaul over traditional corporate network using MPLS technology, very expensive and then they go to the internet to go to Office 365. Slow, no one likes it. Microsoft doesn't like it. Speed of light is too damn slow. Speed of light is speed of light. You can only go so fast. It's not fast if you're going around the world and you're waiting for something. If I have to go to New York city to my data center so I could come to a local site in San Francisco, it is horrible. And that's what our traditional networks have done. That's what traditional security box has done. What ZSkiller says, don't worry about having two or three gateways to the internet. You have as many gateways as your employees because every employee simply points to the ZSkiller's nearest data center. We are the security stack. We take care of security inspection and policy and you get to where you need to get to the fastest way. So Office 365 is a great catalyst for ZSkiller. As customers are struggling with user experience and the traffic getting clogged on the traditional network, we go in and say, if you did local internet breakout, you go direct, but you couldn't go direct without us because you need some security check post in the middle. So we are the check post sitting 100 data centers around the globe and users are happy, we are happy. So that was going to be my next point. Begg's a question. How many access points do you guys have? But you just answered it. You have hundreds. So you work with a local Colo, you got a short hop from your device into the ZSkiller system and then you're into your network. Yeah, we are deployed in 100 data centers. These are generally Colos coming from leading vendors. Maybe Equinex, maybe Level 3, entire cities of the world. And the goal is to shorten the distance. I'll tell you two interesting anecdotes. I talked to a CIO last year. I said, how many employees do you have? He said, 10,000. He said, how many internet gateways do you have? I thought he would say, five. He said, 10,000. I said, what? He said, every employee has a laptop. Then laptop goes where the employee goes and it directly goes to the internet. It's a gateway. Then he said, sorry, I misspoke. Every employee has a smartphone. And many have tablets too. I have 25,000 gateways. So if you start thinking that way, trying to take all the traffic back to some security appliances sitting in a data center or 10 branch offices, makes no sense. So that's where we come in. And I had an interesting discussion with a very large consumer company out of Europe. I went to see them. They're one of our early customers. I met the head of security. I said, I'm here to understand how well these killers are working. Since our security is so good, you must be loving it. He smiled and he said, I love your security, but I love something more than your security. I said, huh, what is that? He said, imagine if the world had four airport hubs to connect through and you're a world traveler, you'll be miserable. He said, I have 160,000 employees in 130 countries. I have four internet gateways with security appliances sitting there. And everyone has to go to one of those before they get out. So they were miserable. Now they are blogging on the internet. Then internet has become very fast. So he said, as a CISO, I love it because security leaders are blamed for slowing you down in the name of security. Now I have made users happy, I've brought in better security. So it's all wonderful. Jay, sounds like you're a virtual networking company that Trojan torsted in as a security company. So let's put it this way. I mean, the value you probably, I'm teasing you, but it's a really interesting kind of twist to the tail. So no, no, you are actually making a very good point. So this is what happening. Every CIS talking about digital transformation through IT transformation. Now if you start drilling down, what does that mean? Applications are moving to the cloud. So that's the application transformation going on. Because applications are no longer in your data center, which was the center of gravity. If applications move to the cloud, the network that designed to bring everything to the data center becomes irrelevant. It's no good. So now companies are transforming the data center. Sorry, they're transforming the network. Now to transform network, so you could directly go to the application, the only thing they're holding you back is security. So we essentially built a new type of security. So we're bringing security transformation, which is needed to transform your network and transform your applications. So that's why people, customers who buy us, is typically the head of application, head of security and head of networking, all three come together. Because transformation doesn't happen in isolation. Traditional security boxes are bought typically by the security team only. Because they said, put a box here, you need to inspect the traffic. We go in and say, the old world of IT is changing. Let me help you transform the new world, we call it cloud enabled enterprise. And that's what we call it. Pretty interesting too when you think of the impacts that not only are you leveraging you as a security layer in this cloud and getting in the way of the phone traffic and the laptop traffic, but too as people migrate to more and more of these enterprise SaaS apps, you're leveraging their security infrastructure, which is usually significantly bigger than any particular individual company can ever afford. That's correct. So a point there. So Salesforce, an enterprise doesn't need to worry about protecting Salesforce. They need to make sure they can have a shortest path and the right user is getting there. So we help as a policy check post in the middle. And also we make sure employees aren't downloading confidential customer information and sending out in Gmail to somebody else. But when applications move to Azure or AWS, you as an enterprise have to worry about securing it. If you expose them, if they resolve to the internet, then somebody can discover you. Somebody can do denial or service attack. So how do you handle that? So that's where we come in, we kind of say, even though your applications are in Azure, I will give you the shortest path with all the technology that you need to secure your internal application. It's interesting because there's been recent breaches reported at Amazon where the AWS customer didn't secure their own instance inside of AWS. It wasn't an AWS problem, it was a configuration problem. Or it could be the policy problem. Or a policy problem. Somebody, for example, came in to your data center over VPN and once they are on your network, they can have what we call the lateral movement. They can go around to see what's out there and they can get to applications. So we overcome all those security issues. Okay, so you've been at this for a while. 365 is a game changer and kind of accelerating. As you look forward, what excites you? What scares you? Where do you see kind of the security world evolving? Obviously, we hear in the news all the time that the attacks now are oftentimes nation states and the security challenges grown significantly higher than just the crazy hacker working out of his mom's basement. So as you see the evolution, what's kind of scary and what's exciting? I think the scary part is inertia. People kind of say, this is how I've done security within the castle and moat. That's so odd. Still, they still do it because they feel like I can put my arms around, I can see the drawbridge and I can see the airplane right over the top of the wall. They're missing on that part. So once someone gets into your castle, you are in trouble. So in the new approach we advocate, don't worry about castles and moats. The applications are out there somewhere. Your users are out there somewhere and they just need to reach the right application. So our focus is connecting the right people. Now, more and more devices are coming in. We all hear about IoT's out there. The IoT at the end of the day is a copier, a printer, a video camera, or some machine control thing. Or a nuclear power plant. They all need to talk to something. If they get hijacked, you think your nuclear power plant is sending information about its health to place A, but it's going to Ukraine. That's a problem. How do you make sure the IoT controls in a plant are talking to the right parties? So we actually sit in the middle of kind of connecting the parties so that's another area for us for potential looking at the opportunity. So another big one, like mobile in 365 wasn't enough. Now you have IoT. Yeah, it's a natural. I'm hanging out with you more, Jay. So today, every day, we see tens of thousands of cameras and copiers calling the internet. And customers have no idea. Now, why are they calling? Generally, there's no malicious motive. The vendor wanted to know if the toner is down or not. All things are working fine, but they have no security control. Our CISO does a demo from the internet. He logs onto the camera or the printer and copier and actually gets, can show that information can be obtained. So those are some of the things we must control and protect and you do it not by doing network security, but a policy-based access from a right device to a right destination. So are you seeing an increase in the kind of machine to machine? Tremendous amount of traffic, machine to machine. So there's the IoT traffic and there's a machine to machine traffic. So when you have a bunch of applications sitting in your data center and you have a bunch of applications sitting in Azure or AWS, they need to talk. So a lot of that traffic goes through Zscaler. So we're logging and forcing it. Then you have an application that needs to go and get, say, some market pricing information from internet. So the machine is sitting in your data center or in Azure is calling someone out there or some server to get that information. So we come in between as a check force to have right connectivity. It's your same value proposition. Same value preference, very simple but elegant. All right Jay, I'm hanging out with you more. You seem to have the touch to know where to be at the right time. We're having fun. It's a great story and I really appreciate you taking a few minutes out of your day to stop by. We have a great team that makes it happen. That's a big piece of it. Absolutely. Well, and good leadership as well, obviously. We have great leaders in the company. All right. Thank you. I'm the founder and CEO of Zscaler. Check it out. Thanks again for stopping by theCUBE. I'm Jeff Frick. Thanks for watching. We'll catch you next time.