As the move to cloud-native accelerates, we are seeing the rise of the cloud-first architect and their impact on DevSecOps, cloud security and more.
In this DevOps Chat, we sat down with Chris Hines of Zscaler to explore the importance of this position and how security is working with Dev and DevOps to make us all more secure.
As usual, the streaming audio is immediately below, followed by the transcript of our conversation. Enjoy!
Alan Shimel: Hey, everyone, it’s Alan Shimel, DevOps.com, Security Boulevard, Container Journal, and you’re listening to DevOps Chat.
This is gonna be a really good chat. I’m happy to be talking with Chris Hines from Zscaler. And, of course, if you’re not familiar with Zscaler, they are one of the early companies in kinda moving data and security to the cloud with their Zscaler Cloud and stuff. Just full disclosure, you know, in my consulting days, I actually had the pleasure of working with Jay Chaudhry and the Zscaler team, and I wrote some of their early, early white papers and position papers on a lot of the earlier Zscaler stuff, so it’s a pleasure to have someone from Zscaler on.
Chris Hines: Thank you so much. I appreciate the time to be here. You know, obviously, being able to work here at Zscaler, we’re working on a lot of this Cloud-First Architect initial work and kind of like you said, designing—this architect has really redefined the way security’s done, right? Leveraging the cloud to do it versus some of the legacy incumbent technologies like, you know, network compliances, for instance.
And a lot of the work I get to do here at the company is helping educate our customers on the value of this new kind of architecture. You know, helping drive our go to market strategy for one of our key services, something called Zscaler Private Access, which has really changed the way in which we secure access to our private applications via our platform. So, thanks for the time to be here.
Shimel: Not a problem. Chris, we should really start—I wanna jump into Cloud-First Architect in a second. But just in way of introduction and level set, can you just give our audience, you know, what’s kind of your official title and role at Zscaler?
Hines: Yeah, absolutely. So, I drive go to market for Zscaler Private Access, right? So, heading up our initiatives, our marketing initiatives for it. And it’s funny, prior to my Zscaler days, I actually worked at a company called Docker. So, the whole—
Shimel: I’ve heard of ‘em. [Laughter]
Hines: Yeah, helped build out our enterprise message there, right? Because Docker initially started as an open source company, right? Built out this massive community of developers and, you know, across various sets of Linux and all this good stuff, and figuring out how do we work with that to now enable enterprises with this awesome containerization technology as well.
So, very familiar with this whole migration space and why it’s so critical and some of the key players involved in it.
Shimel: Excellent, man. Alright. So, you mentioned what’s gonna be the magic word for today, and that’s—or the magic phrase—and that’s Cloud-First Architect. So, every time we say Cloud-First Architect, if our listeners at home can do a quick shot and we’ll see just where we are at the end of the podcast. [Laughter]
But let’s start off with this, Chris. What do we mean when we say Cloud-First Architect?
Hines: Sure. So, a lot of the customers we work with are kinda redefining the way that security’s done. Alright, when we look at every kind of major transformation that’s taken place in humanity, it’s been transformation around transportation, going from Henry Ford’s Model T, to now we’ve got the new Model S or Tesla Model 3s, right? We have—we started with kind of drawings of rockets to self-landing engines of those rockets, right? And a lot of it’s begun with the architect.
And it’s the same case as we look to kinda embrace this next kinda fourth Industrial Revolution when we look at technology now. It’s gonna be the architects, the forward-thinking individuals who are looking to say, “Hey, you know, the way we’ve been doing security and networking for the last 30 years, it’s time to change,” right? And it’s having that mentality of, as organizations look to embrace cloud, whether it be SaaS applications like Office 365 and Salesforce or Box. Or IaaS platforms like Azure, AWS, and GCP—how do we design an architecture that supports this new world, right? And you kinda layer in the fact that we now have a set of users, right, mobile users who are gonna eventually outnumber the amount of users working in the office.
So, when you start to couple these kinda macro level trends together, you start realizing—hmm, being cloud first, right, using technology that’s built to scale, built to be agile but at the same time remains secure is a really critical move. And we believe that the architect is an important role in helping drive this transformation to cloud.
Shimel: Absolutely, absolutely. And what’s interesting is, even in the way you’re talking about it, sort of the idea that security is integrated in here, right, that security’s part of this Cloud-First Architecture—
Shimel: – that this Cloud-First Architect needs to be if not a security person, security-savvy.
Hines: That’s exactly right.
Shimel: That’s exactly right today, but that wasn’t exactly right, you know, five years ago. [Laughter] I will tell you, and I spent the last 15 years, 20 years in security—there was, you know, (a) security had no seat at the table with these people as they talked about their cloud migration and transformations.
Hines: You know, it’s funny. It’s always kinda taken—it’s been an afterthought, right?
Hines: It’s like—alright, we gotta do something new or do something fresh. Oh—
Shimel: “Oh, we did that already. What’s the security implications of it?” Talk about closing the barn door after the horses ran out.
Hines: Yeah, obviously. [Laughter] But now, it’s like, security can actually be at the forefront, and instead of being an inhibitor to business change, it can actually enable business change.
Shimel: Yeah, an accelerator, even. More than an enabler, an accelerator, Chris. And I think that’s important.
I think the other thing, though, that we need to call out and recognize is that—you know what? So, I remember being at the RSA Conference in 2005 when this whole cloud thing, you know Cloud Security Alliance and all of this stuff was launching. And, you know, cloud became a real thing.
And, you know, the initial reaction or the initial security industry response was to say, “Well, it’s really not that different from what we do already. And so, you can take the security solutions we already had and just use ‘em for your information in the cloud, right, for your infrastructure in the cloud.” And, you know, my friend Rich Mogull, who was at Gartner then, or maybe he had started Securosis by that point. You know, he called that cloudwashing, right? Where we took our security from—you know, that was pre-cloud or not designed for cloud, that wasn’t cloud native; cloud native wasn’t a word then—and just, you know, tried to use that for our cloud infrastructure.
It didn’t work so well.
Hines: [Cross talk] That’s where it’s so important. You have—look, you can either retrofit something, a 30-year-old technology that actually outdates the thing it’s now trying to secure, right, or you can leverage something that’s born in cloud and built for cloud altogether.
Shimel: Yep, and that was Zscaler. Zscaler was one of the first kinda born in the cloud, built in the cloud, for the cloud—even though it was protecting end point data and everything else back then, it was really designed to leverage the cloud.
Hines: That’s exactly right. And the whole premise behind that was, you know, our CEO, obviously, this is maybe, I think, his sixth company, right? And he’s built companies where it was around designing network security appliances, and it was like—wait. You know, as more users become mobile, as we start to embrace more cloud, we don’t control the Salesforce or Box or Office 365 network. We don’t control AWS’s or GCP or Azure’s network, right? So, how do we do network security any more? It’s actually impossible, right?
So, it made sense when you had, you know, the center of gravity existed in a data center. It was like—okay, my architecture is gonna be built around my data center. So, I need a network to connect remote users to it or local users and, by the way, to protect it from the Internet or nefarious actors or bad actors, I’m gonna have a host of appliances, remote security appliances to guard it, right? That made sense.
But now, as the majority of apps, or a large portion of apps, I’ll say, are migrating to the cloud, why route users through a data center or through this gateway and then up to the Internet? Why not take them directly out to the Internet altogether?
Shimel: I agree with you 100 percent, man. I think we’re in violent agreement, there.
So, a couple things I want to throw up at you, there, Chris, and get your feedback on, too. Number one is, just as we can’t take, you know, on prem based security, technology, and solutions and think they’re gonna work in a cloud environment, you also cannot take on prem designed applications that were designed to work in a LAN, right, or were designed to work within that data center and just move ‘em up to the cloud like it’s just, you know, I’m just changing servers. It’s more than just changing servers.
To really harness the power of the cloud, right, to really leverage it and make the kinds of gains, you do need to re-architect, to redesign a lot of these—I mean, data is data, we get that—but you need to redesign these applications if they’re gonna take advantage of a containerized environment versus a hypervisor or what have you, right?
Shimel: And I think that’s another reason why it’s really important to have this Cloud-First Architect who’s taking these applications and truly transforming them into cloud native.
Hines: Yeah, that’s exactly right. I mean, you’re gonna have a certain set of applications that, maybe in some cases, depending on the level of compliance from our industry that might ever be migrated to cloud in reality, but then you also have legacy applications that might have monolithic code bases, right? Where, in order to actually leverage a futuristic technology or, you know, let’s say, get them to a distributed micro services architecture—yeah, it’s gonna have to be rebuilt or re-architect some of those in quite a way. Or, you know, you take some of those legacy apps and you stick it in a Docker container and leverage, you know, Kubernetes or Dockers who wouldn’t have migrated and orchestrated at that scale.
And I think part of that is, when organizations look at adopting cloud, you need to think of—first off, what’s driving it? It’s the applications, right? It’s which applications do I wanna begin with, right? Are you gonna start with some of the non-critical applications to kinda get your feet wet with [Distorted audio] this migration, right?
Shimel: Yeah. [Distorted audio] Yep. Another point I wanted to make, Chris, and that is the idea of shift left, right? We hear, you were at RSA last month—I think it was a month ago already—we had our fifth, I think it’s the fifth DevSecOps event at the Moscone Center on Monday. And every year, the crowd gets bigger and bigger. And of course, one of the topics is shift left—right? Shifting security left.
When we talk about the Cloud-First Architect, that’s almost like the ultimate shift left, right? He needs to be involved right from the get-go—hence, the word first, right? [Laughter] It’s not Cloud-Second Architect or Cloud-Last Architect, it’s Cloud-First Architect. But, you know, he or she needs to be there right from the get-go in terms of designing, you know, if you’re gonna do cloud-native, if you’re gonna do specific design for the cloud.
Hines: Correct. Right, and again, that’s a great—I see that as an opportunity for security professionals, the security architects now, right?
Hines: Now, step up and be part of the forefront, you know—a proactive approach rather than a reactive, and I think most security folks would appreciate that, right? Being more involved in the strategy beforehand. Because the reality is, this is new for many folks involved, and I know you have some of the legacy folks who are, they wanna wrap their hands around some kind of appliance that they can manage and now moving to a hosted service that they don’t control can be, you know, difficult, right? Just from a personnel and a comfort level situation, right? That’s one kind of piece behind it, from a security perspective.
You also have a finance piece as well, which we can talk through where, okay, if I purchase security appliances, let’s say, and I’m a security individual, I’m comfortable with this, but let’s say even if I wanted to move to cloud, how do I depreciate those assets quick enough to make it worthwhile to move and embrace a new technology and pay for a new technology, right?
So, security actually becomes inhibited by a bottom line thing as well, which is never a situation where you wanna be in, but that’s a reality of business, right?
Shimel: Yep. I hear ya 100%. So, now, let’s take this concept of cloud first and Cloud-First Architecture, Cloud-First Architect and apply it to Zscaler. What are you guys doing with it, how is it helping?
Hines: Yeah, so one of the big areas, especially that I’m focused on myself is, you know, people talking about this concept of zero trust security. So, I don’t know if you’ve heard the term or you’re familiar with the term—
Shimel: Yeah, no, if you were at RSA this year, Chris, you heard the term. [Laughter] [Cross talk]
Hines: So, there’s this fundamental approach around, how do we embrace zero trust? The idea has been out for, let’s say, 10 years. But the reality at the time was, we were leveraging network-centric appliance based technologies that were anchored in the data center. And, you know, as you look to embrace more cloud, you start to realize, you know, the older idea of zero trust needs to evolve really quickly.
And there’s been some initiatives with Forrester Research where they’re talking about things like zero trust extended, and this is great. But in reality, we need to look at an architecture that scales and provides zero trust security at a basic level but also integrates with the other key players in the market like the other pieces of the ecosystem. Identity becomes an important thing to set context, right? You gotta work with the mobile end point teams, like, their MDM solution to provide security there.
There’s a host of platforms and partners you need to work with to enable zero trust. And looking at redesigning the way that security architecture is done overall is a great opportunity to do that, because if the goal is to begin with never trusting the user, but then provide access based on context and then monitor that, why not have a platform that can provide a really kind of granular level of security without the inherent risk of trusting the user by putting them on the network at all, right?
So, this is some of the fundamental beginnings of the way in which we’ve architected our platform where it’s not around connecting a user to a network, right, it’s about connecting a user to a specific application from there. Once you open up your mind to that and decouple application access from network access, you can actually become this Cloud-First Architect that we envision the world becoming quite quickly, right? And the architects working at some of the world’s largest as well as small GB—we call it GB, but general business or small sized organizations as well, right?
Shimel: Yep. Excellent, excellent, excellent points, man. So, where do you see this going next?
Hines: Man, there’s a lot. Like, so, there’s a world where you’re connecting user to applications, then you look at kind of where things are going with IoT, where things are going with 5G, with mobility, with—you know, this idea of Internet connected devices as well, you can start to really apply this security idea of hosted security in the cloud, right, but applicable across users, different technologies as well regardless of where the application is running, right?
It’s not just around running apps specifically in Azure or in AWS or on a data center. It’s enabling all this, right? It’s this concept of, you know, the security policies follow the user regardless of where they are or regardless of the application which they are attempting to access runs within. And there’s so much opportunity when you open your mind to this new Cloud-First Architecture, and I just hope that this podcast here with you can help inspire some of that change within the enterprise.
Shimel: That would be nice. [Laughter] I love our podcast. I don’t know how influential it is, but it’s a start, anyway.
Chris, we’re coming up on our time limit here, as I mentioned to you earlier on. It goes quick once we get going.
Hines: [Cross talk]
Shimel: It happens. But look, you know, we haven’t had anyone from Zscaler on in a while, so I want to thank you for coming, and I want to invite you back soon and, you know, always happy to get the Zscaler point of view out to our audience.
Hines: It’s my absolute pleasure, thank you for being here, and we appreciate your support. And, you know, thank you.
Shimel: Alrighty. Christopher Hines from Zscaler talking about Cloud-First Architecture and the need for a Cloud-First Architect. This is Alan Shimel from MediaOps, DevOps.com, Security Boulevard, Container Journal. You’ve just listened to another DevOps Chat. Thanks, everyone. Have a great day.