Zscaler, Inc. (ZS) Earnings Call Transcript & Summary
September 30, 2025
Earnings Call Speaker Segments
Ofer Yarom
My name is Ofer Yarom, and I'm a Director of Product Management in Zscaler. With me today are Sushil Menon, the Principal Product Manager for Zscaler and a DSPM expert; and Jake Berkowsky, Head of Applied Cybersecurity for Snowflake. On our agenda today, Jake is going to kick that off by talking about Snowflake's approach to security. He's going to cover the security model and the shared responsibility model that Snowflake is promoting. Then we will talk about what is required for us as customers in order to match that part of the shared responsibility and secure, make sure that our Snowflake data is secure. We'll talk about the challenges of doing that with huge amounts of data with so many databases that are out there in data lakes and services that are out there and the ability to solve that with an automated tool and how DSPM is going to help us do that. And then Sushil is going to take us through a deep dive into Zscaler DSPM and how that works in order to make sure that your Snowflake data is better secure and protected. A little bit of housekeeping. This session is going to take approximately 40 minutes. We're going to record a session, and it's going to be available for you later online if you are unable to attend the complete session. During the entire session, if you have any questions, please post them in the Q&A. We have our experts that are going to answer those questions in real time online for you. And then towards the end of the session, we're going to have a Q&A part we're going to pick the most common questions, the most popular ones and answer them in here. So with that, Jake, let's get started.
Jake Berkowsky
Thank you very much, Ofer, and thank you for having me. I'm going to talk a little bit about Snowflake and how we work with Zscaler to help our customers secure their data. But before I do, I wanted to share a few numbers that we have. So 6.3 billion that's the number of average daily queries that we've run last year every single day on the Snowflake data platform. We have 256 trillion, that is the number of rows in the largest customer table that we have on Snowflake. 205,000 is actually the record for the greatest number of queries that we have being executed in a 1 minute interval but only by 1 single customer. And 180 petabytes, that's the agrimento-compressed data stored in Snowflake by just our 5 largest customers by data volume. And that's only compressed. We're talking uncompressed, we're talking that could be well over an exabyte. Now what do those numbers mean? It means that when you have that much data, when you're storing that much data, and when you're running hundreds of thousands of queries in a single minute, that's going to add some complexity there. You're not only having a lot of data, you're having a lot of stakeholders using that data. You have a lot of processes, a lot of jobs, people that are coming and leaving your company that's complicated. We always like to say that complexity is the enemy of security. And so at Snowflake, we try to make it so that customers really have a grasp on their data so they're able to protect and secure that important data. And it's more than just volume as well. Our customers are running several different types of workloads on Snowflake. We have customers in industries like financials, highly regulated industries like financial services or health care life sciences. They're running in several different jurisdictions, whether in EMEA under GDPR in the United States or even in our FedRAMP high environment. That data is valuable. It's potentially personal and requires a lot of protection.
So how are you going to protect your crown jewels here? With Snowflake, like many other large providers, we take a shared responsibility model. On the bottom, we have here our cloud service provider. Snowflake is built on top of different CSPs. We support platforms on top of GCP, Azure, AWS. Because of that, a lot of the work that they've done passes on to us and therefore, to you as a customer. So cloud service provider is going to get their own compliance. We're going to pass -- you're going to be able to go to that utilize those certifications. We're going to again adopt those certifications and pass them to you. On the Snowflake side of the shared responsibility model, we're going to be securing the Snowflake platform. Getting those starts, getting our FedRAMP high passing audits. And again, we're going to be passing on those certifications to you. We're going to be monitoring the safety of the platform itself. Everything that we build, gets monitored, it's audited. And again, that's our job. We employ a lot of people to really just make that Snowflake platform as secure as possible. And then when we talk about shared responsibility, we talked just on the top, that's all the things that the customer is generally responsible for. Now we've moved from a share -- pure shared responsibility model to adopt even more of a shared fate model more than just things that we're responsible for in the platform. We're doing things like enforcing MFA for all the accounts. We have gone from -- we've created recently scanning for leaked credentials automatically found on the Internet. And then if we confirm them, revoking them on your behalf. We're publishing guidance around best practices. We help our customers and we proactively work with our partners just like Zscaler and helping them to make their solutions stronger and safer. So let's talk a little bit more about what happens on the customer side.
When we talk about what the customer is responsible for generally includes managing user entitlements, doing data classifications and implementing again our robust authentication mechanisms. We talk about leveraging Snowflake features like RBAC, masking policies and activity monitoring. That's crucial. We talk about some of the other things that are required. Again, the big one here is enabling our role-based access control. Snowflake supplies a very strong RBAC system, but it's up to our customers to set up those granular roles, privileged structures to manage them and tend to restrict data assets -- data access on a least privilege basis. We provide the functionality of dynamic data masking and row-level security. But again, it's up to our customers to apply those policies, to monitor them and make sure that you're filtering out those sensitive columns and data sets. But we provide and are continuing to improve on our auditing both through internal tables and through our new event tables. Snowflake customers, they're responsible for them monitoring, looking at what's going on monitoring the access, what's happening, what are the activities happening. Snowflake customers are responsible for classifying their data, keeping that inventory, using tagging to maintain that visibility on sensitive data and your compliance posture. And again, right, we have for other features. When we're sharing data, not just through RBAC, we offer secure data sharing, again, limiting that data exposure, tracking those external sharing activities. And again, customers, again, making sure they're implementing those best practices around authentication, using strong auth, integrating with their identity IDPs and then rotating those keys and credentials regularly. This is table -- it adds complexity. It's a lot of work.
We do also recommend that our customers will automate and integrate this as much as possible, and that's part of the reason that we're working here with Zscaler today. So like I mentioned, Snowflake provides a lot, but it could be for some customers a lot of work. We also know that not everyone's -- all of everyone's data is living inside of Snowflake. We've leaned into Iceberg and other Federated technologies very, very heavily because we know that customers may want to be storing their data in the cloud layer directly, which means that you may end up with different both Snowflake native tools, Amazon native tools, all sorts of native tools and our customers are wanting that unified point of view. That's why we work with partners like Zscaler just to make everything easier and more secure from our -- for our customers. I'll pass it back to you, Ofer.
Ofer Yarom
Thank you, Jake. With Zscaler being a Snowflake customer, we definitely understand all of those challenges that are related to keeping our end of that shared responsibility model intact. And to do that, we realize that there is a set of capabilities that are required. First, obviously, we need to see the data in order to know where it is, know what data we have and what controls are put on top of that so that we can now go and make sure that these are secure. And that is our part of the security shared responsibility model, basically looking into our data with the controls that we put based on those flexible security options that Snowflake grants us and make sure that we did not make those mistakes that we did not share that file with somebody that we should not have that we did not expose that data out there to the world. So understanding the data landscape, knowing what data resides well on which service then understanding who can access the data, looking at that model. Figuring out how did we configure that Snowflake service did we make any critical mistake in that flow. And obviously, looking into the security benchmarks and compliance or regulatory compliance with regards to both my Snowflake controls, like Jake mentioned, CIS for Snowflake, but also any data that I may be storing in Snowflake with regards to GDPR, PCI, ISO, NIST or any other regulation that we would like to cover. We've talked about how much data and Jake described, the vast amounts of data that are stored in Snowflake, Data Lakes everywhere. In Zscaler, we've been observing the complete set of data that is not just stored with Snowflake and the specific warehouses where it runs, but also look into the entire cloud and SaaS area. And we can see that data has been growing exponentially over time. We are looking at huge amounts of data that are pretty much everywhere and are stored in databases, are stored in storage locations, on-premise, in the cloud, in SaaS services everywhere.
So data is there everywhere with the vast amount and it is impossible for anyone to go and protect that data, doing manual stuff. And even just getting that visibility is impossible. And then at the same time, regulatory compliance has become super critical with fines and with the sheer need of supporting that is growing more and more important every day with more and more regulations coming and more and more security frameworks and benchmarks that organizations need to support. And then on top of all of that complexity, we're seeing AI coming in using data that is stored in one location, then storing it in another area and not really applying any controls over that data. So that becomes a whole mess to handle and handling that without a specific tool that is going to help us control all of that data is clearly impossible. That's where data security posture management or Zscaler DSPM comes into place. And as mentioned, the first challenge of my security or my part as a customer of that shared responsibility model is I need to understand my data universe. I need to know where my data resides, what services do I have? Where is my -- where are my Snowflake database, where are they located? What types of data are stored in those Snowflakes? What do I have in this database in this table, what do I have in that database in that table? I need to understand all of that. So DSPM is going to give me AI-powered classification. We're going to look in a smart way into the data and figure out both new data using AI LLM classification as well as tailored data to the customer needs, and we can also identify specific pieces of information using legacy classification that is on top of that. 
One of the key values for Zscaler is the ability to not just look into data at rest as a silo, but basically look at data at rest and data in motion using the same tool looking at your data where it is stored on Snowflake, then downloaded to your endpoint and then make its way into the web or through an e-mail. We do the same classification everywhere we detect the data as it goes through those phases and we protect your data wherever it goes. So Zscaler DSPM is about data at rest. In the cloud, in SaaS services on-premises, obviously, Snowflake is a key part of that. But we're using the same tools across data in motion as well, and you get one big security portfolio that covers everything. DSPM is also looking at your potential misconfigurations of Snowflake of any other service that we are controlling, basically understanding what did I do wrong? And how can that hurt me later on? What are the potential issues that I might have? How can folks now access my data from the cloud, hackers, malicious insiders, whoever we want to make sure that all of these right guardrails and controls are in place and Zscaler DSPM is looking into that. We're observing the complete permission mechanism. This is not an easy task even with Snowflake with a very granular model that allows you to give different permissions to users, to groups into any schema table database. So it is super easy to make those mistakes and grant some extra permissions, ending up with folks that should not be accessing your data or be able to modify that have those permissions. So understanding that, looking into all of these options and giving you the ability to go and act upon that. This is key to our functionality. And last but not least, is understanding all of those regulations and benchmarks. We do it in a smart way. We don't just look into the controls that need to maintain something. We don't just look at the data that is stored in order to understand compliance. We mix those together.
If we have a compliance control that is being breached as part of PCI, we'll make sure that it relates to a database and a table that actually contain PCI information in order to do that. If we're looking into private information, regulations, we're going to make sure that there is private information in that to reduce the clutter of alerts and to make sure that you're getting the right reporting out of that. So in a nutshell, this is Zscaler's DSPM. And in the next part, Sushil is going to walk us through how that is implemented within Zscaler DSPM and how do we help you protect your Snowflake data. Sushil to you.
Sushil Menon
Welcome, everyone. Thank you for taking out time for this wonderful session of Zscaler DSPM along with this integration with Snowflake. Ofer, thank you for setting up the stage and context of Zscaler DSPM. And now folks, I will give you a deep dive an overview into the Zscaler DSPM and how its integration with Snowflake. So first, before we even deep dive into the key functionalities and features of Zscaler DSPM, let's talk a little bit about the architecture because it's very paramount for most of our customers. Zscaler's DSPM architecture is built on 2 core fundamental principles, that's completely agentless and API first approach with the predominant focus on customers' data sovereignty and data privacy. As I mentioned, Zscaler DSPM does not deploy or require users to deploy any agents in their environment. We use an API-first cloud-native approach where the cloud-native APIs are leveraged for accessing the data stores for securely connecting to them and scanning the data. The entire Zscaler scanning infrastructure is deployed in the customer's cloud account itself. There is no scanning that happens within Zscaler's cloud and we ensure from a data privacy and data sovereignty perspective that the customer's data is stored in the customer's cloud account itself. Customers data never leave their customers' cloud account or even their region. This architecture also ensures there are no data transfer fees with regards to CSPs, whether it's internet egress cost or inter-region data cost. All of this is completely automated by Zscaler DSPM. And just to let you know from a Snowflake perspective, Zscaler supports all Snowflake editions: The standard, the enterprise business critical and the VPS editions. This architecture forms the basis of the Zscaler DSPM, which I'll deep dive into of their respective features.
Now first thing as we talked about, as Ofer has laid the foundation about data discovery, the predominant foundation of DSPM is basically data discovery, right? You need a uniform data discovery and classification of the data stores that the DSPM is scanning in your environment. Now with regards to Snowflake, what are the top most questions that one would have with regards to data discovery and classification. First, where are my Snowflake data stores in my account, right? They're connected to which cloud, whether it's AWS, Azure or GCP? What type of sensitive data is stored in my Snowflake database and tables? And what are the regions where Snowflake is deployed? If I'm a customer that is concerned about GDPR, do I have a Snowflake instance running outside of an EU region which is hosting sensitive data that could cause me regulatory problems. These are all the basic fundamental questions from a discovery perspective for any data store along with Snowflake. And this is what Zscaler DSPM helps to address as the first point of entry into the product called the Resource Inventory and Data Discovery. So let's move ahead. This is the Data Discovery dashboard. As you can see out here, this unified classification that we talked about is -- and allows us to any kind of data store. When we detect a particular kind of sensitive data, for example, PCI like credit cards, e-mail addresses, tax numbers, they are identified across all data stores. And from here, we can drill down into specific types of data found in which data stores and in which regions. As you can see below, this is found in Snowflake accounts in the U.S. East region. Similarly, DSPM resource inventory provides a difficult interface, very easy to visualize for the data security analysts and architects to look into what types of sensitive data is being hosted and what sensitive -- in what Snowflake tables and databases and how many records of each of this type of data is found in those tables.
This provides a comprehensive view from a data discovery and classification perspective to data security analysts. Now once DSPM is identified, the sensitive data that is hosted in your environment the next big thing that the DSPM focuses is on identifying the risk associated with the data, right? So when we talk about risk associated with the data, it comes from 2 aspects: One is from posture; and one is from entitlement or data governance; and third is compliance. So when we talk about posture, what do we mean by that? When we talk about posture with regards to DSPM, in the case of Snowflake out here, you want to know how the data is stored within the Snowflake account. Is it encrypted? What type of keys are used for encryption? Is logging and auditing enabled for forensic investigations? Is data retention enabled to ensure that sensitive data is not at risk of data loss due to accidental deletion? Is the Snowflake account exposed to the Internet via public exposure? Is masking and row-level, column-level security kind of controls implemented on those tables, hosting sensitive data? These are the key aspects and this would change from data store to data store as not all the controls are applicable to one particular data store, these change with regards to this. Zscaler DSPM automatically identifies these key posture controls to help us identify the risk associated with the data where it is stored. As you can see out here on this particular screen, you can see the risk has been identified along with the sensitive data, the amount of data that is found in Snowflake and the respective Snowflake accounts. 
Zscaler not only takes into consideration of the posture assessment of these controls on a particular data store, but it matches them and correlates them with the type of sensitive data that is found and the amount of sensitive data that has been found to automatically prioritize and provide you the insight of the top risky data stores that the users or the security analysts need to take action on, as you can see out here. So all the heavy lifting with regards to doing the analysis, doing the correlation is done in an automated way via Zscaler. Here is a classic example of the type of the policies that regards to Posture and Snowflake. As you can see out here, there are 2 policies that we're showing out here is the Snowflake database tables, having sensitive data that do not have any masking configure. And the second one is with regards to data retention that is basically talking about the sensitive data stored in these tables that do not have any retention policies, which could lead to accidental data loss. Now once Posture assessment has been done by DSPM with regards to the security controls, which are configured on a particular data store, the next big item from identifying risk to a data is coming from data access governance, often called as entitlements and identities that who can access the sensitive data and what kind of entitlements and permissions they have on this data. Can they read the data? Can they delete the data? Can they modify the data? And the third most important thing is how do these entities receive this kind of permissions or entitlements to have this kind of unprecedented access on the data, right? This could come from policies. This could come from roles in Snowflake. 
So Zscaler automatically does this complex calculation of every single entity within Snowflake and other data stores and calculates the policies and the roles associated with them to calculate the whole permission model to clearly tell you which entities within your Snowflake account, have what type of access on this particular sensitive data. So this gives you a clear risk overview to the end user in terms of the data security analysts to identify and look for the users with overly privileged permissions. So let's look into this classic example. Out here, you can see a Snowflake database, which can be accessed by 10 admin principals and 15 users. Now you can drill down into this particular information to look into, okay, who are these 15 users? What are those entities within your account? What are those entity types within your account, whether it's just Snowflake users, service account? And what kind of access levels do they have on your particular data store? Does anybody have a full access? Do they have a read access or edit access? This entire information is automatically populated at the click of a user on the DSPM portal. With regards to entitlement, it's not only about which user has what type of permissions on a particular data store, it's also important to understand the association of the roles and the policies that have been mapped to the users, which eventually granted them the access to this particular data store. Zscaler DSPM automatically provides the entire access path which is shown out here with regards to how these entities got an admin level privilege on a particular data store. This entire calculation is also taken into consideration with regards to identifying the risk associated with the particular Snowflake account. And this is done completely automated by Zscaler DSPM. The users don't have to go and do anything with regards to finding this kind of risky permission models in their environment.
And these risks will be automatically highlighted in terms of prioritization. And Zscaler also provides guided remediation steps to how to mitigate and resolve these particular issues. Finally, not but least, Zscaler today already supports 350-plus out-of-the-box detection policies in terms of data risk policies that includes both Posture, Entitlements and a combination of both. Besides that, Zscaler also provides the users with a very flexible intuitive investigation module. The best part of this module users need not know any kind of prior programming language like SQL, JSON or nothing. Zscaler DSPM provides an automated self-explanatory query model in which all the query attributes are readily available for a user to just select and make your queries and not only you can query for specific types of attributes of a particular data store with regards to sensitive data, you can also easily convert them into your custom policies. It's highly intuitive and very easy to use. Third pillar, Compliance Management. As Ofer rightly mentioned, the biggest challenge with regards to securing data with GenAI and cloud and many other applications today that are dealing with large amounts of data, Regulatory Compliance Management is one of the biggest challenge that customers are facing, right? Because the same amount of data is now today regulated by at least 4 or 5 compliance controls today. Zscaler out-of-the-box provides more than 20-plus compliance standards and frameworks that automatically detects for compliance violations across all the 3 clouds and including Snowflake and many other data stores as well. The compliance management module is not limited to the compliance controls and the framework provided by Zscaler. We also provide a very intuitive framework where a customer can create their own compliance framework based on their internal controls and processes. 
They can also edit the existing controls, and this provides the highest level of flexibility and granularity for customers to create their own controls as well using the investigation module or using any existing out-of-the-box policies and to be mapped to any control and compliance framework as per their business policies. The Compliance Management module, you can see out here we support almost 20-plus compliance frameworks each control within a framework has associated severity and their associated with respect to data stores within the cloud. So with that, I would like to complete the demo, and we are open up for Q&A.
Ofer Yarom
Thank you so much, Sushil, for an amazing demo. And now in this Q&A part, first, I want to thank everyone for the questions that you have submitted. And thank you all, experts for all of these answers provided in real time. We've picked some of the questions, and Sushil, let me try and walk you through those. I'm looking at the list right now. First, my company is using the VPS edition. Do you support that for Snowflake? Maybe, Sushil, you can explain a little bit of the VPS edition and whether it is supported or not?
Sushil Menon
Absolutely, Ofer. So as I mentioned earlier, Zscaler DSPM supports all the 4 editions of Snowflake that is standard business, enterprise business, critical and the VPS. The VPS is then a highly secure environment in terms of Snowflake perspective. It's called the virtual private Snowflake edition. It's for providing the highest level of security and data isolation when it comes to for financial users, health care industry, probably even government. And Zscaler absolutely supports the VPS deployment models. And just to clarify, Zscaler supports these models across all 3 clouds that Snowflake supports, whether it's in AWS, Azure and GCP.
Ofer Yarom
Perfect. Is there a limit on the number of Snowflake databases that I can monitor any limit on the size of those databases?
Sushil Menon
Absolutely not. Zscaler's platform, the architecture, which is deployed in the customer's cloud account, leverages the cloud-native infrastructure, which has the capability to automatically scale to the growing needs of the data that needs to be scanned and Zscaler also has very highly optimized scanning techniques, including the data sampling scan, which is the highest level of accuracy to ensure that we don't ever hit any roadblock with regards to the amount of data and the database or the number of databases. There's absolutely no limit on that.
Ofer Yarom
Can I tailor the data classifiers to my need? I'm guessing this one is about the DLP classification that we are doing. Can we tailor that to any customer-specific data?
Sushil Menon
Absolutely. Zscaler DLP platform always has the capability in terms of providing the highest level of customization for the end user. And the best part is any custom classifier that you configure it's applied universally across all the channels of Zscaler. So it's not just for specific DSPM, but it also applies for e-mail, in-line, endpoint, all of them.
Ofer Yarom
The next one is kind of related to the one about the volume of data that can be scanned. The question is, what is the performance hit on my Snowflake of your scanning that data?
Sushil Menon
Absolutely negligible. And the reason is twofold. First, like I mentioned, Zscaler provides a highly optimized scanning technique called as the data sampling scan with the highest level of accuracy where the DSPM module only needs to fetch a few specific set of rows from each database tables and need not actually fetch the all hundreds and thousands of millions of rows as it's structured data format within Snowflake. The second most thing is Zscaler DSPM leverages own dedicated warehouse, which is the compute warehouse with the lowest minimum configuration that is required. And this allows that there is no conflict in terms of trying to share the resources of the warehouses that you are using for your production workloads on your particular Snowflake tables. So this ensures that isolation from a compute perspective and also the optimized scanning technique, which ensures that is negligible or probably literally next to 0 kind of performance impact on your Snowflake tables.
Ofer Yarom
And now can I -- if I'm still worried, I guess, can I set the scanning cadence for that?
Sushil Menon
Yes, absolutely. So Zscaler provides multiple ways to do your scanning, right? You can trigger an on-demand scan, let's say, you're prepping for an audit and you want to do a scan, you can trigger an on-demand scan. If you want, you can set on a schedule of daily, monthly and weekly. Not only that, similar to how applications would have their maintenance windows for backup and doing some integration jobs, we also provide a kind of a scanning window where you can say, okay, scan only Sunday between 4 to 6, where our production workload is very, very minimal. So we provide that level of flexibility in terms of how you want to do the scan of your Snowflake tables.
Ofer Yarom
And then the last one I see here is my organization requires adjustments to the compliance frameworks that are unique to us, can you support that?
Sushil Menon
Absolutely. As I mentioned, we not only just support more than 25-plus out-of-the-box compliance frameworks, we also support you bringing in your own compliance framework. And for each compliance framework that you bring in, we support you bringing either any of the out-of-the-box controls that we already have because many controls are common across multiple regulatory standards. But at the same time, with our investigation module, you can create your own policy and own control and map that as well to your custom compliance framework. It offers the highest level of flexibility in terms of creating your own custom compliance frameworks. Absolutely no limitations on that.
Ofer Yarom
Thank you so much, Sushil. So for the next steps and after this session, you're more than welcome to check our website, learn more about the DSPM, contact us for a demo or contact your sales rep in order to follow up about Zscaler DSPM and our support for Snowflake or for that matter to any service. I want to thank you, Jake, so much for joining us and bringing that information from Snowflake. Thank you, Sushil, for that drill down and amazing demo. And thank you all for attending this session.
Sushil Menon
Thank you, Jake, and thank you, everyone, for being part of this session.