Exclusive Interview with Liu Chao, the Founder of DataCloak Technology: Zero Trust is Now in a Period of Expansion, and It Will Become a Mainstream Solution in the Next 2 to 5 Years
We believe that, in the field of network security, "Zero Trust" is definitely one of the top choices for annual hot words in 2020.
Zero Trust is a network security concept proposed by Forrester analyst John Kindervag back in 2010. In essence it is about identity-based dynamic access control, that is, to construct an end-to-end identity-based boundary by using dynamic access control technology, while focusing on protecting fine-grained applications, interfaces and data and following the principle of least privilege. For the concept of zero trust security, the first milestone came in 2017, when Google achieved success with its zero trust project-BeyondCorp, proving that zero trust security is feasible in large-scale networks. After that, others in the network security industry started to follow suit and engage in relevant practices.
In 2020, a special year, with the Covid-19 epidemic leading to increasing attention to security issues in remote working, the concept of zero-trust security has also ushered in its second milestone—accelerated recognition, as evidenced by it being a hot topic in various summits, and continued funding flowing to many zero trust related companies. At this point in time, we also set out to communicate with a few companies on this topic, and "DataCloak Technology" is one of them.
36Kr had previously ran a report on "DataCloak Technology". Founded in 2018, DataCloak Technology mainly provides clients with next-generation network security architecture solutions based on lightweight trusted computing and the zero-trust concept. The company completed a $13 million Series A financing at the beginning of this year, which was jointly initiated by Jeneration Capital, Co-Stone Capital Partners, and joined in by MatrixPartners China, the original shareholder of DataCloak. In terms of existing products, in addition to the previously launched DataCloak® Zero Trust Endpoint Secure Workspace (DACS) and DataCloak® Zero Trust Application Access Gateway(DAAG), the company also released HyperCloak® enhanced zero trust security framework in September this year.
Among these products, DACS adopts a new generation of security sandbox technology, improving the zero-trust architecture from simple access control to the level of data security. As an effective solution to access control and isolation of sensitive data, it can replace traditional products and technologies such as VDI, DLP, IDV, and VPN. DAAG is a fine-grained application access control gateway built on zero trust architecture. It can help enterprises realize unified identity authentication and privilege management across multiple business systems, and secure access to internal business systems from external networks, therefore enabling them to upgrade to a standard zero-trust architecture more quickly and at a lower cost.
On the other hand, the HyperCloak® enhanced Zero Trust security framework represents a more optimized option that makes up for the deficiencies of ZTNA (Zero-Trust Network Access) security frameworks (represented by Google BeyondCorp) in data security, protocol support and ease of implementation. It is also more open in terms of security features and SDK and thus can also be integrated with the existing products of other companies and industries, which helps in the sense of jointly promoting cybersecurity related IT infrastructure upgrade and digital transformation. According to Liu Chao, the founder of "DataCloak Technology", "Zero Trust" is a concept that involves many infrastructure technologies other than the iconic saying of "never trust, always verify". Many companies have already launched their zero-trust products into the market, but these solutions vary wildly in terms of focused areas and depth. However, it is undeniable that the zero-trust market as a whole is still in early development. Seeing that it took five years for Google to upgrade its zero-trust architecture, many people also began to worry that it might cost too much and take too long to upgrade a zero-trust architecture. Liu Chao believes that it is better for companies to "start from deeper underlying infrastructures, which might make it easier to find low-cost, modification-free and flexible ways to upgrade and deploy zero-trust solutions".
The content of this interview is as follows (edited by 36Kr):
36Kr: There have been a lot of discussions about zero trust this year. As a company focusing on zero trust solutions, why do you think it has become a hot spot this year?
Liu Chao: Actually I don't think it all begins in this year. In fact, since 2019 those following domestic entrepreneurial competitions have been seeing many start-ups claiming to be specialized in zero trust. This year is only special because of the epidemic, which played a role in fueling the flames. It's all because this year's operating environment is different from before, in which many companies have the need to be interconnected with the outside world, and there is an increasing demand for mobile office and cross-organizational collaboration. In addition, more security issues of VPN and other programs have also been exposed, encouraging the enterprises involved to find an alternative solution.
36Kr: Although zero trust is a concept, we find that people are paying more attention to some related technologies such as IAM, SDP, and micro-isolation. Why do you think that is?
Liu Chao: The ultimate goal of Zero Trust is to ensure that enterprises in an open network environment can grant reasonable access rights to those who are legitimate, without compromising the safety of their digital assets. Many of the modules involved, including IAM, SDP, micro-isolation and AI decision engine, etc., are all part of the entire zero trust security framework. Individually any one of them can be called a zero-trust product, such as zero-trust identity, zero-trust network access and zero-trust workload, etc. But they are designed to address different issues, so they are not completely comparable.
36Kr: A single technology is for single point breakthrough, but we notice that not long ago you also released the HyperCloak® enhanced zero trust security framework. Is it just a technology or some kind of a solution?
Liu Chao: Currently available solutions on the market include the ZTNA (Zero-Trust Network Access) framework proposed by Gartner, the zero trust security architecture of the NIS and Google’s BeyondCorp security framework. As a more optimized framework, our HyperCloak® makes up for the deficiencies of said solutions in data security, protocol support and ease of implementation. It can also be integrated with the products of other companies and industries. So it can be said that it is a step-up from other frameworks, which makes it better in meeting the needs for data security and easy deployment, as well as the current needs of Chinese enterprises.
36Kr: Could you be more specific about its advantages?
Liu Chao: It has three advantages. First of all, in addition to ensuring zero-trust related access and verification, it also solves issues relating to node data security. Secondly, it supports more protocols than traditional frameworks, making it easier to deploy and implement. Many clients complain that zero trust implementation is too difficult, as it is not only time-consuming but also very costly to maintain and upgrade. Therefore, we believe that supporting more protocols can help reduce the difficulty of actual implementation by users. The third advantage is that it applies to more scenarios. ZTNA solutions are actually mainly designed to replace VPNs in corporate telecommuting. HyperCloak® is more than that as it applies to not only corporate office works but also cloud computing and even edge computing scenarios. So for enterprises it can serve as a more comprehensive solution.
36Kr: Nowadays, when talking about zero trust, people tend to say that users of zero-trust products often find modification too costly. What do you think is the reason behind this situation?
Liu Chao: I think there are two reasons. The first is "seeing smoke and mirrors." That is to say, some people may have no actual experience with this technology. They've only read about it in theoretical research and reports and came to a conclusion that zero trust is very complicated or very costly to modify. The second reason is related to the problem-solving perspective and technical implementation method. The second reason is related to the problem-solving perspective and technical implementation method.
Take Google’s project as an example. The upgrade of its zero-trust architecture was not completed until 2017, meaning that it took about 5 years. You might think that since it took so much time for even Google to do that, zero trust must be very difficult to upgrade and very costly in terms of both time and money. This is not necessarily the case and we need to know why it took Google 5 years to do that? In fact, Google has its own set of internal mechanisms, including how various application systems communicate with each other. Since this mechanism is based on the application layer, Google's zero-trust transformation must involve various business systems, and changing each and every application system naturally costs more time and money. In my opinion, domestic companies should refer to the practices of others but not copy them and try to do things in a way that is more in line with the actual needs of domestic users. For example, we could try to reduce the cost of zero trust modification by starting from a deeper underlying layer.
36Kr: Many people now want to try zero trust security for the first time. In your opinion, for those clients who are still "seeing smoke and mirrors", what's the most important things to do when choosing zero-trust solutions?
Liu Chao: The most fundamental thing is to think about what issue you want to address and to evaluate various products accordingly. The second point is that they should pay close attention to solution's technical indicators and technical capabilities, because all zero-trust solutions are implemented by software and are closely related to the user's business. They can use POC testing to help them find the best solution.
36Kr: Based on your answer, are there some clients who are naturally more suitable for zero-trust transformation?
Liu Chao: It still depends on whether there is a demand for that. Clients need to understand their company's overall security strategy and network architecture, and be clear about what they want to achieve.
36Kr: Some companies that have previously provided clients with in-depth services should find it easier to introduce zero-trust products to the same clients. Do you think this is a competitive advantage for them?
Liu Chao: Knowing more about clients is definitely an advantage. But in essence, what each company can provide is zero-trust infrastructure solutions, which is something universal that can be used by any type of companies, just like network switches, network routers and network cables. Therefore, other companies being more closely tied with the clients does not mean that they can obtain a direct competitive advantage in terms of products.
Our product boasts a certain degree of uniqueness because they are designed as an infrastructure from the very beginning. Our past business mainly involved large-scale distributed systems. The modules related to the HyperCloak zero-trust security framework are loosely coupled and they have better scalability; clients can use their native programs, or instead rely on API calls and SDK embedding. We can make specific solutions based on the actual situation of the enterprise, that is to say, rather than requiring clients to transform their own systems according to what our products need, we can adjust our own deployment architecture according to client needs. At the same time, our products can also be integrated with the client's existing security products, helping to smooth out the upgrade process. In addition, we will not use the concept of zero trust as a selling point, because clients may have different needs, including the need to address remote office issues, source code leakage, low R&D efficiency or data protection issues etc. I believe that taking client needs as the starting point can always increase the chance of both sides reaching an agreement. After all, what clients want is not a concept but effective solutions to practical problems.
36Kr: Although zero trust has become a hot topic in network security communities, it seems that it still requires some market education to achieve sufficient client acceptance. How long do you think it will take for it to have a mature market?
Liu Chao: Yes, market education is definitely required because you have to let the technicians understand the advantages of this kind of solution. And I think it will take some time to do that. I'm glad that everyone in the industry is talking about this concept and technology. Zero Trust is now in a period of expansion, and it will become a mainstream solution in the next 2 to 5 years. Moreover, Zero Trust security products are still in the process of continuous improvement, in which the most important thing is to do a good job in technological innovation and product development.